Class: Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To

Inherits:
Object
  • Object
show all
Extended by:
Protobuf::MessageExts::ClassMethods
Includes:
Protobuf::MessageExts
Defined in:
proto_docs/google/cloud/networksecurity/v1/authz_policy.rb

Overview

Describes properties of one or more targets of a request.

Defined Under Namespace

Classes: RequestOperation

Instance Attribute Summary collapse

Instance Attribute Details

#not_operations::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation>

Returns Optional. Describes the negated properties of the targets of a request. Matches requests for operations that do not match the criteria specified in this field. At least one of operations or notOperations must be specified.

Returns:



362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
# File 'proto_docs/google/cloud/networksecurity/v1/authz_policy.rb', line 362

class To
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Describes properties of one or more targets of a request.
  # @!attribute [rw] header_set
  #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::HeaderSet]
  #     Optional. A list of headers to match against in http header.
  # @!attribute [rw] hosts
  #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>]
  #     Optional. A list of HTTP Hosts to match against. The match can be one
  #     of exact, prefix, suffix, or contains (substring match). Matches are
  #     always case sensitive unless the ignoreCase is set. Limited to 10
  #     hosts per Authorization Policy.
  # @!attribute [rw] paths
  #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>]
  #     Optional. A list of paths to match against. The match can be one of
  #     exact, prefix, suffix, or contains (substring match). Matches are
  #     always case sensitive unless the ignoreCase is set. Limited to 10
  #     paths per Authorization Policy.
  #     Note that this path match includes the query parameters. For gRPC
  #     services, this should be a fully-qualified name of the form
  #     /package.service/method.
  # @!attribute [rw] methods
  #   @return [::Array<::String>]
  #     Optional. A list of HTTP methods to match against. Each entry must be
  #     a valid HTTP method name (GET, PUT, POST, HEAD, PATCH, DELETE,
  #     OPTIONS). It only allows exact match and is always case sensitive.
  #     Limited to 10 methods per Authorization Policy.
  # @!attribute [rw] mcp
  #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::MCP]
  #     Optional. Defines the MCP protocol attributes to match on. If the MCP
  #     payload in the request body cannot be successfully parsed, the
  #     request will be denied. This field can be set only for AuthzPolicies
  #     targeting AgentGateway resources.
  # @!attribute [rw] snis
  #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>]
  #     Optional. A list of SNIs to match against. The match can be one of
  #     exact, prefix, suffix, or contains (substring match). If there is no
  #     SNI (i.e. plaintext HTTP traffic), the request will be denied.
  #     Matches are always case sensitive unless the ignoreCase is set.
  #     Limited to 10 SNIs per Authorization Policy.
  class RequestOperation
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # Describes a set of HTTP headers to match against.
    # @!attribute [rw] headers
    #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::HeaderMatch>]
    #     Required. A list of headers to match against in http header.
    #     The match can be one of exact, prefix, suffix, or contains
    #     (substring match). The match follows AND semantics which means all
    #     the headers must match. Matches are always case sensitive unless
    #     the ignoreCase is set. Limited to 10 headers per Authorization
    #     Policy.
    class HeaderSet
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # Describes a set of MCP methods to match against.
    # @!attribute [rw] name
    #   @return [::String]
    #     Required. The MCP method to match against. Allowed values are as
    #     follows:
    #     1. `tools`, `prompts`, `resources` - these will match against all
    #        sub methods under the respective methods.
    #     2. `prompts/list`, `tools/list`, `resources/list`,
    #        `resources/templates/list`
    #     3. `prompts/get`, `tools/call`, `resources/subscribe`,
    #        `resources/unsubscribe`, `resources/read`
    #     Params cannot be specified for categories 1 and 2.
    # @!attribute [rw] params
    #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>]
    #     Optional. A list of MCP method parameters to match against. The
    #     match can be one of exact, prefix, suffix, or contains (substring
    #     match). Matches are always case sensitive unless the ignoreCase is
    #     set. Limited to 10 MCP method parameters per Authorization Policy.
    class MCPMethod
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # Describes a set of MCP protocol attributes to match against for a
    # given MCP request.
    # @!attribute [rw] base_protocol_methods_option
    #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::BaseProtocolMethodsOption]
    #     Optional. If specified, matches on the MCP protocol’s non-access
    #     specific methods namely:
    #     * initialize
    #     * completion/
    #     * logging/
    #     * notifications/
    #     * ping
    #     Defaults to SKIP_BASE_PROTOCOL_METHODS if not specified.
    # @!attribute [rw] methods
    #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::MCPMethod>]
    #     Optional. A list of MCP methods and associated parameters to match
    #     on. It is recommended to use this field to match on tools, prompts
    #     and resource accesses while setting the baseProtocolMethodsOption
    #     to MATCH_BASE_PROTOCOL_METHODS to match on all the other MCP
    #     protocol methods.
    #     Limited to 10 MCP methods per Authorization Policy.
    class MCP
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # Describes the option to match against the base MCP protocol methods.
    module BaseProtocolMethodsOption
      # Unspecified option. Defaults to SKIP_BASE_PROTOCOL_METHODS.
      BASE_PROTOCOL_METHODS_OPTION_UNSPECIFIED = 0

      # Skip matching on the base MCP protocol methods.
      SKIP_BASE_PROTOCOL_METHODS = 1

      # Match on the base MCP protocol methods.
      MATCH_BASE_PROTOCOL_METHODS = 2
    end
  end
end

#operations::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation>

Returns Optional. Describes properties of one or more targets of a request. At least one of operations or notOperations must be specified. Limited to 1 operation. A match occurs when ANY operation (in operations or notOperations) matches. Within an operation, the match follows AND semantics across fields and OR semantics within a field, i.e. a match occurs when ANY path matches AND ANY header matches and ANY method matches.

