Class: Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule
- Inherits:
-
Object
- Object
- Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule
- Extended by:
- Protobuf::MessageExts::ClassMethods
- Includes:
- Protobuf::MessageExts
- Defined in:
- proto_docs/google/cloud/networksecurity/v1/authz_policy.rb
Overview
Conditions to match against the incoming request.
Defined Under Namespace
Classes: From, HeaderMatch, IpBlock, Principal, RequestResource, StringMatch, To
Instance Attribute Summary collapse
-
#from ⇒ ::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::From
Optional.
-
#to ⇒ ::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To
Optional.
-
#when ⇒ ::String
Optional.
Instance Attribute Details
#from ⇒ ::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::From
Returns Optional. Describes properties of a source of a request.
138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 |
# File 'proto_docs/google/cloud/networksecurity/v1/authz_policy.rb', line 138 class AuthzRule include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Determines how a string value should be matched. # @!attribute [rw] exact # @return [::String] # The input string must match exactly the string specified here. # # Examples: # # * ``abc`` only matches the value ``abc``. # # Note: The following fields are mutually exclusive: `exact`, `prefix`, `suffix`, `contains`. If a field in that set is populated, all other fields in the set will automatically be cleared. # @!attribute [rw] prefix # @return [::String] # The input string must have the prefix specified here. # Note: empty prefix is not allowed, please use regex instead. # # Examples: # # * ``abc`` matches the value ``abc.xyz`` # # Note: The following fields are mutually exclusive: `prefix`, `exact`, `suffix`, `contains`. If a field in that set is populated, all other fields in the set will automatically be cleared. # @!attribute [rw] suffix # @return [::String] # The input string must have the suffix specified here. # Note: empty prefix is not allowed, please use regex instead. # # Examples: # # * ``abc`` matches the value ``xyz.abc`` # # Note: The following fields are mutually exclusive: `suffix`, `exact`, `prefix`, `contains`. If a field in that set is populated, all other fields in the set will automatically be cleared. # @!attribute [rw] contains # @return [::String] # The input string must have the substring specified here. # Note: empty contains match is not allowed, please use regex instead. # # Examples: # # * ``abc`` matches the value ``xyz.abc.def`` # # Note: The following fields are mutually exclusive: `contains`, `exact`, `prefix`, `suffix`. If a field in that set is populated, all other fields in the set will automatically be cleared. # @!attribute [rw] ignore_case # @return [::Boolean] # If true, indicates the exact/prefix/suffix/contains matching should be # case insensitive. For example, the matcher ``data`` will match both # input string ``Data`` and ``data`` if set to true. class StringMatch include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Represents a range of IP Addresses. # @!attribute [rw] prefix # @return [::String] # Required. The address prefix. # @!attribute [rw] length # @return [::Integer] # Required. The length of the address range. class IpBlock include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Describes the properties of a client VM resource accessing the internal # application load balancers. # @!attribute [rw] tag_value_id_set # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::RequestResource::TagValueIdSet] # Optional. A list of resource tag value permanent IDs to match against # the resource manager tags value associated with the source VM of a # request. # @!attribute [rw] iam_service_account # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch] # Optional. An IAM service account to match against the source # service account of the VM sending the request. class RequestResource include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Describes a set of resource tag value permanent IDs to match against # the resource manager tags value associated with the source VM of a # request. # @!attribute [rw] ids # @return [::Array<::Integer>] # Required. A list of resource tag value permanent IDs to match against # the resource manager tags value associated with the source VM of a # request. The match follows AND semantics which means all # the ids must match. Limited to 5 ids in the Tag value id set. class TagValueIdSet include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end end # Determines how a HTTP header should be matched. # @!attribute [rw] name # @return [::String] # Optional. Specifies the name of the header in the request. # @!attribute [rw] value # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch] # Optional. Specifies how the header match will be performed. class HeaderMatch include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Describes the properties of a principal to be matched against. # @!attribute [rw] principal_selector # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::Principal::PrincipalSelector] # Optional. An enum to decide what principal value the principal rule # will match against. If not specified, the