Class: Google::Cloud::NetworkSecurity::V1::AuthzPolicy

Inherits:
Object
  • Object
show all
Extended by:
Protobuf::MessageExts::ClassMethods
Includes:
Protobuf::MessageExts
Defined in:
proto_docs/google/cloud/networksecurity/v1/authz_policy.rb

Overview

AuthzPolicy is a resource that allows to forward traffic to a callout backend designed to scan the traffic for security purposes.

Defined Under Namespace

Modules: AuthzAction, LoadBalancingScheme, PolicyProfile Classes: AuthzRule, CustomProvider, LabelsEntry, Target

Instance Attribute Summary collapse

Instance Attribute Details

#action::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzAction

Returns Required. Can be one of ALLOW, DENY, CUSTOM.

When the action is CUSTOM, customProvider must be specified.

When the action is ALLOW, only requests matching the policy will be allowed.

When the action is DENY, only requests matching the policy will be denied.

When a request arrives, the policies are evaluated in the following order:

  1. If there is a CUSTOM policy that matches the request, the CUSTOM policy is evaluated using the custom authorization providers and the request is denied if the provider rejects the request.

  2. If there are any DENY policies that match the request, the request is denied.

  3. If there are no ALLOW policies for the resource or if any of the ALLOW policies match the request, the request is allowed.

  4. Else the request is denied by default if none of the configured AuthzPolicies with ALLOW action match the request.

Returns:

  • (::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzAction)

    Required. Can be one of ALLOW, DENY, CUSTOM.

    When the action is CUSTOM, customProvider must be specified.

    When the action is ALLOW, only requests matching the policy will be allowed.

    When the action is DENY, only requests matching the policy will be denied.

    When a request arrives, the policies are evaluated in the following order:

    1. If there is a CUSTOM policy that matches the request, the CUSTOM policy is evaluated using the custom authorization providers and the request is denied if the provider rejects the request.

    2. If there are any DENY policies that match the request, the request is denied.

    3. If there are no ALLOW policies for the resource or if any of the ALLOW policies match the request, the request is allowed.

    4. Else the request is denied by default if none of the configured AuthzPolicies with ALLOW action match the request.



101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
# File 'proto_docs/google/cloud/networksecurity/v1/authz_policy.rb', line 101

class AuthzPolicy
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Specifies the set of targets to which this policy should be applied to.
  # @!attribute [rw] load_balancing_scheme
  #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::LoadBalancingScheme]
  #     Optional. All gateways and forwarding rules referenced by this policy and
  #     extensions must share the same load balancing scheme. Required only when
  #     targeting forwarding rules. If targeting Secure Web Proxy, this field
  #     must be `INTERNAL_MANAGED` or not specified. Must not be specified
  #     when targeting Agent Gateway. Supported values:
  #     `INTERNAL_MANAGED` and `EXTERNAL_MANAGED`. For more information, refer
  #     to [Backend services
  #     overview](https://cloud.google.com/load-balancing/docs/backend-service).
  # @!attribute [rw] resources
  #   @return [::Array<::String>]
  #     Required. A list of references to the Forwarding Rules, Secure Web Proxy
  #     Gateways, or Agent Gateways on which this policy will be applied.
  class Target
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # Conditions to match against the incoming request.
  # @!attribute [rw] from
  #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::From]
  #     Optional. Describes properties of a source of a request.
  # @!attribute [rw] to
  #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To]
  #     Optional. Describes properties of a target of a request.
  # @!attribute [rw] when
  #   @return [::String]
  #     Optional. CEL expression that describes the conditions to be satisfied
  #     for the action. The result of the CEL expression is ANDed with the from
  #     and to. Refer to the CEL language reference for a list of available
  #     attributes.
  class AuthzRule
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # Determines how a string value should be matched.
    # @!attribute [rw] exact
    #   @return [::String]
    #     The input string must match exactly the string specified here.
    #
    #     Examples:
    #
    #     * ``abc`` only matches the value ``abc``.
    #
    #     Note: The following fields are mutually exclusive: `exact`, `prefix`, `suffix`, `contains`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] prefix
    #   @return [::String]
    #     The input string must have the prefix specified here.
    #     Note: empty prefix is not allowed, please use regex instead.
    #
    #     Examples:
    #
    #     * ``abc`` matches the value ``abc.xyz``
    #
    #     Note: The following fields are mutually exclusive: `prefix`, `exact`, `suffix`, `contains`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] suffix
    #   @return [::String]
    #     The input string must have the suffix specified here.
    #     Note: empty prefix is not allowed, please use regex instead.
    #
    #     Examples:
    #
    #     * ``abc`` matches the value ``xyz.abc``
    #
    #     Note: The following fields are mutually exclusive: `suffix`, `exact`, `prefix`, `contains`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] contains
    #   @return [::String]
    #     The input string must have the substring specified here.
    #     Note: empty contains match is not allowed, please use regex instead.
    #
    #     Examples:
    #
    #     * ``abc`` matches the value ``xyz.abc.def``
    #
    #     Note: The following fields are mutually exclusive: `contains`, `exact`, `prefix`, `suffix`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] ignore_case
    #   @return [::Boolean]
    #     If true, indicates the exact/prefix/suffix/contains matching should be
    #     case insensitive. For example, the matcher ``data`` will match both
    #     input string ``Data`` and ``data`` if set to true.
    class StringMatch
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # Represents a range of IP Addresses.
    # @!attribute [rw] prefix
    #   @return [::String]
    #     Required. The address prefix.
    # @!attribute [rw] length
    #   @return [::Integer]
    #     Required. The length of the address range.
    class IpBlock
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # Describes the properties of a client VM resource accessing the internal
    # application load balancers.
    # @!attribute [rw] tag_value_id_set
    #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::RequestResource::TagValueIdSet]
    #     Optional. A list of resource tag value permanent IDs to match against
    #     the resource manager tags value associated with the source VM of a
    #     request.
    # @!attribute [rw] iam_service_account
    #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch]
    #     Optional. An IAM service account to match against the source
    #     service account of the VM sending the request.
    class RequestResource
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # Describes a set of resource tag value permanent IDs to match against
      # the resource manager tags value associated with the source VM of a
      # request.
      # @!attribute [rw] ids
      #   @return [::Array<::Integer>]
      #     Required. A list of resource tag value permanent IDs to match against
      #     the resource manager tags value associated with the source VM of a
      #     request. The match follows AND semantics which means all
      #     the ids must match. Limited to 5 ids in the Tag value id set.
      class TagValueIdSet
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end
    end

    # Determines how a HTTP header should be matched.
    # @!attribute [rw] name
    #   @return [::String]
    #     Optional. Specifies the name of the header in the request.
    # @!attribute [rw] value
    #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch]
    #     Optional. Specifies how the header match will be performed.
    class HeaderMatch
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # Describes the properties of a principal to be matched against.
    # @!attribute [rw] principal_selector
    #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::Principal::PrincipalSelector]
    #     Optional. An enum to decide what principal value the principal rule
    #     will match against. If not specified, the PrincipalSelector is
    #     CLIENT_CERT_URI_SAN.
    # @!attribute [rw] principal
    #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch]
    #     Required. A non-empty string whose value is matched against the
    #     principal value based on the principal_selector. Only exact match can
    #     be applied for CLIENT_CERT_URI_SAN, CLIENT_CERT_DNS_NAME_SAN,
    #     CLIENT_CERT_COMMON_NAME selectors.
    class Principal
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # The principal value the principal rule will match against.
      module PrincipalSelector
        # Unspecified principal selector. It will be treated as
        # CLIENT_CERT_URI_SAN by default.
        PRINCIPAL_SELECTOR_UNSPECIFIED = 0

        # The principal rule is matched against a list of URI SANs in the
        # validated client's certificate. A match happens when there is any
        # exact URI SAN value match. This is the default principal selector.
        CLIENT_CERT_URI_SAN = 1

        # The principal rule is matched against a list of DNS Name SANs in the
        # validated client's certificate. A match happens when there is any
        # exact DNS Name SAN value match.
        # This is only applicable for Application Load Balancers
        # except for classic Global External Application load balancer.
        # CLIENT_CERT_DNS_NAME_SAN is not supported for INTERNAL_SELF_MANAGED
        # load balancing scheme.
        CLIENT_CERT_DNS_NAME_SAN = 2

        # The principal rule is matched against the common name in the client's
        # certificate. Authorization against multiple common names in the
        # client certificate is not supported. Requests with multiple common
        # names in the client certificate will be rejected if
        # CLIENT_CERT_COMMON_NAME is set as the principal selector. A match
        # happens when there is an exact common name value match.
        # This is only applicable for Application Load Balancers
        # except for global external Application Load Balancer and
        # classic Application Load Balancer.
        # CLIENT_CERT_COMMON_NAME is not supported for INTERNAL_SELF_MANAGED
        # load balancing scheme.
        CLIENT_CERT_COMMON_NAME = 3
      end
    end

    # Describes properties of one or more sources of a request.
    # @!attribute [rw] sources
    #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::From::RequestSource>]
    #     Optional. Describes the properties of a request's sources. At least one
    #     of sources or notSources must be specified. Limited to 1 source.
    #     A match occurs when ANY source (in sources or notSources) matches the
    #     request. Within a single source, the match follows AND semantics
    #     across fields and OR semantics within a single field, i.e. a match
    #     occurs when ANY principal matches AND ANY ipBlocks match.
    # @!attribute [rw] not_sources
    #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::From::RequestSource>]
    #     Optional. Describes the negated properties of request sources. Matches
    #     requests from sources that do not match the criteria specified in this
    #     field. At least one of sources or notSources must be specified.
    class From
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # Describes the properties of a single source.
      # @!attribute [rw] principals
      #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::Principal>]
      #     Optional. A list of identities derived from the client's certificate.
      #     This field will not match on a request unless frontend mutual TLS is
      #     enabled for the forwarding rule or Gateway and the client certificate
      #     has been successfully validated by mTLS.
      #     Each identity is a string whose value is matched against a list of
      #     URI SANs, DNS Name SANs, or the common name in the client's
      #     certificate. A match happens when any principal matches with the
      #     rule. Limited to 50 principals per Authorization Policy for regional
      #     internal Application Load Balancers, regional external Application
      #     Load Balancers, cross-region internal Application Load Balancers, and
      #     Cloud Service Mesh. This field is not supported for global external
      #     Application Load Balancers.
      # @!attribute [rw] ip_blocks
      #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::IpBlock>]
      #     Optional. A list of IP addresses or IP address ranges to match
      #     against the source IP address of the request. Limited to 10 ip_blocks
      #     per Authorization Policy
      # @!attribute [rw] resources
      #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::RequestResource>]
      #     Optional. A list of resources to match against the resource of the
      #     source VM of a request. Limited to 10 resources per Authorization
      #     Policy.
      class RequestSource
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end
    end

    # Describes properties of one or more targets of a request.
    # @!attribute [rw] operations
    #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation>]
    #     Optional. Describes properties of one or more targets of a request. At
    #     least one of operations or notOperations must be specified. Limited to
    #     1 operation. A match occurs when ANY operation (in operations or
    #     notOperations) matches. Within an operation, the match follows AND
    #     semantics across fields and OR semantics within a field, i.e. a match
    #     occurs when ANY path matches AND ANY header matches and ANY method
    #     matches.
    # @!attribute [rw] not_operations
    #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation>]
    #     Optional. Describes the negated properties of the targets of a request.
    #     Matches requests for operations that do not match the criteria
    #     specified in this field. At least one of operations or notOperations
    #     must be specified.
    class To
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # Describes properties of one or more targets of a request.
      # @!attribute [rw] header_set
      #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::HeaderSet]
      #     Optional. A list of headers to match against in http header.
      # @!attribute [rw] hosts
      #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>]
      #     Optional. A list of HTTP Hosts to match against. The match can be one
      #     of exact, prefix, suffix, or contains (substring match). Matches are
      #     always case sensitive unless the ignoreCase is set. Limited to 10
      #     hosts per Authorization Policy.
      # @!attribute [rw] paths
      #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>]
      #     Optional. A list of paths to match against. The match can be one of
      #     exact, prefix, suffix, or contains (substring match). Matches are
      #     always case sensitive unless the ignoreCase is set. Limited to 10
      #     paths per Authorization Policy.
      #     Note that this path match includes the query parameters. For gRPC
      #     services, this should be a fully-qualified name of the form
      #     /package.service/method.
      # @!attribute [rw] methods
      #   @return [::Array<::String>]
      #     Optional. A list of HTTP methods to match against. Each entry must be
      #     a valid HTTP method name (GET, PUT, POST, HEAD, PATCH, DELETE,
      #     OPTIONS). It only allows exact match and is always case sensitive.
      #     Limited to 10 methods per Authorization Policy.
      # @!attribute [rw] mcp
      #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::MCP]
      #     Optional. Defines the MCP protocol attributes to match on. If the MCP
      #     payload in the request body cannot be successfully parsed, the
      #     request will be denied. This field can be set only for AuthzPolicies
      #     targeting AgentGateway resources.
      # @!attribute [rw] snis
      #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>]
      #     Optional. A list of SNIs to match against. The match can be one of
      #     exact, prefix, suffix, or contains (substring match). If there is no
      #     SNI (i.e. plaintext HTTP traffic), the request will be denied.
      #     Matches are always case sensitive unless the ignoreCase is set.
      #     Limited to 10 SNIs per Authorization Policy.
      class RequestOperation
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods

        # Describes a set of HTTP headers to match against.
        # @!attribute [rw] headers
        #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::HeaderMatch>]
        #     Required. A list of headers to match against in http header.
        #     The match can be one of exact, prefix, suffix, or contains
        #     (substring match). The match follows AND semantics which means all
        #     the headers must match. Matches are always case sensitive unless
        #     the ignoreCase is set. Limited to 10 headers per Authorization
        #     Policy.
        class HeaderSet
          include ::Google::Protobuf::MessageExts
          extend ::Google::Protobuf::MessageExts::ClassMethods
        end

        # Describes a set of MCP methods to match against.
        # @!attribute [rw] name
        #   @return [::String]
        #     Required. The MCP method to match against. Allowed values are as
        #     follows:
        #     1. `tools`, `prompts`, `resources` - these will match against all
        #        sub methods under the respective methods.
        #     2. `prompts/list`, `tools/list`, `resources/list`,
        #        `resources/templates/list`
        #     3. `prompts/get`, `tools/call`, `resources/subscribe`,
        #        `resources/unsubscribe`, `resources/read`
        #     Params cannot be specified for categories 1 and 2.
        # @!attribute [rw] params
        #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>]
        #     Optional. A list of MCP method parameters to match against. The
        #     match can be one of exact, prefix, suffix, or contains (substring
        #     match). Matches are always case sensitive unless the ignoreCase is
        #     set. Limited to 10 MCP method parameters per Authorization Policy.
        class MCPMethod
          include ::Google::Protobuf::MessageExts
          extend ::Google::Protobuf::MessageExts::ClassMethods
        end

        # Describes a set of MCP protocol attributes to match against for a
        # given MCP request.
        # @!attribute [rw] base_protocol_methods_option
        #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::BaseProtocolMethodsOption]
        #     Optional. If specified, matches on the MCP protocol’s non-access
        #     specific methods namely:
        #     * initialize
        #     * completion/
        #     * logging/
        #     * notifications/
        #     * ping
        #     Defaults to SKIP_BASE_PROTOCOL_METHODS if not specified.
        # @!attribute [rw] methods
        #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::MCPMethod>]
        #     Optional. A list of MCP methods and associated parameters to match
        #     on. It is recommended to use this field to match on tools, prompts
        #     and resource accesses while setting the baseProtocolMethodsOption
        #     to MATCH_BASE_PROTOCOL_METHODS to match on all the other MCP
        #     protocol methods.
        #     Limited to 10 MCP methods per Authorization Policy.
        class MCP
          include ::Google::Protobuf::MessageExts
          extend ::Google::Protobuf::MessageExts::ClassMethods
        end

        # Describes the option to match against the base MCP protocol methods.
        module BaseProtocolMethodsOption
          # Unspecified option. Defaults to SKIP_BASE_PROTOCOL_METHODS.
          BASE_PROTOCOL_METHODS_OPTION_UNSPECIFIED = 0

          # Skip matching on the base MCP protocol methods.
          SKIP_BASE_PROTOCOL_METHODS = 1

          # Match on the base MCP protocol methods.
          MATCH_BASE_PROTOCOL_METHODS = 2
        end
      end
    end
  end

  # Allows delegating authorization decisions to Cloud IAP or to
  # Service Extensions.
  # @!attribute [rw] cloud_iap
  #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::CustomProvider::CloudIap]
  #     Optional. Delegates authorization decisions to Cloud IAP. Applicable
  #     only for managed load balancers. Enabling Cloud IAP at the AuthzPolicy
  #     level is not compatible with Cloud IAP settings in the BackendService.
  #     Enabling IAP in both places will result in request failure. Ensure that
  #     IAP is enabled in either the AuthzPolicy or the BackendService but not in
  #     both places.
  # @!attribute [rw] authz_extension
  #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::CustomProvider::AuthzExtension]
  #     Optional. Delegate authorization decision to user authored Service
  #     Extension. Only one of cloudIap or authzExtension can be specified.
  class CustomProvider
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # Optional. Delegates authorization decisions to Cloud IAP. Applicable
    # only for managed load balancers. Enabling Cloud IAP at the AuthzPolicy
    # level is not compatible with Cloud IAP settings in the BackendService.
    # Enabling IAP in both places will result in request failure. Ensure that
    # IAP is enabled in either the AuthzPolicy or the BackendService but not in
    # both places.
    class CloudIap
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # Optional. Delegate authorization decision to user authored extension.
    # Only one of cloudIap or authzExtension can be specified.
    # @!attribute [rw] resources
    #   @return [::Array<::String>]
    #     Required. A list of references to authorization
    #     extensions that will be invoked for requests matching this policy.
    #     Limited to 1 custom provider.
    class AuthzExtension
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end
  end

  # @!attribute [rw] key
  #   @return [::String]
  # @!attribute [rw] value
  #   @return [::String]
  class LabelsEntry
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # Load balancing schemes supported by the `AuthzPolicy` resource. The valid
  # values are `INTERNAL_MANAGED` and
  # `EXTERNAL_MANAGED`. For more information, refer to [Backend services
  # overview](https://cloud.google.com/load-balancing/docs/backend-service).
  module LoadBalancingScheme
    # Default value. Do not use.
    LOAD_BALANCING_SCHEME_UNSPECIFIED = 0

    # Signifies that this is used for Regional internal or Cross-region
    # internal Application Load Balancing.
    INTERNAL_MANAGED = 1

    # Signifies that this is used for Global external or Regional external
    # Application Load Balancing.
    EXTERNAL_MANAGED = 2

    # Signifies that this is used for Cloud Service Mesh. Meant for use by
    # CSM GKE controller only.
    INTERNAL_SELF_MANAGED = 3
  end

  # The action to be applied to this policy. Valid values are
  # `ALLOW`, `DENY`, `CUSTOM`.
  module AuthzAction
    # Unspecified action.
    AUTHZ_ACTION_UNSPECIFIED = 0

    # Allow request to pass through to the backend.
    ALLOW = 1

    # Deny the request and return a HTTP 404 to the client.
    DENY = 2

    # Delegate the authorization decision to an external authorization engine.
    CUSTOM = 3
  end

  # The type of authorization being performed.
  # New values may be added in the future.
  module PolicyProfile
    # Unspecified policy profile.
    POLICY_PROFILE_UNSPECIFIED = 0

    # Applies to request authorization. `CUSTOM` authorization
    # policies with Authz extensions will be allowed with `EXT_AUTHZ_GRPC` or
    # `EXT_PROC_GRPC` protocols. Extensions are invoked only for request header
    # events.
    REQUEST_AUTHZ = 1

    # Applies to content security, sanitization, etc. Only
    # `CUSTOM` action is allowed in this policy profile. AuthzExtensions in the
    # custom provider must support `EXT_PROC_GRPC` protocol only and be capable
    # of receiving all `EXT_PROC_GRPC` events (REQUEST_HEADERS, REQUEST_BODY,
    # REQUEST_TRAILERS, RESPONSE_HEADERS, RESPONSE_BODY, RESPONSE_TRAILERS)
    # with `FULL_DUPLEX_STREAMED` body send mode.
    CONTENT_AUTHZ = 2
  end
end

#create_time::Google::Protobuf::Timestamp (readonly)

Returns Output only. The timestamp when the resource was created.

Returns:



101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
# File 'proto_docs/google/cloud/networksecurity/v1/authz_policy.rb', line 101

class AuthzPolicy
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Specifies the set of targets to which this policy should be applied to.
  # @!attribute [rw] load_balancing_scheme
  #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::LoadBalancingScheme]
  #     Optional. All gateways and forwarding rules referenced by this policy and
  #     extensions must share the same load balancing scheme. Required only when
  #     targeting forwarding rules. If targeting Secure Web Proxy, this field
  #     must be `INTERNAL_MANAGED` or not specified. Must not be specified
  #     when targeting Agent Gateway. Supported values:
  #     `INTERNAL_MANAGED` and `EXTERNAL_MANAGED`. For more information, refer
  #     to [Backend services
  #     overview](https://cloud.google.com/load-balancing/docs/backend-service).
  # @!attribute [rw] resources
  #   @return [::Array<::String>]
  #     Required. A list of references to the Forwarding Rules, Secure Web Proxy
  #     Gateways, or Agent Gateways on which this policy will be applied.
  class Target
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # Conditions to match against the incoming request.
  # @!attribute [rw] from
  #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::From]
  #     Optional. Describes properties of a source of a request.
  # @!attribute [rw] to
  #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To]
  #     Optional. Describes properties of a target of a request.
  # @!attribute [rw] when
  #   @return [::String]
  #     Optional. CEL expression that describes the conditions to be satisfied
  #     for the action. The result of the CEL expression is ANDed with the from
  #     and to. Refer to the CEL language reference for a list of available
  #     attributes.
  class AuthzRule
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # Determines how a string value should be matched.
    # @!attribute [rw] exact
    #   @return [::String]
    #     The input string must match exactly the string specified here.
    #
    #     Examples:
    #
    #     * ``abc`` only matches the value ``abc``.
    #
    #     Note: The following fields are mutually exclusive: `exact`, `prefix`, `suffix`, `contains`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] prefix
    #   @return [::String]
    #     The input string must have the prefix specified here.
    #     Note: empty prefix is not allowed, please use regex instead.
    #
    #     Examples:
    #
    #     * ``abc`` matches the value ``abc.xyz``
    #
    #     Note: The following fields are mutually exclusive: `prefix`, `exact`, `suffix`, `contains`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] suffix
    #   @return [::String]
    #     The input string must have the suffix specified here.
    #     Note: empty prefix is not allowed, please use regex instead.
    #
    #     Examples:
    #
    #     * ``abc`` matches the value ``xyz.abc``
    #
    #     Note: The following fields are mutually exclusive: `suffix`, `exact`, `prefix`, `contains`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] contains
    #   @return [::String]
    #     The input string must have the substring specified here.
    #     Note: empty contains match is not allowed, please use regex instead.
    #
    #     Examples:
    #
    #     * ``abc`` matches the value ``xyz.abc.def``
    #
    #     Note: The following fields are mutually exclusive: `contains`, `exact`, `prefix`, `suffix`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] ignore_case
    #   @return [::Boolean]
    #     If true, indicates the exact/prefix/suffix/contains matching should be
    #     case insensitive. For example, the matcher ``data`` will match both
    #     input string ``Data`` and ``data`` if set to true.
    class StringMatch
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # Represents a range of IP Addresses.
    # @!attribute [rw] prefix
    #   @return [::String]
    #     Required. The address prefix.
    # @!attribute [rw] length
    #   @return [::Integer]
    #     Required. The length of the address range.
    class IpBlock
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # Describes the properties of a client VM resource accessing the internal
    # application load balancers.
    # @!attribute [rw] tag_value_id_set
    #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::RequestResource::TagValueIdSet]
    #     Optional. A list of resource tag value permanent IDs to match against
    #     the resource manager tags value associated with the source VM of a
    #     request.
    # @!attribute [rw] iam_service_account
    #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch]
    #     Optional. An IAM service account to match against the source
    #     service account of the VM sending the request.
    class RequestResource
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # Describes a set of resource tag value permanent IDs to match against
      # the resource manager tags value associated with the source VM of a
      # request.
      # @!attribute [rw] ids
      #   @return [::Array<::Integer>]
      #     Required. A list of resource tag value permanent IDs to match against
      #     the resource manager tags value associated with the source VM of a
      #     request. The match follows AND semantics which means all
      #     the ids must match. Limited to 5 ids in the Tag value id set.
      class TagValueIdSet
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end
    end

    # Determines how a HTTP header should be matched.
    # @!attribute [rw] name
    #   @return [::String]
    #     Optional. Specifies the name of the header in the request.
    # @!attribute [rw] value
    #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch]
    #     Optional. Specifies how the header match will be performed.
    class HeaderMatch
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # Describes the properties of a principal to be matched against.
    # @!attribute [rw] principal_selector
    #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::Principal::PrincipalSelector]
    #     Optional. An enum to decide what principal value the principal rule
    #     will match against. If not specified, the PrincipalSelector is
    #     CLIENT_CERT_URI_SAN.
    # @!attribute [rw] principal
    #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch]
    #     Required. A non-empty string whose value is matched against the
    #     principal value based on the principal_selector. Only exact match can
    #     be applied for CLIENT_CERT_URI_SAN, CLIENT_CERT_DNS_NAME_SAN,
    #     CLIENT_CERT_COMMON_NAME selectors.
    class Principal
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # The principal value the principal rule will match against.
      module PrincipalSelector
        # Unspecified principal selector. It will be treated as
        # CLIENT_CERT_URI_SAN by default.
        PRINCIPAL_SELECTOR_UNSPECIFIED = 0

