Class: Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule

Inherits:
Object
  • Object
show all
Extended by:
Protobuf::MessageExts::ClassMethods
Includes:
Protobuf::MessageExts
Defined in:
proto_docs/google/cloud/networksecurity/v1/authz_policy.rb

Overview

Conditions to match against the incoming request.

Defined Under Namespace

Classes: From, HeaderMatch, IpBlock, Principal, RequestResource, StringMatch, To

Instance Attribute Summary collapse

Instance Attribute Details

#from::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::From

Returns Optional. Describes properties of a source of a request.

Returns:



138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
# File 'proto_docs/google/cloud/networksecurity/v1/authz_policy.rb', line 138

class AuthzRule
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Determines how a string value should be matched.
  # @!attribute [rw] exact
  #   @return [::String]
  #     The input string must match exactly the string specified here.
  #
  #     Examples:
  #
  #     * ``abc`` only matches the value ``abc``.
  #
  #     Note: The following fields are mutually exclusive: `exact`, `prefix`, `suffix`, `contains`. If a field in that set is populated, all other fields in the set will automatically be cleared.
  # @!attribute [rw] prefix
  #   @return [::String]
  #     The input string must have the prefix specified here.
  #     Note: empty prefix is not allowed, please use regex instead.
  #
  #     Examples:
  #
  #     * ``abc`` matches the value ``abc.xyz``
  #
  #     Note: The following fields are mutually exclusive: `prefix`, `exact`, `suffix`, `contains`. If a field in that set is populated, all other fields in the set will automatically be cleared.
  # @!attribute [rw] suffix
  #   @return [::String]
  #     The input string must have the suffix specified here.
  #     Note: empty prefix is not allowed, please use regex instead.
  #
  #     Examples:
  #
  #     * ``abc`` matches the value ``xyz.abc``
  #
  #     Note: The following fields are mutually exclusive: `suffix`, `exact`, `prefix`, `contains`. If a field in that set is populated, all other fields in the set will automatically be cleared.
  # @!attribute [rw] contains
  #   @return [::String]
  #     The input string must have the substring specified here.
  #     Note: empty contains match is not allowed, please use regex instead.
  #
  #     Examples:
  #
  #     * ``abc`` matches the value ``xyz.abc.def``
  #
  #     Note: The following fields are mutually exclusive: `contains`, `exact`, `prefix`, `suffix`. If a field in that set is populated, all other fields in the set will automatically be cleared.
  # @!attribute [rw] ignore_case
  #   @return [::Boolean]
  #     If true, indicates the exact/prefix/suffix/contains matching should be
  #     case insensitive. For example, the matcher ``data`` will match both
  #     input string ``Data`` and ``data`` if set to true.
  class StringMatch
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # Represents a range of IP Addresses.
  # @!attribute [rw] prefix
  #   @return [::String]
  #     Required. The address prefix.
  # @!attribute [rw] length
  #   @return [::Integer]
  #     Required. The length of the address range.
  class IpBlock
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # Describes the properties of a client VM resource accessing the internal
  # application load balancers.
  # @!attribute [rw] tag_value_id_set
  #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::RequestResource::TagValueIdSet]
  #     Optional. A list of resource tag value permanent IDs to match against
  #     the resource manager tags value associated with the source VM of a
  #     request.
  # @!attribute [rw] iam_service_account
  #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch]
  #     Optional. An IAM service account to match against the source
  #     service account of the VM sending the request.
  class RequestResource
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # Describes a set of resource tag value permanent IDs to match against
    # the resource manager tags value associated with the source VM of a
    # request.
    # @!attribute [rw] ids
    #   @return [::Array<::Integer>]
    #     Required. A list of resource tag value permanent IDs to match against
    #     the resource manager tags value associated with the source VM of a
    #     request. The match follows AND semantics which means all
    #     the ids must match. Limited to 5 ids in the Tag value id set.
    class TagValueIdSet
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end
  end

  # Determines how a HTTP header should be matched.
  # @!attribute [rw] name
  #   @return [::String]
  #     Optional. Specifies the name of the header in the request.
  # @!attribute [rw] value
  #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch]
  #     Optional. Specifies how the header match will be performed.
  class HeaderMatch
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # Describes the properties of a principal to be matched against.
  # @!attribute [rw] principal_selector
  #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::Principal::PrincipalSelector]
  #     Optional. An enum to decide what principal value the principal rule
  #     will match against. If not specified, the PrincipalSelector is
  #     CLIENT_CERT_URI_SAN.
  # @!attribute [rw] principal
  #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch]
  #     Required. A non-empty string whose value is matched against the
  #     principal value based on the principal_selector. Only exact match can
  #     be applied for CLIENT_CERT_URI_SAN, CLIENT_CERT_DNS_NAME_SAN,
  #     CLIENT_CERT_COMMON_NAME selectors.
  class Principal
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # The principal value the principal rule will match against.
    module PrincipalSelector
      # Unspecified principal selector. It will be treated as
      # CLIENT_CERT_URI_SAN by default.
      PRINCIPAL_SELECTOR_UNSPECIFIED = 0

