Class: Google::Cloud::NetworkSecurity::V1beta1::AuthorizationPolicy

Inherits:

Object

• Object
• Google::Cloud::NetworkSecurity::V1beta1::AuthorizationPolicy

Extended by:

Protobuf::MessageExts::ClassMethods

Includes:

Protobuf::MessageExts

Defined in:

proto_docs/google/cloud/networksecurity/v1beta1/authorization_policy.rb

Overview

AuthorizationPolicy is a resource that specifies how a server should authorize incoming connections. This resource in itself does not change the configuration unless it's attached to a target https proxy or endpoint config selector resource.

Defined Under Namespace

Modules: Action Classes: LabelsEntry, Rule

Instance Attribute Summary

• #action ⇒ ::Google::Cloud::NetworkSecurity::V1beta1::AuthorizationPolicy::Action

  Required.

• #create_time ⇒ ::Google::Protobuf::Timestamp readonly

  Output only.

• #description ⇒ ::String

  Optional.

• #labels ⇒ ::Google::Protobuf::Map{::String => ::String}

  Optional.

• #name ⇒ ::String

  Required.

• #rules ⇒ ::Array<::Google::Cloud::NetworkSecurity::V1beta1::AuthorizationPolicy::Rule>

  Optional.

• #update_time ⇒ ::Google::Protobuf::Timestamp readonly

  Output only.

Instance Attribute Details

#action ⇒ ::Google::Cloud::NetworkSecurity::V1beta1::AuthorizationPolicy::Action

Returns Required. The action to take when a rule match is found. Possible values are "ALLOW" or "DENY".

Returns:

• (::Google::Cloud::NetworkSecurity::V1beta1::AuthorizationPolicy::Action) —

  Required. The action to take when a rule match is found. Possible values are "ALLOW" or "DENY".

# File 'proto_docs/google/cloud/networksecurity/v1beta1/authorization_policy.rb', line 56

class AuthorizationPolicy
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Specification of rules.
  # @!attribute [rw] sources
  #   @return [::Array<::Google::Cloud::NetworkSecurity::V1beta1::AuthorizationPolicy::Rule::Source>]
  #     Optional. List of attributes for the traffic source. All of the sources
  #     must match. A source is a match if both principals and ip_blocks match.
  #     If not set, the action specified in the 'action' field will be applied
  #     without any rule checks for the source.
  # @!attribute [rw] destinations
  #   @return [::Array<::Google::Cloud::NetworkSecurity::V1beta1::AuthorizationPolicy::Rule::Destination>]
  #     Optional. List of attributes for the traffic destination. All of the
  #     destinations must match. A destination is a match if a request matches
  #     all the specified hosts, ports, methods and headers. If not set, the
  #     action specified in the 'action' field will be applied without any rule
  #     checks for the destination.
  class Rule
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # Specification of traffic source attributes.
    # @!attribute [rw] principals
    #   @return [::Array<::String>]
    #     Optional. List of peer identities to match for authorization. At least
    #     one principal should match. Each peer can be an exact match, or a
    #     prefix match (example, "namespace/*") or a suffix match (example,