        # The principal rule is matched against a list of URI SANs in the
        # validated client's certificate. A match happens when there is any
        # exact URI SAN value match. This is the default principal selector.
        CLIENT_CERT_URI_SAN = 1

        # The principal rule is matched against a list of DNS Name SANs in the
        # validated client's certificate. A match happens when there is any
        # exact DNS Name SAN value match.
        # This is only applicable for Application Load Balancers
        # except for classic Global External Application load balancer.
        # CLIENT_CERT_DNS_NAME_SAN is not supported for INTERNAL_SELF_MANAGED
        # load balancing scheme.
        CLIENT_CERT_DNS_NAME_SAN = 2

        # The principal rule is matched against the common name in the client's
        # certificate. Authorization against multiple common names in the
        # client certificate is not supported. Requests with multiple common
        # names in the client certificate will be rejected if
        # CLIENT_CERT_COMMON_NAME is set as the principal selector. A match
        # happens when there is an exact common name value match.
        # This is only applicable for Application Load Balancers
        # except for global external Application Load Balancer and
        # classic Application Load Balancer.
        # CLIENT_CERT_COMMON_NAME is not supported for INTERNAL_SELF_MANAGED
        # load balancing scheme.
        CLIENT_CERT_COMMON_NAME = 3
      end
    end

    # Describes properties of one or more sources of a request.
    # @!attribute [rw] sources
    #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::From::RequestSource>]
    #     Optional. Describes the properties of a request's sources. At least one
    #     of sources or notSources must be specified. Limited to 1 source.
    #     A match occurs when ANY source (in sources or notSources) matches the
    #     request. Within a single source, the match follows AND semantics
    #     across fields and OR semantics within a single field, i.e. a match
    #     occurs when ANY principal matches AND ANY ipBlocks match.
    # @!attribute [rw] not_sources
    #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::From::RequestSource>]
    #     Optional. Describes the negated properties of request sources. Matches
    #     requests from sources that do not match the criteria specified in this
    #     field. At least one of sources or notSources must be specified.
    class From
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # Describes the properties of a single source.
      # @!attribute [rw] principals
      #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::Principal>]
      #     Optional. A list of identities derived from the client's certificate.
      #     This field will not match on a request unless frontend mutual TLS is
      #     enabled for the forwarding rule or Gateway and the client certificate
      #     has been successfully validated by mTLS.
      #     Each identity is a string whose value is matched against a list of
      #     URI SANs, DNS Name SANs, or the common name in the client's
      #     certificate. A match happens when any principal matches with the
      #     rule. Limited to 50 principals per Authorization Policy for regional
      #     internal Application Load Balancers, regional external Application
      #     Load Balancers, cross-region internal Application Load Balancers, and
      #     Cloud Service Mesh. This field is not supported for global external
      #     Application Load Balancers.
      # @!attribute [rw] ip_blocks
      #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::IpBlock>]
      #     Optional. A list of IP addresses or IP address ranges to match
      #     against the source IP address of the request. Limited to 10 ip_blocks
      #     per Authorization Policy
      # @!attribute [rw] resources
      #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::RequestResource>]
      #     Optional. A list of resources to match against the resource of the
      #     source VM of a request. Limited to 10 resources per Authorization
      #     Policy.
      class RequestSource
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end
    end

    # Describes properties of one or more targets of a request.
    # @!attribute [rw] operations
    #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation>]
    #     Optional. Describes properties of one or more targets of a request. At
    #     least one of operations or notOperations must be specified. Limited to
    #     1 operation. A match occurs when ANY operation (in operations or
    #     notOperations) matches. Within an operation, the match follows AND
    #     semantics across fields and OR semantics within a field, i.e. a match
    #     occurs when ANY path matches AND ANY header matches and ANY method
    #     matches.
    # @!attribute [rw] not_operations
    #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation>]
    #     Optional. Describes the negated properties of the targets of a request.
    #     Matches requests for operations that do not match the criteria
    #     specified in this field. At least one of operations or notOperations
    #     must be specified.
    class To
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # Describes properties of one or more targets of a request.
      # @!attribute [rw] header_set
      #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::HeaderSet]
      #     Optional. A list of headers to match against in http header.
      # @!attribute [rw] hosts
      #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>]
      #     Optional. A list of HTTP Hosts to match against. The match can be one
      #     of exact, prefix, suffix, or contains (substring match). Matches are
      #     always case sensitive unless the ignoreCase is set. Limited to 10
      #     hosts per Authorization Policy.
      # @!attribute [rw] paths
      #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>]
      #     Optional. A list of paths to match against. The match can be one of
      #     exact, prefix, suffix, or contains (substring match). Matches are
      #     always case sensitive unless the ignoreCase is set. Limited to 10
      #     paths per Authorization Policy.
      #     Note that this path match includes the query parameters. For gRPC
      #     services, this should be a fully-qualified name of the form
      #     /package.service/method.
      # @!attribute [rw] methods
      #   @return [::Array<::String>]
      #     Optional. A list of HTTP methods to match against. Each entry must be
      #     a valid HTTP method name (GET, PUT, POST, HEAD, PATCH, DELETE,
      #     OPTIONS). It only allows exact match and is always case sensitive.
      #     Limited to 10 methods per Authorization Policy.
      # @!attribute [rw] mcp
      #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::MCP]
      #     Optional. Defines the MCP protocol attributes to match on. If the MCP
      #     payload in the request body cannot be successfully parsed, the
      #     request will be denied. This field can be set only for AuthzPolicies
      #     targeting AgentGateway resources.
      # @!attribute [rw] snis
      #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>]
      #     Optional. A list of SNIs to match against. The match can be one of
      #     exact, prefix, suffix, or contains (substring match). If there is no
      #     SNI (i.e. plaintext HTTP traffic), the request will be denied.
      #     Matches are always case sensitive unless the ignoreCase is set.
      #     Limited to 10 SNIs per Authorization Policy.
      class RequestOperation
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods

        # Describes a set of HTTP headers to match against.
        # @!attribute [rw] headers
        #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::HeaderMatch>]
        #     Required. A list of headers to match against in http header.
        #     The match can be one of exact, prefix, suffix, or contains
        #     (substring match). The match follows AND semantics which means all
        #     the headers must match. Matches are always case sensitive unless
        #     the ignoreCase is set. Limited to 10 headers per Authorization
        #     Policy.
        class HeaderSet
          include ::Google::Protobuf::MessageExts
          extend ::Google::Protobuf::MessageExts::ClassMethods
        end

        # Describes a set of MCP methods to match against.
        # @!attribute [rw] name
        #   @return [::String]
        #     Required. The MCP method to match against. Allowed values are as
        #     follows:
        #     1. `tools`, `prompts`, `resources` - these will match against all
        #        sub methods under the respective methods.
        #     2. `prompts/list`, `tools/list`, `resources/list`,
        #        `resources/templates/list`
        #     3. `prompts/get`, `tools/call`, `resources/subscribe`,
        #        `resources/unsubscribe`, `resources/read`
        #     Params cannot be specified for categories 1 and 2.
        # @!attribute [rw] params
        #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>]
        #     Optional. A list of MCP method parameters to match against. The
        #     match can be one of exact, prefix, suffix, or contains (substring
        #     match). Matches are always case sensitive unless the ignoreCase is
        #     set. Limited to 10 MCP method parameters per Authorization Policy.
        class MCPMethod
          include ::Google::Protobuf::MessageExts
          extend ::Google::Protobuf::MessageExts::ClassMethods
        end

        # Describes a set of MCP protocol attributes to match against for a
        # given MCP request.
        # @!attribute [rw] base_protocol_methods_option
        #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::BaseProtocolMethodsOption]
        #     Optional. If specified, matches on the MCP protocol’s non-access
        #     specific methods namely:
        #     * initialize
        #     * completion/
        #     * logging/
        #     * notifications/
        #     * ping
        #     Defaults to SKIP_BASE_PROTOCOL_METHODS if not specified.
        # @!attribute [rw] methods
        #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::MCPMethod>]
        #     Optional. A list of MCP methods and associated parameters to match
        #     on. It is recommended to use this field to match on tools, prompts
        #     and resource accesses while setting the baseProtocolMethodsOption
        #     to MATCH_BASE_PROTOCOL_METHODS to match on all the other MCP
        #     protocol methods.
        #     Limited to 10 MCP methods per Authorization Policy.
        class MCP
          include ::Google::Protobuf::MessageExts
          extend ::Google::Protobuf::MessageExts::ClassMethods
        end

        # Describes the option to match against the base MCP protocol methods.
        module BaseProtocolMethodsOption
          # Unspecified option. Defaults to SKIP_BASE_PROTOCOL_METHODS.
          BASE_PROTOCOL_METHODS_OPTION_UNSPECIFIED = 0

          # Skip matching on the base MCP protocol methods.
          SKIP_BASE_PROTOCOL_METHODS = 1

          # Match on the base MCP protocol methods.
          MATCH_BASE_PROTOCOL_METHODS = 2
        end
      end
    end
  end

  # Allows delegating authorization decisions to Cloud IAP or to
  # Service Extensions.
  # @!attribute [rw] cloud_iap
  #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::CustomProvider::CloudIap]
  #     Optional. Delegates authorization decisions to Cloud IAP. Applicable
  #     only for managed load balancers. Enabling Cloud IAP at the AuthzPolicy
  #     level is not compatible with Cloud IAP settings in the BackendService.
  #     Enabling IAP in both places will result in request failure. Ensure that
  #     IAP is enabled in either the AuthzPolicy or the BackendService but not in
  #     both places.
  # @!attribute [rw] authz_extension
  #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::CustomProvider::AuthzExtension]
  #     Optional. Delegate authorization decision to user authored Service
  #     Extension. Only one of cloudIap or authzExtension can be specified.
  class CustomProvider
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # Optional. Delegates authorization decisions to Cloud IAP. Applicable
    # only for managed load balancers. Enabling Cloud IAP at the AuthzPolicy
    # level is not compatible with Cloud IAP settings in the BackendService.
    # Enabling IAP in both places will result in request failure. Ensure that
    # IAP is enabled in either the AuthzPolicy or the BackendService but not in
    # both places.
    class CloudIap
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # Optional. Delegate authorization decision to user authored extension.
    # Only one of cloudIap or authzExtension can be specified.
    # @!attribute [rw] resources
    #   @return [::Array<::String>]
    #     Required. A list of references to authorization
    #     extensions that will be invoked for requests matching this policy.
    #     Limited to 1 custom provider.
    class AuthzExtension
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end
  end

  # @!attribute [rw] key
  #   @return [::String]
  # @!attribute [rw] value
  #   @return [::String]
  class LabelsEntry
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # Load balancing schemes supported by the `AuthzPolicy` resource. The valid
  # values are `INTERNAL_MANAGED` and
  # `EXTERNAL_MANAGED`. For more information, refer to [Backend services
  # overview](https://cloud.google.com/load-balancing/docs/backend-service).
  module LoadBalancingScheme
    # Default value. Do not use.
    LOAD_BALANCING_SCHEME_UNSPECIFIED = 0

    # Signifies that this is used for Regional internal or Cross-region
    # internal Application Load Balancing.
    INTERNAL_MANAGED = 1

    # Signifies that this is used for Global external or Regional external
    # Application Load Balancing.
    EXTERNAL_MANAGED = 2

    # Signifies that this is used for Cloud Service Mesh. Meant for use by
    # CSM GKE controller only.
    INTERNAL_SELF_MANAGED = 3
  end

  # The action to be applied to this policy. Valid values are
  # `ALLOW`, `DENY`, `CUSTOM`.
  module AuthzAction
    # Unspecified action.
    AUTHZ_ACTION_UNSPECIFIED = 0

    # Allow request to pass through to the backend.
    ALLOW = 1

    # Deny the request and return a HTTP 404 to the client.
    DENY = 2

    # Delegate the authorization decision to an external authorization engine.
    CUSTOM = 3
  end

  # The type of authorization being performed.
  # New values may be added in the future.
  module PolicyProfile
    # Unspecified policy profile.
    POLICY_PROFILE_UNSPECIFIED = 0

    # Applies to request authorization. `CUSTOM` authorization
    # policies with Authz extensions will be allowed with `EXT_AUTHZ_GRPC` or
    # `EXT_PROC_GRPC` protocols. Extensions are invoked only for request header
    # events.
    REQUEST_AUTHZ = 1

    # Applies to content security, sanitization, etc. Only
    # `CUSTOM` action is allowed in this policy profile. AuthzExtensions in the
    # custom provider must support `EXT_PROC_GRPC` protocol only and be capable
    # of receiving all `EXT_PROC_GRPC` events (REQUEST_HEADERS, REQUEST_BODY,
    # REQUEST_TRAILERS, RESPONSE_HEADERS, RESPONSE_BODY, RESPONSE_TRAILERS)
    # with `FULL_DUPLEX_STREAMED` body send mode.
    CONTENT_AUTHZ = 2
  end
end

#custom_provider::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::CustomProvider

Returns Optional. Required if the action is CUSTOM. Allows delegating authorization decisions to Cloud IAP or to Service Extensions. One of cloudIap or authzExtension must be specified.

Returns:



101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
# File 'proto_docs/google/cloud/networksecurity/v1/authz_policy.rb', line 101

class AuthzPolicy
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Specifies the set of targets to which this policy should be applied to.
  # @!attribute [rw] load_balancing_scheme
  #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::LoadBalancingScheme]
  #     Optional. All gateways and forwarding rules referenced by this policy and
  #     extensions must share the same load balancing scheme. Required only when
  #     targeting forwarding rules. If targeting Secure Web Proxy, this field
  #     must be `INTERNAL_MANAGED` or not specified. Must not be specified
  #     when targeting Agent Gateway. Supported values:
  #     `INTERNAL_MANAGED` and `EXTERNAL_MANAGED`. For more information, refer
  #     to [Backend services
  #     overview](https://cloud.google.com/load-balancing/docs/backend-service).
  # @!attribute [rw] resources
  #   @return [::Array<::String>]
  #     Required. A list of references to the Forwarding Rules, Secure Web Proxy
  #     Gateways, or Agent Gateways on which this policy will be applied.
  class Target
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # Conditions to match against the incoming request.
  # @!attribute [rw] from
  #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::From]
  #     Optional. Describes properties of a source of a request.
  # @!attribute [rw] to
  #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To]
  #     Optional. Describes properties of a target of a request.
  # @!attribute [rw] when
  #   @return [::String]
  #     Optional. CEL expression that describes the conditions to be satisfied
  #     for the action. The result of the CEL expression is ANDed with the from
  #     and to. Refer to the CEL language reference for a list of available
  #     attributes.
  class AuthzRule
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # Determines how a string value should be matched.
    # @!attribute [rw] exact
    #   @return [::String]
    #     The input string must match exactly the string specified here.
    #
    #     Examples:
    #
    #     * ``abc`` only matches the value ``abc``.
    #
    #     Note: The following fields are mutually exclusive: `exact`, `prefix`, `suffix`, `contains`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] prefix
    #   @return [::String]
    #     The input string must have the prefix specified here.
    #     Note: empty prefix is not allowed, please use regex instead.
    #
    #     Examples:
    #
    #     * ``abc`` matches the value ``abc.xyz``
    #
    #     Note: The following fields are mutually exclusive: `prefix`, `exact`, `suffix`, `contains`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] suffix
    #   @return [::String]
    #     The input string must have the suffix specified here.
    #     Note: empty prefix is not allowed, please use regex instead.
    #
    #     Examples:
    #
    #     * ``abc`` matches the value ``xyz.abc``
    #
    #     Note: The following fields are mutually exclusive: `suffix`, `exact`, `prefix`, `contains`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] contains
    #   @return [::String]
    #     The input string must have the substring specified here.
    #     Note: empty contains match is not allowed, please use regex instead.
    #
    #     Examples:
    #
    #     * ``abc`` matches the value ``xyz.abc.def``
    #
    #     Note: The following fields are mutually exclusive: `contains`, `exact`, `prefix`, `suffix`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] ignore_case
    #   @return [::Boolean]
    #     If true, indicates the exact/prefix/suffix/contains matching should be
    #     case insensitive. For example, the matcher ``data`` will match both
    #     input string ``Data`` and ``data`` if set to true.
    class StringMatch
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # Represents a range of IP Addresses.
    # @!attribute [rw] prefix
    #   @return [::String]
    #     Required. The address prefix.
    # @!attribute [rw] length
    #   @return [::Integer]
    #     Required. The length of the address range.
    class IpBlock
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # Describes the properties of a client VM resource accessing the internal
    # application load balancers.
    # @!attribute [rw] tag_value_id_set
    #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::RequestResource::TagValueIdSet]
    #     Optional. A list of resource tag value permanent IDs to match against
    #     the resource manager tags value associated with the source VM of a
    #     request.
    # @!attribute [rw] iam_service_account
    #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch]
    #     Optional. An IAM service account to match against the source
    #     service account of the VM sending the request.
    class RequestResource
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # Describes a set of resource tag value permanent IDs to match against
      # the resource manager tags value associated with the source VM of a
      # request.
      # @!attribute [rw] ids
      #   @return [::Array<::Integer>]
      #     Required. A list of resource tag value permanent IDs to match against
      #     the resource manager tags value associated with the source VM of a
      #     request. The match follows AND semantics which means all
      #     the ids must match. Limited to 5 ids in the Tag value id set.
      class TagValueIdSet
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end
    end

    # Determines how a HTTP header should be matched.
    # @!attribute [rw] name
    #   @return [::String]
    #     Optional. Specifies the name of the header in the request.
    # @!attribute [rw] value
    #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch]
    #     Optional. Specifies how the header match will be performed.
    class HeaderMatch
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # Describes the properties of a principal to be matched against.
    # @!attribute [rw] principal_selector
    #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::Principal::PrincipalSelector]
    #     Optional. An enum to decide what principal value the principal rule
    #     will match against. If not specified, the PrincipalSelector is
    #     CLIENT_CERT_URI_SAN.
    # @!attribute [rw] principal
    #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch]
    #     Required. A non-empty string whose value is matched against the
    #     principal value based on the principal_selector. Only exact match can
    #     be applied for CLIENT_CERT_URI_SAN, CLIENT_CERT_DNS_NAME_SAN,
    #     CLIENT_CERT_COMMON_NAME selectors.
    class Principal
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # The principal value the principal rule will match against.
      module PrincipalSelector
        # Unspecified principal selector. It will be treated as
        # CLIENT_CERT_URI_SAN by default.
        PRINCIPAL_SELECTOR_UNSPECIFIED = 0

        # The principal rule is matched against a list of URI SANs in the
        # validated client's certificate. A match happens when there is any
        # exact URI SAN value match. This is the default principal selector.
        CLIENT_CERT_URI_SAN = 1

        # The principal rule is matched against a list of DNS Name SANs in the
        # validated client's certificate. A match happens when there is any
        # exact DNS Name SAN value match.
        # This is only applicable for Application Load Balancers
        # except for classic Global External Application load balancer.
        # CLIENT_CERT_DNS_NAME_SAN is not supported for INTERNAL_SELF_MANAGED
        # load balancing scheme.
        CLIENT_CERT_DNS_NAME_SAN = 2

        # The principal rule is matched against the common name in the client's
        # certificate. Authorization against multiple common names in the
        # client certificate is not supported. Requests with multiple common
        # names in the client certificate will be rejected if
        # CLIENT_CERT_COMMON_NAME is set as the principal selector. A match
        # happens when there is an exact common name value match.
        # This is only applicable for Application Load Balancers
        # except for global external Application Load Balancer and
        # classic Application Load Balancer.
        # CLIENT_CERT_COMMON_NAME is not supported for INTERNAL_SELF_MANAGED
        # load balancing scheme.
        CLIENT_CERT_COMMON_NAME = 3
      end
    end

    # Describes properties of one or more sources of a request.
    # @!attribute [rw] sources
    #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::From::RequestSource>]
    #     Optional. Describes the properties of a request's sources. At least one
    #     of sources or notSources must be specified. Limited to 1 source.
    #     A match occurs when ANY source (in sources or notSources) matches the
    #     request. Within a single source, the match follows AND semantics
    #     across fields and OR semantics within a single field, i.e. a match
    #     occurs when ANY principal matches AND ANY ipBlocks match.
    # @!attribute [rw] not_sources
    #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::From::RequestSource>]
    #     Optional. Describes the negated properties of request sources. Matches
    #     requests from sources that do not match the criteria specified in this
    #     field. At least one of sources or notSources must be specified.
    class From
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # Describes the properties of a single source.
      # @!attribute [rw] principals
      #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::Principal>]
      #     Optional. A list of identities derived from the client's certificate.
      #     This field will not match on a request unless frontend mutual TLS is
      #     enabled for the forwarding rule or Gateway and the client certificate
      #     has been successfully validated by mTLS.
      #     Each identity is a string whose value is matched against a list of
      #     URI SANs, DNS Name SANs, or the common name in the client's
      #     certificate. A match happens when any principal matches with the
      #     rule. Limited to 50 principals per Authorization Policy for regional
      #     internal Application Load Balancers, regional external Application
      #     Load Balancers, cross-region internal Application Load Balancers, and
      #     Cloud Service Mesh. This field is not supported for global external
      #     Application Load Balancers.
      # @!attribute [rw] ip_blocks
      #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::IpBlock>]
      #     Optional. A list of IP addresses or IP address ranges to match
      #     against the source IP address of the request. Limited to 10 ip_blocks
      #     per Authorization Policy
      # @!attribute [rw] resources
      #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::RequestResource>]
      #     Optional. A list of resources to match against the resource of the
      #     source VM of a request. Limited to 10 resources per Authorization
      #     Policy.
      class RequestSource
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end
    end

    # Describes properties of one or more targets of a request.
    # @!attribute [rw] operations
    #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation>]
    #     Optional. Describes properties of one or more targets of a request. At
    #     least one of operations or notOperations must be specified. Limited to
    #     1 operation. A match occurs when ANY operation (in operations or
    #     notOperations) matches. Within an operation, the match follows AND
    #     semantics across fields and OR semantics within a field, i.e. a match
    #     occurs when ANY path matches AND ANY header matches and ANY method
    #     matches.
    # @!attribute [rw] not_operations
    #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation>]
    #     Optional. Describes the negated properties of the targets of a request.
    #     Matches requests for operations that do not match the criteria
    #     specified in this field. At least one of operations or notOperations
    #     must be specified.
    class To
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # Describes properties of one or more targets of a request.
      # @!attribute [rw] header_set
      #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::HeaderSet]
      #     Optional. A list of headers to match against in http header.
      # @!attribute [rw] hosts
      #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>]
      #     Optional. A list of HTTP Hosts to match against. The match can be one
      #     of exact, prefix, suffix, or contains (substring match). Matches are
      #     always case sensitive unless the ignoreCase is set. Limited to 10
      #     hosts per Authorization Policy.
      # @!attribute [rw] paths
      #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>]
      #     Optional. A list of paths to match against. The match can be one of
      #     exact, prefix, suffix, or contains (substring match). Matches are
      #     always case sensitive unless the ignoreCase is set. Limited to 10
      #     paths per Authorization Policy.
      #     Note that this path match includes the query parameters. For gRPC
      #     services, this should be a fully-qualified name of the form
      #     /package.service/method.
      # @!attribute [rw] methods
      #   @return [::Array<::String>]
      #     Optional. A list of HTTP methods to match against. Each entry must be
      #     a valid HTTP method name (GET, PUT, POST, HEAD, PATCH, DELETE,
      #     OPTIONS). It only allows exact match and is always case sensitive.
      #     Limited to 10 methods per Authorization Policy.
      # @!attribute [rw] mcp
      #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::MCP]
      #     Optional. Defines the MCP protocol attributes to match on. If the MCP
      #     payload in the request body cannot be successfully parsed, the
      #     request will be denied. This field can be set only for AuthzPolicies
      #     targeting AgentGateway resources.
      # @!attribute [rw] snis
      #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>]
      #     Optional. A list of SNIs to match against. The match can be one of
      #     exact, prefix, suffix, or contains (substring match). If there is no
      #     SNI (i.e. plaintext HTTP traffic), the request will be denied.
      #     Matches are always case sensitive unless the ignoreCase is set.
      #     Limited to 10 SNIs per Authorization Policy.
      class RequestOperation
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods

        # Describes a set of HTTP headers to match against.
        # @!attribute [rw] headers
        #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::HeaderMatch>]
        #     Required. A list of headers to match against in http header.
        #     The match can be one of exact, prefix, suffix, or contains
        #     (substring match). The match follows AND semantics which means all
        #     the headers must match. Matches are always case sensitive unless
        #     the ignoreCase is set. Limited to 10 headers per Authorization
        #     Policy.
        class HeaderSet
          include ::Google::Protobuf::MessageExts
          extend ::Google::Protobuf::MessageExts::ClassMethods
        end

        # Describes a set of MCP methods to match against.
        # @!attribute [rw] name
        #   @return [::String]
        #     Required. The MCP method to match against. Allowed values are as
        #     follows:
        #     1. `tools`, `prompts`, `resources` - these will match against all
        #        sub methods under the respective methods.
        #     2. `prompts/list`, `tools/list`, `resources/list`,
        #        `resources/templates/list`
        #     3. `prompts/get`, `tools/call`, `resources/subscribe`,
        #        `resources/unsubscribe`, `resources/read`
        #     Params cannot be specified for categories 1 and 2.
        # @!attribute [rw] params
        #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>]
        #     Optional. A list of MCP method parameters to match against. The
        #     match can be one of exact, prefix, suffix, or contains (substring
        #     match). Matches are always case sensitive unless the ignoreCase is
        #     set. Limited to 10 MCP method parameters per Authorization Policy.
        class MCPMethod
          include ::Google::Protobuf::MessageExts
          extend ::Google::Protobuf::MessageExts::ClassMethods
        end