      # The principal rule is matched against a list of URI SANs in the
      # validated client's certificate. A match happens when there is any
      # exact URI SAN value match. This is the default principal selector.
      CLIENT_CERT_URI_SAN = 1

      # The principal rule is matched against a list of DNS Name SANs in the
      # validated client's certificate. A match happens when there is any
      # exact DNS Name SAN value match.
      # This is only applicable for Application Load Balancers
      # except for classic Global External Application load balancer.
      # CLIENT_CERT_DNS_NAME_SAN is not supported for INTERNAL_SELF_MANAGED
      # load balancing scheme.
      CLIENT_CERT_DNS_NAME_SAN = 2

      # The principal rule is matched against the common name in the client's
      # certificate. Authorization against multiple common names in the
      # client certificate is not supported. Requests with multiple common
      # names in the client certificate will be rejected if
      # CLIENT_CERT_COMMON_NAME is set as the principal selector. A match
      # happens when there is an exact common name value match.
      # This is only applicable for Application Load Balancers
      # except for global external Application Load Balancer and
      # classic Application Load Balancer.
      # CLIENT_CERT_COMMON_NAME is not supported for INTERNAL_SELF_MANAGED
      # load balancing scheme.
      CLIENT_CERT_COMMON_NAME = 3
    end
  end

  # Describes properties of one or more sources of a request.
  # @!attribute [rw] sources
  #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::From::RequestSource>]
  #     Optional. Describes the properties of a request's sources. At least one
  #     of sources or notSources must be specified. Limited to 1 source.
  #     A match occurs when ANY source (in sources or notSources) matches the
  #     request. Within a single source, the match follows AND semantics
  #     across fields and OR semantics within a single field, i.e. a match
  #     occurs when ANY principal matches AND ANY ipBlocks match.
  # @!attribute [rw] not_sources
  #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::From::RequestSource>]
  #     Optional. Describes the negated properties of request sources. Matches
  #     requests from sources that do not match the criteria specified in this
  #     field. At least one of sources or notSources must be specified.
  class From
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # Describes the properties of a single source.
    # @!attribute [rw] principals
    #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::Principal>]
    #     Optional. A list of identities derived from the client's certificate.
    #     This field will not match on a request unless frontend mutual TLS is
    #     enabled for the forwarding rule or Gateway and the client certificate
    #     has been successfully validated by mTLS.
    #     Each identity is a string whose value is matched against a list of
    #     URI SANs, DNS Name SANs, or the common name in the client's
    #     certificate. A match happens when any principal matches with the
    #     rule. Limited to 50 principals per Authorization Policy for regional
    #     internal Application Load Balancers, regional external Application
    #     Load Balancers, cross-region internal Application Load Balancers, and
    #     Cloud Service Mesh. This field is not supported for global external
    #     Application Load Balancers.
    # @!attribute [rw] ip_blocks
    #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::IpBlock>]
    #     Optional. A list of IP addresses or IP address ranges to match
    #     against the source IP address of the request. Limited to 10 ip_blocks
    #     per Authorization Policy
    # @!attribute [rw] resources
    #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::RequestResource>]
    #     Optional. A list of resources to match against the resource of the
    #     source VM of a request. Limited to 10 resources per Authorization
    #     Policy.
    class RequestSource
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end
  end