    #     "*/service-account") or a presence match "*". Authorization based on
    #     the principal name without certificate validation (configured by
    #     ServerTlsPolicy resource) is considered insecure.
    # @!attribute [rw] ip_blocks
    #   @return [::Array<::String>]
    #     Optional. List of CIDR ranges to match based on source IP address. At
    #     least one IP block should match. Single IP (e.g., "1.2.3.4") and CIDR
    #     (e.g., "1.2.3.0/24") are supported. Authorization based on source IP
    #     alone should be avoided. The IP addresses of any load balancers or
    #     proxies should be considered untrusted.
    class Source
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # Specification of traffic destination attributes.
    # @!attribute [rw] hosts
    #   @return [::Array<::String>]
    #     Required. List of host names to match. Matched against the ":authority"
    #     header in http requests. At least one host should match. Each host can
    #     be an exact match, or a prefix match (example "mydomain.*") or a suffix
    #     match (example "*.myorg.com") or a presence (any) match "*".
    # @!attribute [rw] ports
    #   @return [::Array<::Integer>]
    #     Required. List of destination ports to match. At least one port should
    #     match.
    # @!attribute [rw] methods
    #   @return [::Array<::String>]
    #     Optional. A list of HTTP methods to match. At least one method should
    #     match. Should not be set for gRPC services.
    # @!attribute [rw] http_header_match
    #   @return [::Google::Cloud::NetworkSecurity::V1beta1::AuthorizationPolicy::Rule::Destination::HttpHeaderMatch]
    #     Optional. Match against key:value pair in http header. Provides a
    #     flexible match based on HTTP headers, for potentially advanced use
    #     cases. At least one header should match. Avoid using header matches to
    #     make authorization decisions unless there is a strong guarantee that
    #     requests arrive through a trusted client or proxy.
    class Destination
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # Specification of HTTP header match attributes.
      # @!attribute [rw] regex_match
      #   @return [::String]
      #     Required. The value of the header must match the regular expression
      #     specified in regexMatch. For regular expression grammar,
      #     please see: en.cppreference.com/w/cpp/regex/ecmascript
      #     For matching against a port specified in the HTTP
      #     request, use a headerMatch with headerName set to Host
      #     and a regular expression that satisfies the RFC2616 Host
      #     header's port specifier.
      # @!attribute [rw] header_name
      #   @return [::String]
      #     Required. The name of the HTTP header to match. For matching
      #     against the HTTP request's authority, use a headerMatch
      #     with the header name ":authority". For matching a
      #     request's method, use the headerName ":method".
      class HttpHeaderMatch
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end
    end
  end

