// Copyright 2022 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package google.cloud.networksecurity.v1;

import "google/api/field_behavior.proto";
import "google/api/resource.proto";
import "google/protobuf/field_mask.proto";
import "google/protobuf/timestamp.proto";

option csharp_namespace = "Google.Cloud.NetworkSecurity.V1";
option go_package = "cloud.google.com/go/networksecurity/apiv1/networksecuritypb;networksecuritypb";
option java_multiple_files = true;
option java_outer_classname = "AuthorizationPolicyProto";
option java_package = "com.google.cloud.networksecurity.v1";
option php_namespace = "Google\\Cloud\\NetworkSecurity\\V1";
option ruby_package = "Google::Cloud::NetworkSecurity::V1";

// This file defines the AuthorizationPolicy resource and the request/response
// messages of its List/Get/Create/Update/Delete methods. The evaluation model
// is: the policy's `action` (ALLOW or DENY) is applied to a request when at
// least one of its `rules` matches, and a rule matches when one of its
// `sources` and one of its `destinations` match; a policy with no rules
// applies its action to every request. Note that this is a published wire
// contract: field numbers, names and enum values must not be changed.

// AuthorizationPolicy is a resource that specifies how a server
// should authorize incoming connections. This resource in itself does
// not change the configuration unless it's attached to a target https
// proxy or endpoint config selector resource.
message AuthorizationPolicy {
  option (google.api.resource) = {
    type: "networksecurity.googleapis.com/AuthorizationPolicy"
    pattern: "projects/{project}/locations/{location}/authorizationPolicies/{authorization_policy}"
  };

  // Specification of rules. A rule is a match for a request if there is a
  // matching source and a matching destination (see `sources` and
  // `destinations` below for what "match" means when either list is empty).
  message Rule {
    // Specification of traffic source attributes. A source is a match if
    // both `principals` and `ip_blocks` match.
    message Source {
      // Optional. List of peer identities to match for authorization. At least one
      // principal should match. Each peer can be an exact match, or a prefix
      // match (example, "namespace/*") or a suffix match (example,
      // "*/service-account") or a presence match "*". Authorization based on
      // the principal name without certificate validation (configured by
      // ServerTlsPolicy resource) is considered insecure: without validation
      // the presented principal name is not bound to a verified identity, so
      // a principals-only rule offers no real protection.
      repeated string principals = 1 [(google.api.field_behavior) = OPTIONAL];

      // Optional. List of CIDR ranges to match based on source IP address. At least one
      // IP block should match. Single IP (e.g., "1.2.3.4") and CIDR (e.g.,
      // "1.2.3.0/24") are supported. Authorization based on source IP alone
      // should be avoided. The IP addresses of any load balancers or proxies
      // should be considered untrusted: when traffic arrives through such an
      // intermediary the source address matched here is the intermediary's,
      // not the original client's.
      repeated string ip_blocks = 2 [(google.api.field_behavior) = OPTIONAL];
    }

    // Specification of traffic destination attributes. A destination is a
    // match if a request matches all the specified hosts, ports, methods and
    // headers.
    message Destination {
      // Specification of HTTP header match attributes: a header name plus
      // the way its value is compared.
      message HttpHeaderMatch {
        // The kind of value match to apply to the header. Only one kind may
        // be set; at present `regex_match` is the only defined kind.
        oneof type {
          // Required. The value of the header must match the regular expression
          // specified in regexMatch. For regular expression grammar,
          // please see: en.cppreference.com/w/cpp/regex/ecmascript
          // For matching against a port specified in the HTTP
          // request, use a headerMatch with headerName set to Host
          // and a regular expression that satisfies the RFC2616 Host
          // header's port specifier.
          string regex_match = 2 [(google.api.field_behavior) = REQUIRED];
        }

        // Required. The name of the HTTP header to match. For matching
        // against the HTTP request's authority, use a headerMatch
        // with the header name ":authority". For matching a
        // request's method, use the headerName ":method".
        string header_name = 1 [(google.api.field_behavior) = REQUIRED];
      }

      // Required. List of host names to match. Matched against the ":authority" header in
      // http requests. At least one host should match. Each host can be an
      // exact match, or a prefix match (example "mydomain.*") or a suffix
      // match (example "*.myorg.com") or a presence (any) match "*".
      repeated string hosts = 1 [(google.api.field_behavior) = REQUIRED];

      // Required. List of destination ports to match. At least one port should match.
      repeated uint32 ports = 2 [(google.api.field_behavior) = REQUIRED];

      // NOTE(review): field number 3 is not assigned in this message. If it
      // was used in an earlier revision, a `reserved 3;` statement would
      // prevent accidental reuse — confirm against the schema history.

      // Optional. A list of HTTP methods to match. At least one method should
      // match. Should not be set for gRPC services.
      repeated string methods = 4 [(google.api.field_behavior) = OPTIONAL];

      // Optional. Match against key:value pair in http header. Provides a flexible match
      // based on HTTP headers, for potentially advanced use cases. At least one
      // header should match. Avoid using header matches to make authorization
      // decisions unless there is a strong guarantee that requests arrive
      // through a trusted client or proxy, since header values are otherwise
      // controlled by the sender.
      HttpHeaderMatch http_header_match = 5 [(google.api.field_behavior) = OPTIONAL];
    }

    // Optional. List of attributes for the traffic source. All of the sources must match.
    // A source is a match if both principals and ip_blocks match. If not set,
    // the action specified in the 'action' field will be applied without any
    // rule checks for the source, i.e. the rule matches traffic from any
    // source.
    repeated Source sources = 1 [(google.api.field_behavior) = OPTIONAL];