  # Describes properties of one or more targets of a request.
  # @!attribute [rw] operations
  #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation>]
  #     Optional. Describes properties of one or more targets of a request. At
  #     least one of operations or notOperations must be specified. Limited to
  #     1 operation. A match occurs when ANY operation (in operations or
  #     notOperations) matches. Within an operation, the match follows AND
  #     semantics across fields and OR semantics within a field, i.e. a match
  #     occurs when ANY path matches AND ANY header matches and ANY method
  #     matches.
  # @!attribute [rw] not_operations
  #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation>]
  #     Optional. Describes the negated properties of the targets of a request.
  #     Matches requests for operations that do not match the criteria
  #     specified in this field. At least one of operations or notOperations
  #     must be specified.
  class To
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # Describes properties of one or more targets of a request.
    # @!attribute [rw] header_set
    #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::HeaderSet]
    #     Optional. A list of headers to match against in http header.
    # @!attribute [rw] hosts
    #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>]
    #     Optional. A list of HTTP Hosts to match against. The match can be one
    #     of exact, prefix, suffix, or contains (substring match). Matches are
    #     always case sensitive unless the ignoreCase is set. Limited to 10
    #     hosts per Authorization Policy.
    # @!attribute [rw] paths
    #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>]
    #     Optional. A list of paths to match against. The match can be one of
    #     exact, prefix, suffix, or contains (substring match). Matches are
    #     always case sensitive unless the ignoreCase is set. Limited to 10
    #     paths per Authorization Policy.
    #     Note that this path match includes the query parameters. For gRPC
    #     services, this should be a fully-qualified name of the form
    #     /package.service/method.
    # @!attribute [rw] methods
    #   @return [::Array<::String>]
    #     Optional. A list of HTTP methods to match against. Each entry must be
    #     a valid HTTP method name (GET, PUT, POST, HEAD, PATCH, DELETE,
    #     OPTIONS). It only allows exact match and is always case sensitive.
    #     Limited to 10 methods per Authorization Policy.
    # @!attribute [rw] mcp
    #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::MCP]
    #     Optional. Defines the MCP protocol attributes to match on. If the MCP
    #     payload in the request body cannot be successfully parsed, the
    #     request will be denied. This field can be set only for AuthzPolicies
    #     targeting AgentGateway resources.
    # @!attribute [rw] snis
    #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>]
    #     Optional. A list of SNIs to match against. The match can be one of
    #     exact, prefix, suffix, or contains (substring match). If there is no
    #     SNI (i.e. plaintext HTTP traffic), the request will be denied.
    #     Matches are always case sensitive unless the ignoreCase is set.
    #     Limited to 10 SNIs per Authorization Policy.
    class RequestOperation
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # Describes a set of HTTP headers to match against.
      # @!attribute [rw] headers
      #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::HeaderMatch>]
      #     Required. A list of headers to match against in http header.
      #     The match can be one of exact, prefix, suffix, or contains
      #     (substring match). The match follows AND semantics which means all
      #     the headers must match. Matches are always case sensitive unless
      #     the ignoreCase is set. Limited to 10 headers per Authorization
      #     Policy.
      class HeaderSet
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # Describes a set of MCP methods to match against.
      # @!attribute [rw] name
      #   @return [::String]
      #     Required. The MCP method to match against. Allowed values are as
      #     follows:
      #     1. `tools`, `prompts`, `resources` - these will match against all
      #        sub methods under the respective methods.
      #     2. `prompts/list`, `tools/list`, `resources/list`,
      #        `resources/templates/list`
      #     3. `prompts/get`, `tools/call`, `resources/subscribe`,
      #        `resources/unsubscribe`, `resources/read`
      #     Params cannot be specified for categories 1 and 2.
      # @!attribute [rw] params
      #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>]
      #     Optional. A list of MCP method parameters to match against. The
      #     match can be one of exact, prefix, suffix, or contains (substring
      #     match). Matches are always case sensitive unless the ignoreCase is
      #     set. Limited to 10 MCP method parameters per Authorization Policy.
      class MCPMethod
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # Describes a set of MCP protocol attributes to match against for a
      # given MCP request.
      # @!attribute [rw] base_protocol_methods_option
      #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::BaseProtocolMethodsOption]
      #     Optional. If specified, matches on the MCP protocol’s non-access
      #     specific methods namely:
      #     * initialize
      #     * completion/
      #     * logging/
      #     * notifications/
      #     * ping
      #     Defaults to SKIP_BASE_PROTOCOL_METHODS if not specified.
      # @!attribute [rw] methods
      #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::MCPMethod>]
      #     Optional. A list of MCP methods and associated parameters to match
      #     on. It is recommended to use this field to match on tools, prompts
      #     and resource accesses while setting the baseProtocolMethodsOption
      #     to MATCH_BASE_PROTOCOL_METHODS to match on all the other MCP
      #     protocol methods.
      #     Limited to 10 MCP methods per Authorization Policy.
      class MCP
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # Describes the option to match against the base MCP protocol methods.
      module BaseProtocolMethodsOption
        # Unspecified option. Defaults to SKIP_BASE_PROTOCOL_METHODS.
        BASE_PROTOCOL_METHODS_OPTION_UNSPECIFIED = 0

        # Skip matching on the base MCP protocol methods.
        SKIP_BASE_PROTOCOL_METHODS = 1

        # Match on the base MCP protocol methods.
        MATCH_BASE_PROTOCOL_METHODS = 2
      end
    end
  end
end

#to::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To

Returns Optional. Describes properties of a target of a request.

Returns:



138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
# File 'proto_docs/google/cloud/networksecurity/v1/authz_policy.rb', line 138