  # @!attribute [rw] key
  #   @return [::String]
  # @!attribute [rw] value
  #   @return [::String]
  class LabelsEntry
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # Possible values that define what action to take.
  module Action
    # Default value.
    ACTION_UNSPECIFIED = 0

    # Grant access.
    ALLOW = 1

    # Deny access.
    # Deny rules should be avoided unless they are used to provide a default
    # "deny all" fallback.
    DENY = 2
  end
end

#create_time ⇒ ::Google::Protobuf::Timestamp (readonly)

Returns Output only. The timestamp when the resource was created.

Returns:

• (::Google::Protobuf::Timestamp) —

  Output only. The timestamp when the resource was created.

# File 'proto_docs/google/cloud/networksecurity/v1beta1/authorization_policy.rb', line 56

class AuthorizationPolicy
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Specification of rules.
  # @!attribute [rw] sources
  #   @return [::Array<::Google::Cloud::NetworkSecurity::V1beta1::AuthorizationPolicy::Rule::Source>]
  #     Optional. List of attributes for the traffic source. All of the sources
  #     must match. A source is a match if both principals and ip_blocks match.
  #     If not set, the action specified in the 'action' field will be applied
  #     without any rule checks for the source.
  # @!attribute [rw] destinations
  #   @return [::Array<::Google::Cloud::NetworkSecurity::V1beta1::AuthorizationPolicy::Rule::Destination>]
  #     Optional. List of attributes for the traffic destination. All of the
  #     destinations must match. A destination is a match if a request matches
  #     all the specified hosts, ports, methods and headers. If not set, the
  #     action specified in the 'action' field will be applied without any rule
  #     checks for the destination.
  class Rule
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # Specification of traffic source attributes.
    # @!attribute [rw] principals
    #   @return [::Array<::String>]
    #     Optional. List of peer identities to match for authorization. At least
    #     one principal should match. Each peer can be an exact match, or a
    #     prefix match (example, "namespace/*") or a suffix match (example,
    #     "*/service-account") or a presence match "*". Authorization based on
    #     the principal name without certificate validation (configured by
    #     ServerTlsPolicy resource) is considered insecure.
    # @!attribute [rw] ip_blocks
    #   @return [::Array<::String>]
    #     Optional. List of CIDR ranges to match based on source IP address. At
    #     least one IP block should match. Single IP (e.g., "1.2.3.4") and CIDR
    #     (e.g., "1.2.3.0/24") are supported. Authorization based on source IP
    #     alone should be avoided. The IP addresses of any load balancers or
    #     proxies should be considered untrusted.
    class Source
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # Specification of traffic destination attributes.
    # @!attribute [rw] hosts
    #   @return [::Array<::String>]
    #     Required. List of host names to match. Matched against the ":authority"
    #     header in http requests. At least one host should match. Each host can
    #     be an exact match, or a prefix match (example "mydomain.*") or a suffix
    #     match (example "*.myorg.com") or a presence (any) match "*".
    # @!attribute [rw] ports
    #   @return [::Array<::Integer>]
    #     Required. List of destination ports to match. At least one port should
    #     match.
    # @!attribute [rw] methods
    #   @return [::Array<::String>]
    #     Optional. A list of HTTP methods to match. At least one method should
    #     match. Should not be set for gRPC services.
    # @!attribute [rw] http_header_match
    #   @return [::Google::Cloud::NetworkSecurity::V1beta1::AuthorizationPolicy::Rule::Destination::HttpHeaderMatch]
    #     Optional. Match against key:value pair in http header. Provides a
    #     flexible match based on HTTP headers, for potentially advanced use
    #     cases. At least one header should match. Avoid using header matches to
    #     make authorization decisions unless there is a strong guarantee that
    #     requests arrive through a trusted client or proxy.
    class Destination
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # Specification of HTTP header match attributes.
      # @!attribute [rw] regex_match
      #   @return [::String]
      #     Required. The value of the header must match the regular expression
      #     specified in regexMatch. For regular expression grammar,
      #     please see: en.cppreference.com/w/cpp/regex/ecmascript
      #     For matching against a port specified in the HTTP
      #     request, use a headerMatch with headerName set to Host
      #     and a regular expression that satisfies the RFC2616 Host
      #     header's port specifier.
      # @!attribute [rw] header_name
      #   @return [::String]
      #     Required. The name of the HTTP header to match. For matching
      #     against the HTTP request's authority, use a headerMatch
      #     with the header name ":authority". For matching a
      #     request's method, use the headerName ":method".
      class HttpHeaderMatch
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end
    end
  end

  # @!attribute [rw] key
  #   @return [::String]
  # @!attribute [rw] value
  #   @return [::String]
  class LabelsEntry
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # Possible values that define what action to take.
  module Action
    # Default value.
    ACTION_UNSPECIFIED = 0

    # Grant access.
    ALLOW = 1

    # Deny access.
    # Deny rules should be avoided unless they are used to provide a default
    # "deny all" fallback.
    DENY = 2
  end
end

#description ⇒ ::String

Returns Optional. Free-text description of the resource.

Returns:

• (::String) —

  Optional. Free-text description of the resource.