    // Optional. List of attributes for the traffic destination. All of the destinations
    // must match. A destination is a match if a request matches all the
    // specified hosts, ports, methods and headers. If not set, the
    // action specified in the 'action' field will be applied without any rule
    // checks for the destination, i.e. the rule matches traffic to any
    // destination.
    repeated Destination destinations = 2 [(google.api.field_behavior) = OPTIONAL];
  }

  // Possible values that define what action to take.
  // NOTE(review): `ALLOW` and `DENY` are not prefixed with the enum name as
  // the style guide recommends; since this enum is already published, the
  // values must stay as they are (renaming would break generated code).
  enum Action {
    // Default value. Not a valid action for a policy; `action` is Required.
    ACTION_UNSPECIFIED = 0;

    // Grant access.
    ALLOW = 1;

    // Deny access.
    // Deny rules should be avoided unless they are used to provide a default
    // "deny all" fallback.
    DENY = 2;
  }

  // Required. Name of the AuthorizationPolicy resource. It matches pattern
  // `projects/{project}/locations/{location}/authorizationPolicies/{authorization_policy}`
  // (see the resource pattern declared above).
  string name = 1 [(google.api.field_behavior) = REQUIRED];

  // Optional. Free-text description of the resource.
  string description = 2 [(google.api.field_behavior) = OPTIONAL];

  // Output only. The timestamp when the resource was created.
  google.protobuf.Timestamp create_time = 3 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The timestamp when the resource was updated.
  google.protobuf.Timestamp update_time = 4 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Optional. Set of label tags associated with the AuthorizationPolicy resource.
  map<string, string> labels = 5 [(google.api.field_behavior) = OPTIONAL];

  // Required. The action to take when a rule match is found. Possible values
  // are "ALLOW" or "DENY".
  Action action = 6 [(google.api.field_behavior) = REQUIRED];

  // Optional. List of rules to match. Note that at least one of the rules must match in
  // order for the action specified in the 'action' field to be taken. A rule is
  // a match if there is a matching source and destination. If left blank, the
  // action specified in the `action` field will be applied on every request:
  // an ALLOW policy with no rules permits all traffic it is attached to, and
  // a DENY policy with no rules rejects all of it.
  repeated Rule rules = 7 [(google.api.field_behavior) = OPTIONAL];
}

// Request used with the ListAuthorizationPolicies method.
message ListAuthorizationPoliciesRequest {
  // Required. The project and location from which the AuthorizationPolicies
  // should be listed, specified in the format
  // `projects/{project}/locations/{location}`.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "locations.googleapis.com/Location"
    }
  ];

  // Maximum number of AuthorizationPolicies to return per call.
  // (No upper bound or default is specified here; the server may clamp the
  // value.)
  int32 page_size = 2;

  // The `next_page_token` value returned by the last
  // `ListAuthorizationPoliciesResponse`. It indicates that this is a
  // continuation of a prior `ListAuthorizationPolicies` call, and
  // that the system should return the next page of data.
  string page_token = 3;
}

// Response returned by the ListAuthorizationPolicies method.
message ListAuthorizationPoliciesResponse {
  // List of AuthorizationPolicies resources.
  repeated AuthorizationPolicy authorization_policies = 1;

  // If there might be more results than those appearing in this response, then
  // `next_page_token` is included. To get the next set of results, call this
  // method again using the value of `next_page_token` as `page_token`.
  string next_page_token = 2;
}

// Request used by the GetAuthorizationPolicy method.
message GetAuthorizationPolicyRequest {
  // Required. A name of the AuthorizationPolicy to get. Must be in the format
  // `projects/{project}/locations/{location}/authorizationPolicies/*`.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "networksecurity.googleapis.com/AuthorizationPolicy"
    }
  ];
}

// Request used by the CreateAuthorizationPolicy method.
message CreateAuthorizationPolicyRequest {
  // Required. The parent resource of the AuthorizationPolicy. Must be in the
  // format `projects/{project}/locations/{location}`.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      child_type: "networksecurity.googleapis.com/AuthorizationPolicy"
    }
  ];

  // Required. Short name of the AuthorizationPolicy resource to be created.
  // This value should be 1-63 characters long, containing only
  // letters, numbers, hyphens, and underscores, and should not start
  // with a number. E.g. "authz_policy". It becomes the final segment of
  // the created resource's `name`.
  string authorization_policy_id = 2 [(google.api.field_behavior) = REQUIRED];

  // Required. AuthorizationPolicy resource to be created.
  AuthorizationPolicy authorization_policy = 3 [(google.api.field_behavior) = REQUIRED];
}

// Request used by the UpdateAuthorizationPolicy method.
message UpdateAuthorizationPolicyRequest {
  // Optional. Field mask is used to specify the fields to be overwritten in the
  // AuthorizationPolicy resource by the update.
  // The fields specified in the update_mask are relative to the resource, not
  // the full request. A field will be overwritten if it is in the mask. If the
  // user does not provide a mask then all fields will be overwritten. Because
  // a missing mask overwrites everything, any field left unset in
  // `authorization_policy` (including `rules`) is cleared in that case;
  // callers changing a single field should send an explicit mask.
  google.protobuf.FieldMask update_mask = 1 [(google.api.field_behavior) = OPTIONAL];

  // Required. Updated AuthorizationPolicy resource.
  AuthorizationPolicy authorization_policy = 2 [(google.api.field_behavior) = REQUIRED];
}

// Request used by the DeleteAuthorizationPolicy method.
message DeleteAuthorizationPolicyRequest {
  // Required. A name of the AuthorizationPolicy to delete. Must be in the format
  // `projects/{project}/locations/{location}/authorizationPolicies/*`.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "networksecurity.googleapis.com/AuthorizationPolicy"
    }
  ];
}