PrincipalSelector is # CLIENT_CERT_URI_SAN. # @!attribute [rw] principal # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch] # Required. A non-empty string whose value is matched against the # principal value based on the principal_selector. Only exact match can # be applied for CLIENT_CERT_URI_SAN, CLIENT_CERT_DNS_NAME_SAN, # CLIENT_CERT_COMMON_NAME selectors. class Principal include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # The principal value the principal rule will match against. module PrincipalSelector # Unspecified principal selector. It will be treated as # CLIENT_CERT_URI_SAN by default. PRINCIPAL_SELECTOR_UNSPECIFIED = 0 # The principal rule is matched against a list of URI SANs in the # validated client's certificate. A match happens when there is any # exact URI SAN value match. This is the default principal selector. CLIENT_CERT_URI_SAN = 1 # The principal rule is matched against a list of DNS Name SANs in the # validated client's certificate. A match happens when there is any # exact DNS Name SAN value match. # This is only applicable for Application Load Balancers # except for classic Global External Application load balancer. # CLIENT_CERT_DNS_NAME_SAN is not supported for INTERNAL_SELF_MANAGED # load balancing scheme. CLIENT_CERT_DNS_NAME_SAN = 2 # The principal rule is matched against the common name in the client's # certificate. Authorization against multiple common names in the # client certificate is not supported. Requests with multiple common # names in the client certificate will be rejected if # CLIENT_CERT_COMMON_NAME is set as the principal selector. A match # happens when there is an exact common name value match. # This is only applicable for Application Load Balancers # except for global external Application Load Balancer and # classic Application Load Balancer. # CLIENT_CERT_COMMON_NAME is not supported for INTERNAL_SELF_MANAGED # load balancing scheme. CLIENT_CERT_COMMON_NAME = 3 end end # Describes properties of one or more sources of a request. # @!attribute [rw] sources # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::From::RequestSource>] # Optional. Describes the properties of a request's sources. At least one # of sources or notSources must be specified. Limited to 1 source. # A match occurs when ANY source (in sources or notSources) matches the # request. Within a single source, the match follows AND semantics # across fields and OR semantics within a single field, i.e. a match # occurs when ANY principal matches AND ANY ipBlocks match. # @!attribute [rw] not_sources # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::From::RequestSource>] # Optional. Describes the negated properties of request sources. Matches # requests from sources that do not match the criteria specified in this # field. At least one of sources or notSources must be specified. class From include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Describes the properties of a single source. # @!attribute [rw] principals # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::Principal>] # Optional. A list of identities derived from the client's certificate. # This field will not match on a request unless frontend mutual TLS is # enabled for the forwarding rule or Gateway and the client certificate # has been successfully validated by mTLS. # Each identity is a string whose value is matched against a list of # URI SANs, DNS Name SANs, or the common name in the client's # certificate. A match happens when any principal matches with the # rule. Limited to 50 principals per Authorization Policy for regional # internal Application Load Balancers, regional external Application # Load Balancers, cross-region internal Application Load Balancers, and # Cloud Service Mesh. This field is not supported for global external # Application Load Balancers. # @!attribute [rw] ip_blocks # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::IpBlock>] # Optional. A list of IP addresses or IP address ranges to match # against the source IP address of the request. Limited to 10 ip_blocks # per Authorization Policy # @!attribute [rw] resources # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::RequestResource>] # Optional. A list of resources to match against the resource of the # source VM of a request. Limited to 10 resources per Authorization # Policy. class RequestSource include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end end # Describes properties of one or more targets of a request. # @!attribute [rw] operations # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation>] # Optional. Describes properties of one or more targets of a request. At # least one of operations or notOperations must be specified. Limited to # 1 operation. A match occurs when ANY operation (in operations or # notOperations) matches. Within an operation, the match follows AND # semantics across fields and OR semantics within a field, i.e. a match # occurs when ANY path matches AND ANY header matches and ANY method # matches. # @!attribute [rw] not_operations # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation>] # Optional. Describes the negated properties of the targets of a request. # Matches requests for operations that do not match the criteria # specified