# File 'proto_docs/google/cloud/networksecurity/v1beta1/authorization_policy.rb', line 56

class AuthorizationPolicy
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Specification of rules.
  # @!attribute [rw] sources
  #   @return [::Array<::Google::Cloud::NetworkSecurity::V1beta1::AuthorizationPolicy::Rule::Source>]
  #     Optional. List of attributes for the traffic source. All of the sources
  #     must match. A source is a match if both principals and ip_blocks match.
  #     If not set, the action specified in the 'action' field will be applied
  #     without any rule checks for the source.
  # @!attribute [rw] destinations
  #   @return [::Array<::Google::Cloud::NetworkSecurity::V1beta1::AuthorizationPolicy::Rule::Destination>]
  #     Optional. List of attributes for the traffic destination. All of the
  #     destinations must match. A destination is a match if a request matches
  #     all the specified hosts, ports, methods and headers. If not set, the
  #     action specified in the 'action' field will be applied without any rule
  #     checks for the destination.
  class Rule
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # Specification of traffic source attributes.
    # @!attribute [rw] principals
    #   @return [::Array<::String>]
    #     Optional. List of peer identities to match for authorization. At least
    #     one principal should match. Each peer can be an exact match, or a
    #     prefix match (example, "namespace/*") or a suffix match (example,
    #     "*/service-account") or a presence match "*". Authorization based on
    #     the principal name without certificate validation (configured by
    #     ServerTlsPolicy resource) is considered insecure.
    # @!attribute [rw] ip_blocks
    #   @return [::Array<::String>]
    #     Optional. List of CIDR ranges to match based on source IP address. At
    #     least one IP block should match. Single IP (e.g., "1.2.3.4") and CIDR
    #     (e.g., "1.2.3.0/24") are supported. Authorization based on source IP
    #     alone should be avoided. The IP addresses of any load balancers or
    #     proxies should be considered untrusted.
    class Source
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # Specification of traffic destination attributes.
    # @!attribute [rw] hosts
    #   @return [::Array<::String>]
    #     Required. List of host names to match. Matched against the ":authority"
    #     header in http requests. At least one host should match. Each host can
    #     be an exact match, or a prefix match (example "mydomain.*") or a suffix
    #     match (example "*.myorg.com") or a presence (any) match "*".
    # @!attribute [rw] ports
    #   @return [::Array<::Integer>]
    #     Required. List of destination ports to match. At least one port should
    #     match.
    # @!attribute [rw] methods
    #   @return [::Array<::String>]
    #     Optional. A list of HTTP methods to match. At least one method should
    #     match. Should not be set for gRPC services.
    # @!attribute [rw] http_header_match
    #   @return [::Google::Cloud::NetworkSecurity::V1beta1::AuthorizationPolicy::Rule::Destination::HttpHeaderMatch]
    #     Optional. Match against key:value pair in http header. Provides a
    #     flexible match based on HTTP headers, for potentially advanced use
    #     cases. At least one header should match. Avoid using header matches to
    #     make authorization decisions unless there is a strong guarantee that
    #     requests arrive through a trusted client or proxy.
    class Destination
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # Specification of HTTP header match attributes.
      # @!attribute [rw] regex_match
      #   @return [::String]
      #     Required. The value of the header must match the regular expression
      #     specified in regexMatch. For regular expression grammar,
      #     please see: en.cppreference.com/w/cpp/regex/ecmascript
      #     For matching against a port specified in the HTTP
      #     request, use a headerMatch with headerName set to Host
      #     and a regular expression that satisfies the RFC2616 Host
      #     header's port specifier.
      # @!attribute [rw] header_name
      #   @return [::String]
      #     Required. The name of the HTTP header to match. For matching
      #     against the HTTP request's authority, use a headerMatch
      #     with the header name ":authority". For matching a
      #     request's method, use the headerName ":method".
      class HttpHeaderMatch
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end
    end
  end

  # @!attribute [rw] key
  #   @return [::String]
  # @!attribute [rw] value
  #   @return [::String]
  class LabelsEntry
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # Possible values that define what action to take.
  module Action
    # Default value.
    ACTION_UNSPECIFIED = 0

    # Grant access.
    ALLOW = 1

    # Deny access.
    # Deny rules should be avoided unless they are used to provide a default
    # "deny all" fallback.
    DENY = 2
  end
end

#labels ⇒ ::Google::Protobuf::Map{::String => ::String}

Returns Optional. Set of label tags associated with the AuthorizationPolicy resource.

Returns:

• (::Google::Protobuf::Map{::String => ::String}) —

  Optional. Set of label tags associated with the AuthorizationPolicy resource.

