1// Copyright 2022 Google LLC 2// 3// Licensed under the Apache License, Version 2.0 (the "License"); 4// you may not use this file except in compliance with the License. 5// You may obtain a copy of the License at 6// 7// http://www.apache.org/licenses/LICENSE-2.0 8// 9// Unless required by applicable law or agreed to in writing, software 10// distributed under the License is distributed on an "AS IS" BASIS, 11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12// See the License for the specific language governing permissions and 13// limitations under the License. 14 15syntax = "proto3"; 16 17package google.cloud.networksecurity.v1; 18 19import "google/api/field_behavior.proto"; 20import "google/api/resource.proto"; 21import "google/cloud/networksecurity/v1/tls.proto"; 22import "google/protobuf/field_mask.proto"; 23import "google/protobuf/timestamp.proto"; 24 25option csharp_namespace = "Google.Cloud.NetworkSecurity.V1"; 26option go_package = "cloud.google.com/go/networksecurity/apiv1/networksecuritypb;networksecuritypb"; 27option java_multiple_files = true; 28option java_outer_classname = "ServerTlsPolicyProto"; 29option java_package = "com.google.cloud.networksecurity.v1"; 30option php_namespace = "Google\\Cloud\\NetworkSecurity\\V1"; 31option ruby_package = "Google::Cloud::NetworkSecurity::V1"; 32 33// ServerTlsPolicy is a resource that specifies how a server should authenticate 34// incoming requests. This resource itself does not affect configuration unless 35// it is attached to a target https proxy or endpoint config selector resource. 36message ServerTlsPolicy { 37 option (google.api.resource) = { 38 type: "networksecurity.googleapis.com/ServerTlsPolicy" 39 pattern: "projects/{project}/locations/{location}/serverTlsPolicies/{server_tls_policy}" 40 }; 41 42 // Specification of the MTLSPolicy. 43 message MTLSPolicy { 44 // 45 // Defines the mechanism to obtain the Certificate Authority certificate to 46 // validate the client certificate. 47 repeated ValidationCA client_validation_ca = 1; 48 } 49 50 // Required. Name of the ServerTlsPolicy resource. It matches the pattern 51 // `projects/*/locations/{location}/serverTlsPolicies/{server_tls_policy}` 52 string name = 1 [(google.api.field_behavior) = REQUIRED]; 53 54 // Free-text description of the resource. 55 string description = 2; 56 57 // Output only. The timestamp when the resource was created. 58 google.protobuf.Timestamp create_time = 3 [(google.api.field_behavior) = OUTPUT_ONLY]; 59 60 // Output only. The timestamp when the resource was updated. 61 google.protobuf.Timestamp update_time = 4 [(google.api.field_behavior) = OUTPUT_ONLY]; 62 63 // Set of label tags associated with the resource. 64 map<string, string> labels = 5; 65 66 // 67 // Determines if server allows plaintext connections. If set to true, server 68 // allows plain text connections. By default, it is set to false. This setting 69 // is not exclusive of other encryption modes. For example, if `allow_open` 70 // and `mtls_policy` are set, server allows both plain text and mTLS 71 // connections. See documentation of other encryption modes to confirm 72 // compatibility. 73 // 74 // Consider using it if you wish to upgrade in place your deployment to TLS 75 // while having mixed TLS and non-TLS traffic reaching port :80. 76 bool allow_open = 6; 77 78 // 79 // Defines a mechanism to provision server identity (public and private keys). 80 // Cannot be combined with `allow_open` as a permissive mode that allows both 81 // plain text and TLS is not supported. 82 CertificateProvider server_certificate = 7; 83 84 // 85 // Defines a mechanism to provision peer validation certificates for peer to 86 // peer authentication (Mutual TLS - mTLS). If not specified, client 87 // certificate will not be requested. The connection is treated as TLS and not 88 // mTLS. If `allow_open` and `mtls_policy` are set, server allows both plain 89 // text and mTLS connections. 