in this field. At least one of operations or notOperations # must be specified. class To include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Describes properties of one or more targets of a request. # @!attribute [rw] header_set # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::HeaderSet] # Optional. A list of headers to match against in http header. # @!attribute [rw] hosts # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>] # Optional. A list of HTTP Hosts to match against. The match can be one # of exact, prefix, suffix, or contains (substring match). Matches are # always case sensitive unless the ignoreCase is set. Limited to 10 # hosts per Authorization Policy. # @!attribute [rw] paths # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>] # Optional. A list of paths to match against. The match can be one of # exact, prefix, suffix, or contains (substring match). Matches are # always case sensitive unless the ignoreCase is set. Limited to 10 # paths per Authorization Policy. # Note that this path match includes the query parameters. For gRPC # services, this should be a fully-qualified name of the form # /package.service/method. # @!attribute [rw] methods # @return [::Array<::String>] # Optional. A list of HTTP methods to match against. Each entry must be # a valid HTTP method name (GET, PUT, POST, HEAD, PATCH, DELETE, # OPTIONS). It only allows exact match and is always case sensitive. # Limited to 10 methods per Authorization Policy. # @!attribute [rw] mcp # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::MCP] # Optional. Defines the MCP protocol attributes to match on. If the MCP # payload in the request body cannot be successfully parsed, the # request will be denied. This field can be set only for AuthzPolicies # targeting AgentGateway resources. # @!attribute [rw] snis # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>] # Optional. A list of SNIs to match against. The match can be one of # exact, prefix, suffix, or contains (substring match). If there is no # SNI (i.e. plaintext HTTP traffic), the request will be denied. # Matches are always case sensitive unless the ignoreCase is set. # Limited to 10 SNIs per Authorization Policy. class RequestOperation include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Describes a set of HTTP headers to match against. # @!attribute [rw] headers # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::HeaderMatch>] # Required. A list of headers to match against in http header. # The match can be one of exact, prefix, suffix, or contains # (substring match). The match follows AND semantics which means all # the headers must match. Matches are always case sensitive unless # the ignoreCase is set. Limited to 10 headers per Authorization # Policy. class HeaderSet include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Describes a set of MCP methods to match against. # @!attribute [rw] name # @return [::String] # Required. The MCP method to match against. Allowed values are as # follows: # 1. `tools`, `prompts`, `resources` - these will match against all # sub methods under the respective methods. # 2. `prompts/list`, `tools/list`, `resources/list`, # `resources/templates/list` # 3. `prompts/get`, `tools/call`, `resources/subscribe`, # `resources/unsubscribe`, `resources/read` # Params cannot be specified for categories 1 and 2. # @!attribute [rw] params # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>] # Optional. A list of MCP method parameters to match against. The # match can be one of exact, prefix, suffix, or contains (substring # match). Matches are always case sensitive unless the ignoreCase is # set. Limited to 10 MCP method parameters per Authorization Policy. class MCPMethod include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Describes a set of MCP protocol attributes to match against for a # given MCP request. # @!attribute [rw] base_protocol_methods_option # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::BaseProtocolMethodsOption] # Optional. If specified, matches on the MCP protocol’s non-access # specific methods namely: # * initialize # * completion/ # * logging/ # * notifications/ # * ping # Defaults to SKIP_BASE_PROTOCOL_METHODS if not specified. # @!attribute [rw] methods # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::MCPMethod>] # Optional. A list of MCP methods and associated parameters to match # on. It is recommended to use this field to match on tools, prompts # and resource accesses while setting the baseProtocolMethodsOption # to MATCH_BASE_PROTOCOL_METHODS to match on all the other MCP # protocol methods. # Limited to 10 MCP methods per Authorization Policy. class MCP include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Describes the option to match against the base MCP protocol methods. module BaseProtocolMethodsOption # Unspecified option. Defaults to SKIP_BASE_PROTOCOL_METHODS. BASE_PROTOCOL_METHODS_OPTION_UNSPECIFIED = 0 # Skip matching on the base MCP protocol methods. SKIP_BASE_PROTOCOL_METHODS = 1 # Match on the base MCP protocol methods. MATCH_BASE_PROTOCOL_METHODS = 2 end end end end |
#to ⇒ ::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To
Returns Optional. Describes properties of a target of a request.