class AuthzRule
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Determines how a string value should be matched.
  # @!attribute [rw] exact
  #   @return [::String]
  #     The input string must match exactly the string specified here.
  #
  #     Examples:
  #
  #     * ``abc`` only matches the value ``abc``.
  #
  #     Note: The following fields are mutually exclusive: `exact`, `prefix`, `suffix`, `contains`. If a field in that set is populated, all other fields in the set will automatically be cleared.
  # @!attribute [rw] prefix
  #   @return [::String]
  #     The input string must have the prefix specified here.
  #     Note: empty prefix is not allowed, please use regex instead.
  #
  #     Examples:
  #
  #     * ``abc`` matches the value ``abc.xyz``
  #
  #     Note: The following fields are mutually exclusive: `prefix`, `exact`, `suffix`, `contains`. If a field in that set is populated, all other fields in the set will automatically be cleared.
  # @!attribute [rw] suffix
  #   @return [::String]
  #     The input string must have the suffix specified here.
  #     Note: empty prefix is not allowed, please use regex instead.
  #
  #     Examples:
  #
  #     * ``abc`` matches the value ``xyz.abc``
  #
  #     Note: The following fields are mutually exclusive: `suffix`, `exact`, `prefix`, `contains`. If a field in that set is populated, all other fields in the set will automatically be cleared.
  # @!attribute [rw] contains
  #   @return [::String]
  #     The input string must have the substring specified here.
  #     Note: empty contains match is not allowed, please use regex instead.
  #
  #     Examples:
  #
  #     * ``abc`` matches the value ``xyz.abc.def``
  #
  #     Note: The following fields are mutually exclusive: `contains`, `exact`, `prefix`, `suffix`. If a field in that set is populated, all other fields in the set will automatically be cleared.
  # @!attribute [rw] ignore_case
  #   @return [::Boolean]
  #     If true, indicates the exact/prefix/suffix/contains matching should be
  #     case insensitive. For example, the matcher ``data`` will match both
  #     input string ``Data`` and ``data`` if set to true.
  class StringMatch
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # Represents a range of IP Addresses.
  # @!attribute [rw] prefix
  #   @return [::String]
  #     Required. The address prefix.
  # @!attribute [rw] length
  #   @return [::Integer]
  #     Required. The length of the address range.
  class IpBlock
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # Describes the properties of a client VM resource accessing the internal
  # application load balancers.
  # @!attribute [rw] tag_value_id_set
  #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::RequestResource::TagValueIdSet]
  #     Optional. A list of resource tag value permanent IDs to match against
  #     the resource manager tags value associated with the source VM of a
  #     request.
  # @!attribute [rw] iam_service_account
  #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch]
  #     Optional. An IAM service account to match against the source
  #     service account of the VM sending the request.
  class RequestResource
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # Describes a set of resource tag value permanent IDs to match against
    # the resource manager tags value associated with the source VM of a
    # request.
    # @!attribute [rw] ids
    #   @return [::Array<::Integer>]
    #     Required. A list of resource tag value permanent IDs to match against
    #     the resource manager tags value associated with the source VM of a
    #     request. The match follows AND semantics which means all
    #     the ids must match. Limited to 5 ids in the Tag value id set.
    class TagValueIdSet
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end
  end

  # Determines how a HTTP header should be matched.
  # @!attribute [rw] name
  #   @return [::String]
  #     Optional. Specifies the name of the header in the request.
  # @!attribute [rw] value
  #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch]
  #     Optional. Specifies how the header match will be performed.
  class HeaderMatch
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # Describes the properties of a principal to be matched against.
  # @!attribute [rw] principal_selector
  #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::Principal::PrincipalSelector]
  #     Optional. An enum to decide what principal value the principal rule
  #     will match against. If not specified, the PrincipalSelector is
  #     CLIENT_CERT_URI_SAN.
  # @!attribute [rw] principal
  #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch]
  #     Required. A non-empty string whose value is matched against the
  #     principal value based on the principal_selector. Only exact match can
  #     be applied for CLIENT_CERT_URI_SAN, CLIENT_CERT_DNS_NAME_SAN,
  #     CLIENT_CERT_COMMON_NAME selectors.
  class Principal
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # The principal value the principal rule will match against.
    module PrincipalSelector
      # Unspecified principal selector. It will be treated as
      # CLIENT_CERT_URI_SAN by default.
      PRINCIPAL_SELECTOR_UNSPECIFIED = 0

      # The principal rule is matched against a list of URI SANs in the
      # validated client's certificate. A match happens when there is any
      # exact URI SAN value match. This is the default principal selector.
      CLIENT_CERT_URI_SAN = 1

      # The principal rule is matched against a list of DNS Name SANs in the
      # validated client's certificate. A match happens when there is any
      # exact DNS Name SAN value match.
      # This is only applicable for Application Load Balancers
      # except for classic Global External Application load balancer.
      # CLIENT_CERT_DNS_NAME_SAN is not supported for INTERNAL_SELF_MANAGED
      # load balancing scheme.
      CLIENT_CERT_DNS_NAME_SAN = 2

      # The principal rule is matched against the common name in the client's
      # certificate. Authorization against multiple common names in the
      # client certificate is not supported. Requests with multiple common
      # names in the client certificate will be rejected if
      # CLIENT_CERT_COMMON_NAME is set as the principal selector. A match
      # happens when there is an exact common name value match.
      # This is only applicable for Application Load Balancers
      # except for global external Application Load Balancer and
      # classic Application Load Balancer.
      # CLIENT_CERT_COMMON_NAME is not supported for INTERNAL_SELF_MANAGED
      # load balancing scheme.
      CLIENT_CERT_COMMON_NAME = 3
    end
  end