        # Describes a set of MCP protocol attributes to match against for a
        # given MCP request.
        # @!attribute [rw] base_protocol_methods_option
        #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::BaseProtocolMethodsOption]
        #     Optional. If specified, matches on the MCP protocol’s non-access
        #     specific methods namely:
        #     * initialize
        #     * completion/
        #     * logging/
        #     * notifications/
        #     * ping
        #     Defaults to SKIP_BASE_PROTOCOL_METHODS if not specified.
        # @!attribute [rw] methods
        #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::MCPMethod>]
        #     Optional. A list of MCP methods and associated parameters to match
        #     on. It is recommended to use this field to match on tools, prompts
        #     and resource accesses while setting the baseProtocolMethodsOption
        #     to MATCH_BASE_PROTOCOL_METHODS to match on all the other MCP
        #     protocol methods.
        #     Limited to 10 MCP methods per Authorization Policy.
        class MCP
          include ::Google::Protobuf::MessageExts
          extend ::Google::Protobuf::MessageExts::ClassMethods
        end

        # Describes the option to match against the base MCP protocol methods.
        module BaseProtocolMethodsOption
          # Unspecified option. Defaults to SKIP_BASE_PROTOCOL_METHODS.
          BASE_PROTOCOL_METHODS_OPTION_UNSPECIFIED = 0

          # Skip matching on the base MCP protocol methods.
          SKIP_BASE_PROTOCOL_METHODS = 1

          # Match on the base MCP protocol methods.
          MATCH_BASE_PROTOCOL_METHODS = 2
        end
      end
    end
  end

  # Allows delegating authorization decisions to Cloud IAP or to
  # Service Extensions.
  # @!attribute [rw] cloud_iap
  #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::CustomProvider::CloudIap]
  #     Optional. Delegates authorization decisions to Cloud IAP. Applicable
  #     only for managed load balancers. Enabling Cloud IAP at the AuthzPolicy
  #     level is not compatible with Cloud IAP settings in the BackendService.
  #     Enabling IAP in both places will result in request failure. Ensure that
  #     IAP is enabled in either the AuthzPolicy or the BackendService but not in
  #     both places.
  # @!attribute [rw] authz_extension
  #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::CustomProvider::AuthzExtension]
  #     Optional. Delegate authorization decision to user authored Service
  #     Extension. Only one of cloudIap or authzExtension can be specified.
  class CustomProvider
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # Optional. Delegates authorization decisions to Cloud IAP. Applicable
    # only for managed load balancers. Enabling Cloud IAP at the AuthzPolicy
    # level is not compatible with Cloud IAP settings in the BackendService.
    # Enabling IAP in both places will result in request failure. Ensure that
    # IAP is enabled in either the AuthzPolicy or the BackendService but not in
    # both places.
    class CloudIap
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # Optional. Delegate authorization decision to user authored extension.
    # Only one of cloudIap or authzExtension can be specified.
    # @!attribute [rw] resources
    #   @return [::Array<::String>]
    #     Required. A list of references to authorization
    #     extensions that will be invoked for requests matching this policy.
    #     Limited to 1 custom provider.
    class AuthzExtension
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end
  end

  # @!attribute [rw] key
  #   @return [::String]
  # @!attribute [rw] value
  #   @return [::String]
  class LabelsEntry
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # Load balancing schemes supported by the `AuthzPolicy` resource. The valid
  # values are `INTERNAL_MANAGED` and
  # `EXTERNAL_MANAGED`. For more information, refer to [Backend services
  # overview](https://cloud.google.com/load-balancing/docs/backend-service).
  module LoadBalancingScheme
    # Default value. Do not use.
    LOAD_BALANCING_SCHEME_UNSPECIFIED = 0

    # Signifies that this is used for Regional internal or Cross-region
    # internal Application Load Balancing.
    INTERNAL_MANAGED = 1

    # Signifies that this is used for Global external or Regional external
    # Application Load Balancing.
    EXTERNAL_MANAGED = 2

    # Signifies that this is used for Cloud Service Mesh. Meant for use by
    # CSM GKE controller only.
    INTERNAL_SELF_MANAGED = 3
  end

  # The action to be applied to this policy. Valid values are
  # `ALLOW`, `DENY`, `CUSTOM`.
  module AuthzAction
    # Unspecified action.
    AUTHZ_ACTION_UNSPECIFIED = 0

    # Allow request to pass through to the backend.
    ALLOW = 1

    # Deny the request and return a HTTP 404 to the client.
    DENY = 2

    # Delegate the authorization decision to an external authorization engine.
    CUSTOM = 3
  end

  # The type of authorization being performed.
  # New values may be added in the future.
  module PolicyProfile
    # Unspecified policy profile.
    POLICY_PROFILE_UNSPECIFIED = 0

    # Applies to request authorization. `CUSTOM` authorization
    # policies with Authz extensions will be allowed with `EXT_AUTHZ_GRPC` or
    # `EXT_PROC_GRPC` protocols. Extensions are invoked only for request header
    # events.
    REQUEST_AUTHZ = 1

    # Applies to content security, sanitization, etc. Only
    # `CUSTOM` action is allowed in this policy profile. AuthzExtensions in the
    # custom provider must support `EXT_PROC_GRPC` protocol only and be capable
    # of receiving all `EXT_PROC_GRPC` events (REQUEST_HEADERS, REQUEST_BODY,
    # REQUEST_TRAILERS, RESPONSE_HEADERS, RESPONSE_BODY, RESPONSE_TRAILERS)
    # with `FULL_DUPLEX_STREAMED` body send mode.
    CONTENT_AUTHZ = 2
  end
end

#description::String

Returns Optional. A human-readable description of the resource.

Returns:

  • (::String)

    Optional. A human-readable description of the resource.



101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
# File 'proto_docs/google/cloud/networksecurity/v1/authz_policy.rb', line 101

class AuthzPolicy
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Specifies the set of targets to which this policy should be applied to.
  # @!attribute [rw] load_balancing_scheme
  #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::LoadBalancingScheme]
  #     Optional. All gateways and forwarding rules referenced by this policy and
  #     extensions must share the same load balancing scheme. Required only when
  #     targeting forwarding rules. If targeting Secure Web Proxy, this field
  #     must be `INTERNAL_MANAGED` or not specified. Must not be specified
  #     when targeting Agent Gateway. Supported values:
  #     `INTERNAL_MANAGED` and `EXTERNAL_MANAGED`. For more information, refer
  #     to [Backend services
  #     overview](https://cloud.google.com/load-balancing/docs/backend-service).
  # @!attribute [rw] resources
  #   @return [::Array<::String>]
  #     Required. A list of references to the Forwarding Rules, Secure Web Proxy
  #     Gateways, or Agent Gateways on which this policy will be applied.
  class Target
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # Conditions to match against the incoming request.
  # @!attribute [rw] from
  #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::From]
  #     Optional. Describes properties of a source of a request.
  # @!attribute [rw] to
  #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To]
  #     Optional. Describes properties of a target of a request.
  # @!attribute [rw] when
  #   @return [::String]
  #     Optional. CEL expression that describes the conditions to be satisfied
  #     for the action. The result of the CEL expression is ANDed with the from
  #     and to. Refer to the CEL language reference for a list of available
  #     attributes.
  class AuthzRule
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # Determines how a string value should be matched.
    # @!attribute [rw] exact
    #   @return [::String]
    #     The input string must match exactly the string specified here.
    #
    #     Examples:
    #
    #     * ``abc`` only matches the value ``abc``.
    #
    #     Note: The following fields are mutually exclusive: `exact`, `prefix`, `suffix`, `contains`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] prefix
    #   @return [::String]
    #     The input string must have the prefix specified here.
    #     Note: empty prefix is not allowed, please use regex instead.
    #
    #     Examples:
    #
    #     * ``abc`` matches the value ``abc.xyz``
    #
    #     Note: The following fields are mutually exclusive: `prefix`, `exact`, `suffix`, `contains`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] suffix
    #   @return [::String]
    #     The input string must have the suffix specified here.
    #     Note: empty prefix is not allowed, please use regex instead.
    #
    #     Examples:
    #
    #     * ``abc`` matches the value ``xyz.abc``
    #
    #     Note: The following fields are mutually exclusive: `suffix`, `exact`, `prefix`, `contains`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] contains
    #   @return [::String]
    #     The input string must have the substring specified here.
    #     Note: empty contains match is not allowed, please use regex instead.
    #
    #     Examples:
    #
    #     * ``abc`` matches the value ``xyz.abc.def``
    #
    #     Note: The following fields are mutually exclusive: `contains`, `exact`, `prefix`, `suffix`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] ignore_case
    #   @return [::Boolean]
    #     If true, indicates the exact/prefix/suffix/contains matching should be
    #     case insensitive. For example, the matcher ``data`` will match both
    #     input string ``Data`` and ``data`` if set to true.
    class StringMatch
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # Represents a range of IP Addresses.
    # @!attribute [rw] prefix
    #   @return [::String]
    #     Required. The address prefix.
    # @!attribute [rw] length
    #   @return [::Integer]
    #     Required. The length of the address range.
    class IpBlock
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # Describes the properties of a client VM resource accessing the internal
    # application load balancers.
    # @!attribute [rw] tag_value_id_set
    #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::RequestResource::TagValueIdSet]
    #     Optional. A list of resource tag value permanent IDs to match against
    #     the resource manager tags value associated with the source VM of a
    #     request.
    # @!attribute [rw] iam_service_account
    #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch]
    #     Optional. An IAM service account to match against the source
    #     service account of the VM sending the request.
    class RequestResource
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # Describes a set of resource tag value permanent IDs to match against
      # the resource manager tags value associated with the source VM of a
      # request.
      # @!attribute [rw] ids
      #   @return [::Array<::Integer>]
      #     Required. A list of resource tag value permanent IDs to match against
      #     the resource manager tags value associated with the source VM of a
      #     request. The match follows AND semantics which means all
      #     the ids must match. Limited to 5 ids in the Tag value id set.
      class TagValueIdSet
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end
    end

    # Determines how a HTTP header should be matched.
    # @!attribute [rw] name
    #   @return [::String]
    #     Optional. Specifies the name of the header in the request.
    # @!attribute [rw] value
    #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch]
    #     Optional. Specifies how the header match will be performed.
    class HeaderMatch
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # Describes the properties of a principal to be matched against.
    # @!attribute [rw] principal_selector
    #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::Principal::PrincipalSelector]
    #     Optional. An enum to decide what principal value the principal rule
    #     will match against. If not specified, the PrincipalSelector is
    #     CLIENT_CERT_URI_SAN.
    # @!attribute [rw] principal
    #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch]
    #     Required. A non-empty string whose value is matched against the
    #     principal value based on the principal_selector. Only exact match can
    #     be applied for CLIENT_CERT_URI_SAN, CLIENT_CERT_DNS_NAME_SAN,
    #     CLIENT_CERT_COMMON_NAME selectors.
    class Principal
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # The principal value the principal rule will match against.
      module PrincipalSelector
        # Unspecified principal selector. It will be treated as
        # CLIENT_CERT_URI_SAN by default.
        PRINCIPAL_SELECTOR_UNSPECIFIED = 0

        # The principal rule is matched against a list of URI SANs in the
        # validated client's certificate. A match happens when there is any
        # exact URI SAN value match. This is the default principal selector.
        CLIENT_CERT_URI_SAN = 1

        # The principal rule is matched against a list of DNS Name SANs in the
        # validated client's certificate. A match happens when there is any
        # exact DNS Name SAN value match.
        # This is only applicable for Application Load Balancers
        # except for classic Global External Application load balancer.
        # CLIENT_CERT_DNS_NAME_SAN is not supported for INTERNAL_SELF_MANAGED
        # load balancing scheme.
        CLIENT_CERT_DNS_NAME_SAN = 2

        # The principal rule is matched against the common name in the client's
        # certificate. Authorization against multiple common names in the
        # client certificate is not supported. Requests with multiple common
        # names in the client certificate will be rejected if
        # CLIENT_CERT_COMMON_NAME is set as the principal selector. A match
        # happens when there is an exact common name value match.
        # This is only applicable for Application Load Balancers
        # except for global external Application Load Balancer and
        # classic Application Load Balancer.
        # CLIENT_CERT_COMMON_NAME is not supported for INTERNAL_SELF_MANAGED
        # load balancing scheme.
        CLIENT_CERT_COMMON_NAME = 3
      end
    end

    # Describes properties of one or more sources of a request.
    # @!attribute [rw] sources
    #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::From::RequestSource>]
    #     Optional. Describes the properties of a request's sources. At least one
    #     of sources or notSources must be specified. Limited to 1 source.
    #     A match occurs when ANY source (in sources or notSources) matches the
    #     request. Within a single source, the match follows AND semantics
    #     across fields and OR semantics within a single field, i.e. a match
    #     occurs when ANY principal matches AND ANY ipBlocks match.
    # @!attribute [rw] not_sources
    #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::From::RequestSource>]
    #     Optional. Describes the negated properties of request sources. Matches
    #     requests from sources that do not match the criteria specified in this
    #     field. At least one of sources or notSources must be specified.
    class From
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # Describes the properties of a single source.
      # @!attribute [rw] principals
      #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::Principal>]
      #     Optional. A list of identities derived from the client's certificate.
      #     This field will not match on a request unless frontend mutual TLS is
      #     enabled for the forwarding rule or Gateway and the client certificate
      #     has been successfully validated by mTLS.
      #     Each identity is a string whose value is matched against a list of
      #     URI SANs, DNS Name SANs, or the common name in the client's
      #     certificate. A match happens when any principal matches with the
      #     rule. Limited to 50 principals per Authorization Policy for regional
      #     internal Application Load Balancers, regional external Application
      #     Load Balancers, cross-region internal Application Load Balancers, and
      #     Cloud Service Mesh. This field is not supported for global external
      #     Application Load Balancers.
      # @!attribute [rw] ip_blocks
      #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::IpBlock>]
      #     Optional. A list of IP addresses or IP address ranges to match
      #     against the source IP address of the request. Limited to 10 ip_blocks
      #     per Authorization Policy
      # @!attribute [rw] resources
      #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::RequestResource>]
      #     Optional. A list of resources to match against the resource of the
      #     source VM of a request. Limited to 10 resources per Authorization
      #     Policy.
      class RequestSource
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end
    end

    # Describes properties of one or more targets of a request.
    # @!attribute [rw] operations
    #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation>]
    #     Optional. Describes properties of one or more targets of a request. At
    #     least one of operations or notOperations must be specified. Limited to
    #     1 operation. A match occurs when ANY operation (in operations or
    #     notOperations) matches. Within an operation, the match follows AND
    #     semantics across fields and OR semantics within a field, i.e. a match
    #     occurs when ANY path matches AND ANY header matches and ANY method
    #     matches.
    # @!attribute [rw] not_operations
    #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation>]
    #     Optional. Describes the negated properties of the targets of a request.
    #     Matches requests for operations that do not match the criteria
    #     specified in this field. At least one of operations or notOperations
    #     must be specified.
    class To
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # Describes properties of one or more targets of a request.
      # @!attribute [rw] header_set
      #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::HeaderSet]
      #     Optional. A list of headers to match against in http header.
      # @!attribute [rw] hosts
      #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>]
      #     Optional. A list of HTTP Hosts to match against. The match can be one
      #     of exact, prefix, suffix, or contains (substring match). Matches are
      #     always case sensitive unless the ignoreCase is set. Limited to 10
      #     hosts per Authorization Policy.
      # @!attribute [rw] paths
      #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>]
      #     Optional. A list of paths to match against. The match can be one of
      #     exact, prefix, suffix, or contains (substring match). Matches are
      #     always case sensitive unless the ignoreCase is set. Limited to 10
      #     paths per Authorization Policy.
      #     Note that this path match includes the query parameters. For gRPC
      #     services, this should be a fully-qualified name of the form
      #     /package.service/method.
      # @!attribute [rw] methods
      #   @return [::Array<::String>]
      #     Optional. A list of HTTP methods to match against. Each entry must be
      #     a valid HTTP method name (GET, PUT, POST, HEAD, PATCH, DELETE,
      #     OPTIONS). It only allows exact match and is always case sensitive.
      #     Limited to 10 methods per Authorization Policy.
      # @!attribute [rw] mcp
      #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::MCP]
      #     Optional. Defines the MCP protocol attributes to match on. If the MCP
      #     payload in the request body cannot be successfully parsed, the
      #     request will be denied. This field can be set only for AuthzPolicies
      #     targeting AgentGateway resources.
      # @!attribute [rw] snis
      #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>]
      #     Optional. A list of SNIs to match against. The match can be one of
      #     exact, prefix, suffix, or contains (substring match). If there is no
      #     SNI (i.e. plaintext HTTP traffic), the request will be denied.
      #     Matches are always case sensitive unless the ignoreCase is set.
      #     Limited to 10 SNIs per Authorization Policy.
      class RequestOperation
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods

        # Describes a set of HTTP headers to match against.
        # @!attribute [rw] headers
        #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::HeaderMatch>]
        #     Required. A list of headers to match against in http header.
        #     The match can be one of exact, prefix, suffix, or contains
        #     (substring match). The match follows AND semantics which means all
        #     the headers must match. Matches are always case sensitive unless
        #     the ignoreCase is set. Limited to 10 headers per Authorization
        #     Policy.
        class HeaderSet
          include ::Google::Protobuf::MessageExts
          extend ::Google::Protobuf::MessageExts::ClassMethods
        end

        # Describes a set of MCP methods to match against.
        # @!attribute [rw] name
        #   @return [::String]
        #     Required. The MCP method to match against. Allowed values are as
        #     follows:
        #     1. `tools`, `prompts`, `resources` - these will match against all
        #        sub methods under the respective methods.
        #     2. `prompts/list`, `tools/list`, `resources/list`,
        #        `resources/templates/list`
        #     3. `prompts/get`, `tools/call`, `resources/subscribe`,
        #        `resources/unsubscribe`, `resources/read`
        #     Params cannot be specified for categories 1 and 2.
        # @!attribute [rw] params
        #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>]
        #     Optional. A list of MCP method parameters to match against. The
        #     match can be one of exact, prefix, suffix, or contains (substring
        #     match). Matches are always case sensitive unless the ignoreCase is
        #     set. Limited to 10 MCP method parameters per Authorization Policy.
        class MCPMethod
          include ::Google::Protobuf::MessageExts
          extend ::Google::Protobuf::MessageExts::ClassMethods
        end

        # Describes a set of MCP protocol attributes to match against for a
        # given MCP request.
        # @!attribute [rw] base_protocol_methods_option
        #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::BaseProtocolMethodsOption]
        #     Optional. If specified, matches on the MCP protocol’s non-access
        #     specific methods namely:
        #     * initialize
        #     * completion/
        #     * logging/
        #     * notifications/
        #     * ping
        #     Defaults to SKIP_BASE_PROTOCOL_METHODS if not specified.
        # @!attribute [rw] methods
        #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::MCPMethod>]
        #     Optional. A list of MCP methods and associated parameters to match
        #     on. It is recommended to use this field to match on tools, prompts
        #     and resource accesses while setting the baseProtocolMethodsOption
        #     to MATCH_BASE_PROTOCOL_METHODS to match on all the other MCP
        #     protocol methods.
        #     Limited to 10 MCP methods per Authorization Policy.
        class MCP
          include ::Google::Protobuf::MessageExts
          extend ::Google::Protobuf::MessageExts::ClassMethods
        end

        # Describes the option to match against the base MCP protocol methods.
        module BaseProtocolMethodsOption
          # Unspecified option. Defaults to SKIP_BASE_PROTOCOL_METHODS.
          BASE_PROTOCOL_METHODS_OPTION_UNSPECIFIED = 0

          # Skip matching on the base MCP protocol methods.
          SKIP_BASE_PROTOCOL_METHODS = 1

          # Match on the base MCP protocol methods.
          MATCH_BASE_PROTOCOL_METHODS = 2
        end
      end
    end
  end

  # Allows delegating authorization decisions to Cloud IAP or to
  # Service Extensions.
  # @!attribute [rw] cloud_iap
  #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::CustomProvider::CloudIap]
  #     Optional. Delegates authorization decisions to Cloud IAP. Applicable
  #     only for managed load balancers. Enabling Cloud IAP at the AuthzPolicy
  #     level is not compatible with Cloud IAP settings in the BackendService.
  #     Enabling IAP in both places will result in request failure. Ensure that
  #     IAP is enabled in either the AuthzPolicy or the BackendService but not in
  #     both places.
  # @!attribute [rw] authz_extension
  #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::CustomProvider::AuthzExtension]
  #     Optional. Delegate authorization decision to user authored Service
  #     Extension. Only one of cloudIap or authzExtension can be specified.
  class CustomProvider
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # Optional. Delegates authorization decisions to Cloud IAP. Applicable
    # only for managed load balancers. Enabling Cloud IAP at the AuthzPolicy
    # level is not compatible with Cloud IAP settings in the BackendService.
    # Enabling IAP in both places will result in request failure. Ensure that
    # IAP is enabled in either the AuthzPolicy or the BackendService but not in
    # both places.
    class CloudIap
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # Optional. Delegate authorization decision to user authored extension.
    # Only one of cloudIap or authzExtension can be specified.
    # @!attribute [rw] resources
    #   @return [::Array<::String>]
    #     Required. A list of references to authorization
    #     extensions that will be invoked for requests matching this policy.
    #     Limited to 1 custom provider.
    class AuthzExtension
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end
  end

  # @!attribute [rw] key
  #   @return [::String]
  # @!attribute [rw] value
  #   @return [::String]
  class LabelsEntry
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # Load balancing schemes supported by the `AuthzPolicy` resource. The valid
  # values are `INTERNAL_MANAGED` and
  # `EXTERNAL_MANAGED`. For more information, refer to [Backend services
  # overview](https://cloud.google.com/load-balancing/docs/backend-service).
  module LoadBalancingScheme
    # Default value. Do not use.
    LOAD_BALANCING_SCHEME_UNSPECIFIED = 0

    # Signifies that this is used for Regional internal or Cross-region
    # internal Application Load Balancing.
    INTERNAL_MANAGED = 1

    # Signifies that this is used for Global external or Regional external
    # Application Load Balancing.
    EXTERNAL_MANAGED = 2

    # Signifies that this is used for Cloud Service Mesh. Meant for use by
    # CSM GKE controller only.
    INTERNAL_SELF_MANAGED = 3
  end

  # The action to be applied to this policy. Valid values are
  # `ALLOW`, `DENY`, `CUSTOM`.
  module AuthzAction
    # Unspecified action.
    AUTHZ_ACTION_UNSPECIFIED = 0

    # Allow request to pass through to the backend.
    ALLOW = 1

    # Deny the request and return a HTTP 404 to the client.
    DENY = 2

    # Delegate the authorization decision to an external authorization engine.
    CUSTOM = 3
  end

  # The type of authorization being performed.
  # New values may be added in the future.
  module PolicyProfile
    # Unspecified policy profile.
    POLICY_PROFILE_UNSPECIFIED = 0

    # Applies to request authorization. `CUSTOM` authorization
    # policies with Authz extensions will be allowed with `EXT_AUTHZ_GRPC` or
    # `EXT_PROC_GRPC` protocols. Extensions are invoked only for request header
    # events.
    REQUEST_AUTHZ = 1

    # Applies to content security, sanitization, etc. Only
    # `CUSTOM` action is allowed in this policy profile. AuthzExtensions in the
    # custom provider must support `EXT_PROC_GRPC` protocol only and be capable
    # of receiving all `EXT_PROC_GRPC` events (REQUEST_HEADERS, REQUEST_BODY,
    # REQUEST_TRAILERS, RESPONSE_HEADERS, RESPONSE_BODY, RESPONSE_TRAILERS)
    # with `FULL_DUPLEX_STREAMED` body send mode.
    CONTENT_AUTHZ = 2
  end
end

#http_rules::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule>

Returns Optional. A list of authorization HTTP rules to match against the incoming request. A policy match occurs when at least one HTTP rule matches the request or when no HTTP rules are specified in the policy. At least one HTTP Rule is required for Allow or Deny Action. Limited to 5 rules.

Returns:

  • (::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule>)

    Optional. A list of authorization HTTP rules to match against the incoming request. A policy match occurs when at least one HTTP rule matches the request or when no HTTP rules are specified in the policy. At least one HTTP Rule is required for Allow or Deny Action. Limited to 5 rules.