138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 |
# File 'proto_docs/google/cloud/networksecurity/v1/authz_policy.rb', line 138 class AuthzRule include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Determines how a string value should be matched. # @!attribute [rw] exact # @return [::String] # The input string must match exactly the string specified here. # # Examples: # # * ``abc`` only matches the value ``abc``. # # Note: The following fields are mutually exclusive: `exact`, `prefix`, `suffix`, `contains`. If a field in that set is populated, all other fields in the set will automatically be cleared. # @!attribute [rw] prefix # @return [::String] # The input string must have the prefix specified here. # Note: empty prefix is not allowed, please use regex instead. # # Examples: # # * ``abc`` matches the value ``abc.xyz`` # # Note: The following fields are mutually exclusive: `prefix`, `exact`, `suffix`, `contains`. If a field in that set is populated, all other fields in the set will automatically be cleared. # @!attribute [rw] suffix # @return [::String] # The input string must have the suffix specified here. # Note: empty prefix is not allowed, please use regex instead. # # Examples: # # * ``abc`` matches the value ``xyz.abc`` # # Note: The following fields are mutually exclusive: `suffix`, `exact`, `prefix`, `contains`. If a field in that set is populated, all other fields in the set will automatically be cleared. # @!attribute [rw] contains # @return [::String] # The input string must have the substring specified here. # Note: empty contains match is not allowed, please use regex instead. # # Examples: # # * ``abc`` matches the value ``xyz.abc.def`` # # Note: The following fields are mutually exclusive: `contains`, `exact`, `prefix`, `suffix`. If a field in that set is populated, all other fields in the set will automatically be cleared. # @!attribute [rw] ignore_case # @return [::Boolean] # If true, indicates the exact/prefix/suffix/contains matching should be # case insensitive. For example, the matcher ``data`` will match both # input string ``Data`` and ``data`` if set to true. class StringMatch include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Represents a range of IP Addresses. # @!attribute [rw] prefix # @return [::String] # Required. The address prefix. # @!attribute [rw] length # @return [::Integer] # Required. The length of the address range. class IpBlock include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Describes the properties of a client VM resource accessing the internal # application load balancers. # @!attribute [rw] tag_value_id_set # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::RequestResource::TagValueIdSet] # Optional. A list of resource tag value permanent IDs to match against # the resource manager tags value associated with the source VM of a # request. # @!attribute [rw] iam_service_account # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch] # Optional. An IAM service account to match against the source # service account of the VM sending the request. class RequestResource include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Describes a set of resource tag value permanent IDs to match against # the resource manager tags value associated with the source VM of a # request. # @!attribute [rw] ids # @return [::Array<::Integer>] # Required. A list of resource tag value permanent IDs to match against # the resource manager tags value associated with the source VM of a # request. The match follows AND semantics which means all # the ids must match. Limited to 5 ids in the Tag value id set. class TagValueIdSet include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end end # Determines how a HTTP header should be matched. # @!attribute [rw] name # @return [::String] # Optional. Specifies the name of the header in the request. # @!attribute [rw] value # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch] # Optional. Specifies how the header match will be performed. class HeaderMatch include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Describes the properties of a principal to be matched against. # @!attribute [rw] principal_selector # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::Principal::PrincipalSelector] # Optional. An enum to decide what principal value the principal rule # will match against. If not specified, the PrincipalSelector is # CLIENT_CERT_URI_SAN. # @!attribute [rw] principal # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch] # Required. A non-empty string whose value is matched against the # principal value based on the principal_selector. Only exact match can # be applied for CLIENT_CERT_URI_SAN, CLIENT_CERT_DNS_NAME_SAN, # CLIENT_CERT_COMMON_NAME selectors. class Principal include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # The principal value the principal rule will match against. module PrincipalSelector # Unspecified principal selector. It will be treated as # CLIENT_CERT_URI_SAN by default. PRINCIPAL_SELECTOR_UNSPECIFIED = 0 # The principal rule is matched against a list of URI SANs in the # validated client's certificate. A match happens when there is any # exact URI SAN value match. This is the default principal selector. CLIENT_CERT_URI_SAN = 1 # The principal rule is matched against a list of DNS Name SANs in the # validated client's certificate. A match happens when there is any # exact DNS Name SAN value match. # This is only applicable for Application Load Balancers # except for classic Global External Application load balancer. # CLIENT_CERT_DNS_NAME_SAN is not supported for INTERNAL_SELF_MANAGED # load balancing scheme. CLIENT_CERT_DNS_NAME_SAN = 2 # The principal rule is matched against the common name in the client's # certificate. Authorization against multiple common names in the # client certificate is not supported. Requests with multiple common # names in the client certificate will be rejected if # CLIENT_CERT_COMMON_NAME