  # Describes properties of one or more sources of a request.
  # @!attribute [rw] sources
  #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::From::RequestSource>]
  #     Optional. Describes the properties of a request's sources. At least one
  #     of sources or notSources must be specified. Limited to 1 source.
  #     A match occurs when ANY source (in sources or notSources) matches the
  #     request. Within a single source, the match follows AND semantics
  #     across fields and OR semantics within a single field, i.e. a match
  #     occurs when ANY principal matches AND ANY ipBlocks match.
  # @!attribute [rw] not_sources
  #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::From::RequestSource>]
  #     Optional. Describes the negated properties of request sources. Matches
  #     requests from sources that do not match the criteria specified in this
  #     field. At least one of sources or notSources must be specified.
  class From
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # Describes the properties of a single source.
    # @!attribute [rw] principals
    #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::Principal>]
    #     Optional. A list of identities derived from the client's certificate.
    #     This field will not match on a request unless frontend mutual TLS is
    #     enabled for the forwarding rule or Gateway and the client certificate
    #     has been successfully validated by mTLS.
    #     Each identity is a string whose value is matched against a list of
    #     URI SANs, DNS Name SANs, or the common name in the client's
    #     certificate. A match happens when any principal matches with the
    #     rule. Limited to 50 principals per Authorization Policy for regional
    #     internal Application Load Balancers, regional external Application
    #     Load Balancers, cross-region internal Application Load Balancers, and
    #     Cloud Service Mesh. This field is not supported for global external
    #     Application Load Balancers.
    # @!attribute [rw] ip_blocks
    #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::IpBlock>]
    #     Optional. A list of IP addresses or IP address ranges to match
    #     against the source IP address of the request. Limited to 10 ip_blocks
    #     per Authorization Policy
    # @!attribute [rw] resources
    #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::RequestResource>]
    #     Optional. A list of resources to match against the resource of the
    #     source VM of a request. Limited to 10 resources per Authorization
    #     Policy.
    class RequestSource
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end
  end

  # Describes properties of one or more targets of a request.
  # @!attribute [rw] operations
  #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation>]
  #     Optional. Describes properties of one or more targets of a request. At
  #     least one of operations or notOperations must be specified. Limited to
  #     1 operation. A match occurs when ANY operation (in operations or
  #     notOperations) matches. Within an operation, the match follows AND
  #     semantics across fields and OR semantics within a field, i.e. a match
  #     occurs when ANY path matches AND ANY header matches and ANY method
  #     matches.
  # @!attribute [rw] not_operations
  #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation>]
  #     Optional. Describes the negated properties of the targets of a request.
  #     Matches requests for operations that do not match the criteria
  #     specified in this field. At least one of operations or notOperations
  #     must be specified.
  class To
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # Describes properties of one or more targets of a request.
    # @!attribute [rw] header_set
    #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::HeaderSet]
    #     Optional. A list of headers to match against in http header.
    # @!attribute [rw] hosts
    #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>]
    #     Optional. A list of HTTP Hosts to match against. The match can be one
    #     of exact, prefix, suffix, or contains (substring match). Matches are
    #     always case sensitive unless the ignoreCase is set. Limited to 10
    #     hosts per Authorization Policy.
    # @!attribute [rw] paths
    #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>]
    #     Optional. A list of paths to match against. The match can be one of
    #     exact, prefix, suffix, or contains (substring match). Matches are
    #     always case sensitive unless the ignoreCase is set. Limited to 10
    #     paths per Authorization Policy.
    #     Note that this path match includes the query parameters. For gRPC
    #     services, this should be a fully-qualified name of the form
    #     /package.service/method.
    # @!attribute [rw] methods
    #   @return [::Array<::String>]
    #     Optional. A list of HTTP methods to match against. Each entry must be
    #     a valid HTTP method name (GET, PUT, POST, HEAD, PATCH, DELETE,
    #     OPTIONS). It only allows exact match and is always case sensitive.
    #     Limited to 10 methods per Authorization Policy.
    # @!attribute [rw] mcp
    #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::MCP]
    #     Optional. Defines the MCP protocol attributes to match on. If the MCP
    #     payload in the request body cannot be successfully parsed, the
    #     request will be denied. This field can be set only for AuthzPolicies
    #     targeting AgentGateway resources.
    # @!attribute [rw] snis
    #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>]
    #     Optional. A list of SNIs to match against. The match can be one of
    #     exact, prefix, suffix, or contains (substring match). If there is no
    #     SNI (i.e. plaintext HTTP traffic), the request will be denied.
    #     Matches are always case sensitive unless the ignoreCase is set.
    #     Limited to 10 SNIs per Authorization Policy.
    class RequestOperation
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # Describes a set of HTTP headers to match against.
      # @!attribute [rw] headers
      #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::HeaderMatch>]
      #     Required. A list of headers to match against in http header.
      #     The match can be one of exact, prefix, suffix, or contains
      #     (substring match). The match follows AND semantics which means all
      #     the headers must match. Matches are always case sensitive unless
      #     the ignoreCase is set. Limited to 10 headers per Authorization
      #     Policy.
      class HeaderSet
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # Describes a set of MCP methods to match against.
      # @!attribute [rw] name
      #   @return [::String]
      #     Required. The MCP method to match against. Allowed values are as
      #     follows:
      #     1. `tools`, `prompts`, `resources` - these will match against all
      #        sub methods under the respective methods.
      #     2. `prompts/list`, `tools/list`, `resources/list`,
      #        `resources/templates/list`
      #     3. `prompts/get`, `tools/call`, `resources/subscribe`,
      #        `resources/unsubscribe`, `resources/read`
      #     Params cannot be specified for categories 1 and 2.
      # @!attribute [rw] params
      #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>]
      #     Optional. A list of MCP method parameters to match against. The
      #     match can be one of exact, prefix, suffix, or contains (substring
      #     match). Matches are always case sensitive unless the ignoreCase is
      #     set. Limited to 10 MCP method parameters per Authorization Policy.
      class MCPMethod
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # Describes a set of MCP protocol attributes to match against for a
      # given MCP request.
      # @!attribute [rw] base_protocol_methods_option
      #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::BaseProtocolMethodsOption]
      #     Optional. If specified, matches on the MCP protocol’s non-access
      #     specific methods namely:
      #     * initialize
      #     * completion/
      #     * logging/
      #     * notifications/
      #     * ping
      #     Defaults to SKIP_BASE_PROTOCOL_METHODS if not specified.
      # @!attribute [rw] methods
      #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::MCPMethod>]
      #     Optional. A list of MCP methods and associated parameters to match
      #     on. It is recommended to use this field to match on tools, prompts
      #     and resource accesses while setting the baseProtocolMethodsOption
      #     to MATCH_BASE_PROTOCOL_METHODS to match on all the other MCP
      #     protocol methods.
      #     Limited to 10 MCP methods per Authorization Policy.
      class MCP
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # Describes the option to match against the base MCP protocol methods.
      module BaseProtocolMethodsOption
        # Unspecified option. Defaults to SKIP_BASE_PROTOCOL_METHODS.
        BASE_PROTOCOL_METHODS_OPTION_UNSPECIFIED = 0