101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
# File 'proto_docs/google/cloud/networksecurity/v1/authz_policy.rb', line 101

class AuthzPolicy
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Specifies the set of targets to which this policy should be applied to.
  # @!attribute [rw] load_balancing_scheme
  #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::LoadBalancingScheme]
  #     Optional. All gateways and forwarding rules referenced by this policy and
  #     extensions must share the same load balancing scheme. Required only when
  #     targeting forwarding rules. If targeting Secure Web Proxy, this field
  #     must be `INTERNAL_MANAGED` or not specified. Must not be specified
  #     when targeting Agent Gateway. Supported values:
  #     `INTERNAL_MANAGED` and `EXTERNAL_MANAGED`. For more information, refer
  #     to [Backend services
  #     overview](https://cloud.google.com/load-balancing/docs/backend-service).
  # @!attribute [rw] resources
  #   @return [::Array<::String>]
  #     Required. A list of references to the Forwarding Rules, Secure Web Proxy
  #     Gateways, or Agent Gateways on which this policy will be applied.
  class Target
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # Conditions to match against the incoming request.
  # @!attribute [rw] from
  #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::From]
  #     Optional. Describes properties of a source of a request.
  # @!attribute [rw] to
  #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To]
  #     Optional. Describes properties of a target of a request.
  # @!attribute [rw] when
  #   @return [::String]
  #     Optional. CEL expression that describes the conditions to be satisfied
  #     for the action. The result of the CEL expression is ANDed with the from
  #     and to. Refer to the CEL language reference for a list of available
  #     attributes.
  class AuthzRule
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # Determines how a string value should be matched.
    # @!attribute [rw] exact
    #   @return [::String]
    #     The input string must match exactly the string specified here.
    #
    #     Examples:
    #
    #     * ``abc`` only matches the value ``abc``.
    #
    #     Note: The following fields are mutually exclusive: `exact`, `prefix`, `suffix`, `contains`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] prefix
    #   @return [::String]
    #     The input string must have the prefix specified here.
    #     Note: empty prefix is not allowed, please use regex instead.
    #
    #     Examples:
    #
    #     * ``abc`` matches the value ``abc.xyz``
    #
    #     Note: The following fields are mutually exclusive: `prefix`, `exact`, `suffix`, `contains`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] suffix
    #   @return [::String]
    #     The input string must have the suffix specified here.
    #     Note: empty prefix is not allowed, please use regex instead.
    #
    #     Examples:
    #
    #     * ``abc`` matches the value ``xyz.abc``
    #
    #     Note: The following fields are mutually exclusive: `suffix`, `exact`, `prefix`, `contains`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] contains
    #   @return [::String]
    #     The input string must have the substring specified here.
    #     Note: empty contains match is not allowed, please use regex instead.
    #
    #     Examples:
    #
    #     * ``abc`` matches the value ``xyz.abc.def``
    #
    #     Note: The following fields are mutually exclusive: `contains`, `exact`, `prefix`, `suffix`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] ignore_case
    #   @return [::Boolean]
    #     If true, indicates the exact/prefix/suffix/contains matching should be
    #     case insensitive. For example, the matcher ``data`` will match both
    #     input string ``Data`` and ``data`` if set to true.
    class StringMatch
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # Represents a range of IP Addresses.
    # @!attribute [rw] prefix
    #   @return [::String]
    #     Required. The address prefix.
    # @!attribute [rw] length
    #   @return [::Integer]
    #     Required. The length of the address range.
    class IpBlock
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # Describes the properties of a client VM resource accessing the internal
    # application load balancers.
    # @!attribute [rw] tag_value_id_set
    #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::RequestResource::TagValueIdSet]
    #     Optional. A list of resource tag value permanent IDs to match against
    #     the resource manager tags value associated with the source VM of a
    #     request.
    # @!attribute [rw] iam_service_account
    #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch]
    #     Optional. An IAM service account to match against the source
    #     service account of the VM sending the request.
    class RequestResource
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # Describes a set of resource tag value permanent IDs to match against
      # the resource manager tags value associated with the source VM of a
      # request.
      # @!attribute [rw] ids
      #   @return [::Array<::Integer>]
      #     Required. A list of resource tag value permanent IDs to match against
      #     the resource manager tags value associated with the source VM of a
      #     request. The match follows AND semantics which means all
      #     the ids must match. Limited to 5 ids in the Tag value id set.
      class TagValueIdSet
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end
    end

    # Determines how a HTTP header should be matched.
    # @!attribute [rw] name
    #   @return [::String]
    #     Optional. Specifies the name of the header in the request.
    # @!attribute [rw] value
    #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch]
    #     Optional. Specifies how the header match will be performed.
    class HeaderMatch
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # Describes the properties of a principal to be matched against.
    # @!attribute [rw] principal_selector
    #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::Principal::PrincipalSelector]
    #     Optional. An enum to decide what principal value the principal rule
    #     will match against. If not specified, the PrincipalSelector is
    #     CLIENT_CERT_URI_SAN.
    # @!attribute [rw] principal
    #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch]
    #     Required. A non-empty string whose value is matched against the
    #     principal value based on the principal_selector. Only exact match can
    #     be applied for CLIENT_CERT_URI_SAN, CLIENT_CERT_DNS_NAME_SAN,
    #     CLIENT_CERT_COMMON_NAME selectors.
    class Principal
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # The principal value the principal rule will match against.
      module PrincipalSelector
        # Unspecified principal selector. It will be treated as
        # CLIENT_CERT_URI_SAN by default.
        PRINCIPAL_SELECTOR_UNSPECIFIED = 0

        # The principal rule is matched against a list of URI SANs in the
        # validated client's certificate. A match happens when there is any
        # exact URI SAN value match. This is the default principal selector.
        CLIENT_CERT_URI_SAN = 1

        # The principal rule is matched against a list of DNS Name SANs in the
        # validated client's certificate. A match happens when there is any
        # exact DNS Name SAN value match.
        # This is only applicable for Application Load Balancers
        # except for classic Global External Application load balancer.
        # CLIENT_CERT_DNS_NAME_SAN is not supported for INTERNAL_SELF_MANAGED
        # load balancing scheme.
        CLIENT_CERT_DNS_NAME_SAN = 2

        # The principal rule is matched against the common name in the client's
        # certificate. Authorization against multiple common names in the
        # client certificate is not supported. Requests with multiple common
        # names in the client certificate will be rejected if
        # CLIENT_CERT_COMMON_NAME is set as the principal selector. A match
        # happens when there is an exact common name value match.
        # This is only applicable for Application Load Balancers
        # except for global external Application Load Balancer and
        # classic Application Load Balancer.
        # CLIENT_CERT_COMMON_NAME is not supported for INTERNAL_SELF_MANAGED
        # load balancing scheme.
        CLIENT_CERT_COMMON_NAME = 3
      end
    end

    # Describes properties of one or more sources of a request.
    # @!attribute [rw] sources
    #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::From::RequestSource>]
    #     Optional. Describes the properties of a request's sources. At least one
    #     of sources or notSources must be specified. Limited to 1 source.
    #     A match occurs when ANY source (in sources or notSources) matches the
    #     request. Within a single source, the match follows AND semantics
    #     across fields and OR semantics within a single field, i.e. a match
    #     occurs when ANY principal matches AND ANY ipBlocks match.
    # @!attribute [rw] not_sources
    #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::From::RequestSource>]
    #     Optional. Describes the negated properties of request sources. Matches
    #     requests from sources that do not match the criteria specified in this
    #     field. At least one of sources or notSources must be specified.
    class From
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # Describes the properties of a single source.
      # @!attribute [rw] principals
      #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::Principal>]
      #     Optional. A list of identities derived from the client's certificate.
      #     This field will not match on a request unless frontend mutual TLS is
      #     enabled for the forwarding rule or Gateway and the client certificate
      #     has been successfully validated by mTLS.
      #     Each identity is a string whose value is matched against a list of
      #     URI SANs, DNS Name SANs, or the common name in the client's
      #     certificate. A match happens when any principal matches with the
      #     rule. Limited to 50 principals per Authorization Policy for regional
      #     internal Application Load Balancers, regional external Application
      #     Load Balancers, cross-region internal Application Load Balancers, and
      #     Cloud Service Mesh. This field is not supported for global external
      #     Application Load Balancers.
      # @!attribute [rw] ip_blocks
      #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::IpBlock>]
      #     Optional. A list of IP addresses or IP address ranges to match
      #     against the source IP address of the request. Limited to 10 ip_blocks
      #     per Authorization Policy
      # @!attribute [rw] resources
      #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::RequestResource>]
      #     Optional. A list of resources to match against the resource of the
      #     source VM of a request. Limited to 10 resources per Authorization
      #     Policy.
      class RequestSource
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end
    end

    # Describes properties of one or more targets of a request.
    # @!attribute [rw] operations
    #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation>]
    #     Optional. Describes properties of one or more targets of a request. At
    #     least one of operations or notOperations must be specified. Limited to
    #     1 operation. A match occurs when ANY operation (in operations or
    #     notOperations) matches. Within an operation, the match follows AND
    #     semantics across fields and OR semantics within a field, i.e. a match
    #     occurs when ANY path matches AND ANY header matches and ANY method
    #     matches.
    # @!attribute [rw] not_operations
    #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation>]
    #     Optional. Describes the negated properties of the targets of a request.
    #     Matches requests for operations that do not match the criteria
    #     specified in this field. At least one of operations or notOperations
    #     must be specified.
    class To
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # Describes properties of one or more targets of a request.
      # @!attribute [rw] header_set
      #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::HeaderSet]
      #     Optional. A list of headers to match against in http header.
      # @!attribute [rw] hosts
      #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>]
      #     Optional. A list of HTTP Hosts to match against. The match can be one
      #     of exact, prefix, suffix, or contains (substring match). Matches are
      #     always case sensitive unless the ignoreCase is set. Limited to 10
      #     hosts per Authorization Policy.
      # @!attribute [rw] paths
      #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>]
      #     Optional. A list of paths to match against. The match can be one of
      #     exact, prefix, suffix, or contains (substring match). Matches are
      #     always case sensitive unless the ignoreCase is set. Limited to 10
      #     paths per Authorization Policy.
      #     Note that this path match includes the query parameters. For gRPC
      #     services, this should be a fully-qualified name of the form
      #     /package.service/method.
      # @!attribute [rw] methods
      #   @return [::Array<::String>]
      #     Optional. A list of HTTP methods to match against. Each entry must be
      #     a valid HTTP method name (GET, PUT, POST, HEAD, PATCH, DELETE,
      #     OPTIONS). It only allows exact match and is always case sensitive.
      #     Limited to 10 methods per Authorization Policy.
      # @!attribute [rw] mcp
      #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::MCP]
      #     Optional. Defines the MCP protocol attributes to match on. If the MCP
      #     payload in the request body cannot be successfully parsed, the
      #     request will be denied. This field can be set only for AuthzPolicies
      #     targeting AgentGateway resources.
      # @!attribute [rw] snis
      #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>]
      #     Optional. A list of SNIs to match against. The match can be one of
      #     exact, prefix, suffix, or contains (substring match). If there is no
      #     SNI (i.e. plaintext HTTP traffic), the request will be denied.
      #     Matches are always case sensitive unless the ignoreCase is set.
      #     Limited to 10 SNIs per Authorization Policy.
      class RequestOperation
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods

        # Describes a set of HTTP headers to match against.
        # @!attribute [rw] headers
        #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::HeaderMatch>]
        #     Required. A list of headers to match against in http header.
        #     The match can be one of exact, prefix, suffix, or contains
        #     (substring match). The match follows AND semantics which means all
        #     the headers must match. Matches are always case sensitive unless
        #     the ignoreCase is set. Limited to 10 headers per Authorization
        #     Policy.
        class HeaderSet
          include ::Google::Protobuf::MessageExts
          extend ::Google::Protobuf::MessageExts::ClassMethods
        end

        # Describes a set of MCP methods to match against.
        # @!attribute [rw] name
        #   @return [::String]
        #     Required. The MCP method to match against. Allowed values are as
        #     follows:
        #     1. `tools`, `prompts`, `resources` - these will match against all
        #        sub methods under the respective methods.
        #     2. `prompts/list`, `tools/list`, `resources/list`,
        #        `resources/templates/list`
        #     3. `prompts/get`, `tools/call`, `resources/subscribe`,
        #        `resources/unsubscribe`, `resources/read`
        #     Params cannot be specified for categories 1 and 2.
        # @!attribute [rw] params
        #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>]
        #     Optional. A list of MCP method parameters to match against. The
        #     match can be one of exact, prefix, suffix, or contains (substring
        #     match). Matches are always case sensitive unless the ignoreCase is
        #     set. Limited to 10 MCP method parameters per Authorization Policy.
        class MCPMethod
          include ::Google::Protobuf::MessageExts
          extend ::Google::Protobuf::MessageExts::ClassMethods
        end

        # Describes a set of MCP protocol attributes to match against for a
        # given MCP request.
        # @!attribute [rw] base_protocol_methods_option
        #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::BaseProtocolMethodsOption]
        #     Optional. If specified, matches on the MCP protocol’s non-access
        #     specific methods namely:
        #     * initialize
        #     * completion/
        #     * logging/
        #     * notifications/
        #     * ping
        #     Defaults to SKIP_BASE_PROTOCOL_METHODS if not specified.
        # @!attribute [rw] methods
        #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::MCPMethod>]
        #     Optional. A list of MCP methods and associated parameters to match
        #     on. It is recommended to use this field to match on tools, prompts
        #     and resource accesses while setting the baseProtocolMethodsOption
        #     to MATCH_BASE_PROTOCOL_METHODS to match on all the other MCP
        #     protocol methods.
        #     Limited to 10 MCP methods per Authorization Policy.
        class MCP
          include ::Google::Protobuf::MessageExts
          extend ::Google::Protobuf::MessageExts::ClassMethods
        end

        # Describes the option to match against the base MCP protocol methods.
        module BaseProtocolMethodsOption
          # Unspecified option. Defaults to SKIP_BASE_PROTOCOL_METHODS.
          BASE_PROTOCOL_METHODS_OPTION_UNSPECIFIED = 0

          # Skip matching on the base MCP protocol methods.
          SKIP_BASE_PROTOCOL_METHODS = 1

          # Match on the base MCP protocol methods.
          MATCH_BASE_PROTOCOL_METHODS = 2
        end
      end
    end
  end

  # Allows delegating authorization decisions to Cloud IAP or to
  # Service Extensions.
  # @!attribute [rw] cloud_iap
  #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::CustomProvider::CloudIap]
  #     Optional. Delegates authorization decisions to Cloud IAP. Applicable
  #     only for managed load balancers. Enabling Cloud IAP at the AuthzPolicy
  #     level is not compatible with Cloud IAP settings in the BackendService.
  #     Enabling IAP in both places will result in request failure. Ensure that
  #     IAP is enabled in either the AuthzPolicy or the BackendService but not in
  #     both places.
  # @!attribute [rw] authz_extension
  #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::CustomProvider::AuthzExtension]
  #     Optional. Delegate authorization decision to user authored Service
  #     Extension. Only one of cloudIap or authzExtension can be specified.
  class CustomProvider
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # Optional. Delegates authorization decisions to Cloud IAP. Applicable
    # only for managed load balancers. Enabling Cloud IAP at the AuthzPolicy
    # level is not compatible with Cloud IAP settings in the BackendService.
    # Enabling IAP in both places will result in request failure. Ensure that
    # IAP is enabled in either the AuthzPolicy or the BackendService but not in
    # both places.
    class CloudIap
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # Optional. Delegate authorization decision to user authored extension.
    # Only one of cloudIap or authzExtension can be specified.
    # @!attribute [rw] resources
    #   @return [::Array<::String>]
    #     Required. A list of references to authorization
    #     extensions that will be invoked for requests matching this policy.
    #     Limited to 1 custom provider.
    class AuthzExtension
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end
  end

  # @!attribute [rw] key
  #   @return [::String]
  # @!attribute [rw] value
  #   @return [::String]
  class LabelsEntry
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # Load balancing schemes supported by the `AuthzPolicy` resource. The valid
  # values are `INTERNAL_MANAGED` and
  # `EXTERNAL_MANAGED`. For more information, refer to [Backend services
  # overview](https://cloud.google.com/load-balancing/docs/backend-service).
  module LoadBalancingScheme
    # Default value. Do not use.
    LOAD_BALANCING_SCHEME_UNSPECIFIED = 0

    # Signifies that this is used for Regional internal or Cross-region
    # internal Application Load Balancing.
    INTERNAL_MANAGED = 1

    # Signifies that this is used for Global external or Regional external
    # Application Load Balancing.
    EXTERNAL_MANAGED = 2

    # Signifies that this is used for Cloud Service Mesh. Meant for use by
    # CSM GKE controller only.
    INTERNAL_SELF_MANAGED = 3
  end

  # The action to be applied to this policy. Valid values are
  # `ALLOW`, `DENY`, `CUSTOM`.
  module AuthzAction
    # Unspecified action.
    AUTHZ_ACTION_UNSPECIFIED = 0

    # Allow request to pass through to the backend.
    ALLOW = 1

    # Deny the request and return a HTTP 404 to the client.
    DENY = 2

    # Delegate the authorization decision to an external authorization engine.
    CUSTOM = 3
  end

  # The type of authorization being performed.
  # New values may be added in the future.
  module PolicyProfile
    # Unspecified policy profile.
    POLICY_PROFILE_UNSPECIFIED = 0

    # Applies to request authorization. `CUSTOM` authorization
    # policies with Authz extensions will be allowed with `EXT_AUTHZ_GRPC` or
    # `EXT_PROC_GRPC` protocols. Extensions are invoked only for request header
    # events.
    REQUEST_AUTHZ = 1

    # Applies to content security, sanitization, etc. Only
    # `CUSTOM` action is allowed in this policy profile. AuthzExtensions in the
    # custom provider must support `EXT_PROC_GRPC` protocol only and be capable
    # of receiving all `EXT_PROC_GRPC` events (REQUEST_HEADERS, REQUEST_BODY,
    # REQUEST_TRAILERS, RESPONSE_HEADERS, RESPONSE_BODY, RESPONSE_TRAILERS)
    # with `FULL_DUPLEX_STREAMED` body send mode.
    CONTENT_AUTHZ = 2
  end
end

#labels::Google::Protobuf::Map{::String => ::String}

Returns Optional. Set of labels associated with the AuthzPolicy resource.

The format must comply with the following requirements.

Returns:

  • (::Google::Protobuf::Map{::String => ::String})

    Optional. Set of labels associated with the AuthzPolicy resource.

    The format must comply with the following requirements.



101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
# File 'proto_docs/google/cloud/networksecurity/v1/authz_policy.rb', line 101

class AuthzPolicy
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Specifies the set of targets to which this policy should be applied to.
  # @!attribute [rw] load_balancing_scheme
  #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::LoadBalancingScheme]
  #     Optional. All gateways and forwarding rules referenced by this policy and
  #     extensions must share the same load balancing scheme. Required only when
  #     targeting forwarding rules. If targeting Secure Web Proxy, this field
  #     must be `INTERNAL_MANAGED` or not specified. Must not be specified
  #     when targeting Agent Gateway. Supported values:
  #     `INTERNAL_MANAGED` and `EXTERNAL_MANAGED`. For more information, refer
  #     to [Backend services
  #     overview](https://cloud.google.com/load-balancing/docs/backend-service).
  # @!attribute [rw] resources
  #   @return [::Array<::String>]
  #     Required. A list of references to the Forwarding Rules, Secure Web Proxy
  #     Gateways, or Agent Gateways on which this policy will be applied.
  class Target
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # Conditions to match against the incoming request.
  # @!attribute [rw] from
  #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::From]
  #     Optional. Describes properties of a source of a request.
  # @!attribute [rw] to
  #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To]
  #     Optional. Describes properties of a target of a request.
  # @!attribute [rw] when
  #   @return [::String]
  #     Optional. CEL expression that describes the conditions to be satisfied
  #     for the action. The result of the CEL expression is ANDed with the from
  #     and to. Refer to the CEL language reference for a list of available
  #     attributes.
  class AuthzRule
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # Determines how a string value should be matched.
    # @!attribute [rw] exact
    #   @return [::String]
    #     The input string must match exactly the string specified here.
    #
    #     Examples:
    #
    #     * ``abc`` only matches the value ``abc``.
    #
    #     Note: The following fields are mutually exclusive: `exact`, `prefix`, `suffix`, `contains`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] prefix
    #   @return [::String]
    #     The input string must have the prefix specified here.
    #     Note: empty prefix is not allowed, please use regex instead.
    #
    #     Examples:
    #
    #     * ``abc`` matches the value ``abc.xyz``
    #
    #     Note: The following fields are mutually exclusive: `prefix`, `exact`, `suffix`, `contains`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] suffix
    #   @return [::String]
    #     The input string must have the suffix specified here.
    #     Note: empty prefix is not allowed, please use regex instead.
    #
    #     Examples:
    #
    #     * ``abc`` matches the value ``xyz.abc``
    #
    #     Note: The following fields are mutually exclusive: `suffix`, `exact`, `prefix`, `contains`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] contains
    #   @return [::String]
    #     The input string must have the substring specified here.
    #     Note: empty contains match is not allowed, please use regex instead.
    #
    #     Examples:
    #
    #     * ``abc`` matches the value ``xyz.abc.def``
    #
    #     Note: The following fields are mutually exclusive: `contains`, `exact`, `prefix`, `suffix`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] ignore_case
    #   @return [::Boolean]
    #     If true, indicates the exact/prefix/suffix/contains matching should be
    #     case insensitive. For example, the matcher ``data`` will match both
    #     input string ``Data`` and ``data`` if set to true.
    class StringMatch
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # Represents a range of IP Addresses.
    # @!attribute [rw] prefix
    #   @return [::String]
    #     Required. The address prefix.
    # @!attribute [rw] length
    #   @return [::Integer]
    #     Required. The length of the address range.
    class IpBlock
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # Describes the properties of a client VM resource accessing the internal
    # application load balancers.
    # @!attribute [rw] tag_value_id_set
    #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::RequestResource::TagValueIdSet]
    #     Optional. A list of resource tag value permanent IDs to match against
    #     the resource manager tags value associated with the source VM of a
    #     request.
    # @!attribute [rw] iam_service_account
    #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch]
    #     Optional. An IAM service account to match against the source
    #     service account of the VM sending the request.
    class RequestResource
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # Describes a set of resource tag value permanent IDs to match against
      # the resource manager tags value associated with the source VM of a
      # request.
      # @!attribute [rw] ids
      #   @return [::Array<::Integer>]
      #     Required. A list of resource tag value permanent IDs to match against
      #     the resource manager tags value associated with the source VM of a
      #     request. The match follows AND semantics which means all
      #     the ids must match. Limited to 5 ids in the Tag value id set.
      class TagValueIdSet
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end
    end

    # Determines how a HTTP header should be matched.
    # @!attribute [rw] name
    #   @return [::String]
    #     Optional. Specifies the name of the header in the request.
    # @!attribute [rw] value
    #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch]
    #     Optional. Specifies how the header match will be performed.
    class HeaderMatch
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # Describes the properties of a principal to be matched against.
    # @!attribute [rw] principal_selector
    #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::Principal::PrincipalSelector]
    #     Optional. An enum to decide what principal value the principal rule
    #     will match against. If not specified, the PrincipalSelector is
    #     CLIENT_CERT_URI_SAN.
    # @!attribute [rw] principal
    #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch]
    #     Required. A non-empty string whose value is matched against the
    #     principal value based on the principal_selector. Only exact match can
    #     be applied for CLIENT_CERT_URI_SAN, CLIENT_CERT_DNS_NAME_SAN,
    #     CLIENT_CERT_COMMON_NAME selectors.
    class Principal
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # The principal value the principal rule will match against.
      module PrincipalSelector
        # Unspecified principal selector. It will be treated as
        # CLIENT_CERT_URI_SAN by default.
        PRINCIPAL_SELECTOR_UNSPECIFIED = 0

        # The principal rule is matched against a list of URI SANs in the
        # validated client's certificate. A match happens when there is any
        # exact URI SAN value match. This is the default principal selector.
        CLIENT_CERT_URI_SAN = 1

        # The principal rule is matched against a list of DNS Name SANs in the
        # validated client's certificate. A match happens when there is any
        # exact DNS Name SAN value match.
        # This is only applicable for Application Load Balancers
        # except for classic Global External Application load balancer.
        # CLIENT_CERT_DNS_NAME_SAN is not supported for INTERNAL_SELF_MANAGED
        # load balancing scheme.
        CLIENT_CERT_DNS_NAME_SAN = 2

        # The principal rule is matched against the common name in the client's
        # certificate. Authorization against multiple common names in the
        # client certificate is not supported. Requests with multiple common
        # names in the client certificate will be rejected if
        # CLIENT_CERT_COMMON_NAME is set as the principal selector. A match
        # happens when there is an exact common name value match.
        # This is only applicable for Application Load Balancers
        # except for global external Application Load Balancer and
        # classic Application Load Balancer.
        # CLIENT_CERT_COMMON_NAME is not supported for INTERNAL_SELF_MANAGED
        # load balancing scheme.
        CLIENT_CERT_COMMON_NAME = 3
      end
    end

    # Describes properties of one or more sources of a request.
    # @!attribute [rw] sources
    #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::From::RequestSource>]
    #     Optional. Describes the properties of a request's sources. At least one
    #     of sources or notSources must be specified. Limited to 1 source.
    #     A match occurs when ANY source (in sources or notSources) matches the
    #     request. Within a single source, the match follows AND semantics
    #     across fields and OR semantics within a single field, i.e. a match
    #     occurs when ANY principal matches AND ANY ipBlocks match.
    # @!attribute [rw] not_sources
    #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::From::RequestSource>]
    #     Optional. Describes the negated properties of request sources. Matches
    #     requests from sources that do not match the criteria specified in this
    #     field. At least one of sources or notSources must be specified.
    class From
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # Describes the properties of a single source.
      # @!attribute [rw] principals
      #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::Principal>]
      #     Optional. A list of identities derived from the client's certificate.
      #     This field will not match on a request unless frontend mutual TLS is
      #     enabled for the forwarding rule or Gateway and the client certificate
      #     has been successfully validated by mTLS.
      #     Each identity is a string whose value is matched against a list of
      #     URI SANs, DNS Name SANs, or the common name in the client's
      #     certificate. A match happens when any principal matches with the
      #     rule. Limited to 50 principals per Authorization Policy for regional
      #     internal Application Load Balancers, regional external Application
      #     Load Balancers, cross-region internal Application Load Balancers, and
      #     Cloud Service Mesh. This field is not supported for global external
      #     Application Load Balancers.
      # @!attribute [rw] ip_blocks
      #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::IpBlock>]
      #     Optional. A list of IP addresses or IP address ranges to match
      #     against the source IP address of the request. Limited to 10 ip_blocks
      #     per Authorization Policy
      # @!attribute [rw] resources
      #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::RequestResource>]
      #     Optional. A list of resources to match against the resource of the
      #     source VM of a request. Limited to 10 resources per Authorization
      #     Policy.
      class RequestSource
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end
    end

