1// Copyright 2021 Google LLC
2//
3// Licensed under the Apache License, Version 2.0 (the "License");
4// you may not use this file except in compliance with the License.
5// You may obtain a copy of the License at
6//
7//     http://www.apache.org/licenses/LICENSE-2.0
8//
9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12// See the License for the specific language governing permissions and
13// limitations under the License.
14
15syntax = "proto3";
16
17package google.cloud.networksecurity.v1beta1;
18
19import "google/api/field_behavior.proto";
20import "google/api/resource.proto";
21import "google/protobuf/field_mask.proto";
22import "google/protobuf/timestamp.proto";
23
24option csharp_namespace = "Google.Cloud.NetworkSecurity.V1Beta1";
25option go_package = "cloud.google.com/go/networksecurity/apiv1beta1/networksecuritypb;networksecuritypb";
26option java_multiple_files = true;
27option java_outer_classname = "AuthorizationPolicyProto";
28option java_package = "com.google.cloud.networksecurity.v1beta1";
29option php_namespace = "Google\\Cloud\\NetworkSecurity\\V1beta1";
30option ruby_package = "Google::Cloud::NetworkSecurity::V1beta1";
31
// AuthorizationPolicy is a resource that specifies how a server
// should authorize incoming connections. This resource in itself does
// not change the configuration unless it's attached to a target https
// proxy or endpoint config selector resource.
//
// Per the `rules` and `action` field comments below, `action` is applied
// to a request when at least one rule matches it, or unconditionally when
// `rules` is empty.
message AuthorizationPolicy {
  option (google.api.resource) = {
    type: "networksecurity.googleapis.com/AuthorizationPolicy"
    pattern: "projects/{project}/locations/{location}/authorizationPolicies/{authorization_policy}"
  };

  // Specification of rules.
  message Rule {
    // Specification of traffic source attributes.
    message Source {
      // Optional. List of peer identities to match for authorization. At least
      // one principal should match. Each peer can be an exact match, or a
      // prefix match (example, "namespace/*") or a suffix match (example,
      // "*/service-account") or a presence match "*". Authorization based on
      // the principal name without certificate validation (configured by
      // ServerTlsPolicy resource) is considered insecure.
      // NOTE(review): a bare presence match "*" matches every principal and
      // should be reviewed as carefully as a wide ip_blocks entry.
      repeated string principals = 1 [(google.api.field_behavior) = OPTIONAL];

      // Optional. List of CIDR ranges to match based on source IP address. At
      // least one IP block should match. Single IP (e.g., "1.2.3.4") and CIDR
      // (e.g., "1.2.3.0/24") are supported. Authorization based on source IP
      // alone should be avoided. The IP addresses of any load balancers or
      // proxies should be considered untrusted.
      // NOTE(review): behind a proxy the address matched here is presumably
      // the proxy's, so a block that admits the proxy range admits every
      // client behind it — confirm against the deployment topology.
      repeated string ip_blocks = 2 [(google.api.field_behavior) = OPTIONAL];
    }

    // Specification of traffic destination attributes.
    message Destination {
      // Specification of HTTP header match attributes.
      message HttpHeaderMatch {
        // `regex_match` is currently the only member; placing it in a oneof
        // gives it explicit presence, so "set to an empty pattern" is
        // distinguishable from "unset".
        oneof type {
          // Required. The value of the header must match the regular expression
          // specified in regexMatch. For regular expression grammar,
          // please see: en.cppreference.com/w/cpp/regex/ecmascript
          // For matching against a port specified in the HTTP
          // request, use a headerMatch with headerName set to Host
          // and a regular expression that satisfies the RFC2616 Host
          // header's port specifier.
          // NOTE(review): whether the pattern must match the whole header
          // value or only a substring is not stated here; confirm before
          // relying on an unanchored pattern, since a substring match
          // accepts more than a literal comparison would.
          string regex_match = 2 [(google.api.field_behavior) = REQUIRED];
        }

        // Required. The name of the HTTP header to match. For matching
        // against the HTTP request's authority, use a headerMatch
        // with the header name ":authority". For matching a
        // request's method, use the headerName ":method".
        string header_name = 1 [(google.api.field_behavior) = REQUIRED];
      }