is set as the principal selector. A match # happens when there is an exact common name value match. # This is only applicable for Application Load Balancers # except for global external Application Load Balancer and # classic Application Load Balancer. # CLIENT_CERT_COMMON_NAME is not supported for INTERNAL_SELF_MANAGED # load balancing scheme. CLIENT_CERT_COMMON_NAME = 3 end end # Describes properties of one or more sources of a request. # @!attribute [rw] sources # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::From::RequestSource>] # Optional. Describes the properties of a request's sources. At least one # of sources or notSources must be specified. Limited to 1 source. # A match occurs when ANY source (in sources or notSources) matches the # request. Within a single source, the match follows AND semantics # across fields and OR semantics within a single field, i.e. a match # occurs when ANY principal matches AND ANY ipBlocks match. # @!attribute [rw] not_sources # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::From::RequestSource>] # Optional. Describes the negated properties of request sources. Matches # requests from sources that do not match the criteria specified in this # field. At least one of sources or notSources must be specified. class From include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Describes the properties of a single source. # @!attribute [rw] principals # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::Principal>] # Optional. A list of identities derived from the client's certificate. # This field will not match on a request unless frontend mutual TLS is # enabled for the forwarding rule or Gateway and the client certificate # has been successfully validated by mTLS. # Each identity is a string whose value is matched against a list of # URI SANs, DNS Name SANs, or the common name in the client's # certificate. A match happens when any principal matches with the # rule. Limited to 50 principals per Authorization Policy for regional # internal Application Load Balancers, regional external Application # Load Balancers, cross-region internal Application Load Balancers, and # Cloud Service Mesh. This field is not supported for global external # Application Load Balancers. # @!attribute [rw] ip_blocks # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::IpBlock>] # Optional. A list of IP addresses or IP address ranges to match # against the source IP address of the request. Limited to 10 ip_blocks # per Authorization Policy # @!attribute [rw] resources # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::RequestResource>] # Optional. A list of resources to match against the resource of the # source VM of a request. Limited to 10 resources per Authorization # Policy. class RequestSource include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end end # Describes properties of one or more targets of a request. # @!attribute [rw] operations # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation>] # Optional. Describes properties of one or more targets of a request. At # least one of operations or notOperations must be specified. Limited to # 1 operation. A match occurs when ANY operation (in operations or # notOperations) matches. Within an operation, the match follows AND # semantics across fields and OR semantics within a field, i.e. a match # occurs when ANY path matches AND ANY header matches and ANY method # matches. # @!attribute [rw] not_operations # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation>] # Optional. Describes the negated properties of the targets of a request. # Matches requests for operations that do not match the criteria # specified in this field. At least one of operations or notOperations # must be specified. class To include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Describes properties of one or more targets of a request. # @!attribute [rw] header_set # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::HeaderSet] # Optional. A list of headers to match against in http header. # @!attribute [rw] hosts # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>] # Optional. A list of HTTP Hosts to match against. The match can be one # of exact, prefix, suffix, or contains (substring match). Matches are # always case sensitive unless the ignoreCase is set. Limited to 10 # hosts per Authorization Policy. # @!attribute [rw] paths # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>] # Optional. A list of paths to match against. The match can be one of # exact, prefix, suffix, or contains (substring match). Matches are # always case sensitive unless the ignoreCase is set. Limited to 10 # paths per Authorization Policy. # Note that this path match includes the query parameters. For gRPC # services, this should be a fully-qualified name of the form # /package.service/method. # @!attribute [rw] methods # @return [::Array<::String>] # Optional. A list of HTTP methods to match against. Each entry must be # a valid HTTP method name (GET, PUT, POST, HEAD, PATCH, DELETE, # OPTIONS). It only allows exact match and is always case sensitive. # Limited to 10 methods per Authorization Policy. # @!attribute [rw] mcp # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::MCP] # Optional. Defines the MCP protocol attributes to match on. If the MCP # payload in the request body cannot be successfully parsed, the # request will be denied. This field can be set only for AuthzPolicies # targeting AgentGateway resources. # @!attribute [rw] snis # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>] # Optional. A list of SNIs to match against. The match can be one of # exact, prefix, suffix, or contains (substring match). If there is no # SNI (i.e. plaintext HTTP traffic), the request will be denied. # Matches are always case sensitive unless the ignoreCase is set. # Limited to 10 SNIs per Authorization Policy. class RequestOperation include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Describes