    # Describes properties of one or more targets of a request.
    # @!attribute [rw] operations
    #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation>]
    #     Optional. Describes properties of one or more targets of a request. At
    #     least one of operations or notOperations must be specified. Limited to
    #     1 operation. A match occurs when ANY operation (in operations or
    #     notOperations) matches. Within an operation, the match follows AND
    #     semantics across fields and OR semantics within a field, i.e. a match
    #     occurs when ANY path matches AND ANY header matches and ANY method
    #     matches.
    # @!attribute [rw] not_operations
    #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation>]
    #     Optional. Describes the negated properties of the targets of a request.
    #     Matches requests for operations that do not match the criteria
    #     specified in this field. At least one of operations or notOperations
    #     must be specified.
    class To
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # Describes properties of one or more targets of a request.
      # @!attribute [rw] header_set
      #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::HeaderSet]
      #     Optional. A list of headers to match against in http header.
      # @!attribute [rw] hosts
      #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>]
      #     Optional. A list of HTTP Hosts to match against. The match can be one
      #     of exact, prefix, suffix, or contains (substring match). Matches are
      #     always case sensitive unless the ignoreCase is set. Limited to 10
      #     hosts per Authorization Policy.
      # @!attribute [rw] paths
      #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>]
      #     Optional. A list of paths to match against. The match can be one of
      #     exact, prefix, suffix, or contains (substring match). Matches are
      #     always case sensitive unless the ignoreCase is set. Limited to 10
      #     paths per Authorization Policy.
      #     Note that this path match includes the query parameters. For gRPC
      #     services, this should be a fully-qualified name of the form
      #     /package.service/method.
      # @!attribute [rw] methods
      #   @return [::Array<::String>]
      #     Optional. A list of HTTP methods to match against. Each entry must be
      #     a valid HTTP method name (GET, PUT, POST, HEAD, PATCH, DELETE,
      #     OPTIONS). It only allows exact match and is always case sensitive.
      #     Limited to 10 methods per Authorization Policy.
      # @!attribute [rw] mcp
      #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::MCP]
      #     Optional. Defines the MCP protocol attributes to match on. If the MCP
      #     payload in the request body cannot be successfully parsed, the
      #     request will be denied. This field can be set only for AuthzPolicies
      #     targeting AgentGateway resources.
      # @!attribute [rw] snis
      #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>]
      #     Optional. A list of SNIs to match against. The match can be one of
      #     exact, prefix, suffix, or contains (substring match). If there is no
      #     SNI (i.e. plaintext HTTP traffic), the request will be denied.
      #     Matches are always case sensitive unless the ignoreCase is set.
      #     Limited to 10 SNIs per Authorization Policy.
      class RequestOperation
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods

        # Describes a set of HTTP headers to match against.
        # @!attribute [rw] headers
        #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::HeaderMatch>]
        #     Required. A list of headers to match against in http header.
        #     The match can be one of exact, prefix, suffix, or contains
        #     (substring match). The match follows AND semantics which means all
        #     the headers must match. Matches are always case sensitive unless
        #     the ignoreCase is set. Limited to 10 headers per Authorization
        #     Policy.
        class HeaderSet
          include ::Google::Protobuf::MessageExts
          extend ::Google::Protobuf::MessageExts::ClassMethods
        end

        # Describes a set of MCP methods to match against.
        # @!attribute [rw] name
        #   @return [::String]
        #     Required. The MCP method to match against. Allowed values are as
        #     follows:
        #     1. `tools`, `prompts`, `resources` - these will match against all
        #        sub methods under the respective methods.
        #     2. `prompts/list`, `tools/list`, `resources/list`,
        #        `resources/templates/list`
        #     3. `prompts/get`, `tools/call`, `resources/subscribe`,
        #        `resources/unsubscribe`, `resources/read`
        #     Params cannot be specified for categories 1 and 2.
        # @!attribute [rw] params
        #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>]
        #     Optional. A list of MCP method parameters to match against. The
        #     match can be one of exact, prefix, suffix, or contains (substring
        #     match). Matches are always case sensitive unless the ignoreCase is
        #     set. Limited to 10 MCP method parameters per Authorization Policy.
        class MCPMethod
          include ::Google::Protobuf::MessageExts
          extend ::Google::Protobuf::MessageExts::ClassMethods
        end

        # Describes a set of MCP protocol attributes to match against for a
        # given MCP request.
        # @!attribute [rw] base_protocol_methods_option
        #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::BaseProtocolMethodsOption]
        #     Optional. If specified, matches on the MCP protocol’s non-access
        #     specific methods namely:
        #     * initialize
        #     * completion/
        #     * logging/
        #     * notifications/
        #     * ping
        #     Defaults to SKIP_BASE_PROTOCOL_METHODS if not specified.
        # @!attribute [rw] methods
        #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::MCPMethod>]
        #     Optional. A list of MCP methods and associated parameters to match
        #     on. It is recommended to use this field to match on tools, prompts
        #     and resource accesses while setting the baseProtocolMethodsOption
        #     to MATCH_BASE_PROTOCOL_METHODS to match on all the other MCP
        #     protocol methods.
        #     Limited to 10 MCP methods per Authorization Policy.
        class MCP
          include ::Google::Protobuf::MessageExts
          extend ::Google::Protobuf::MessageExts::ClassMethods
        end

        # Describes the option to match against the base MCP protocol methods.
        module BaseProtocolMethodsOption
          # Unspecified option. Defaults to SKIP_BASE_PROTOCOL_METHODS.
          BASE_PROTOCOL_METHODS_OPTION_UNSPECIFIED = 0

          # Skip matching on the base MCP protocol methods.
          SKIP_BASE_PROTOCOL_METHODS = 1

          # Match on the base MCP protocol methods.
          MATCH_BASE_PROTOCOL_METHODS = 2
        end
      end
    end
  end

  # Allows delegating authorization decisions to Cloud IAP or to
  # Service Extensions.
  # @!attribute [rw] cloud_iap
  #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::CustomProvider::CloudIap]
  #     Optional. Delegates authorization decisions to Cloud IAP. Applicable
  #     only for managed load balancers. Enabling Cloud IAP at the AuthzPolicy
  #     level is not compatible with Cloud IAP settings in the BackendService.
  #     Enabling IAP in both places will result in request failure. Ensure that
  #     IAP is enabled in either the AuthzPolicy or the BackendService but not in
  #     both places.
  # @!attribute [rw] authz_extension
  #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::CustomProvider::AuthzExtension]
  #     Optional. Delegate authorization decision to user authored Service
  #     Extension. Only one of cloudIap or authzExtension can be specified.
  class CustomProvider
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # Optional. Delegates authorization decisions to Cloud IAP. Applicable
    # only for managed load balancers. Enabling Cloud IAP at the AuthzPolicy
    # level is not compatible with Cloud IAP settings in the BackendService.
    # Enabling IAP in both places will result in request failure. Ensure that
    # IAP is enabled in either the AuthzPolicy or the BackendService but not in
    # both places.
    class CloudIap
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # Optional. Delegate authorization decision to user authored extension.
    # Only one of cloudIap or authzExtension can be specified.
    # @!attribute [rw] resources
    #   @return [::Array<::String>]
    #     Required. A list of references to authorization
    #     extensions that will be invoked for requests matching this policy.
    #     Limited to 1 custom provider.
    class AuthzExtension
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end
  end

  # @!attribute [rw] key
  #   @return [::String]
  # @!attribute [rw] value
  #   @return [::String]
  class LabelsEntry
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # Load balancing schemes supported by the `AuthzPolicy` resource. The valid
  # values are `INTERNAL_MANAGED` and
  # `EXTERNAL_MANAGED`. For more information, refer to [Backend services
  # overview](https://cloud.google.com/load-balancing/docs/backend-service).
  module LoadBalancingScheme
    # Default value. Do not use.
    LOAD_BALANCING_SCHEME_UNSPECIFIED = 0

    # Signifies that this is used for Regional internal or Cross-region
    # internal Application Load Balancing.
    INTERNAL_MANAGED = 1

    # Signifies that this is used for Global external or Regional external
    # Application Load Balancing.
    EXTERNAL_MANAGED = 2

    # Signifies that this is used for Cloud Service Mesh. Meant for use by
    # CSM GKE controller only.
    INTERNAL_SELF_MANAGED = 3
  end

  # The action to be applied to this policy. Valid values are
  # `ALLOW`, `DENY`, `CUSTOM`.
  module AuthzAction
    # Unspecified action.
    AUTHZ_ACTION_UNSPECIFIED = 0

    # Allow request to pass through to the backend.
    ALLOW = 1

    # Deny the request and return a HTTP 404 to the client.
    DENY = 2

    # Delegate the authorization decision to an external authorization engine.
    CUSTOM = 3
  end

  # The type of authorization being performed.
  # New values may be added in the future.
  module PolicyProfile
    # Unspecified policy profile.
    POLICY_PROFILE_UNSPECIFIED = 0

    # Applies to request authorization. `CUSTOM` authorization
    # policies with Authz extensions will be allowed with `EXT_AUTHZ_GRPC` or
    # `EXT_PROC_GRPC` protocols. Extensions are invoked only for request header
    # events.
    REQUEST_AUTHZ = 1

    # Applies to content security, sanitization, etc. Only
    # `CUSTOM` action is allowed in this policy profile. AuthzExtensions in the
    # custom provider must support `EXT_PROC_GRPC` protocol only and be capable
    # of receiving all `EXT_PROC_GRPC` events (REQUEST_HEADERS, REQUEST_BODY,
    # REQUEST_TRAILERS, RESPONSE_HEADERS, RESPONSE_BODY, RESPONSE_TRAILERS)
    # with `FULL_DUPLEX_STREAMED` body send mode.
    CONTENT_AUTHZ = 2
  end
end

#name::String

Returns Required. Identifier. Name of the AuthzPolicy resource in the following format: projects/{project}/locations/{location}/authzPolicies/{authz_policy}.

Returns:

  • (::String)

    Required. Identifier. Name of the AuthzPolicy resource in the following format: projects/{project}/locations/{location}/authzPolicies/{authz_policy}.



101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
# File 'proto_docs/google/cloud/networksecurity/v1/authz_policy.rb', line 101

class AuthzPolicy
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Specifies the set of targets to which this policy should be applied to.
  # @!attribute [rw] load_balancing_scheme
  #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::LoadBalancingScheme]
  #     Optional. All gateways and forwarding rules referenced by this policy and
  #     extensions must share the same load balancing scheme. Required only when
  #     targeting forwarding rules. If targeting Secure Web Proxy, this field
  #     must be `INTERNAL_MANAGED` or not specified. Must not be specified
  #     when targeting Agent Gateway. Supported values:
  #     `INTERNAL_MANAGED` and `EXTERNAL_MANAGED`. For more information, refer
  #     to [Backend services
  #     overview](https://cloud.google.com/load-balancing/docs/backend-service).
  # @!attribute [rw] resources
  #   @return [::Array<::String>]
  #     Required. A list of references to the Forwarding Rules, Secure Web Proxy
  #     Gateways, or Agent Gateways on which this policy will be applied.
  class Target
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # Conditions to match against the incoming request.
  # @!attribute [rw] from
  #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::From]
  #     Optional. Describes properties of a source of a request.
  # @!attribute [rw] to
  #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To]
  #     Optional. Describes properties of a target of a request.
  # @!attribute [rw] when
  #   @return [::String]
  #     Optional. CEL expression that describes the conditions to be satisfied
  #     for the action. The result of the CEL expression is ANDed with the from
  #     and to. Refer to the CEL language reference for a list of available
  #     attributes.
  class AuthzRule
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # Determines how a string value should be matched.
    # @!attribute [rw] exact
    #   @return [::String]
    #     The input string must match exactly the string specified here.
    #
    #     Examples:
    #
    #     * ``abc`` only matches the value ``abc``.
    #
    #     Note: The following fields are mutually exclusive: `exact`, `prefix`, `suffix`, `contains`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] prefix
    #   @return [::String]
    #     The input string must have the prefix specified here.
    #     Note: empty prefix is not allowed, please use regex instead.
    #
    #     Examples:
    #
    #     * ``abc`` matches the value ``abc.xyz``
    #
    #     Note: The following fields are mutually exclusive: `prefix`, `exact`, `suffix`, `contains`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] suffix
    #   @return [::String]
    #     The input string must have the suffix specified here.
    #     Note: empty prefix is not allowed, please use regex instead.
    #
    #     Examples:
    #
    #     * ``abc`` matches the value ``xyz.abc``
    #
    #     Note: The following fields are mutually exclusive: `suffix`, `exact`, `prefix`, `contains`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] contains
    #   @return [::String]
    #     The input string must have the substring specified here.
    #     Note: empty contains match is not allowed, please use regex instead.
    #
    #     Examples:
    #
    #     * ``abc`` matches the value ``xyz.abc.def``
    #
    #     Note: The following fields are mutually exclusive: `contains`, `exact`, `prefix`, `suffix`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] ignore_case
    #   @return [::Boolean]
    #     If true, indicates the exact/prefix/suffix/contains matching should be
    #     case insensitive. For example, the matcher ``data`` will match both
    #     input string ``Data`` and ``data`` if set to true.
    class StringMatch
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # Represents a range of IP Addresses.
    # @!attribute [rw] prefix
    #   @return [::String]
    #     Required. The address prefix.
    # @!attribute [rw] length
    #   @return [::Integer]
    #     Required. The length of the address range.
    class IpBlock
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # Describes the properties of a client VM resource accessing the internal
    # application load balancers.
    # @!attribute [rw] tag_value_id_set
    #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::RequestResource::TagValueIdSet]
    #     Optional. A list of resource tag value permanent IDs to match against
    #     the resource manager tags value associated with the source VM of a
    #     request.
    # @!attribute [rw] iam_service_account
    #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch]
    #     Optional. An IAM service account to match against the source
    #     service account of the VM sending the request.
    class RequestResource
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # Describes a set of resource tag value permanent IDs to match against
      # the resource manager tags value associated with the source VM of a
      # request.
      # @!attribute [rw] ids
      #   @return [::Array<::Integer>]
      #     Required. A list of resource tag value permanent IDs to match against
      #     the resource manager tags value associated with the source VM of a
      #     request. The match follows AND semantics which means all
      #     the ids must match. Limited to 5 ids in the Tag value id set.
      class TagValueIdSet
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end
    end

    # Determines how a HTTP header should be matched.
    # @!attribute [rw] name
    #   @return [::String]
    #     Optional. Specifies the name of the header in the request.
    # @!attribute [rw] value
    #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch]
    #     Optional. Specifies how the header match will be performed.
    class HeaderMatch
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # Describes the properties of a principal to be matched against.
    # @!attribute [rw] principal_selector
    #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::Principal::PrincipalSelector]
    #     Optional. An enum to decide what principal value the principal rule
    #     will match against. If not specified, the PrincipalSelector is
    #     CLIENT_CERT_URI_SAN.
    # @!attribute [rw] principal
    #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch]
    #     Required. A non-empty string whose value is matched against the
    #     principal value based on the principal_selector. Only exact match can
    #     be applied for CLIENT_CERT_URI_SAN, CLIENT_CERT_DNS_NAME_SAN,
    #     CLIENT_CERT_COMMON_NAME selectors.
    class Principal
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # The principal value the principal rule will match against.
      module PrincipalSelector
        # Unspecified principal selector. It will be treated as
        # CLIENT_CERT_URI_SAN by default.
        PRINCIPAL_SELECTOR_UNSPECIFIED = 0

        # The principal rule is matched against a list of URI SANs in the
        # validated client's certificate. A match happens when there is any
        # exact URI SAN value match. This is the default principal selector.
        CLIENT_CERT_URI_SAN = 1

        # The principal rule is matched against a list of DNS Name SANs in the
        # validated client's certificate. A match happens when there is any
        # exact DNS Name SAN value match.
        # This is only applicable for Application Load Balancers
        # except for classic Global External Application load balancer.
        # CLIENT_CERT_DNS_NAME_SAN is not supported for INTERNAL_SELF_MANAGED
        # load balancing scheme.
        CLIENT_CERT_DNS_NAME_SAN = 2

        # The principal rule is matched against the common name in the client's
        # certificate. Authorization against multiple common names in the
        # client certificate is not supported. Requests with multiple common
        # names in the client certificate will be rejected if
        # CLIENT_CERT_COMMON_NAME is set as the principal selector. A match
        # happens when there is an exact common name value match.
        # This is only applicable for Application Load Balancers
        # except for global external Application Load Balancer and
        # classic Application Load Balancer.
        # CLIENT_CERT_COMMON_NAME is not supported for INTERNAL_SELF_MANAGED
        # load balancing scheme.
        CLIENT_CERT_COMMON_NAME = 3
      end
    end

    # Describes properties of one or more sources of a request.
    # @!attribute [rw] sources
    #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::From::RequestSource>]
    #     Optional. Describes the properties of a request's sources. At least one
    #     of sources or notSources must be specified. Limited to 1 source.
    #     A match occurs when ANY source (in sources or notSources) matches the
    #     request. Within a single source, the match follows AND semantics
    #     across fields and OR semantics within a single field, i.e. a match
    #     occurs when ANY principal matches AND ANY ipBlocks match.
    # @!attribute [rw] not_sources
    #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::From::RequestSource>]
    #     Optional. Describes the negated properties of request sources. Matches
    #     requests from sources that do not match the criteria specified in this
    #     field. At least one of sources or notSources must be specified.
    class From
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # Describes the properties of a single source.
      # @!attribute [rw] principals
      #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::Principal>]
      #     Optional. A list of identities derived from the client's certificate.
      #     This field will not match on a request unless frontend mutual TLS is
      #     enabled for the forwarding rule or Gateway and the client certificate
      #     has been successfully validated by mTLS.
      #     Each identity is a string whose value is matched against a list of
      #     URI SANs, DNS Name SANs, or the common name in the client's
      #     certificate. A match happens when any principal matches with the
      #     rule. Limited to 50 principals per Authorization Policy for regional
      #     internal Application Load Balancers, regional external Application
      #     Load Balancers, cross-region internal Application Load Balancers, and
      #     Cloud Service Mesh. This field is not supported for global external
      #     Application Load Balancers.
      # @!attribute [rw] ip_blocks
      #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::IpBlock>]
      #     Optional. A list of IP addresses or IP address ranges to match
      #     against the source IP address of the request. Limited to 10 ip_blocks
      #     per Authorization Policy
      # @!attribute [rw] resources
      #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::RequestResource>]
      #     Optional. A list of resources to match against the resource of the
      #     source VM of a request. Limited to 10 resources per Authorization
      #     Policy.
      class RequestSource
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end
    end

    # Describes properties of one or more targets of a request.
    # @!attribute [rw] operations
    #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation>]
    #     Optional. Describes properties of one or more targets of a request. At
    #     least one of operations or notOperations must be specified. Limited to
    #     1 operation. A match occurs when ANY operation (in operations or
    #     notOperations) matches. Within an operation, the match follows AND
    #     semantics across fields and OR semantics within a field, i.e. a match
    #     occurs when ANY path matches AND ANY header matches and ANY method
    #     matches.
    # @!attribute [rw] not_operations
    #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation>]
    #     Optional. Describes the negated properties of the targets of a request.
    #     Matches requests for operations that do not match the criteria
    #     specified in this field. At least one of operations or notOperations
    #     must be specified.
    class To
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # Describes properties of one or more targets of a request.
      # @!attribute [rw] header_set
      #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::HeaderSet]
      #     Optional. A list of headers to match against in http header.
      # @!attribute [rw] hosts
      #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>]
      #     Optional. A list of HTTP Hosts to match against. The match can be one
      #     of exact, prefix, suffix, or contains (substring match). Matches are
      #     always case sensitive unless the ignoreCase is set. Limited to 10
      #     hosts per Authorization Policy.
      # @!attribute [rw] paths
      #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>]
      #     Optional. A list of paths to match against. The match can be one of
      #     exact, prefix, suffix, or contains (substring match). Matches are
      #     always case sensitive unless the ignoreCase is set. Limited to 10
      #     paths per Authorization Policy.
      #     Note that this path match includes the query parameters. For gRPC
      #     services, this should be a fully-qualified name of the form
      #     /package.service/method.
      # @!attribute [rw] methods
      #   @return [::Array<::String>]
      #     Optional. A list of HTTP methods to match against. Each entry must be
      #     a valid HTTP method name (GET, PUT, POST, HEAD, PATCH, DELETE,
      #     OPTIONS). It only allows exact match and is always case sensitive.
      #     Limited to 10 methods per Authorization Policy.
      # @!attribute [rw] mcp
      #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::MCP]
      #     Optional. Defines the MCP protocol attributes to match on. If the MCP
      #     payload in the request body cannot be successfully parsed, the
      #     request will be denied. This field can be set only for AuthzPolicies
      #     targeting AgentGateway resources.
      # @!attribute [rw] snis
      #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>]
      #     Optional. A list of SNIs to match against. The match can be one of
      #     exact, prefix, suffix, or contains (substring match). If there is no
      #     SNI (i.e. plaintext HTTP traffic), the request will be denied.
      #     Matches are always case sensitive unless the ignoreCase is set.
      #     Limited to 10 SNIs per Authorization Policy.
      class RequestOperation
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods

        # Describes a set of HTTP headers to match against.
        # @!attribute [rw] headers
        #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::HeaderMatch>]
        #     Required. A list of headers to match against in http header.
        #     The match can be one of exact, prefix, suffix, or contains
        #     (substring match). The match follows AND semantics which means all
        #     the headers must match. Matches are always case sensitive unless
        #     the ignoreCase is set. Limited to 10 headers per Authorization
        #     Policy.
        class HeaderSet
          include ::Google::Protobuf::MessageExts
          extend ::Google::Protobuf::MessageExts::ClassMethods
        end

        # Describes a set of MCP methods to match against.
        # @!attribute [rw] name
        #   @return [::String]
        #     Required. The MCP method to match against. Allowed values are as
        #     follows:
        #     1. `tools`, `prompts`, `resources` - these will match against all
        #        sub methods under the respective methods.
        #     2. `prompts/list`, `tools/list`, `resources/list`,
        #        `resources/templates/list`
        #     3. `prompts/get`, `tools/call`, `resources/subscribe`,
        #        `resources/unsubscribe`, `resources/read`
        #     Params cannot be specified for categories 1 and 2.
        # @!attribute [rw] params
        #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>]
        #     Optional. A list of MCP method parameters to match against. The
        #     match can be one of exact, prefix, suffix, or contains (substring
        #     match). Matches are always case sensitive unless the ignoreCase is
        #     set. Limited to 10 MCP method parameters per Authorization Policy.
        class MCPMethod
          include ::Google::Protobuf::MessageExts
          extend ::Google::Protobuf::MessageExts::ClassMethods
        end

        # Describes a set of MCP protocol attributes to match against for a
        # given MCP request.
        # @!attribute [rw] base_protocol_methods_option
        #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::BaseProtocolMethodsOption]
        #     Optional. If specified, matches on the MCP protocol’s non-access
        #     specific methods namely:
        #     * initialize
        #     * completion/
        #     * logging/
        #     * notifications/
        #     * ping
        #     Defaults to SKIP_BASE_PROTOCOL_METHODS if not specified.
        # @!attribute [rw] methods
        #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::MCPMethod>]
        #     Optional. A list of MCP methods and associated parameters to match
        #     on. It is recommended to use this field to match on tools, prompts
        #     and resource accesses while setting the baseProtocolMethodsOption
        #     to MATCH_BASE_PROTOCOL_METHODS to match on all the other MCP
        #     protocol methods.
        #     Limited to 10 MCP methods per Authorization Policy.
        class MCP
          include ::Google::Protobuf::MessageExts
          extend ::Google::Protobuf::MessageExts::ClassMethods
        end

        # Describes the option to match against the base MCP protocol methods.
        module BaseProtocolMethodsOption
          # Unspecified option. Defaults to SKIP_BASE_PROTOCOL_METHODS.
          BASE_PROTOCOL_METHODS_OPTION_UNSPECIFIED = 0

          # Skip matching on the base MCP protocol methods.
          SKIP_BASE_PROTOCOL_METHODS = 1

          # Match on the base MCP protocol methods.
          MATCH_BASE_PROTOCOL_METHODS = 2
        end
      end
    end
  end

  # Allows delegating authorization decisions to Cloud IAP or to
  # Service Extensions.
  # @!attribute [rw] cloud_iap
  #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::CustomProvider::CloudIap]
  #     Optional. Delegates authorization decisions to Cloud IAP. Applicable
  #     only for managed load balancers. Enabling Cloud IAP at the AuthzPolicy
  #     level is not compatible with Cloud IAP settings in the BackendService.
  #     Enabling IAP in both places will result in request failure. Ensure that
  #     IAP is enabled in either the AuthzPolicy or the BackendService but not in
  #     both places.
  # @!attribute [rw] authz_extension
  #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::CustomProvider::AuthzExtension]
  #     Optional. Delegate authorization decision to user authored Service
  #     Extension. Only one of cloudIap or authzExtension can be specified.
  class CustomProvider
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # Optional. Delegates authorization decisions to Cloud IAP. Applicable
    # only for managed load balancers. Enabling Cloud IAP at the AuthzPolicy
    # level is not compatible with Cloud IAP settings in the BackendService.
    # Enabling IAP in both places will result in request failure. Ensure that
    # IAP is enabled in either the AuthzPolicy or the BackendService but not in
    # both places.
    class CloudIap
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # Optional. Delegate authorization decision to user authored extension.
    # Only one of cloudIap or authzExtension can be specified.
    # @!attribute [rw] resources
    #   @return [::Array<::String>]
    #     Required. A list of references to authorization
    #     extensions that will be invoked for requests matching this policy.
    #     Limited to 1 custom provider.
    class AuthzExtension
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end
  end

  # @!attribute [rw] key
  #   @return [::String]
  # @!attribute [rw] value
  #   @return [::String]
  class LabelsEntry
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # Load balancing schemes supported by the `AuthzPolicy` resource. The valid
  # values are `INTERNAL_MANAGED` and
  # `EXTERNAL_MANAGED`. For more information, refer to [Backend services
  # overview](https://cloud.google.com/load-balancing/docs/backend-service).
  module LoadBalancingScheme
    # Default value. Do not use.
    LOAD_BALANCING_SCHEME_UNSPECIFIED = 0

    # Signifies that this is used for Regional internal or Cross-region
    # internal Application Load Balancing.
    INTERNAL_MANAGED = 1

    # Signifies that this is used for Global external or Regional external
    # Application Load Balancing.
    EXTERNAL_MANAGED = 2

    # Signifies that this is used for Cloud Service Mesh. Meant for use by
    # CSM GKE controller only.
    INTERNAL_SELF_MANAGED = 3
  end

  # The action to be applied to this policy. Valid values are
  # `ALLOW`, `DENY`, `CUSTOM`.
  module AuthzAction
    # Unspecified action.
    AUTHZ_ACTION_UNSPECIFIED = 0

    # Allow request to pass through to the backend.
    ALLOW = 1

    # Deny the request and return a HTTP 404 to the client.
    DENY = 2

    # Delegate the authorization decision to an external authorization engine.
    CUSTOM = 3
  end

  # The type of authorization being performed.
  # New values may be added in the future.
  module PolicyProfile
    # Unspecified policy profile.
    POLICY_PROFILE_UNSPECIFIED = 0

    # Applies to request authorization. `CUSTOM` authorization
    # policies with Authz extensions will be allowed with `EXT_AUTHZ_GRPC` or
    # `EXT_PROC_GRPC` protocols. Extensions are invoked only for request header
    # events.
    REQUEST_AUTHZ = 1

    # Applies to content security, sanitization, etc. Only
    # `CUSTOM` action is allowed in this policy profile. AuthzExtensions in the
    # custom provider must support `EXT_PROC_GRPC` protocol only and be capable
    # of receiving all `EXT_PROC_GRPC` events (REQUEST_HEADERS, REQUEST_BODY,
    # REQUEST_TRAILERS, RESPONSE_HEADERS, RESPONSE_BODY, RESPONSE_TRAILERS)
    # with `FULL_DUPLEX_STREAMED` body send mode.
    CONTENT_AUTHZ = 2
  end
end

#network_rules::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule>

Returns Optional. A list of authorization network rules to match against the incoming request. A policy match occurs when at least one network rule matches the request. At least one network rule is required for Allow or Deny Action if no HTTP rules are provided. Network rules are mutually exclusive with HTTP rules. Limited to 5 rules.