      // Required. List of host names to match. Matched against the ":authority"
      // header in http requests. At least one host should match. Each host can
      // be an exact match, or a prefix match (example "mydomain.*") or a suffix
      // match (example "*.myorg.com") or a presence (any) match "*".
      // NOTE(review): ":authority" is supplied by the client, so, as with
      // http_header_match below, a host match only carries authorization
      // weight when requests are known to arrive through a trusted proxy.
      repeated string hosts = 1 [(google.api.field_behavior) = REQUIRED];

      // Required. List of destination ports to match. At least one port should
      // match.
      repeated uint32 ports = 2 [(google.api.field_behavior) = REQUIRED];

      // Optional. A list of HTTP methods to match. At least one method should
      // match. Should not be set for gRPC services.
      // NOTE(review): field number 3 is skipped but not declared `reserved`;
      // if it was ever published, add `reserved 3;` to this message so the
      // number cannot be reused with a different meaning.
      repeated string methods = 4 [(google.api.field_behavior) = OPTIONAL];

      // Optional. Match against key:value pair in http header. Provides a
      // flexible match based on HTTP headers, for potentially advanced use
      // cases. At least one header should match. Avoid using header matches to
      // make authorization decisions unless there is a strong guarantee that
      // requests arrive through a trusted client or proxy.
      // NOTE(review): this field is singular although the text above speaks of
      // "at least one header"; only one header match can be expressed per
      // Destination.
      HttpHeaderMatch http_header_match = 5
          [(google.api.field_behavior) = OPTIONAL];
    }

    // Optional. List of attributes for the traffic source. All of the sources
    // must match. A source is a match if both principals and ip_blocks match.
    // If not set, the action specified in the 'action' field will be applied
    // without any rule checks for the source.
    // With `action` set to ALLOW, an empty `sources` list therefore admits any
    // caller whose destination attributes match.
    repeated Source sources = 1 [(google.api.field_behavior) = OPTIONAL];

    // Optional. List of attributes for the traffic destination. All of the
    // destinations must match. A destination is a match if a request matches
    // all the specified hosts, ports, methods and headers. If not set, the
    // action specified in the 'action' field will be applied without any rule
    // checks for the destination.
    repeated Destination destinations = 2
        [(google.api.field_behavior) = OPTIONAL];
  }

  // Possible values that define what action to take.
  // NOTE(review): the values are not prefixed with the enum name (e.g.
  // ACTION_ALLOW) as lint rules expect; renaming them now would break
  // generated code and the JSON form, so they stay as published.
  enum Action {
    // Default value. Not a decision in itself; `action` is REQUIRED and is
    // documented as taking ALLOW or DENY.
    ACTION_UNSPECIFIED = 0;

    // Grant access.
    ALLOW = 1;

    // Deny access.
    // Deny rules should be avoided unless they are used to provide a default
    // "deny all" fallback.
    DENY = 2;
  }

  // Required. Name of the AuthorizationPolicy resource. It matches pattern
  // `projects/{project}/locations/{location}/authorizationPolicies/{authorization_policy}`.
  string name = 1 [(google.api.field_behavior) = REQUIRED];

  // Optional. Free-text description of the resource.
  string description = 2 [(google.api.field_behavior) = OPTIONAL];

  // Output only. The timestamp when the resource was created.
  google.protobuf.Timestamp create_time = 3
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The timestamp when the resource was updated.
  google.protobuf.Timestamp update_time = 4
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Optional. Set of label tags associated with the AuthorizationPolicy
  // resource.
  map<string, string> labels = 5 [(google.api.field_behavior) = OPTIONAL];

  // Required. The action to take when a rule match is found. Possible values
  // are "ALLOW" or "DENY".
  Action action = 6 [(google.api.field_behavior) = REQUIRED];

  // Optional. List of rules to match. Note that at least one of the rules must
  // match in order for the action specified in the 'action' field to be taken.
  // A rule is a match if there is a matching source and destination. If left
  // blank, the action specified in the `action` field will be applied on every
  // request.
  // Consequently an ALLOW policy with no rules admits every request; treat an
  // empty `rules` list as a deliberate "allow all" decision when reviewing.
  repeated Rule rules = 7 [(google.api.field_behavior) = OPTIONAL];
}
166
// Request used with the ListAuthorizationPolicies method.
message ListAuthorizationPoliciesRequest {
  // Required. The project and location from which the AuthorizationPolicies
  // should be listed, specified in the format
  // `projects/{project}/locations/{location}`.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "locations.googleapis.com/Location"
    }
  ];