        # Skip matching on the base MCP protocol methods.
        SKIP_BASE_PROTOCOL_METHODS = 1

        # Match on the base MCP protocol methods.
        MATCH_BASE_PROTOCOL_METHODS = 2
      end
    end
  end
end

#when::String

Returns Optional. CEL expression that describes the conditions to be satisfied for the action. The result of the CEL expression is ANDed with the from and to. Refer to the CEL language reference for a list of available attributes.

Returns:

  • (::String)

    Optional. CEL expression that describes the conditions to be satisfied for the action. The result of the CEL expression is ANDed with the from and to. Refer to the CEL language reference for a list of available attributes.



138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
# File 'proto_docs/google/cloud/networksecurity/v1/authz_policy.rb', line 138

class AuthzRule
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Determines how a string value should be matched.
  # @!attribute [rw] exact
  #   @return [::String]
  #     The input string must match exactly the string specified here.
  #
  #     Examples:
  #
  #     * ``abc`` only matches the value ``abc``.
  #
  #     Note: The following fields are mutually exclusive: `exact`, `prefix`, `suffix`, `contains`. If a field in that set is populated, all other fields in the set will automatically be cleared.
  # @!attribute [rw] prefix
  #   @return [::String]
  #     The input string must have the prefix specified here.
  #     Note: empty prefix is not allowed, please use regex instead.
  #
  #     Examples:
  #
  #     * ``abc`` matches the value ``abc.xyz``
  #
  #     Note: The following fields are mutually exclusive: `prefix`, `exact`, `suffix`, `contains`. If a field in that set is populated, all other fields in the set will automatically be cleared.
  # @!attribute [rw] suffix
  #   @return [::String]
  #     The input string must have the suffix specified here.
  #     Note: empty prefix is not allowed, please use regex instead.
  #
  #     Examples:
  #
  #     * ``abc`` matches the value ``xyz.abc``
  #
  #     Note: The following fields are mutually exclusive: `suffix`, `exact`, `prefix`, `contains`. If a field in that set is populated, all other fields in the set will automatically be cleared.
  # @!attribute [rw] contains
  #   @return [::String]
  #     The input string must have the substring specified here.
  #     Note: empty contains match is not allowed, please use regex instead.
  #
  #     Examples:
  #
  #     * ``abc`` matches the value ``xyz.abc.def``
  #
  #     Note: The following fields are mutually exclusive: `contains`, `exact`, `prefix`, `suffix`. If a field in that set is populated, all other fields in the set will automatically be cleared.
  # @!attribute [rw] ignore_case
  #   @return [::Boolean]
  #     If true, indicates the exact/prefix/suffix/contains matching should be
  #     case insensitive. For example, the matcher ``data`` will match both
  #     input string ``Data`` and ``data`` if set to true.
  class StringMatch
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # Represents a range of IP Addresses.
  # @!attribute [rw] prefix
  #   @return [::String]
  #     Required. The address prefix.
  # @!attribute [rw] length
  #   @return [::Integer]
  #     Required. The length of the address range.
  class IpBlock
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # Describes the properties of a client VM resource accessing the internal
  # application load balancers.
  # @!attribute [rw] tag_value_id_set
  #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::RequestResource::TagValueIdSet]
  #     Optional. A list of resource tag value permanent IDs to match against
  #     the resource manager tags value associated with the source VM of a
  #     request.
  # @!attribute [rw] iam_service_account
  #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch]
  #     Optional. An IAM service account to match against the source
  #     service account of the VM sending the request.
  class RequestResource
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # Describes a set of resource tag value permanent IDs to match against
    # the resource manager tags value associated with the source VM of a
    # request.
    # @!attribute [rw] ids
    #   @return [::Array<::Integer>]
    #     Required. A list of resource tag value permanent IDs to match against
    #     the resource manager tags value associated with the source VM of a
    #     request. The match follows AND semantics which means all
    #     the ids must match. Limited to 5 ids in the Tag value id set.
    class TagValueIdSet
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end
  end