Returns:

  • (::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule>)

    Optional. A list of authorization network rules to match against the incoming request. A policy match occurs when at least one network rule matches the request. At least one network rule is required for Allow or Deny Action if no HTTP rules are provided. Network rules are mutually exclusive with HTTP rules. Limited to 5 rules.



101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
# File 'proto_docs/google/cloud/networksecurity/v1/authz_policy.rb', line 101

class AuthzPolicy
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Specifies the set of targets to which this policy should be applied to.
  # @!attribute [rw] load_balancing_scheme
  #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::LoadBalancingScheme]
  #     Optional. All gateways and forwarding rules referenced by this policy and
  #     extensions must share the same load balancing scheme. Required only when
  #     targeting forwarding rules. If targeting Secure Web Proxy, this field
  #     must be `INTERNAL_MANAGED` or not specified. Must not be specified
  #     when targeting Agent Gateway. Supported values:
  #     `INTERNAL_MANAGED` and `EXTERNAL_MANAGED`. For more information, refer
  #     to [Backend services
  #     overview](https://cloud.google.com/load-balancing/docs/backend-service).
  # @!attribute [rw] resources
  #   @return [::Array<::String>]
  #     Required. A list of references to the Forwarding Rules, Secure Web Proxy
  #     Gateways, or Agent Gateways on which this policy will be applied.
  class Target
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # Conditions to match against the incoming request.
  # @!attribute [rw] from
  #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::From]
  #     Optional. Describes properties of a source of a request.
  # @!attribute [rw] to
  #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To]
  #     Optional. Describes properties of a target of a request.
  # @!attribute [rw] when
  #   @return [::String]
  #     Optional. CEL expression that describes the conditions to be satisfied
  #     for the action. The result of the CEL expression is ANDed with the from
  #     and to. Refer to the CEL language reference for a list of available
  #     attributes.
  class AuthzRule
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # Determines how a string value should be matched.
    # @!attribute [rw] exact
    #   @return [::String]
    #     The input string must match exactly the string specified here.
    #
    #     Examples:
    #
    #     * ``abc`` only matches the value ``abc``.
    #
    #     Note: The following fields are mutually exclusive: `exact`, `prefix`, `suffix`, `contains`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] prefix
    #   @return [::String]
    #     The input string must have the prefix specified here.
    #     Note: empty prefix is not allowed, please use regex instead.
    #
    #     Examples:
    #
    #     * ``abc`` matches the value ``abc.xyz``
    #
    #     Note: The following fields are mutually exclusive: `prefix`, `exact`, `suffix`, `contains`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] suffix
    #   @return [::String]
    #     The input string must have the suffix specified here.
    #     Note: empty prefix is not allowed, please use regex instead.
    #
    #     Examples:
    #
    #     * ``abc`` matches the value ``xyz.abc``
    #
    #     Note: The following fields are mutually exclusive: `suffix`, `exact`, `prefix`, `contains`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] contains
    #   @return [::String]
    #     The input string must have the substring specified here.
    #     Note: empty contains match is not allowed, please use regex instead.
    #
    #     Examples:
    #
    #     * ``abc`` matches the value ``xyz.abc.def``
    #
    #     Note: The following fields are mutually exclusive: `contains`, `exact`, `prefix`, `suffix`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] ignore_case
    #   @return [::Boolean]
    #     If true, indicates the exact/prefix/suffix/contains matching should be
    #     case insensitive. For example, the matcher ``data`` will match both
    #     input string ``Data`` and ``data`` if set to true.
    class StringMatch
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # Represents a range of IP Addresses.
    # @!attribute [rw] prefix
    #   @return [::String]
    #     Required. The address prefix.
    # @!attribute [rw] length
    #   @return [::Integer]
    #     Required. The length of the address range.
    class IpBlock
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # Describes the properties of a client VM resource accessing the internal
    # application load balancers.
    # @!attribute [rw] tag_value_id_set
    #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::RequestResource::TagValueIdSet]
    #     Optional. A list of resource tag value permanent IDs to match against
    #     the resource manager tags value associated with the source VM of a
    #     request.
    # @!attribute [rw] iam_service_account
    #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch]
    #     Optional. An IAM service account to match against the source
    #     service account of the VM sending the request.
    class RequestResource
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # Describes a set of resource tag value permanent IDs to match against
      # the resource manager tags value associated with the source VM of a
      # request.
      # @!attribute [rw] ids
      #   @return [::Array<::Integer>]
      #     Required. A list of resource tag value permanent IDs to match against
      #     the resource manager tags value associated with the source VM of a
      #     request. The match follows AND semantics which means all
      #     the ids must match. Limited to 5 ids in the Tag value id set.
      class TagValueIdSet
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end
    end

    # Determines how a HTTP header should be matched.
    # @!attribute [rw] name
    #   @return [::String]
    #     Optional. Specifies the name of the header in the request.
    # @!attribute [rw] value
    #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch]
    #     Optional. Specifies how the header match will be performed.
    class HeaderMatch
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # Describes the properties of a principal to be matched against.
    # @!attribute [rw] principal_selector
    #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::Principal::PrincipalSelector]
    #     Optional. An enum to decide what principal value the principal rule
    #     will match against. If not specified, the PrincipalSelector is
    #     CLIENT_CERT_URI_SAN.
    # @!attribute [rw] principal
    #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch]
    #     Required. A non-empty string whose value is matched against the
    #     principal value based on the principal_selector. Only exact match can
    #     be applied for CLIENT_CERT_URI_SAN, CLIENT_CERT_DNS_NAME_SAN,
    #     CLIENT_CERT_COMMON_NAME selectors.
    class Principal
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # The principal value the principal rule will match against.
      module PrincipalSelector
        # Unspecified principal selector. It will be treated as
        # CLIENT_CERT_URI_SAN by default.
        PRINCIPAL_SELECTOR_UNSPECIFIED = 0

        # The principal rule is matched against a list of URI SANs in the
        # validated client's certificate. A match happens when there is any
        # exact URI SAN value match. This is the default principal selector.
        CLIENT_CERT_URI_SAN = 1

        # The principal rule is matched against a list of DNS Name SANs in the
        # validated client's certificate. A match happens when there is any
        # exact DNS Name SAN value match.
        # This is only applicable for Application Load Balancers
        # except for classic Global External Application load balancer.
        # CLIENT_CERT_DNS_NAME_SAN is not supported for INTERNAL_SELF_MANAGED
        # load balancing scheme.
        CLIENT_CERT_DNS_NAME_SAN = 2

        # The principal rule is matched against the common name in the client's
        # certificate. Authorization against multiple common names in the
        # client certificate is not supported. Requests with multiple common
        # names in the client certificate will be rejected if
        # CLIENT_CERT_COMMON_NAME is set as the principal selector. A match
        # happens when there is an exact common name value match.
        # This is only applicable for Application Load Balancers
        # except for global external Application Load Balancer and
        # classic Application Load Balancer.
        # CLIENT_CERT_COMMON_NAME is not supported for INTERNAL_SELF_MANAGED
        # load balancing scheme.
        CLIENT_CERT_COMMON_NAME = 3
      end
    end

    # Describes properties of one or more sources of a request.
    # @!attribute [rw] sources
    #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::From::RequestSource>]
    #     Optional. Describes the properties of a request's sources. At least one
    #     of sources or notSources must be specified. Limited to 1 source.
    #     A match occurs when ANY source (in sources or notSources) matches the
    #     request. Within a single source, the match follows AND semantics
    #     across fields and OR semantics within a single field, i.e. a match
    #     occurs when ANY principal matches AND ANY ipBlocks match.
    # @!attribute [rw] not_sources
    #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::From::RequestSource>]
    #     Optional. Describes the negated properties of request sources. Matches
    #     requests from sources that do not match the criteria specified in this
    #     field. At least one of sources or notSources must be specified.
    class From
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # Describes the properties of a single source.
      # @!attribute [rw] principals
      #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::Principal>]
      #     Optional. A list of identities derived from the client's certificate.
      #     This field will not match on a request unless frontend mutual TLS is
      #     enabled for the forwarding rule or Gateway and the client certificate
      #     has been successfully validated by mTLS.
      #     Each identity is a string whose value is matched against a list of
      #     URI SANs, DNS Name SANs, or the common name in the client's
      #     certificate. A match happens when any principal matches with the
      #     rule. Limited to 50 principals per Authorization Policy for regional
      #     internal Application Load Balancers, regional external Application
      #     Load Balancers, cross-region internal Application Load Balancers, and
      #     Cloud Service Mesh. This field is not supported for global external
      #     Application Load Balancers.
      # @!attribute [rw] ip_blocks
      #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::IpBlock>]
      #     Optional. A list of IP addresses or IP address ranges to match
      #     against the source IP address of the request. Limited to 10 ip_blocks
      #     per Authorization Policy
      # @!attribute [rw] resources
      #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::RequestResource>]
      #     Optional. A list of resources to match against the resource of the
      #     source VM of a request. Limited to 10 resources per Authorization
      #     Policy.
      class RequestSource
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end
    end

    # Describes properties of one or more targets of a request.
    # @!attribute [rw] operations
    #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation>]
    #     Optional. Describes properties of one or more targets of a request. At
    #     least one of operations or notOperations must be specified. Limited to
    #     1 operation. A match occurs when ANY operation (in operations or
    #     notOperations) matches. Within an operation, the match follows AND
    #     semantics across fields and OR semantics within a field, i.e. a match
    #     occurs when ANY path matches AND ANY header matches and ANY method
    #     matches.
    # @!attribute [rw] not_operations
    #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation>]
    #     Optional. Describes the negated properties of the targets of a request.
    #     Matches requests for operations that do not match the criteria
    #     specified in this field. At least one of operations or notOperations
    #     must be specified.
    class To
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # Describes properties of one or more targets of a request.
      # @!attribute [rw] header_set
      #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::HeaderSet]
      #     Optional. A list of headers to match against in http header.
      # @!attribute [rw] hosts
      #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>]
      #     Optional. A list of HTTP Hosts to match against. The match can be one
      #     of exact, prefix, suffix, or contains (substring match). Matches are
      #     always case sensitive unless the ignoreCase is set. Limited to 10
      #     hosts per Authorization Policy.
      # @!attribute [rw] paths
      #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>]
      #     Optional. A list of paths to match against. The match can be one of
      #     exact, prefix, suffix, or contains (substring match). Matches are
      #     always case sensitive unless the ignoreCase is set. Limited to 10
      #     paths per Authorization Policy.
      #     Note that this path match includes the query parameters. For gRPC
      #     services, this should be a fully-qualified name of the form
      #     /package.service/method.
      # @!attribute [rw] methods
      #   @return [::Array<::String>]
      #     Optional. A list of HTTP methods to match against. Each entry must be
      #     a valid HTTP method name (GET, PUT, POST, HEAD, PATCH, DELETE,
      #     OPTIONS). It only allows exact match and is always case sensitive.
      #     Limited to 10 methods per Authorization Policy.
      # @!attribute [rw] mcp
      #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::MCP]
      #     Optional. Defines the MCP protocol attributes to match on. If the MCP
      #     payload in the request body cannot be successfully parsed, the
      #     request will be denied. This field can be set only for AuthzPolicies
      #     targeting AgentGateway resources.
      # @!attribute [rw] snis
      #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>]
      #     Optional. A list of SNIs to match against. The match can be one of
      #     exact, prefix, suffix, or contains (substring match). If there is no
      #     SNI (i.e. plaintext HTTP traffic), the request will be denied.
      #     Matches are always case sensitive unless the ignoreCase is set.
      #     Limited to 10 SNIs per Authorization Policy.
      class RequestOperation
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods

        # Describes a set of HTTP headers to match against.
        # @!attribute [rw] headers
        #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::HeaderMatch>]
        #     Required. A list of headers to match against in http header.
        #     The match can be one of exact, prefix, suffix, or contains
        #     (substring match). The match follows AND semantics which means all
        #     the headers must match. Matches are always case sensitive unless
        #     the ignoreCase is set. Limited to 10 headers per Authorization
        #     Policy.
        class HeaderSet
          include ::Google::Protobuf::MessageExts
          extend ::Google::Protobuf::MessageExts::ClassMethods
        end

        # Describes a set of MCP methods to match against.
        # @!attribute [rw] name
        #   @return [::String]
        #     Required. The MCP method to match against. Allowed values are as
        #     follows:
        #     1. `tools`, `prompts`, `resources` - these will match against all
        #        sub methods under the respective methods.
        #     2. `prompts/list`, `tools/list`, `resources/list`,
        #        `resources/templates/list`
        #     3. `prompts/get`, `tools/call`, `resources/subscribe`,
        #        `resources/unsubscribe`, `resources/read`
        #     Params cannot be specified for categories 1 and 2.
        # @!attribute [rw] params
        #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>]
        #     Optional. A list of MCP method parameters to match against. The
        #     match can be one of exact, prefix, suffix, or contains (substring
        #     match). Matches are always case sensitive unless the ignoreCase is
        #     set. Limited to 10 MCP method parameters per Authorization Policy.
        class MCPMethod
          include ::Google::Protobuf::MessageExts
          extend ::Google::Protobuf::MessageExts::ClassMethods
        end

        # Describes a set of MCP protocol attributes to match against for a
        # given MCP request.
        # @!attribute [rw] base_protocol_methods_option
        #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::BaseProtocolMethodsOption]
        #     Optional. If specified, matches on the MCP protocol’s non-access
        #     specific methods namely:
        #     * initialize
        #     * completion/
        #     * logging/
        #     * notifications/
        #     * ping
        #     Defaults to SKIP_BASE_PROTOCOL_METHODS if not specified.
        # @!attribute [rw] methods
        #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::MCPMethod>]
        #     Optional. A list of MCP methods and associated parameters to match
        #     on. It is recommended to use this field to match on tools, prompts
        #     and resource accesses while setting the baseProtocolMethodsOption
        #     to MATCH_BASE_PROTOCOL_METHODS to match on all the other MCP
        #     protocol methods.
        #     Limited to 10 MCP methods per Authorization Policy.
        class MCP
          include ::Google::Protobuf::MessageExts
          extend ::Google::Protobuf::MessageExts::ClassMethods
        end

        # Describes the option to match against the base MCP protocol methods.
        module BaseProtocolMethodsOption
          # Unspecified option. Defaults to SKIP_BASE_PROTOCOL_METHODS.
          BASE_PROTOCOL_METHODS_OPTION_UNSPECIFIED = 0

          # Skip matching on the base MCP protocol methods.
          SKIP_BASE_PROTOCOL_METHODS = 1

          # Match on the base MCP protocol methods.
          MATCH_BASE_PROTOCOL_METHODS = 2
        end
      end
    end
  end

  # Allows delegating authorization decisions to Cloud IAP or to
  # Service Extensions.
  # @!attribute [rw] cloud_iap
  #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::CustomProvider::CloudIap]
  #     Optional. Delegates authorization decisions to Cloud IAP. Applicable
  #     only for managed load balancers. Enabling Cloud IAP at the AuthzPolicy
  #     level is not compatible with Cloud IAP settings in the BackendService.
  #     Enabling IAP in both places will result in request failure. Ensure that
  #     IAP is enabled in either the AuthzPolicy or the BackendService but not in
  #     both places.
  # @!attribute [rw] authz_extension
  #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::CustomProvider::AuthzExtension]
  #     Optional. Delegate authorization decision to user authored Service
  #     Extension. Only one of cloudIap or authzExtension can be specified.
  class CustomProvider
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # Optional. Delegates authorization decisions to Cloud IAP. Applicable
    # only for managed load balancers. Enabling Cloud IAP at the AuthzPolicy
    # level is not compatible with Cloud IAP settings in the BackendService.
    # Enabling IAP in both places will result in request failure. Ensure that
    # IAP is enabled in either the AuthzPolicy or the BackendService but not in
    # both places.
    class CloudIap
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # Optional. Delegate authorization decision to user authored extension.
    # Only one of cloudIap or authzExtension can be specified.
    # @!attribute [rw] resources
    #   @return [::Array<::String>]
    #     Required. A list of references to authorization
    #     extensions that will be invoked for requests matching this policy.
    #     Limited to 1 custom provider.
    class AuthzExtension
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end
  end

  # @!attribute [rw] key
  #   @return [::String]
  # @!attribute [rw] value
  #   @return [::String]
  class LabelsEntry
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # Load balancing schemes supported by the `AuthzPolicy` resource. The valid
  # values are `INTERNAL_MANAGED` and
  # `EXTERNAL_MANAGED`. For more information, refer to [Backend services
  # overview](https://cloud.google.com/load-balancing/docs/backend-service).
  module LoadBalancingScheme
    # Default value. Do not use.
    LOAD_BALANCING_SCHEME_UNSPECIFIED = 0

    # Signifies that this is used for Regional internal or Cross-region
    # internal Application Load Balancing.
    INTERNAL_MANAGED = 1

    # Signifies that this is used for Global external or Regional external
    # Application Load Balancing.
    EXTERNAL_MANAGED = 2

    # Signifies that this is used for Cloud Service Mesh. Meant for use by
    # CSM GKE controller only.
    INTERNAL_SELF_MANAGED = 3
  end

  # The action to be applied to this policy. Valid values are
  # `ALLOW`, `DENY`, `CUSTOM`.
  module AuthzAction
    # Unspecified action.
    AUTHZ_ACTION_UNSPECIFIED = 0

    # Allow request to pass through to the backend.
    ALLOW = 1

    # Deny the request and return a HTTP 404 to the client.
    DENY = 2

    # Delegate the authorization decision to an external authorization engine.
    CUSTOM = 3
  end

  # The type of authorization being performed.
  # New values may be added in the future.
  module PolicyProfile
    # Unspecified policy profile.
    POLICY_PROFILE_UNSPECIFIED = 0

    # Applies to request authorization. `CUSTOM` authorization
    # policies with Authz extensions will be allowed with `EXT_AUTHZ_GRPC` or
    # `EXT_PROC_GRPC` protocols. Extensions are invoked only for request header
    # events.
    REQUEST_AUTHZ = 1

    # Applies to content security, sanitization, etc. Only
    # `CUSTOM` action is allowed in this policy profile. AuthzExtensions in the
    # custom provider must support `EXT_PROC_GRPC` protocol only and be capable
    # of receiving all `EXT_PROC_GRPC` events (REQUEST_HEADERS, REQUEST_BODY,
    # REQUEST_TRAILERS, RESPONSE_HEADERS, RESPONSE_BODY, RESPONSE_TRAILERS)
    # with `FULL_DUPLEX_STREAMED` body send mode.
    CONTENT_AUTHZ = 2
  end
end

#policy_profile::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::PolicyProfile

Returns Optional. Immutable. Defines the type of authorization being performed. If not specified, REQUEST_AUTHZ is applied. This field cannot be changed once AuthzPolicy is created.