  // Maximum number of AuthorizationPolicies to return per call.
  // NOTE(review): no default or upper bound is stated here; the server may
  // return fewer than requested — confirm against the service documentation.
  int32 page_size = 2;

  // The value returned by the last `ListAuthorizationPoliciesResponse`.
  // Indicates that this is a continuation of a prior
  // `ListAuthorizationPolicies` call, and that the system should return the
  // next page of data.
  string page_token = 3;
}
188
// Response returned by the ListAuthorizationPolicies method.
message ListAuthorizationPoliciesResponse {
  // List of AuthorizationPolicies resources.
  repeated AuthorizationPolicy authorization_policies = 1;

  // If there might be more results than those appearing in this response, then
  // `next_page_token` is included. To get the next set of results, call this
  // method again using the value of `next_page_token` as `page_token`.
  // An empty token means there are no further pages to fetch.
  string next_page_token = 2;
}
199
// Request used by the GetAuthorizationPolicy method.
message GetAuthorizationPolicyRequest {
  // Required. A name of the AuthorizationPolicy to get. Must be in the format
  // `projects/{project}/locations/{location}/authorizationPolicies/*`.
  // The resource_reference option ties this to the AuthorizationPolicy
  // resource type declared on the AuthorizationPolicy message.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "networksecurity.googleapis.com/AuthorizationPolicy"
    }
  ];
}
211
// Request used by the CreateAuthorizationPolicy method.
message CreateAuthorizationPolicyRequest {
  // Required. The parent resource of the AuthorizationPolicy. Must be in the
  // format `projects/{project}/locations/{location}`.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      child_type: "networksecurity.googleapis.com/AuthorizationPolicy"
    }
  ];

  // Required. Short name of the AuthorizationPolicy resource to be created.
  // This value should be 1-63 characters long, containing only
  // letters, numbers, hyphens, and underscores, and should not start
  // with a number. E.g. "authz_policy".
  string authorization_policy_id = 2 [(google.api.field_behavior) = REQUIRED];

  // Required. AuthorizationPolicy resource to be created.
  // NOTE(review): how `authorization_policy.name` relates to `parent` and
  // `authorization_policy_id` is not stated here; presumably the server
  // derives the full name — confirm before populating it client-side.
  AuthorizationPolicy authorization_policy = 3
      [(google.api.field_behavior) = REQUIRED];
}
233
// Request used by the UpdateAuthorizationPolicy method.
message UpdateAuthorizationPolicyRequest {
  // Optional. Field mask is used to specify the fields to be overwritten in the
  // AuthorizationPolicy resource by the update.
  // The fields specified in the update_mask are relative to the resource, not
  // the full request. A field will be overwritten if it is in the mask. If the
  // user does not provide a mask then all fields will be overwritten.
  // NOTE(review): because an omitted mask overwrites every field, an update
  // whose body leaves `rules` empty replaces the policy with one that has no
  // rules — which, with action ALLOW, is documented on AuthorizationPolicy as
  // applying to every request. Send an explicit mask for partial updates.
  google.protobuf.FieldMask update_mask = 1
      [(google.api.field_behavior) = OPTIONAL];

  // Required. Updated AuthorizationPolicy resource.
  // Its `name` identifies the policy to update; there is no separate name
  // field on this request.
  AuthorizationPolicy authorization_policy = 2
      [(google.api.field_behavior) = REQUIRED];
}
248
// Request used by the DeleteAuthorizationPolicy method.
message DeleteAuthorizationPolicyRequest {
  // Required. A name of the AuthorizationPolicy to delete. Must be in the
  // format `projects/{project}/locations/{location}/authorizationPolicies/*`.
  // NOTE(review): the effect of deleting a policy that is still attached to a
  // target proxy or endpoint config selector is not stated here — confirm
  // whether the request is rejected or the attachment is silently dropped.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "networksecurity.googleapis.com/AuthorizationPolicy"
    }
  ];
}
260