97 changes: 96 additions & 1 deletion packages/google-cloud-networksecurity/README.md


@@ -1,4 +1,4 @@
// Copyright 2025 Google LLC
// Copyright 2026 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
Expand All @@ -19,8 +19,11 @@ package google.cloud.networksecurity.v1;
import "google/api/annotations.proto";
import "google/api/client.proto";
import "google/api/field_behavior.proto";
import "google/api/field_info.proto";
import "google/api/resource.proto";
import "google/cloud/networksecurity/v1/common.proto";
import "google/longrunning/operations.proto";
import "google/protobuf/empty.proto";
import "google/protobuf/field_mask.proto";
import "google/protobuf/timestamp.proto";

Expand All @@ -31,10 +34,6 @@ option java_outer_classname = "AddressGroupProto";
option java_package = "com.google.cloud.networksecurity.v1";
option php_namespace = "Google\\Cloud\\NetworkSecurity\\V1";
option ruby_package = "Google::Cloud::NetworkSecurity::V1";
option (google.api.resource_definition) = {
type: "networksecurity.googleapis.com/OrganizationLocation"
pattern: "organizations/{organization}/locations/{location}"
};

// AddressGroup is a resource that manages a collection of IP or Domain Names,
// it can be used in Firewall Policy to represent allow or deny traffic from
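Review bot: The file-level `option (google.api.resource_definition)` for `networksecurity.googleapis.com/OrganizationLocation` appears to be dropped from this file (the hunk header shrinks from 10 to 6 lines, which matches the four lines of that option). Any `google.api.resource_reference` in this package whose `type` or `child_type` names that resource still needs exactly one definition, so confirm it now lives in an imported file such as `google/cloud/networksecurity/v1/common.proto`. If it has moved, a one-line comment above the remaining options pointing to the new location would save the next reader a search. The AddressGroup message and the RPCs that use the new imports lie outside this hunk, so whether every added import is actually referenced cannot be checked from here.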
@@ -1,4 +1,4 @@
// Copyright 2025 Google LLC
// Copyright 2026 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
Expand Down Expand Up @@ -43,19 +43,19 @@ message AuthorizationPolicy {
message Rule {
// Specification of traffic source attributes.
message Source {
// Optional. List of peer identities to match for authorization. At least one
// principal should match. Each peer can be an exact match, or a prefix
// match (example, "namespace/*") or a suffix match (example,
// Optional. List of peer identities to match for authorization. At least
// one principal should match. Each peer can be an exact match, or a
// prefix match (example, "namespace/*") or a suffix match (example,
// "*/service-account") or a presence match "*". Authorization based on
// the principal name without certificate validation (configured by
// ServerTlsPolicy resource) is considered insecure.
repeated string principals = 1 [(google.api.field_behavior) = OPTIONAL];

// Optional. List of CIDR ranges to match based on source IP address. At least one
// IP block should match. Single IP (e.g., "1.2.3.4") and CIDR (e.g.,
// "1.2.3.0/24") are supported. Authorization based on source IP alone
// should be avoided. The IP addresses of any load balancers or proxies
// should be considered untrusted.
// Optional. List of CIDR ranges to match based on source IP address. At
// least one IP block should match. Single IP (e.g., "1.2.3.4") and CIDR
// (e.g., "1.2.3.0/24") are supported. Authorization based on source IP
// alone should be avoided. The IP addresses of any load balancers or
// proxies should be considered untrusted.
repeated string ip_blocks = 2 [(google.api.field_behavior) = OPTIONAL];
}

Expand All @@ -81,39 +81,42 @@ message AuthorizationPolicy {
string header_name = 1 [(google.api.field_behavior) = REQUIRED];
}

// Required. List of host names to match. Matched against the ":authority" header in
// http requests. At least one host should match. Each host can be an
// exact match, or a prefix match (example "mydomain.*") or a suffix
// Required. List of host names to match. Matched against the ":authority"
// header in http requests. At least one host should match. Each host can
// be an exact match, or a prefix match (example "mydomain.*") or a suffix
// match (example "*.myorg.com") or a presence (any) match "*".
repeated string hosts = 1 [(google.api.field_behavior) = REQUIRED];

// Required. List of destination ports to match. At least one port should match.
// Required. List of destination ports to match. At least one port should
// match.
repeated uint32 ports = 2 [(google.api.field_behavior) = REQUIRED];

// Optional. A list of HTTP methods to match. At least one method should
// match. Should not be set for gRPC services.
repeated string methods = 4 [(google.api.field_behavior) = OPTIONAL];

// Optional. Match against key:value pair in http header. Provides a flexible match
// based on HTTP headers, for potentially advanced use cases. At least one
// header should match. Avoid using header matches to make authorization
// decisions unless there is a strong guarantee that requests arrive
// through a trusted client or proxy.
HttpHeaderMatch http_header_match = 5 [(google.api.field_behavior) = OPTIONAL];
// Optional. Match against key:value pair in http header. Provides a
// flexible match based on HTTP headers, for potentially advanced use
// cases. At least one header should match. Avoid using header matches to
// make authorization decisions unless there is a strong guarantee that
// requests arrive through a trusted client or proxy.
HttpHeaderMatch http_header_match = 5
[(google.api.field_behavior) = OPTIONAL];
}

// Optional. List of attributes for the traffic source. All of the sources must match.
// A source is a match if both principals and ip_blocks match. If not set,
// the action specified in the 'action' field will be applied without any
// rule checks for the source.
// Optional. List of attributes for the traffic source. All of the sources
// must match. A source is a match if both principals and ip_blocks match.
// If not set, the action specified in the 'action' field will be applied
// without any rule checks for the source.
repeated Source sources = 1 [(google.api.field_behavior) = OPTIONAL];

// Optional. List of attributes for the traffic destination. All of the destinations
// must match. A destination is a match if a request matches all the
// specified hosts, ports, methods and headers. If not set, the
// Optional. List of attributes for the traffic destination. All of the
// destinations must match. A destination is a match if a request matches
// all the specified hosts, ports, methods and headers. If not set, the
// action specified in the 'action' field will be applied without any rule
// checks for the destination.
repeated Destination destinations = 2 [(google.api.field_behavior) = OPTIONAL];
repeated Destination destinations = 2
[(google.api.field_behavior) = OPTIONAL];
}

// Possible values that define what action to take.
Expand All @@ -138,22 +141,26 @@ message AuthorizationPolicy {
string description = 2 [(google.api.field_behavior) = OPTIONAL];

// Output only. The timestamp when the resource was created.
google.protobuf.Timestamp create_time = 3 [(google.api.field_behavior) = OUTPUT_ONLY];
google.protobuf.Timestamp create_time = 3
[(google.api.field_behavior) = OUTPUT_ONLY];

// Output only. The timestamp when the resource was updated.
google.protobuf.Timestamp update_time = 4 [(google.api.field_behavior) = OUTPUT_ONLY];
google.protobuf.Timestamp update_time = 4
[(google.api.field_behavior) = OUTPUT_ONLY];

// Optional. Set of label tags associated with the AuthorizationPolicy resource.
// Optional. Set of label tags associated with the AuthorizationPolicy
// resource.
map<string, string> labels = 5 [(google.api.field_behavior) = OPTIONAL];

// Required. The action to take when a rule match is found. Possible values
// are "ALLOW" or "DENY".
Action action = 6 [(google.api.field_behavior) = REQUIRED];

// Optional. List of rules to match. Note that at least one of the rules must match in
// order for the action specified in the 'action' field to be taken. A rule is
// a match if there is a matching source and destination. If left blank, the
// action specified in the `action` field will be applied on every request.
// Optional. List of rules to match. Note that at least one of the rules must
// match in order for the action specified in the 'action' field to be taken.
// A rule is a match if there is a matching source and destination. If left
// blank, the action specified in the `action` field will be applied on every
// request.
repeated Rule rules = 7 [(google.api.field_behavior) = OPTIONAL];
}

Expand Down Expand Up @@ -220,7 +227,8 @@ message CreateAuthorizationPolicyRequest {
string authorization_policy_id = 2 [(google.api.field_behavior) = REQUIRED];

// Required. AuthorizationPolicy resource to be created.
AuthorizationPolicy authorization_policy = 3 [(google.api.field_behavior) = REQUIRED];
AuthorizationPolicy authorization_policy = 3
[(google.api.field_behavior) = REQUIRED];
}

// Request used by the UpdateAuthorizationPolicy method.
Expand All @@ -230,16 +238,18 @@ message UpdateAuthorizationPolicyRequest {
// The fields specified in the update_mask are relative to the resource, not
// the full request. A field will be overwritten if it is in the mask. If the
// user does not provide a mask then all fields will be overwritten.
google.protobuf.FieldMask update_mask = 1 [(google.api.field_behavior) = OPTIONAL];
google.protobuf.FieldMask update_mask = 1
[(google.api.field_behavior) = OPTIONAL];

// Required. Updated AuthorizationPolicy resource.
AuthorizationPolicy authorization_policy = 2 [(google.api.field_behavior) = REQUIRED];
AuthorizationPolicy authorization_policy = 2
[(google.api.field_behavior) = REQUIRED];
}

// Request used by the DeleteAuthorizationPolicy method.
message DeleteAuthorizationPolicyRequest {
// Required. A name of the AuthorizationPolicy to delete. Must be in the format
// `projects/{project}/locations/{location}/authorizationPolicies/*`.
// Required. A name of the AuthorizationPolicy to delete. Must be in the
// format `projects/{project}/locations/{location}/authorizationPolicies/*`.
string name = 1 [
(google.api.field_behavior) = REQUIRED,
(google.api.resource_reference) = {
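Review bot: The rewrapped comment on `rules` in AuthorizationPolicy still quotes the same field two ways, as 'action' in its second line and as `action` in its last, and the 'action' form recurs in the `sources` and `destinations` comments; since these lines are being reflowed anyway, use backticks throughout. The same comment says a blank list applies the action "on every request" without spelling out the consequence per action. Going by the comment on `action`, which lists "ALLOW" and "DENY", I would append `// An empty list with action ALLOW therefore permits every request.` so the fail-open case is visible to whoever writes a policy. The "If not set" sentences on `sources` and `destinations` deserve the same explicit wording. The AuthorizationPolicy message and its Action enum begin and end outside the visible hunks, so the enum values are taken from the comments only.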