a set of HTTP headers to match against. # @!attribute [rw] headers # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::HeaderMatch>] # Required. A list of headers to match against in http header. # The match can be one of exact, prefix, suffix, or contains # (substring match). The match follows AND semantics which means all # the headers must match. Matches are always case sensitive unless # the ignoreCase is set. Limited to 10 headers per Authorization # Policy. class HeaderSet include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Describes a set of MCP methods to match against. # @!attribute [rw] name # @return [::String] # Required. The MCP method to match against. Allowed values are as # follows: # 1. `tools`, `prompts`, `resources` - these will match against all # sub methods under the respective methods. # 2. `prompts/list`, `tools/list`, `resources/list`, # `resources/templates/list` # 3. `prompts/get`, `tools/call`, `resources/subscribe`, # `resources/unsubscribe`, `resources/read` # Params cannot be specified for categories 1 and 2. # @!attribute [rw] params # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>] # Optional. A list of MCP method parameters to match against. The # match can be one of exact, prefix, suffix, or contains (substring # match). Matches are always case sensitive unless the ignoreCase is # set. Limited to 10 MCP method parameters per Authorization Policy. class MCPMethod include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Describes a set of MCP protocol attributes to match against for a # given MCP request. # @!attribute [rw] base_protocol_methods_option # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::BaseProtocolMethodsOption] # Optional. If specified, matches on the MCP protocol’s non-access # specific methods namely: # * initialize # * completion/ # * logging/ # * notifications/ # * ping # Defaults to SKIP_BASE_PROTOCOL_METHODS if not specified. # @!attribute [rw] methods # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::MCPMethod>] # Optional. A list of MCP methods and associated parameters to match # on. It is recommended to use this field to match on tools, prompts # and resource accesses while setting the baseProtocolMethodsOption # to MATCH_BASE_PROTOCOL_METHODS to match on all the other MCP # protocol methods. # Limited to 10 MCP methods per Authorization Policy. class MCP include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Describes the option to match against the base MCP protocol methods. module BaseProtocolMethodsOption # Unspecified option. Defaults to SKIP_BASE_PROTOCOL_METHODS. BASE_PROTOCOL_METHODS_OPTION_UNSPECIFIED = 0 # Skip matching on the base MCP protocol methods. SKIP_BASE_PROTOCOL_METHODS = 1 # Match on the base MCP protocol methods. MATCH_BASE_PROTOCOL_METHODS = 2 end end end end |
#when ⇒ ::String
Returns Optional. CEL expression that describes the conditions to be satisfied for the action. The result of the CEL expression is ANDed with the from and to. Refer to the CEL language reference for a list of available attributes.
138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 |
# File 'proto_docs/google/cloud/networksecurity/v1/authz_policy.rb', line 138 class AuthzRule include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Determines how a string value should be matched. # @!attribute [rw] exact # @return [::String] # The input string must match exactly the string specified here. # # Examples: # # * ``abc`` only matches the value ``abc``. # # Note: The following fields are mutually exclusive: `exact`, `prefix`, `suffix`, `contains`. If a field in that set is populated, all other fields in the set will automatically be cleared. # @!attribute [rw] prefix # @return [::String] # The input string must have the prefix specified here. # Note: empty prefix is not allowed, please use regex instead. # # Examples: # # * ``abc`` matches the value ``abc.xyz`` # # Note: The following fields are mutually exclusive: `prefix`, `exact`, `suffix`, `contains`. If a field in that set is populated, all other fields in the set will automatically be cleared. # @!attribute [rw] suffix # @return [::String] # The input string must have the suffix specified here. # Note: empty prefix is not allowed, please use regex instead. # # Examples: # # * ``abc`` matches the value ``xyz.abc`` # # Note: The following fields are mutually exclusive: `suffix`, `exact`, `prefix`, `contains`. If a field in that set is populated, all other fields in the set will automatically be cleared. # @!attribute [rw] contains # @return [::String] # The input string must have the substring specified here. # Note: empty contains match is not allowed, please use regex instead. # # Examples: # # * ``abc`` matches the value ``xyz.abc.def`` # # Note: The following fields are mutually exclusive: `contains`, `exact`, `prefix`, `suffix`. If a field in that set is populated, all other fields in the set will automatically be cleared. # @!attribute [rw] ignore_case # @return [::Boolean] # If true, indicates the exact/prefix/suffix/contains matching should be # case insensitive. For example, the matcher ``data`` will match both # input string ``Data`` and ``data`` if set to true. class StringMatch include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Represents a range of IP Addresses. # @!attribute [rw] prefix # @return [::String] # Required. The address prefix. # @!attribute [rw] length # @return [::Integer] # Required. The length of the address range. class IpBlock include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Describes the properties of a client VM resource accessing the internal # application load balancers. # @!attribute [rw] tag_value_id_set # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::RequestResource::TagValueIdSet] # Optional. A list of resource tag value permanent IDs to match against # the resource manager tags value associated with the source VM of a # request. # @!attribute [rw] iam_service_account # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch] # Optional. An IAM service account to match against the source # service account of the VM sending the request. class RequestResource include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Describes a set of resource tag value permanent IDs to match against # the resource manager tags value associated with the source VM of a # request. # @!attribute [rw] ids # @return [::Array<::Integer>] # Required. A list of resource tag value permanent IDs to match against # the resource manager tags value associated with the source VM of a # request. The match follows AND semantics which means all # the ids must match. Limited to 5 ids in the Tag value id set. class TagValueIdSet include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end end # Determines how a HTTP header should be matched. # @!attribute [rw] name # @return [::String] # Optional. Specifies the name of the header in the request. # @!attribute [rw] value # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch] # Optional. Specifies how the header match will be performed. class HeaderMatch include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Describes the properties of a principal to be matched against. # @!attribute [rw] principal_selector # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::Principal::PrincipalSelector] # Optional. An enum to decide what principal value the principal rule # will match against. If not specified, the PrincipalSelector is # CLIENT_CERT_URI_SAN. # @!attribute [rw] principal # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch] # Required. A non-empty string whose value is matched against the # principal value based on the principal_selector. Only exact match can # be applied for CLIENT_CERT_URI_SAN, CLIENT_CERT_DNS_NAME_SAN, # CLIENT_CERT_COMMON_NAME selectors. class Principal include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # The principal value the principal rule will match against. module PrincipalSelector # Unspecified principal selector. It will be treated as # CLIENT_CERT_URI_SAN by default. PRINCIPAL_SELECTOR_UNSPECIFIED = 0 # The principal rule is matched against a list of URI SANs in the # validated client's certificate. A match happens when there is any # exact URI SAN value match. This is the default principal selector. CLIENT_CERT_URI_SAN = 1 # The principal rule is matched against a list of DNS Name SANs in the # validated client's certificate. A match happens when there is any # exact DNS Name SAN value match. # This is only applicable for Application Load Balancers # except for classic Global External Application load balancer. # CLIENT_CERT_DNS_NAME_SAN is not supported for INTERNAL_SELF_MANAGED # load balancing scheme. CLIENT_CERT_DNS_NAME_SAN = 2 # The principal rule is matched against the common name in the client's # certificate. Authorization against multiple common names in the # client certificate is not supported. Requests with multiple common # names in the client certificate will be rejected if # CLIENT_CERT_COMMON_NAME is set as the principal selector. A match # happens when there is an exact common name value match. # This is only applicable for Application Load Balancers # except for global external Application Load Balancer and # classic Application Load Balancer. # CLIENT_CERT_COMMON_NAME is not supported for INTERNAL_SELF_MANAGED # load balancing scheme. CLIENT_CERT_COMMON_NAME = 3 end end # Describes properties of one or more sources of a request. # @!attribute [rw] sources # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::From::RequestSource>] # Optional. Describes the properties of a request's sources. At least one # of sources or notSources must be specified. Limited to 1 source. # A match occurs when ANY source (in sources or notSources) matches the # request. Within a single source, the match follows AND semantics # across fields and OR semantics within a single field, i.e. a match # occurs when ANY principal matches AND ANY ipBlocks match. # @!attribute [rw] not_sources # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::From::RequestSource>] # Optional. Describes the negated properties of request sources. Matches # requests from sources that do not match the criteria specified in this # field. At least one of sources or notSources must be specified. class From include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Describes the properties of a single source. # @!attribute [rw] principals # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::Principal>] # Optional. A list of identities derived from the client's certificate. # This field will not match on a request unless frontend mutual TLS is # enabled for the forwarding rule or Gateway and the client certificate # has been successfully validated by mTLS. # Each identity is a string whose value is matched against a list of # URI SANs, DNS Name SANs, or the common name in the client's # certificate. A match happens when any principal matches with the # rule. Limited to 50 principals per Authorization Policy for regional # internal Application Load Balancers, regional external Application # Load Balancers, cross-region internal Application Load Balancers, and # Cloud Service Mesh. This field is not supported for global external # Application Load Balancers. # @!attribute [rw] ip_blocks # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::IpBlock>] # Optional. A list of IP addresses or IP address ranges to match # against the source IP address of the request. Limited to 10 ip_blocks # per Authorization Policy # @!attribute [rw] resources # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::RequestResource>] # Optional. A list of resources to match against the resource of the # source VM of a request. Limited to 10 resources per Authorization # Policy. class RequestSource include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end end # Describes properties of one or