90 MTLSPolicy mtls_policy = 8; 91} 92 93// Request used by the ListServerTlsPolicies method. 94message ListServerTlsPoliciesRequest { 95 // Required. The project and location from which the ServerTlsPolicies should 96 // be listed, specified in the format `projects/*/locations/{location}`. 97 string parent = 1 [ 98 (google.api.field_behavior) = REQUIRED, 99 (google.api.resource_reference) = { 100 type: "locations.googleapis.com/Location" 101 } 102 ]; 103 104 // Maximum number of ServerTlsPolicies to return per call. 105 int32 page_size = 2; 106 107 // The value returned by the last `ListServerTlsPoliciesResponse` 108 // Indicates that this is a continuation of a prior 109 // `ListServerTlsPolicies` call, and that the system 110 // should return the next page of data. 111 string page_token = 3; 112} 113 114// Response returned by the ListServerTlsPolicies method. 115message ListServerTlsPoliciesResponse { 116 // List of ServerTlsPolicy resources. 117 repeated ServerTlsPolicy server_tls_policies = 1; 118 119 // If there might be more results than those appearing in this response, then 120 // `next_page_token` is included. To get the next set of results, call this 121 // method again using the value of `next_page_token` as `page_token`. 122 string next_page_token = 2; 123} 124 125// Request used by the GetServerTlsPolicy method. 126message GetServerTlsPolicyRequest { 127 // Required. A name of the ServerTlsPolicy to get. Must be in the format 128 // `projects/*/locations/{location}/serverTlsPolicies/*`. 129 string name = 1 [ 130 (google.api.field_behavior) = REQUIRED, 131 (google.api.resource_reference) = { 132 type: "networksecurity.googleapis.com/ServerTlsPolicy" 133 } 134 ]; 135} 136 137// Request used by the CreateServerTlsPolicy method. 138message CreateServerTlsPolicyRequest { 139 // Required. The parent resource of the ServerTlsPolicy. Must be in 140 // the format `projects/*/locations/{location}`. 141 string parent = 1 [ 142 (google.api.field_behavior) = REQUIRED, 143 (google.api.resource_reference) = { 144 child_type: "networksecurity.googleapis.com/ServerTlsPolicy" 145 } 146 ]; 147 148 // Required. Short name of the ServerTlsPolicy resource to be created. This value should 149 // be 1-63 characters long, containing only letters, numbers, hyphens, and 150 // underscores, and should not start with a number. E.g. "server_mtls_policy". 151 string server_tls_policy_id = 2 [(google.api.field_behavior) = REQUIRED]; 152 153 // Required. ServerTlsPolicy resource to be created. 154 ServerTlsPolicy server_tls_policy = 3 [(google.api.field_behavior) = REQUIRED]; 155} 156 157// Request used by UpdateServerTlsPolicy method. 158message UpdateServerTlsPolicyRequest { 159 // Optional. Field mask is used to specify the fields to be overwritten in the 160 // ServerTlsPolicy resource by the update. The fields 161 // specified in the update_mask are relative to the resource, not 162 // the full request. A field will be overwritten if it is in the 163 // mask. If the user does not provide a mask then all fields will be 164 // overwritten. 165 google.protobuf.FieldMask update_mask = 1 [(google.api.field_behavior) = OPTIONAL]; 166 167 // Required. Updated ServerTlsPolicy resource. 168 ServerTlsPolicy server_tls_policy = 2 [(google.api.field_behavior) = REQUIRED]; 169} 170 171// Request used by the DeleteServerTlsPolicy method. 172message DeleteServerTlsPolicyRequest { 173 // Required. A name of the ServerTlsPolicy to delete. Must be in 174 // the format `projects/*/locations/{location}/serverTlsPolicies/*`. 175 string name = 1 [ 176 (google.api.field_behavior) = REQUIRED, 177 (google.api.resource_reference) = { 178 type: "networksecurity.googleapis.com/ServerTlsPolicy" 179 } 180 ]; 181} 182