Returns:



101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
# File 'proto_docs/google/cloud/networksecurity/v1/authz_policy.rb', line 101

class AuthzPolicy
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Specifies the set of targets to which this policy should be applied to.
  # @!attribute [rw] load_balancing_scheme
  #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::LoadBalancingScheme]
  #     Optional. All gateways and forwarding rules referenced by this policy and
  #     extensions must share the same load balancing scheme. Required only when
  #     targeting forwarding rules. If targeting Secure Web Proxy, this field
  #     must be `INTERNAL_MANAGED` or not specified. Must not be specified
  #     when targeting Agent Gateway. Supported values:
  #     `INTERNAL_MANAGED` and `EXTERNAL_MANAGED`. For more information, refer
  #     to [Backend services
  #     overview](https://cloud.google.com/load-balancing/docs/backend-service).
  # @!attribute [rw] resources
  #   @return [::Array<::String>]
  #     Required. A list of references to the Forwarding Rules, Secure Web Proxy
  #     Gateways, or Agent Gateways on which this policy will be applied.
  class Target
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # Conditions to match against the incoming request.
  # @!attribute [rw] from
  #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::From]
  #     Optional. Describes properties of a source of a request.
  # @!attribute [rw] to
  #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To]
  #     Optional. Describes properties of a target of a request.
  # @!attribute [rw] when
  #   @return [::String]
  #     Optional. CEL expression that describes the conditions to be satisfied
  #     for the action. The result of the CEL expression is ANDed with the from
  #     and to. Refer to the CEL language reference for a list of available
  #     attributes.
  class AuthzRule
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # Determines how a string value should be matched.
    # @!attribute [rw] exact
    #   @return [::String]
    #     The input string must match exactly the string specified here.
    #
    #     Examples:
    #
    #     * ``abc`` only matches the value ``abc``.
    #
    #     Note: The following fields are mutually exclusive: `exact`, `prefix`, `suffix`, `contains`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] prefix
    #   @return [::String]
    #     The input string must have the prefix specified here.
    #     Note: empty prefix is not allowed, please use regex instead.
    #
    #     Examples:
    #
    #     * ``abc`` matches the value ``abc.xyz``
    #
    #     Note: The following fields are mutually exclusive: `prefix`, `exact`, `suffix`, `contains`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] suffix
    #   @return [::String]
    #     The input string must have the suffix specified here.
    #     Note: empty prefix is not allowed, please use regex instead.
    #
    #     Examples:
    #
    #     * ``abc`` matches the value ``xyz.abc``
    #
    #     Note: The following fields are mutually exclusive: `suffix`, `exact`, `prefix`, `contains`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] contains
    #   @return [::String]
    #     The input string must have the substring specified here.
    #     Note: empty contains match is not allowed, please use regex instead.
    #
    #     Examples:
    #
    #     * ``abc`` matches the value ``xyz.abc.def``
    #
    #     Note: The following fields are mutually exclusive: `contains`, `exact`, `prefix`, `suffix`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] ignore_case
    #   @return [::Boolean]
    #     If true, indicates the exact/prefix/suffix/contains matching should be
    #     case insensitive. For example, the matcher ``data`` will match both
    #     input string ``Data`` and ``data`` if set to true.
    class StringMatch
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # Represents a range of IP Addresses.
    # @!attribute [rw] prefix
    #   @return [::String]
    #     Required. The address prefix.
    # @!attribute [rw] length
    #   @return [::Integer]
    #     Required. The length of the address range.
    class IpBlock
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # Describes the properties of a client VM resource accessing the internal
    # application load balancers.
    # @!attribute [rw] tag_value_id_set
    #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::RequestResource::TagValueIdSet]
    #     Optional. A list of resource tag value permanent IDs to match against
    #     the resource manager tags value associated with the source VM of a
    #     request.
    # @!attribute [rw] iam_service_account
    #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch]
    #     Optional. An IAM service account to match against the source
    #     service account of the VM sending the request.
    class RequestResource
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # Describes a set of resource tag value permanent IDs to match against
      # the resource manager tags value associated with the source VM of a
      # request.
      # @!attribute [rw] ids
      #   @return [::Array<::Integer>]
      #     Required. A list of resource tag value permanent IDs to match against
      #     the resource manager tags value associated with the source VM of a
      #     request. The match follows AND semantics which means all
      #     the ids must match. Limited to 5 ids in the Tag value id set.
      class TagValueIdSet
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end
    end

    # Determines how a HTTP header should be matched.
    # @!attribute [rw] name
    #   @return [::String]
    #     Optional. Specifies the name of the header in the request.
    # @!attribute [rw] value
    #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch]
    #     Optional. Specifies how the header match will be performed.
    class HeaderMatch
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # Describes the properties of a principal to be matched against.
    # @!attribute [rw] principal_selector
    #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::Principal::PrincipalSelector]
    #     Optional. An enum to decide what principal value the principal rule
    #     will match against. If not specified, the PrincipalSelector is
    #     CLIENT_CERT_URI_SAN.
    # @!attribute [rw] principal
    #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch]
    #     Required. A non-empty string whose value is matched against the
    #     principal value based on the principal_selector. Only exact match can
    #     be applied for CLIENT_CERT_URI_SAN, CLIENT_CERT_DNS_NAME_SAN,
    #     CLIENT_CERT_COMMON_NAME selectors.
    class Principal
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # The principal value the principal rule will match against.
      module PrincipalSelector
        # Unspecified principal selector. It will be treated as
        # CLIENT_CERT_URI_SAN by default.
        PRINCIPAL_SELECTOR_UNSPECIFIED = 0

        # The principal rule is matched against a list of URI SANs in the
        # validated client's certificate. A match happens when there is any
        # exact URI SAN value match. This is the default principal selector.
        CLIENT_CERT_URI_SAN = 1

        # The principal rule is matched against a list of DNS Name SANs in the
        # validated client's certificate. A match happens when there is any
        # exact DNS Name SAN value match.
        # This is only applicable for Application Load Balancers
        # except for classic Global External Application load balancer.
        # CLIENT_CERT_DNS_NAME_SAN is not supported for INTERNAL_SELF_MANAGED
        # load balancing scheme.
        CLIENT_CERT_DNS_NAME_SAN = 2

        # The principal rule is matched against the common name in the client's
        # certificate. Authorization against multiple common names in the
        # client certificate is not supported. Requests with multiple common
        # names in the client certificate will be rejected if
        # CLIENT_CERT_COMMON_NAME is set as the principal selector. A match
        # happens when there is an exact common name value match.
        # This is only applicable for Application Load Balancers
        # except for global external Application Load Balancer and
        # classic Application Load Balancer.
        # CLIENT_CERT_COMMON_NAME is not supported for INTERNAL_SELF_MANAGED
        # load balancing scheme.
        CLIENT_CERT_COMMON_NAME = 3
      end
    end

    # Describes properties of one or more sources of a request.
    # @!attribute [rw] sources
    #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::From::RequestSource>]
    #     Optional. Describes the properties of a request's sources. At least one
    #     of sources or notSources must be specified. Limited to 1 source.
    #     A match occurs when ANY source (in sources or notSources) matches the
    #     request. Within a single source, the match follows AND semantics
    #     across fields and OR semantics within a single field, i.e. a match
    #     occurs when ANY principal matches AND ANY ipBlocks match.
    # @!attribute [rw] not_sources
    #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::From::RequestSource>]
    #     Optional. Describes the negated properties of request sources. Matches
    #     requests from sources that do not match the criteria specified in this
    #     field. At least one of sources or notSources must be specified.
    class From
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # Describes the properties of a single source.
      # @!attribute [rw] principals
      #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::Principal>]
      #     Optional. A list of identities derived from the client's certificate.
      #     This field will not match on a request unless frontend mutual TLS is
      #     enabled for the forwarding rule or Gateway and the client certificate
      #     has been successfully validated by mTLS.
      #     Each identity is a string whose value is matched against a list of
      #     URI SANs, DNS Name SANs, or the common name in the client's
      #     certificate. A match happens when any principal matches with the
      #     rule. Limited to 50 principals per Authorization Policy for regional
      #     internal Application Load Balancers, regional external Application
      #     Load Balancers, cross-region internal Application Load Balancers, and
      #     Cloud Service Mesh. This field is not supported for global external
      #     Application Load Balancers.
      # @!attribute [rw] ip_blocks
      #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::IpBlock>]
      #     Optional. A list of IP addresses or IP address ranges to match
      #     against the source IP address of the request. Limited to 10 ip_blocks
      #     per Authorization Policy
      # @!attribute [rw] resources
      #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::RequestResource>]
      #     Optional. A list of resources to match against the resource of the
      #     source VM of a request. Limited to 10 resources per Authorization
      #     Policy.
      class RequestSource
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end
    end

    # Describes properties of one or more targets of a request.
    # @!attribute [rw] operations
    #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation>]
    #     Optional. Describes properties of one or more targets of a request. At
    #     least one of operations or notOperations must be specified. Limited to
    #     1 operation. A match occurs when ANY operation (in operations or
    #     notOperations) matches. Within an operation, the match follows AND
    #     semantics across fields and OR semantics within a field, i.e. a match
    #     occurs when ANY path matches AND ANY header matches and ANY method
    #     matches.
    # @!attribute [rw] not_operations
    #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation>]
    #     Optional. Describes the negated properties of the targets of a request.
    #     Matches requests for operations that do not match the criteria
    #     specified in this field. At least one of operations or notOperations
    #     must be specified.
    class To
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # Describes properties of one or more targets of a request.
      # @!attribute [rw] header_set
      #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::HeaderSet]
      #     Optional. A list of headers to match against in http header.
      # @!attribute [rw] hosts
      #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>]
      #     Optional. A list of HTTP Hosts to match against. The match can be one
      #     of exact, prefix, suffix, or contains (substring match). Matches are
      #     always case sensitive unless the ignoreCase is set. Limited to 10
      #     hosts per Authorization Policy.
      # @!attribute [rw] paths
      #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>]
      #     Optional. A list of paths to match against. The match can be one of
      #     exact, prefix, suffix, or contains (substring match). Matches are
      #     always case sensitive unless the ignoreCase is set. Limited to 10
      #     paths per Authorization Policy.
      #     Note that this path match includes the query parameters. For gRPC
      #     services, this should be a fully-qualified name of the form
      #     /package.service/method.
      # @!attribute [rw] methods
      #   @return [::Array<::String>]
      #     Optional. A list of HTTP methods to match against. Each entry must be
      #     a valid HTTP method name (GET, PUT, POST, HEAD, PATCH, DELETE,
      #     OPTIONS). It only allows exact match and is always case sensitive.
      #     Limited to 10 methods per Authorization Policy.
      # @!attribute [rw] mcp
      #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::MCP]
      #     Optional. Defines the MCP protocol attributes to match on. If the MCP
      #     payload in the request body cannot be successfully parsed, the
      #     request will be denied. This field can be set only for AuthzPolicies
      #     targeting AgentGateway resources.
      # @!attribute [rw] snis
      #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>]
      #     Optional. A list of SNIs to match against. The match can be one of
      #     exact, prefix, suffix, or contains (substring match). If there is no
      #     SNI (i.e. plaintext HTTP traffic), the request will be denied.
      #     Matches are always case sensitive unless the ignoreCase is set.
      #     Limited to 10 SNIs per Authorization Policy.
      class RequestOperation
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods

        # Describes a set of HTTP headers to match against.
        # @!attribute [rw] headers
        #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::HeaderMatch>]
        #     Required. A list of headers to match against in http header.
        #     The match can be one of exact, prefix, suffix, or contains
        #     (substring match). The match follows AND semantics which means all
        #     the headers must match. Matches are always case sensitive unless
        #     the ignoreCase is set. Limited to 10 headers per Authorization
        #     Policy.
        class HeaderSet
          include ::Google::Protobuf::MessageExts
          extend ::Google::Protobuf::MessageExts::ClassMethods
        end

        # Describes a set of MCP methods to match against.
        # @!attribute [rw] name
        #   @return [::String]
        #     Required. The MCP method to match against. Allowed values are as
        #     follows:
        #     1. `tools`, `prompts`, `resources` - these will match against all
        #        sub methods under the respective methods.
        #     2. `prompts/list`, `tools/list`, `resources/list`,
        #        `resources/templates/list`
        #     3. `prompts/get`, `tools/call`, `resources/subscribe`,
        #        `resources/unsubscribe`, `resources/read`
        #     Params cannot be specified for categories 1 and 2.
        # @!attribute [rw] params
        #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>]
        #     Optional. A list of MCP method parameters to match against. The
        #     match can be one of exact, prefix, suffix, or contains (substring
        #     match). Matches are always case sensitive unless the ignoreCase is
        #     set. Limited to 10 MCP method parameters per Authorization Policy.
        class MCPMethod
          include ::Google::Protobuf::MessageExts
          extend ::Google::Protobuf::MessageExts::ClassMethods
        end

        # Describes a set of MCP protocol attributes to match against for a
        # given MCP request.
        # @!attribute [rw] base_protocol_methods_option
        #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::BaseProtocolMethodsOption]
        #     Optional. If specified, matches on the MCP protocol’s non-access
        #     specific methods namely:
        #     * initialize
        #     * completion/
        #     * logging/
        #     * notifications/
        #     * ping
        #     Defaults to SKIP_BASE_PROTOCOL_METHODS if not specified.
        # @!attribute [rw] methods
        #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::MCPMethod>]
        #     Optional. A list of MCP methods and associated parameters to match
        #     on. It is recommended to use this field to match on tools, prompts
        #     and resource accesses while setting the baseProtocolMethodsOption
        #     to MATCH_BASE_PROTOCOL_METHODS to match on all the other MCP
        #     protocol methods.
        #     Limited to 10 MCP methods per Authorization Policy.
        class MCP
          include ::Google::Protobuf::MessageExts
          extend ::Google::Protobuf::MessageExts::ClassMethods
        end

        # Describes the option to match against the base MCP protocol methods.
        module BaseProtocolMethodsOption
          # Unspecified option. Defaults to SKIP_BASE_PROTOCOL_METHODS.
          BASE_PROTOCOL_METHODS_OPTION_UNSPECIFIED = 0

          # Skip matching on the base MCP protocol methods.
          SKIP_BASE_PROTOCOL_METHODS = 1

          # Match on the base MCP protocol methods.
          MATCH_BASE_PROTOCOL_METHODS = 2
        end
      end
    end
  end

  # Allows delegating authorization decisions to Cloud IAP or to
  # Service Extensions.
  # @!attribute [rw] cloud_iap
  #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::CustomProvider::CloudIap]
  #     Optional. Delegates authorization decisions to Cloud IAP. Applicable
  #     only for managed load balancers. Enabling Cloud IAP at the AuthzPolicy
  #     level is not compatible with Cloud IAP settings in the BackendService.
  #     Enabling IAP in both places will result in request failure. Ensure that
  #     IAP is enabled in either the AuthzPolicy or the BackendService but not in
  #     both places.
  # @!attribute [rw] authz_extension
  #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::CustomProvider::AuthzExtension]
  #     Optional. Delegate authorization decision to user authored Service
  #     Extension. Only one of cloudIap or authzExtension can be specified.
  class CustomProvider
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # Optional. Delegates authorization decisions to Cloud IAP. Applicable
    # only for managed load balancers. Enabling Cloud IAP at the AuthzPolicy
    # level is not compatible with Cloud IAP settings in the BackendService.
    # Enabling IAP in both places will result in request failure. Ensure that
    # IAP is enabled in either the AuthzPolicy or the BackendService but not in
    # both places.
    class CloudIap
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # Optional. Delegate authorization decision to user authored extension.
    # Only one of cloudIap or authzExtension can be specified.
    # @!attribute [rw] resources
    #   @return [::Array<::String>]
    #     Required. A list of references to authorization
    #     extensions that will be invoked for requests matching this policy.
    #     Limited to 1 custom provider.
    class AuthzExtension
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end
  end

  # @!attribute [rw] key
  #   @return [::String]
  # @!attribute [rw] value
  #   @return [::String]
  class LabelsEntry
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # Load balancing schemes supported by the `AuthzPolicy` resource. The valid
  # values are `INTERNAL_MANAGED` and
  # `EXTERNAL_MANAGED`. For more information, refer to [Backend services
  # overview](https://cloud.google.com/load-balancing/docs/backend-service).
  module LoadBalancingScheme
    # Default value. Do not use.
    LOAD_BALANCING_SCHEME_UNSPECIFIED = 0

    # Signifies that this is used for Regional internal or Cross-region
    # internal Application Load Balancing.
    INTERNAL_MANAGED = 1

    # Signifies that this is used for Global external or Regional external
    # Application Load Balancing.
    EXTERNAL_MANAGED = 2

    # Signifies that this is used for Cloud Service Mesh. Meant for use by
    # CSM GKE controller only.
    INTERNAL_SELF_MANAGED = 3
  end

  # The action to be applied to this policy. Valid values are
  # `ALLOW`, `DENY`, `CUSTOM`.
  module AuthzAction
    # Unspecified action.
    AUTHZ_ACTION_UNSPECIFIED = 0

    # Allow request to pass through to the backend.
    ALLOW = 1

    # Deny the request and return a HTTP 404 to the client.
    DENY = 2

    # Delegate the authorization decision to an external authorization engine.
    CUSTOM = 3
  end

  # The type of authorization being performed.
  # New values may be added in the future.
  module PolicyProfile
    # Unspecified policy profile.
    POLICY_PROFILE_UNSPECIFIED = 0

    # Applies to request authorization. `CUSTOM` authorization
    # policies with Authz extensions will be allowed with `EXT_AUTHZ_GRPC` or
    # `EXT_PROC_GRPC` protocols. Extensions are invoked only for request header
    # events.
    REQUEST_AUTHZ = 1

    # Applies to content security, sanitization, etc. Only
    # `CUSTOM` action is allowed in this policy profile. AuthzExtensions in the
    # custom provider must support `EXT_PROC_GRPC` protocol only and be capable
    # of receiving all `EXT_PROC_GRPC` events (REQUEST_HEADERS, REQUEST_BODY,
    # REQUEST_TRAILERS, RESPONSE_HEADERS, RESPONSE_BODY, RESPONSE_TRAILERS)
    # with `FULL_DUPLEX_STREAMED` body send mode.
    CONTENT_AUTHZ = 2
  end
end

#target::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::Target

Returns Required. Specifies the set of resources to which this policy should be applied to.

Returns:



101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
# File 'proto_docs/google/cloud/networksecurity/v1/authz_policy.rb', line 101

class AuthzPolicy
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Specifies the set of targets to which this policy should be applied to.
  # @!attribute [rw] load_balancing_scheme
  #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::LoadBalancingScheme]
  #     Optional. All gateways and forwarding rules referenced by this policy and
  #     extensions must share the same load balancing scheme. Required only when
  #     targeting forwarding rules. If targeting Secure Web Proxy, this field
  #     must be `INTERNAL_MANAGED` or not specified. Must not be specified
  #     when targeting Agent Gateway. Supported values:
  #     `INTERNAL_MANAGED` and `EXTERNAL_MANAGED`. For more information, refer
  #     to [Backend services
  #     overview](https://cloud.google.com/load-balancing/docs/backend-service).
  # @!attribute [rw] resources
  #   @return [::Array<::String>]
  #     Required. A list of references to the Forwarding Rules, Secure Web Proxy
  #     Gateways, or Agent Gateways on which this policy will be applied.
  class Target
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # Conditions to match against the incoming request.
  # @!attribute [rw] from
  #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::From]
  #     Optional. Describes properties of a source of a request.
  # @!attribute [rw] to
  #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To]
  #     Optional. Describes properties of a target of a request.
  # @!attribute [rw] when
  #   @return [::String]
  #     Optional. CEL expression that describes the conditions to be satisfied
  #     for the action. The result of the CEL expression is ANDed with the from
  #     and to. Refer to the CEL language reference for a list of available
  #     attributes.
  class AuthzRule
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # Determines how a string value should be matched.
    # @!attribute [rw] exact
    #   @return [::String]
    #     The input string must match exactly the string specified here.
    #
    #     Examples:
    #
    #     * ``abc`` only matches the value ``abc``.
    #
    #     Note: The following fields are mutually exclusive: `exact`, `prefix`, `suffix`, `contains`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] prefix
    #   @return [::String]
    #     The input string must have the prefix specified here.
    #     Note: empty prefix is not allowed, please use regex instead.
    #
    #     Examples:
    #
    #     * ``abc`` matches the value ``abc.xyz``
    #
    #     Note: The following fields are mutually exclusive: `prefix`, `exact`, `suffix`, `contains`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] suffix
    #   @return [::String]
    #     The input string must have the suffix specified here.
    #     Note: empty prefix is not allowed, please use regex instead.
    #
    #     Examples:
    #
    #     * ``abc`` matches the value ``xyz.abc``
    #
    #     Note: The following fields are mutually exclusive: `suffix`, `exact`, `prefix`, `contains`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] contains
    #   @return [::String]
    #     The input string must have the substring specified here.
    #     Note: empty contains match is not allowed, please use regex instead.
    #
    #     Examples:
    #
    #     * ``abc`` matches the value ``xyz.abc.def``
    #
    #     Note: The following fields are mutually exclusive: `contains`, `exact`, `prefix`, `suffix`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] ignore_case
    #   @return [::Boolean]
    #     If true, indicates the exact/prefix/suffix/contains matching should be
    #     case insensitive. For example, the matcher ``data`` will match both
    #     input string ``Data`` and ``data`` if set to true.
    class StringMatch
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # Represents a range of IP Addresses.
    # @!attribute [rw] prefix
    #   @return [::String]
    #     Required. The address prefix.
    # @!attribute [rw] length
    #   @return [::Integer]
    #     Required. The length of the address range.
    class IpBlock
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # Describes the properties of a client VM resource accessing the internal
    # application load balancers.
    # @!attribute [rw] tag_value_id_set
    #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::RequestResource::TagValueIdSet]
    #     Optional. A list of resource tag value permanent IDs to match against
    #     the resource manager tags value associated with the source VM of a
    #     request.
    # @!attribute [rw] iam_service_account
    #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch]
    #     Optional. An IAM service account to match against the source
    #     service account of the VM sending the request.
    class RequestResource
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # Describes a set of resource tag value permanent IDs to match against
      # the resource manager tags value associated with the source VM of a
      # request.
      # @!attribute [rw] ids
      #   @return [::Array<::Integer>]
      #     Required. A list of resource tag value permanent IDs to match against
      #     the resource manager tags value associated with the source VM of a
      #     request. The match follows AND semantics which means all
      #     the ids must match. Limited to 5 ids in the Tag value id set.
      class TagValueIdSet
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end
    end

    # Determines how a HTTP header should be matched.
    # @!attribute [rw] name
    #   @return [::String]
    #     Optional. Specifies the name of the header in the request.
    # @!attribute [rw] value
    #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch]
    #     Optional. Specifies how the header match will be performed.
    class HeaderMatch
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # Describes the properties of a principal to be matched against.
    # @!attribute [rw] principal_selector
    #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::Principal::PrincipalSelector]
    #     Optional. An enum to decide what principal value the principal rule
    #     will match against. If not specified, the PrincipalSelector is
    #     CLIENT_CERT_URI_SAN.
    # @!attribute [rw] principal
    #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch]
    #     Required. A non-empty string whose value is matched against the
    #     principal value based on the principal_selector. Only exact match can
    #     be applied for CLIENT_CERT_URI_SAN, CLIENT_CERT_DNS_NAME_SAN,
    #     CLIENT_CERT_COMMON_NAME selectors.
    class Principal
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # The principal value the principal rule will match against.
      module PrincipalSelector
        # Unspecified principal selector. It will be treated as
        # CLIENT_CERT_URI_SAN by default.
        PRINCIPAL_SELECTOR_UNSPECIFIED = 0

        # The principal rule is matched against a list of URI SANs in the
        # validated client's certificate. A match happens when there is any
        # exact URI SAN value match. This is the default principal selector.
        CLIENT_CERT_URI_SAN = 1

        # The principal rule is matched against a list of DNS Name SANs in the
        # validated client's certificate. A match happens when there is any
        # exact DNS Name SAN value match.
        # This is only applicable for Application Load Balancers
        # except for classic Global External Application load balancer.
        # CLIENT_CERT_DNS_NAME_SAN is not supported for INTERNAL_SELF_MANAGED
        # load balancing scheme.
        CLIENT_CERT_DNS_NAME_SAN = 2

        # The principal rule is matched against the common name in the client's
        # certificate. Authorization against multiple common names in the
        # client certificate is not supported. Requests with multiple common
        # names in the client certificate will be rejected if
        # CLIENT_CERT_COMMON_NAME is set as the principal selector. A match
        # happens when there is an exact common name value match.
        # This is only applicable for Application Load Balancers
        # except for global external Application Load Balancer and
        # classic Application Load Balancer.
        # CLIENT_CERT_COMMON_NAME is not supported for INTERNAL_SELF_MANAGED
        # load balancing scheme.
        CLIENT_CERT_COMMON_NAME = 3
      end
    end

    # Describes properties of one or more sources of a request.
    # @!attribute [rw] sources
    #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::From::RequestSource>]
    #     Optional. Describes the properties of a request's sources. At least one
    #     of sources or notSources must be specified. Limited to 1 source.
    #     A match occurs when ANY source (in sources or notSources) matches the
    #     request. Within a single source, the match follows AND semantics
    #     across fields and OR semantics within a single field, i.e. a match
    #     occurs when ANY principal matches AND ANY ipBlocks match.
    # @!attribute [rw] not_sources
    #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::From::RequestSource>]
    #     Optional. Describes the negated properties of request sources. Matches
    #     requests from sources that do not match the criteria specified in this
    #     field. At least one of sources or notSources must be specified.
    class From
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # Describes the properties of a single source.
      # @!attribute [rw] principals
      #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::Principal>]
      #     Optional. A list of identities derived from the client's certificate.
      #     This field will not match on a request unless frontend mutual TLS is
      #     enabled for the forwarding rule or Gateway and the client certificate
      #     has been successfully validated by mTLS.
      #     Each identity is a string whose value is matched against a list of
      #     URI SANs, DNS Name SANs, or the common name in the client's
      #     certificate. A match happens when any principal matches with the
      #     rule. Limited to 50 principals per Authorization Policy for regional
      #     internal Application Load Balancers, regional external Application
      #     Load Balancers, cross-region internal Application Load Balancers, and
      #     Cloud Service Mesh. This field is not supported for global external
      #     Application Load Balancers.
      # @!attribute [rw] ip_blocks
      #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::IpBlock>]
      #     Optional. A list of IP addresses or IP address ranges to match
      #     against the source IP address of the request. Limited to 10 ip_blocks
      #     per Authorization Policy
      # @!attribute [rw] resources
      #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::RequestResource>]
      #     Optional. A list of resources to match against the resource of the
      #     source VM of a request. Limited to 10 resources per Authorization
      #     Policy.
      class RequestSource
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end
    end

    # Describes properties of one or more targets of a request.
    # @!attribute [rw] operations
    #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation>]
    #     Optional. Describes properties of one or more targets of a request. At
    #     least one of operations or notOperations must be specified. Limited to
    #     1 operation. A match occurs when ANY operation (in operations or
    #     notOperations) matches. Within an operation, the match follows AND
    #     semantics across fields and OR semantics within a field, i.e. a match
    #     occurs when ANY path matches AND ANY header matches and ANY method
    #     matches.
    # @!attribute [rw] not_operations
    #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation>]
    #     Optional. Describes the negated properties of the targets of a request.
    #     Matches requests for operations that do not match the criteria
    #     specified in this field. At least one of operations or notOperations
    #     must be specified.
    class To
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # Describes properties of one or more targets of a request.
      # @!attribute [rw] header_set
      #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::HeaderSet]
      #     Optional. A list of headers to match against in http header.
      # @!attribute [rw] hosts
      #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>]
      #     Optional. A list of HTTP Hosts to match against. The match can be one
      #     of exact, prefix, suffix, or contains (substring match). Matches are
      #     always case sensitive unless the ignoreCase is set. Limited to 10
      #     hosts per Authorization Policy.
      # @!attribute [rw] paths
      #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>]
      #     Optional. A list of paths to match against. The match can be one of
      #     exact, prefix, suffix, or contains (substring match). Matches are
      #     always case sensitive unless the ignoreCase is set. Limited to 10
      #     paths per Authorization Policy.
      #     Note that this path match includes the query parameters. For gRPC
      #     services, this should be a fully-qualified name of the form
      #     /package.service/method.
      # @!attribute [rw] methods
      #   @return [::Array<::String>]
      #     Optional. A list of HTTP methods to match against. Each entry must be
      #     a valid HTTP method name (GET, PUT, POST, HEAD, PATCH, DELETE,
      #     OPTIONS). It only allows exact match and is always case sensitive.
      #     Limited to 10 methods per Authorization Policy.
      # @!attribute [rw] mcp
      #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::MCP]
      #     Optional. Defines the MCP protocol attributes to match on. If the MCP
      #     payload in the request body cannot be successfully parsed, the
      #     request will be denied. This field can be set only for AuthzPolicies
      #     targeting AgentGateway resources.
      # @!attribute [rw] snis
      #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>]
      #     Optional. A list of SNIs to match against. The match can be one of
      #     exact, prefix, suffix, or contains (substring match). If there is no
      #     SNI (i.e. plaintext HTTP traffic), the request will be denied.
      #     Matches are always case sensitive unless the ignoreCase is set.
      #     Limited to 10 SNIs per Authorization Policy.
      class RequestOperation
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods

        # Describes a set of HTTP headers to match against.
        # @!attribute [rw] headers
        #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::HeaderMatch>]
        #     Required. A list of headers to match against in http header.
        #     The match can be one of exact, prefix, suffix, or contains
        #     (substring match). The match follows AND semantics which means all
        #     the headers must match. Matches are always case sensitive unless
        #     the ignoreCase is set. Limited to 10 headers per Authorization
        #     Policy.
        class HeaderSet
          include ::Google::Protobuf::MessageExts
          extend ::Google::Protobuf::MessageExts::ClassMethods
        end

        # Describes a set of MCP methods to match against.
        # @!attribute [rw] name
        #   @return [::String]
        #     Required. The MCP method to match against. Allowed values are as
        #     follows:
        #     1. `tools`, `prompts`, `resources` - these will match against all
        #        sub methods under the respective methods.
        #     2. `prompts/list`, `tools/list`, `resources/list`,
        #        `resources/templates/list`
        #     3. `prompts/get`, `tools/call`, `resources/subscribe`,
        #        `resources/unsubscribe`, `resources/read`
        #     Params cannot be specified for categories 1 and 2.
        # @!attribute [rw] params
        #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>]
        #     Optional. A list of MCP method parameters to match against. The
        #     match can be one of exact, prefix, suffix, or contains (substring
        #     match). Matches are always case sensitive unless the ignoreCase is
        #     set. Limited to 10 MCP method parameters per Authorization Policy.
        class MCPMethod
          include ::Google::Protobuf::MessageExts
          extend ::Google::Protobuf::MessageExts::ClassMethods
        end

        # Describes a set of MCP protocol attributes to match against for a
        # given MCP request.
        # @!attribute [rw] base_protocol_methods_option
        #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::BaseProtocolMethodsOption]
        #     Optional. If specified, matches on the MCP protocol’s non-access
        #     specific methods namely:
        #     * initialize
        #     * completion/
        #     * logging/
        #     * notifications/
        #     * ping
        #     Defaults to SKIP_BASE_PROTOCOL_METHODS if not specified.
        # @!attribute [rw] methods
        #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::MCPMethod>]
        #     Optional. A list of MCP methods and associated parameters to match
        #     on. It is recommended to use this field to match on tools, prompts
        #     and resource accesses while setting the baseProtocolMethodsOption
        #     to MATCH_BASE_PROTOCOL_METHODS to match on all the other MCP
        #     protocol methods.
        #     Limited to 10 MCP methods per Authorization Policy.
        class MCP
          include ::Google::Protobuf::MessageExts
          extend ::Google::Protobuf::MessageExts::ClassMethods
        end

        # Describes the option to match against the base MCP protocol methods.
        module BaseProtocolMethodsOption
          # Unspecified option. Defaults to SKIP_BASE_PROTOCOL_METHODS.
          BASE_PROTOCOL_METHODS_OPTION_UNSPECIFIED = 0

          # Skip matching on the base MCP protocol methods.
          SKIP_BASE_PROTOCOL_METHODS = 1

          # Match on the base MCP protocol methods.
          MATCH_BASE_PROTOCOL_METHODS = 2
        end
      end
    end
  end

  # Allows delegating authorization decisions to Cloud IAP or to
  # Service Extensions.
  # @!attribute [rw] cloud_iap
  #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::CustomProvider::CloudIap]
  #     Optional. Delegates authorization decisions to Cloud IAP. Applicable
  #     only for managed load balancers. Enabling Cloud IAP at the AuthzPolicy
  #     level is not compatible with Cloud IAP settings in the BackendService.
  #     Enabling IAP in both places will result in request failure. Ensure that
  #     IAP is enabled in either the AuthzPolicy or the BackendService but not in
  #     both places.
  # @!attribute [rw] authz_extension
  #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::CustomProvider::AuthzExtension]
  #     Optional. Delegate authorization decision to user authored Service
  #     Extension. Only one of cloudIap or authzExtension can be specified.
  class CustomProvider
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # Optional. Delegates authorization decisions to Cloud IAP. Applicable
    # only for managed load balancers. Enabling Cloud IAP at the AuthzPolicy
    # level is not compatible with Cloud IAP settings in the BackendService.
    # Enabling IAP in both places will result in request failure. Ensure that
    # IAP is enabled in either the AuthzPolicy or the BackendService but not in
    # both places.
    class CloudIap
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # Optional. Delegate authorization decision to user authored extension.
    # Only one of cloudIap or authzExtension can be specified.
    # @!attribute [rw] resources
    #   @return [::Array<::String>]
    #     Required. A list of references to authorization
    #     extensions that will be invoked for requests matching this policy.
    #     Limited to 1 custom provider.
    class AuthzExtension
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end
  end

  # @!attribute [rw] key
  #   @return [::String]
  # @!attribute [rw] value
  #   @return [::String]
  class LabelsEntry
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # Load balancing schemes supported by the `AuthzPolicy` resource. The valid
  # values are `INTERNAL_MANAGED` and
  # `EXTERNAL_MANAGED`. For more information, refer to [Backend services
  # overview](https://cloud.google.com/load-balancing/docs/backend-service).
  module LoadBalancingScheme
    # Default value. Do not use.
    LOAD_BALANCING_SCHEME_UNSPECIFIED = 0

    # Signifies that this is used for Regional internal or Cross-region
    # internal Application Load Balancing.
    INTERNAL_MANAGED = 1

    # Signifies that this is used for Global external or Regional external
    # Application Load Balancing.
    EXTERNAL_MANAGED = 2

    # Signifies that this is used for Cloud Service Mesh. Meant for use by
    # CSM GKE controller only.
    INTERNAL_SELF_MANAGED = 3
  end

  # The action to be applied to this policy. Valid values are
  # `ALLOW`, `DENY`, `CUSTOM`.
  module AuthzAction
    # Unspecified action.
    AUTHZ_ACTION_UNSPECIFIED = 0

    # Allow request to pass through to the backend.
    ALLOW = 1

    # Deny the request and return a HTTP 404 to the client.
    DENY = 2

    # Delegate the authorization decision to an external authorization engine.
    CUSTOM = 3
  end

  # The type of authorization being performed.
  # New values may be added in the future.
  module PolicyProfile
    # Unspecified policy profile.
    POLICY_PROFILE_UNSPECIFIED = 0

    # Applies to request authorization. `CUSTOM` authorization
    # policies with Authz extensions will be allowed with `EXT_AUTHZ_GRPC` or
    # `EXT_PROC_GRPC` protocols. Extensions are invoked only for request header
    # events.
    REQUEST_AUTHZ = 1

    # Applies to content security, sanitization, etc. Only
    # `CUSTOM` action is allowed in this policy profile. AuthzExtensions in the
    # custom provider must support `EXT_PROC_GRPC` protocol only and be capable
    # of receiving all `EXT_PROC_GRPC` events (REQUEST_HEADERS, REQUEST_BODY,
    # REQUEST_TRAILERS, RESPONSE_HEADERS, RESPONSE_BODY, RESPONSE_TRAILERS)
    # with `FULL_DUPLEX_STREAMED` body send mode.
    CONTENT_AUTHZ = 2
  end
end

#update_time::Google::Protobuf::Timestamp (readonly)

Returns Output only. The timestamp when the resource was updated.

Returns:



101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
# File 'proto_docs/google/cloud/networksecurity/v1/authz_policy.rb', line 101

class AuthzPolicy
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Specifies the set of targets to which this policy should be applied to.
  # @!attribute [rw] load_balancing_scheme
  #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::LoadBalancingScheme]
  #     Optional. All gateways and forwarding rules referenced by this policy and
  #     extensions must share the same load balancing scheme. Required only when
  #     targeting forwarding rules. If targeting Secure Web Proxy, this field
  #     must be `INTERNAL_MANAGED` or not specified. Must not be specified
  #     when targeting Agent Gateway. Supported values:
  #     `INTERNAL_MANAGED` and `EXTERNAL_MANAGED`. For more information, refer
  #     to [Backend services
  #     overview](https://cloud.google.com/load-balancing/docs/backend-service).
  # @!attribute [rw] resources
  #   @return [::Array<::String>]
  #     Required. A list of references to the Forwarding Rules, Secure Web Proxy
  #     Gateways, or Agent Gateways on which this policy will be applied.
  class Target
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # Conditions to match against the incoming request.
  # @!attribute [rw] from
  #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::From]
  #     Optional. Describes properties of a source of a request.
  # @!attribute [rw] to
  #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To]
  #     Optional. Describes properties of a target of a request.
  # @!attribute [rw] when
  #   @return [::String]
  #     Optional. CEL expression that describes the conditions to be satisfied
  #     for the action. The result of the CEL expression is ANDed with the from
  #     and to. Refer to the CEL language reference for a list of available
  #     attributes.
  class AuthzRule
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # Determines how a string value should be matched.
    # @!attribute [rw] exact
    #   @return [::String]
    #     The input string must match exactly the string specified here.
    #
    #     Examples:
    #
    #     * ``abc`` only matches the value ``abc``.
    #
    #     Note: The following fields are mutually exclusive: `exact`, `prefix`, `suffix`, `contains`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] prefix
    #   @return [::String]
    #     The input string must have the prefix specified here.
    #     Note: empty prefix is not allowed, please use regex instead.
    #
    #     Examples:
    #
    #     * ``abc`` matches the value ``abc.xyz``
    #
    #     Note: The following fields are mutually exclusive: `prefix`, `exact`, `suffix`, `contains`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] suffix
    #   @return [::String]
    #     The input string must have the suffix specified here.
    #     Note: empty prefix is not allowed, please use regex instead.
    #
    #     Examples:
    #
    #     * ``abc`` matches the value ``xyz.abc``
    #
    #     Note: The following fields are mutually exclusive: `suffix`, `exact`, `prefix`, `contains`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] contains
    #   @return [::String]
    #     The input string must have the substring specified here.
    #     Note: empty contains match is not allowed, please use regex instead.
    #
    #     Examples:
    #
    #     * ``abc`` matches the value ``xyz.abc.def``
    #
    #     Note: The following fields are mutually exclusive: `contains`, `exact`, `prefix`, `suffix`. If a field in that set is populated, all other fields in the set will automatically be cleared.
    # @!attribute [rw] ignore_case
    #   @return [::Boolean]
    #     If true, indicates the exact/prefix/suffix/contains matching should be
    #     case insensitive. For example, the matcher ``data`` will match both
    #     input string ``Data`` and ``data`` if set to true.
    class StringMatch
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # Represents a range of IP Addresses.
    # @!attribute [rw] prefix
    #   @return [::String]
    #     Required. The address prefix.
    # @!attribute [rw] length
    #   @return [::Integer]
    #     Required. The length of the address range.
    class IpBlock
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # Describes the properties of a client VM resource accessing the internal
    # application load balancers.
    # @!attribute [rw] tag_value_id_set
    #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::RequestResource::TagValueIdSet]
    #     Optional. A list of resource tag value permanent IDs to match against
    #     the resource manager tags value associated with the source VM of a
    #     request.
    # @!attribute [rw] iam_service_account
    #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch]
    #     Optional. An IAM service account to match against the source
    #     service account of the VM sending the request.
    class RequestResource
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # Describes a set of resource tag value permanent IDs to match against
      # the resource manager tags value associated with the source VM of a
      # request.
      # @!attribute [rw] ids
      #   @return [::Array<::Integer>]
      #     Required. A list of resource tag value permanent IDs to match against
      #     the resource manager tags value associated with the source VM of a
      #     request. The match follows AND semantics which means all
      #     the ids must match. Limited to 5 ids in the Tag value id set.
      class TagValueIdSet
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end
    end

    # Determines how a HTTP header should be matched.
    # @!attribute [rw] name
    #   @return [::String]
    #     Optional. Specifies the name of the header in the request.
    # @!attribute [rw] value
    #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch]
    #     Optional. Specifies how the header match will be performed.
    class HeaderMatch
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # Describes the properties of a principal to be matched against.
    # @!attribute [rw] principal_selector
    #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::Principal::PrincipalSelector]
    #     Optional. An enum to decide what principal value the principal rule
    #     will match against. If not specified, the PrincipalSelector is
    #     CLIENT_CERT_URI_SAN.
    # @!attribute [rw] principal
    #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch]
    #     Required. A non-empty string whose value is matched against the
    #     principal value based on the principal_selector. Only exact match can
    #     be applied for CLIENT_CERT_URI_SAN, CLIENT_CERT_DNS_NAME_SAN,
    #     CLIENT_CERT_COMMON_NAME selectors.
    class Principal
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # The principal value the principal rule will match against.
      module PrincipalSelector
        # Unspecified principal selector. It will be treated as
        # CLIENT_CERT_URI_SAN by default.
        PRINCIPAL_SELECTOR_UNSPECIFIED = 0

        # The principal rule is matched against a list of URI SANs in the
        # validated client's certificate. A match happens when there is any
        # exact URI SAN value match. This is the default principal selector.
        CLIENT_CERT_URI_SAN = 1

        # The principal rule is matched against a list of DNS Name SANs in the
        # validated client's certificate. A match happens when there is any
        # exact DNS Name SAN value match.
        # This is only applicable for Application Load Balancers
        # except for classic Global External Application load balancer.
        # CLIENT_CERT_DNS_NAME_SAN is not supported for INTERNAL_SELF_MANAGED
        # load balancing scheme.
        CLIENT_CERT_DNS_NAME_SAN = 2

        # The principal rule is matched against the common name in the client's
        # certificate. Authorization against multiple common names in the
        # client certificate is not supported. Requests with multiple common
        # names in the client certificate will be rejected if
        # CLIENT_CERT_COMMON_NAME is set as the principal selector. A match
        # happens when there is an exact common name value match.
        # This is only applicable for Application Load Balancers
        # except for global external Application Load Balancer and
        # classic Application Load Balancer.
        # CLIENT_CERT_COMMON_NAME is not supported for INTERNAL_SELF_MANAGED
        # load balancing scheme.
        CLIENT_CERT_COMMON_NAME = 3
      end
    end

    # Describes properties of one or more sources of a request.
    # @!attribute [rw] sources
    #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::From::RequestSource>]
    #     Optional. Describes the properties of a request's sources. At least one
    #     of sources or notSources must be specified. Limited to 1 source.
    #     A match occurs when ANY source (in sources or notSources) matches the
    #     request. Within a single source, the match follows AND semantics
    #     across fields and OR semantics within a single field, i.e. a match
    #     occurs when ANY principal matches AND ANY ipBlocks match.
    # @!attribute [rw] not_sources
    #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::From::RequestSource>]
    #     Optional. Describes the negated properties of request sources. Matches
    #     requests from sources that do not match the criteria specified in this
    #     field. At least one of sources or notSources must be specified.
    class From
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # Describes the properties of a single source.
      # @!attribute [rw] principals
      #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::Principal>]
      #     Optional. A list of identities derived from the client's certificate.
      #     This field will not match on a request unless frontend mutual TLS is
      #     enabled for the forwarding rule or Gateway and the client certificate
      #     has been successfully validated by mTLS.
      #     Each identity is a string whose value is matched against a list of
      #     URI SANs, DNS Name SANs, or the common name in the client's
      #     certificate. A match happens when any principal matches with the
      #     rule. Limited to 50 principals per Authorization Policy for regional
      #     internal Application Load Balancers, regional external Application
      #     Load Balancers, cross-region internal Application Load Balancers, and
      #     Cloud Service Mesh. This field is not supported for global external
      #     Application Load Balancers.
      # @!attribute [rw] ip_blocks
      #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::IpBlock>]
      #     Optional. A list of IP addresses or IP address ranges to match
      #     against the source IP address of the request. Limited to 10 ip_blocks
      #     per Authorization Policy
      # @!attribute [rw] resources
      #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::RequestResource>]
      #     Optional. A list of resources to match against the resource of the
      #     source VM of a request. Limited to 10 resources per Authorization
      #     Policy.
      class RequestSource
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end
    end

    # Describes properties of one or more targets of a request.
    # @!attribute [rw] operations
    #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation>]
    #     Optional. Describes properties of one or more targets of a request. At
    #     least one of operations or notOperations must be specified. Limited to
    #     1 operation. A match occurs when ANY operation (in operations or
    #     notOperations) matches. Within an operation, the match follows AND
    #     semantics across fields and OR semantics within a field, i.e. a match
    #     occurs when ANY path matches AND ANY header matches and ANY method
    #     matches.
    # @!attribute [rw] not_operations
    #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation>]
    #     Optional. Describes the negated properties of the targets of a request.
    #     Matches requests for operations that do not match the criteria
    #     specified in this field. At least one of operations or notOperations
    #     must be specified.
    class To
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # Describes properties of one or more targets of a request.
      # @!attribute [rw] header_set
      #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::HeaderSet]
      #     Optional. A list of headers to match against in http header.
      # @!attribute [rw] hosts
      #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>]
      #     Optional. A list of HTTP Hosts to match against. The match can be one
      #     of exact, prefix, suffix, or contains (substring match). Matches are
      #     always case sensitive unless the ignoreCase is set. Limited to 10
      #     hosts per Authorization Policy.
      # @!attribute [rw] paths
      #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>]
      #     Optional. A list of paths to match against. The match can be one of
      #     exact, prefix, suffix, or contains (substring match). Matches are
      #     always case sensitive unless the ignoreCase is set. Limited to 10
      #     paths per Authorization Policy.
      #     Note that this path match includes the query parameters. For gRPC
      #     services, this should be a fully-qualified name of the form
      #     /package.service/method.
      # @!attribute [rw] methods
      #   @return [::Array<::String>]
      #     Optional. A list of HTTP methods to match against. Each entry must be
      #     a valid HTTP method name (GET, PUT, POST, HEAD, PATCH, DELETE,
      #     OPTIONS). It only allows exact match and is always case sensitive.
      #     Limited to 10 methods per Authorization Policy.
      # @!attribute [rw] mcp
      #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::MCP]
      #     Optional. Defines the MCP protocol attributes to match on. If the MCP
      #     payload in the request body cannot be successfully parsed, the
      #     request will be denied. This field can be set only for AuthzPolicies
      #     targeting AgentGateway resources.
      # @!attribute [rw] snis
      #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>]
      #     Optional. A list of SNIs to match against. The match can be one of
      #     exact, prefix, suffix, or contains (substring match). If there is no
      #     SNI (i.e. plaintext HTTP traffic), the request will be denied.
      #     Matches are always case sensitive unless the ignoreCase is set.
      #     Limited to 10 SNIs per Authorization Policy.
      class RequestOperation
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods

        # Describes a set of HTTP headers to match against.
        # @!attribute [rw] headers
        #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::HeaderMatch>]
        #     Required. A list of headers to match against in http header.
        #     The match can be one of exact, prefix, suffix, or contains
        #     (substring match). The match follows AND semantics which means all
        #     the headers must match. Matches are always case sensitive unless
        #     the ignoreCase is set. Limited to 10 headers per Authorization
        #     Policy.
        class HeaderSet
          include ::Google::Protobuf::MessageExts
          extend ::Google::Protobuf::MessageExts::ClassMethods
        end

        # Describes a set of MCP methods to match against.
        # @!attribute [rw] name
        #   @return [::String]
        #     Required. The MCP method to match against. Allowed values are as
        #     follows:
        #     1. `tools`, `prompts`, `resources` - these will match against all
        #        sub methods under the respective methods.
        #     2. `prompts/list`, `tools/list`, `resources/list`,
        #        `resources/templates/list`
        #     3. `prompts/get`, `tools/call`, `resources/subscribe`,
        #        `resources/unsubscribe`, `resources/read`
        #     Params cannot be specified for categories 1 and 2.
        # @!attribute [rw] params
        #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>]
        #     Optional. A list of MCP method parameters to match against. The
        #     match can be one of exact, prefix, suffix, or contains (substring
        #     match). Matches are always case sensitive unless the ignoreCase is
        #     set. Limited to 10 MCP method parameters per Authorization Policy.
        class MCPMethod
          include ::Google::Protobuf::MessageExts
          extend ::Google::Protobuf::MessageExts::ClassMethods
        end

        # Describes a set of MCP protocol attributes to match against for a
        # given MCP request.
        # @!attribute [rw] base_protocol_methods_option
        #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::BaseProtocolMethodsOption]
        #     Optional. If specified, matches on the MCP protocol’s non-access
        #     specific methods namely:
        #     * initialize
        #     * completion/
        #     * logging/
        #     * notifications/
        #     * ping
        #     Defaults to SKIP_BASE_PROTOCOL_METHODS if not specified.
        # @!attribute [rw] methods
        #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::MCPMethod>]
        #     Optional. A list of MCP methods and associated parameters to match
        #     on. It is recommended to use this field to match on tools, prompts
        #     and resource accesses while setting the baseProtocolMethodsOption
        #     to MATCH_BASE_PROTOCOL_METHODS to match on all the other MCP
        #     protocol methods.
        #     Limited to 10 MCP methods per Authorization Policy.
        class MCP
          include ::Google::Protobuf::MessageExts
          extend ::Google::Protobuf::MessageExts::ClassMethods
        end

        # Describes the option to match against the base MCP protocol methods.
        module BaseProtocolMethodsOption
          # Unspecified option. Defaults to SKIP_BASE_PROTOCOL_METHODS.
          BASE_PROTOCOL_METHODS_OPTION_UNSPECIFIED = 0

          # Skip matching on the base MCP protocol methods.
          SKIP_BASE_PROTOCOL_METHODS = 1

          # Match on the base MCP protocol methods.
          MATCH_BASE_PROTOCOL_METHODS = 2
        end
      end
    end
  end

  # Allows delegating authorization decisions to Cloud IAP or to
  # Service Extensions.
  # @!attribute [rw] cloud_iap
  #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::CustomProvider::CloudIap]
  #     Optional. Delegates authorization decisions to Cloud IAP. Applicable
  #     only for managed load balancers. Enabling Cloud IAP at the AuthzPolicy
  #     level is not compatible with Cloud IAP settings in the BackendService.
  #     Enabling IAP in both places will result in request failure. Ensure that
  #     IAP is enabled in either the AuthzPolicy or the BackendService but not in
  #     both places.
  # @!attribute [rw] authz_extension
  #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::CustomProvider::AuthzExtension]
  #     Optional. Delegate authorization decision to user authored Service
  #     Extension. Only one of cloudIap or authzExtension can be specified.
  class CustomProvider
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # Optional. Delegates authorization decisions to Cloud IAP. Applicable
    # only for managed load balancers. Enabling Cloud IAP at the AuthzPolicy
    # level is not compatible with Cloud IAP settings in the BackendService.
    # Enabling IAP in both places will result in request failure. Ensure that
    # IAP is enabled in either the AuthzPolicy or the BackendService but not in
    # both places.
    class CloudIap
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # Optional. Delegate authorization decision to user authored extension.
    # Only one of cloudIap or authzExtension can be specified.
    # @!attribute [rw] resources
    #   @return [::Array<::String>]
    #     Required. A list of references to authorization
    #     extensions that will be invoked for requests matching this policy.
    #     Limited to 1 custom provider.
    class AuthzExtension
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end
  end

  # @!attribute [rw] key
  #   @return [::String]
  # @!attribute [rw] value
  #   @return [::String]
  class LabelsEntry
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # Load balancing schemes supported by the `AuthzPolicy` resource. The valid
  # values are `INTERNAL_MANAGED` and
  # `EXTERNAL_MANAGED`. For more information, refer to [Backend services
  # overview](https://cloud.google.com/load-balancing/docs/backend-service).
  module LoadBalancingScheme
    # Default value. Do not use.
    LOAD_BALANCING_SCHEME_UNSPECIFIED = 0

    # Signifies that this is used for Regional internal or Cross-region
    # internal Application Load Balancing.
    INTERNAL_MANAGED = 1

    # Signifies that this is used for Global external or Regional external
    # Application Load Balancing.
    EXTERNAL_MANAGED = 2

    # Signifies that this is used for Cloud Service Mesh. Meant for use by
    # CSM GKE controller only.
    INTERNAL_SELF_MANAGED = 3
  end

  # The action to be applied to this policy. Valid values are
  # `ALLOW`, `DENY`, `CUSTOM`.
  module AuthzAction
    # Unspecified action.
    AUTHZ_ACTION_UNSPECIFIED = 0

    # Allow request to pass through to the backend.
    ALLOW = 1

    # Deny the request and return a HTTP 404 to the client.
    DENY = 2

    # Delegate the authorization decision to an external authorization engine.
    CUSTOM = 3
  end

  # The type of authorization being performed.
  # New values may be added in the future.
  module PolicyProfile
    # Unspecified policy profile.
    POLICY_PROFILE_UNSPECIFIED = 0

    # Applies to request authorization. `CUSTOM` authorization
    # policies with Authz extensions will be allowed with `EXT_AUTHZ_GRPC` or
    # `EXT_PROC_GRPC` protocols. Extensions are invoked only for request header
    # events.
    REQUEST_AUTHZ = 1

    # Applies to content security, sanitization, etc. Only
    # `CUSTOM` action is allowed in this policy profile. AuthzExtensions in the
    # custom provider must support `EXT_PROC_GRPC` protocol only and be capable
    # of receiving all `EXT_PROC_GRPC` events (REQUEST_HEADERS, REQUEST_BODY,
    # REQUEST_TRAILERS, RESPONSE_HEADERS, RESPONSE_BODY, RESPONSE_TRAILERS)
    # with `FULL_DUPLEX_STREAMED` body send mode.
    CONTENT_AUTHZ = 2
  end
end