Returns:

  • (::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation>)

    Optional. Describes properties of one or more targets of a request. At least one of operations or notOperations must be specified. Limited to 1 operation. A match occurs when ANY operation (in operations or notOperations) matches. Within an operation, the match follows AND semantics across fields and OR semantics within a field, i.e. a match occurs when ANY path matches AND ANY header matches and ANY method matches.



362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
# File 'proto_docs/google/cloud/networksecurity/v1/authz_policy.rb', line 362

class To
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Describes properties of one or more targets of a request.
  # @!attribute [rw] header_set
  #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::HeaderSet]
  #     Optional. A list of headers to match against in http header.
  # @!attribute [rw] hosts
  #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>]
  #     Optional. A list of HTTP Hosts to match against. The match can be one
  #     of exact, prefix, suffix, or contains (substring match). Matches are
  #     always case sensitive unless the ignoreCase is set. Limited to 10
  #     hosts per Authorization Policy.
  # @!attribute [rw] paths
  #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>]
  #     Optional. A list of paths to match against. The match can be one of
  #     exact, prefix, suffix, or contains (substring match). Matches are
  #     always case sensitive unless the ignoreCase is set. Limited to 10
  #     paths per Authorization Policy.
  #     Note that this path match includes the query parameters. For gRPC
  #     services, this should be a fully-qualified name of the form
  #     /package.service/method.
  # @!attribute [rw] methods
  #   @return [::Array<::String>]
  #     Optional. A list of HTTP methods to match against. Each entry must be
  #     a valid HTTP method name (GET, PUT, POST, HEAD, PATCH, DELETE,
  #     OPTIONS). It only allows exact match and is always case sensitive.
  #     Limited to 10 methods per Authorization Policy.
  # @!attribute [rw] mcp
  #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::MCP]
  #     Optional. Defines the MCP protocol attributes to match on. If the MCP
  #     payload in the request body cannot be successfully parsed, the
  #     request will be denied. This field can be set only for AuthzPolicies
  #     targeting AgentGateway resources.
  # @!attribute [rw] snis
  #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>]
  #     Optional. A list of SNIs to match against. The match can be one of
  #     exact, prefix, suffix, or contains (substring match). If there is no
  #     SNI (i.e. plaintext HTTP traffic), the request will be denied.
  #     Matches are always case sensitive unless the ignoreCase is set.
  #     Limited to 10 SNIs per Authorization Policy.
  class RequestOperation
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # Describes a set of HTTP headers to match against.
    # @!attribute [rw] headers
    #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::HeaderMatch>]
    #     Required. A list of headers to match against in http header.
    #     The match can be one of exact, prefix, suffix, or contains
    #     (substring match). The match follows AND semantics which means all
    #     the headers must match. Matches are always case sensitive unless
    #     the ignoreCase is set. Limited to 10 headers per Authorization
    #     Policy.
    class HeaderSet
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # Describes a set of MCP methods to match against.
    # @!attribute [rw] name
    #   @return [::String]
    #     Required. The MCP method to match against. Allowed values are as
    #     follows:
    #     1. `tools`, `prompts`, `resources` - these will match against all
    #        sub methods under the respective methods.
    #     2. `prompts/list`, `tools/list`, `resources/list`,
    #        `resources/templates/list`
    #     3. `prompts/get`, `tools/call`, `resources/subscribe`,
    #        `resources/unsubscribe`, `resources/read`
    #     Params cannot be specified for categories 1 and 2.
    # @!attribute [rw] params
    #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::StringMatch>]
    #     Optional. A list of MCP method parameters to match against. The
    #     match can be one of exact, prefix, suffix, or contains (substring
    #     match). Matches are always case sensitive unless the ignoreCase is
    #     set. Limited to 10 MCP method parameters per Authorization Policy.
    class MCPMethod
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # Describes a set of MCP protocol attributes to match against for a
    # given MCP request.
    # @!attribute [rw] base_protocol_methods_option
    #   @return [::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::BaseProtocolMethodsOption]
    #     Optional. If specified, matches on the MCP protocol’s non-access
    #     specific methods namely:
    #     * initialize
    #     * completion/
    #     * logging/
    #     * notifications/
    #     * ping
    #     Defaults to SKIP_BASE_PROTOCOL_METHODS if not specified.
    # @!attribute [rw] methods
    #   @return [::Array<::Google::Cloud::NetworkSecurity::V1::AuthzPolicy::AuthzRule::To::RequestOperation::MCPMethod>]
    #     Optional. A list of MCP methods and associated parameters to match
    #     on. It is recommended to use this field to match on tools, prompts
    #     and resource accesses while setting the baseProtocolMethodsOption
    #     to MATCH_BASE_PROTOCOL_METHODS to match on all the other MCP
    #     protocol methods.
    #     Limited to 10 MCP methods per Authorization Policy.
    class MCP
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # Describes the option to match against the base MCP protocol methods.
    module BaseProtocolMethodsOption
      # Unspecified option. Defaults to SKIP_BASE_PROTOCOL_METHODS.
      BASE_PROTOCOL_METHODS_OPTION_UNSPECIFIED = 0

      # Skip matching on the base MCP protocol methods.
      SKIP_BASE_PROTOCOL_METHODS = 1

      # Match on the base MCP protocol methods.
      MATCH_BASE_PROTOCOL_METHODS = 2
    end
  end
end