more targets of a request. # @!attribute [rw] operations # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation>] # Optional. Describes properties of one or more targets of a request. At # least one of operations or notOperations must be specified. Limited to # 1 operation. A match occurs when ANY operation (in operations or # notOperations) matches. Within an operation, the match follows AND # semantics across fields and OR semantics within a field, i.e. a match # occurs when ANY path matches AND ANY header matches and ANY method # matches. # @!attribute [rw] not_operations # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation>] # Optional. Describes the negated properties of the targets of a request. # Matches requests for operations that do not match the criteria # specified in this field. At least one of operations or notOperations # must be specified. class To include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Describes properties of one or more targets of a request. # @!attribute [rw] header_set # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::HeaderSet] # Optional. A list of headers to match against in http header. # @!attribute [rw] hosts # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>] # Optional. A list of HTTP Hosts to match against. The match can be one # of exact, prefix, suffix, or contains (substring match). Matches are # always case sensitive unless the ignoreCase is set. Limited to 10 # hosts per Authorization Policy. # @!attribute [rw] paths # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>] # Optional. A list of paths to match against. The match can be one of # exact, prefix, suffix, or contains (substring match). Matches are # always case sensitive unless the ignoreCase is set. Limited to 10 # paths per Authorization Policy. # Note that this path match includes the query parameters. For gRPC # services, this should be a fully-qualified name of the form # /package.service/method. # @!attribute [rw] methods # @return [::Array<::String>] # Optional. A list of HTTP methods to match against. Each entry must be # a valid HTTP method name (GET, PUT, POST, HEAD, PATCH, DELETE, # OPTIONS). It only allows exact match and is always case sensitive. # Limited to 10 methods per Authorization Policy. # @!attribute [rw] mcp # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::MCP] # Optional. Defines the MCP protocol attributes to match on. If the MCP # payload in the request body cannot be successfully parsed, the # request will be denied. This field can be set only for AuthzPolicies # targeting AgentGateway resources. # @!attribute [rw] snis # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>] # Optional. A list of SNIs to match against. The match can be one of # exact, prefix, suffix, or contains (substring match). If there is no # SNI (i.e. plaintext HTTP traffic), the request will be denied. # Matches are always case sensitive unless the ignoreCase is set. # Limited to 10 SNIs per Authorization Policy. class RequestOperation include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods # Describes a set of HTTP headers to match against. # @!attribute [rw] headers # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::HeaderMatch>] # Required. A list of headers to match against in http header. # The match can be one of exact, prefix, suffix, or contains # (substring match). The match follows AND semantics which means all # the headers must match. Matches are always case sensitive unless # the ignoreCase is set. Limited to 10 headers per Authorization # Policy. class HeaderSet include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Describes a set of MCP methods to match against. # @!attribute [rw] name # @return [::String] # Required. The MCP method to match against. Allowed values are as # follows: # 1. `tools`, `prompts`, `resources` - these will match against all # sub methods under the respective methods. # 2. `prompts/list`, `tools/list`, `resources/list`, # `resources/templates/list` # 3. `prompts/get`, `tools/call`, `resources/subscribe`, # `resources/unsubscribe`, `resources/read` # Params cannot be specified for categories 1 and 2. # @!attribute [rw] params # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>] # Optional. A list of MCP method parameters to match against. The # match can be one of exact, prefix, suffix, or contains (substring # match). Matches are always case sensitive unless the ignoreCase is # set. Limited to 10 MCP method parameters per Authorization Policy. class MCPMethod include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Describes a set of MCP protocol attributes to match against for a # given MCP request. # @!attribute [rw] base_protocol_methods_option # @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::BaseProtocolMethodsOption] # Optional. If specified, matches on the MCP protocol’s non-access # specific methods namely: # * initialize # * completion/ # * logging/ # * notifications/ # * ping # Defaults to SKIP_BASE_PROTOCOL_METHODS if not specified. # @!attribute [rw] methods # @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::MCPMethod>] # Optional. A list of MCP methods and associated parameters to match # on. It is recommended to use this field to match on tools, prompts # and resource accesses while setting the baseProtocolMethodsOption # to MATCH_BASE_PROTOCOL_METHODS to match on all the other MCP # protocol methods. # Limited to 10 MCP methods per Authorization Policy. class MCP include ::Google::Protobuf::MessageExts extend ::Google::Protobuf::MessageExts::ClassMethods end # Describes the option to match against the base MCP protocol methods. module BaseProtocolMethodsOption # Unspecified option. Defaults to SKIP_BASE_PROTOCOL_METHODS. BASE_PROTOCOL_METHODS_OPTION_UNSPECIFIED = 0 # Skip matching on the base MCP protocol methods. SKIP_BASE_PROTOCOL_METHODS = 1 # Match on the base MCP protocol methods. MATCH_BASE_PROTOCOL_METHODS = 2 end end end end |