  # Determines how a HTTP header should be matched.
  # @!attribute [rw] name
  #   @return [::String]
  #     Optional. Specifies the name of the header in the request.
  # @!attribute [rw] value
  #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch]
  #     Optional. Specifies how the header match will be performed.
  class HeaderMatch
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # Describes the properties of a principal to be matched against.
  # @!attribute [rw] principal_selector
  #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::Principal::PrincipalSelector]
  #     Optional. An enum to decide what principal value the principal rule
  #     will match against. If not specified, the PrincipalSelector is
  #     CLIENT_CERT_URI_SAN.
  # @!attribute [rw] principal
  #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch]
  #     Required. A non-empty string whose value is matched against the
  #     principal value based on the principal_selector. Only exact match can
  #     be applied for CLIENT_CERT_URI_SAN, CLIENT_CERT_DNS_NAME_SAN,
  #     CLIENT_CERT_COMMON_NAME selectors.
  class Principal
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # The principal value the principal rule will match against.
    module PrincipalSelector
      # Unspecified principal selector. It will be treated as
      # CLIENT_CERT_URI_SAN by default.
      PRINCIPAL_SELECTOR_UNSPECIFIED = 0

      # The principal rule is matched against a list of URI SANs in the
      # validated client's certificate. A match happens when there is any
      # exact URI SAN value match. This is the default principal selector.
      CLIENT_CERT_URI_SAN = 1

      # The principal rule is matched against a list of DNS Name SANs in the
      # validated client's certificate. A match happens when there is any
      # exact DNS Name SAN value match.
      # This is only applicable for Application Load Balancers
      # except for classic Global External Application load balancer.
      # CLIENT_CERT_DNS_NAME_SAN is not supported for INTERNAL_SELF_MANAGED
      # load balancing scheme.
      CLIENT_CERT_DNS_NAME_SAN = 2

      # The principal rule is matched against the common name in the client's
      # certificate. Authorization against multiple common names in the
      # client certificate is not supported. Requests with multiple common
      # names in the client certificate will be rejected if
      # CLIENT_CERT_COMMON_NAME is set as the principal selector. A match
      # happens when there is an exact common name value match.
      # This is only applicable for Application Load Balancers
      # except for global external Application Load Balancer and
      # classic Application Load Balancer.
      # CLIENT_CERT_COMMON_NAME is not supported for INTERNAL_SELF_MANAGED
      # load balancing scheme.
      CLIENT_CERT_COMMON_NAME = 3
    end
  end

  # Describes properties of one or more sources of a request.
  # @!attribute [rw] sources
  #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::From::RequestSource>]
  #     Optional. Describes the properties of a request's sources. At least one
  #     of sources or notSources must be specified. Limited to 1 source.
  #     A match occurs when ANY source (in sources or notSources) matches the
  #     request. Within a single source, the match follows AND semantics
  #     across fields and OR semantics within a single field, i.e. a match
  #     occurs when ANY principal matches AND ANY ipBlocks match.
  # @!attribute [rw] not_sources
  #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::From::RequestSource>]
  #     Optional. Describes the negated properties of request sources. Matches
  #     requests from sources that do not match the criteria specified in this
  #     field. At least one of sources or notSources must be specified.
  class From
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # Describes the properties of a single source.
    # @!attribute [rw] principals
    #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::Principal>]
    #     Optional. A list of identities derived from the client's certificate.
    #     This field will not match on a request unless frontend mutual TLS is
    #     enabled for the forwarding rule or Gateway and the client certificate
    #     has been successfully validated by mTLS.
    #     Each identity is a string whose value is matched against a list of
    #     URI SANs, DNS Name SANs, or the common name in the client's
    #     certificate. A match happens when any principal matches with the
    #     rule. Limited to 50 principals per Authorization Policy for regional
    #     internal Application Load Balancers, regional external Application
    #     Load Balancers, cross-region internal Application Load Balancers, and
    #     Cloud Service Mesh. This field is not supported for global external
    #     Application Load Balancers.
    # @!attribute [rw] ip_blocks
    #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::IpBlock>]
    #     Optional. A list of IP addresses or IP address ranges to match
    #     against the source IP address of the request. Limited to 10 ip_blocks
    #     per Authorization Policy
    # @!attribute [rw] resources
    #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::RequestResource>]
    #     Optional. A list of resources to match against the resource of the
    #     source VM of a request. Limited to 10 resources per Authorization
    #     Policy.
    class RequestSource
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end
  end

  # Describes properties of one or more targets of a request.
  # @!attribute [rw] operations
  #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation>]
  #     Optional. Describes properties of one or more targets of a request. At
  #     least one of operations or notOperations must be specified. Limited to
  #     1 operation. A match occurs when ANY operation (in operations or
  #     notOperations) matches. Within an operation, the match follows AND
  #     semantics across fields and OR semantics within a field, i.e. a match
  #     occurs when ANY path matches AND ANY header matches and ANY method
  #     matches.
  # @!attribute [rw] not_operations
  #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation>]
  #     Optional. Describes the negated properties of the targets of a request.
  #     Matches requests for operations that do not match the criteria
  #     specified in this field. At least one of operations or notOperations
  #     must be specified.
  class To
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # Describes properties of one or more targets of a request.
    # @!attribute [rw] header_set
    #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::HeaderSet]
    #     Optional. A list of headers to match against in http header.
    # @!attribute [rw] hosts
    #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>]
    #     Optional. A list of HTTP Hosts to match against. The match can be one
    #     of exact, prefix, suffix, or contains (substring match). Matches are
    #     always case sensitive unless the ignoreCase is set. Limited to 10
    #     hosts per Authorization Policy.
    # @!attribute [rw] paths
    #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>]
    #     Optional. A list of paths to match against. The match can be one of
    #     exact, prefix, suffix, or contains (substring match). Matches are
    #     always case sensitive unless the ignoreCase is set. Limited to 10
    #     paths per Authorization Policy.
    #     Note that this path match includes the query parameters. For gRPC
    #     services, this should be a fully-qualified name of the form
    #     /package.service/method.
    # @!attribute [rw] methods
    #   @return [::Array<::String>]
    #     Optional. A list of HTTP methods to match against. Each entry must be
    #     a valid HTTP method name (GET, PUT, POST, HEAD, PATCH, DELETE,
    #     OPTIONS). It only allows exact match and is always case sensitive.
    #     Limited to 10 methods per Authorization Policy.
    # @!attribute [rw] mcp
    #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::MCP]
    #     Optional. Defines the MCP protocol attributes to match on. If the MCP
    #     payload in the request body cannot be successfully parsed, the
    #     request will be denied. This field can be set only for AuthzPolicies
    #     targeting AgentGateway resources.
    # @!attribute [rw] snis
    #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>]
    #     Optional. A list of SNIs to match against. The match can be one of
    #     exact, prefix, suffix, or contains (substring match). If there is no
    #     SNI (i.e. plaintext HTTP traffic), the request will be denied.
    #     Matches are always case sensitive unless the ignoreCase is set.
    #     Limited to 10 SNIs per Authorization Policy.
    class RequestOperation
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # Describes a set of HTTP headers to match against.
      # @!attribute [rw] headers
      #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::HeaderMatch>]
      #     Required. A list of headers to match against in http header.
      #     The match can be one of exact, prefix, suffix, or contains
      #     (substring match). The match follows AND semantics which means all
      #     the headers must match. Matches are always case sensitive unless
      #     the ignoreCase is set. Limited to 10 headers per Authorization
      #     Policy.
      class HeaderSet
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # Describes a set of MCP methods to match against.
      # @!attribute [rw] name
      #   @return [::String]
      #     Required. The MCP method to match against. Allowed values are as
      #     follows:
      #     1. `tools`, `prompts`, `resources` - these will match against all
      #        sub methods under the respective methods.
      #     2. `prompts/list`, `tools/list`, `resources/list`,
      #        `resources/templates/list`
      #     3. `prompts/get`, `tools/call`, `resources/subscribe`,
      #        `resources/unsubscribe`, `resources/read`
      #     Params cannot be specified for categories 1 and 2.
      # @!attribute [rw] params
      #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>]
      #     Optional. A list of MCP method parameters to match against. The
      #     match can be one of exact, prefix, suffix, or contains (substring
      #     match). Matches are always case sensitive unless the ignoreCase is
      #     set. Limited to 10 MCP method parameters per Authorization Policy.
      class MCPMethod
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # Describes a set of MCP protocol attributes to match against for a
      # given MCP request.
      # @!attribute [rw] base_protocol_methods_option
      #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::BaseProtocolMethodsOption]
      #     Optional. If specified, matches on the MCP protocol’s non-access
      #     specific methods namely:
      #     * initialize
      #     * completion/
      #     * logging/
      #     * notifications/
      #     * ping
      #     Defaults to SKIP_BASE_PROTOCOL_METHODS if not specified.
      # @!attribute [rw] methods
      #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::MCPMethod>]
      #     Optional. A list of MCP methods and associated parameters to match
      #     on. It is recommended to use this field to match on tools, prompts
      #     and resource accesses while setting the baseProtocolMethodsOption
      #     to MATCH_BASE_PROTOCOL_METHODS to match on all the other MCP
      #     protocol methods.
      #     Limited to 10 MCP methods per Authorization Policy.
      class MCP
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end

      # Describes the option to match against the base MCP protocol methods.
      module BaseProtocolMethodsOption
        # Unspecified option. Defaults to SKIP_BASE_PROTOCOL_METHODS.
        BASE_PROTOCOL_METHODS_OPTION_UNSPECIFIED = 0

        # Skip matching on the base MCP protocol methods.
        SKIP_BASE_PROTOCOL_METHODS = 1

        # Match on the base MCP protocol methods.
        MATCH_BASE_PROTOCOL_METHODS = 2
      end
    end
  end
end