# File 'proto_docs/google/cloud/networksecurity/v1beta1/authorization_policy.rb', line 56

class AuthorizationPolicy
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Specification of rules.
  # @!attribute [rw] sources
  #   @return [::Array<::Google::Cloud::NetworkSecurity::V1beta1::AuthorizationPolicy::Rule::Source>]
  #     Optional. List of attributes for the traffic source. All of the sources
  #     must match. A source is a match if both principals and ip_blocks match.
  #     If not set, the action specified in the 'action' field will be applied
  #     without any rule checks for the source.
  # @!attribute [rw] destinations
  #   @return [::Array<::Google::Cloud::NetworkSecurity::V1beta1::AuthorizationPolicy::Rule::Destination>]
  #     Optional. List of attributes for the traffic destination. All of the
  #     destinations must match. A destination is a match if a request matches
  #     all the specified hosts, ports, methods and headers. If not set, the
  #     action specified in the 'action' field will be applied without any rule
  #     checks for the destination.
  class Rule
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # Specification of traffic source attributes.
    # @!attribute [rw] principals
    #   @return [::Array<::String>]
    #     Optional. List of peer identities to match for authorization. At least
    #     one principal should match. Each peer can be an exact match, or a
    #     prefix match (example, "namespace/*") or a suffix match (example,
    #     "*/service-account") or a presence match "*". Authorization based on
    #     the principal name without certificate validation (configured by
    #     ServerTlsPolicy resource) is considered insecure.
    # @!attribute [rw] ip_blocks
    #   @return [::Array<::String>]
    #     Optional. List of CIDR ranges to match based on source IP address. At
    #     least one IP block should match. Single IP (e.g., "1.2.3.4") and CIDR
    #     (e.g., "1.2.3.0/24") are supported. Authorization based on source IP
    #     alone should be avoided. The IP addresses of any load balancers or
    #     proxies should be considered untrusted.
    class Source
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # Specification of traffic destination attributes.
    # @!attribute [rw] hosts
    #   @return [::Array<::String>]
    #     Required. List of host names to match. Matched against the ":authority"
    #     header in http requests. At least one host should match. Each host can
    #     be an exact match, or a prefix match (example "mydomain.*") or a suffix
    #     match (example "*.myorg.com") or a presence (any) match "*".
    # @!attribute [rw] ports
    #   @return [::Array<::Integer>]
    #     Required. List of destination ports to match. At least one port should
    #     match.
    # @!attribute [rw] methods
    #   @return [::Array<::String>]
    #     Optional. A list of HTTP methods to match. At least one method should
    #     match. Should not be set for gRPC services.
    # @!attribute [rw] http_header_match
    #   @return [::Google::Cloud::NetworkSecurity::V1beta1::AuthorizationPolicy::Rule::Destination::HttpHeaderMatch]
    #     Optional. Match against key:value pair in http header. Provides a
    #     flexible match based on HTTP headers, for potentially advanced use
    #     cases. At least one header should match. Avoid using header matches to
    #     make authorization decisions unless there is a strong guarantee that
    #     requests arrive through a trusted client or proxy.
    class Destination
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # Specification of HTTP header match attributes.
      # @!attribute [rw] regex_match
      #   @return [::String]
      #     Required. The value of the header must match the regular expression
      #     specified in regexMatch. For regular expression grammar,
      #     please see: en.cppreference.com/w/cpp/regex/ecmascript
      #     For matching against a port specified in the HTTP
      #     request, use a headerMatch with headerName set to Host
      #     and a regular expression that satisfies the RFC2616 Host
      #     header's port specifier.
      # @!attribute [rw] header_name
      #   @return [::String]
      #     Required. The name of the HTTP header to match. For matching
      #     against the HTTP request's authority, use a headerMatch
      #     with the header name ":authority". For matching a
      #     request's method, use the headerName ":method".
      class HttpHeaderMatch
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end
    end
  end

  # @!attribute [rw] key
  #   @return [::String]
  # @!attribute [rw] value
  #   @return [::String]
  class LabelsEntry
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # Possible values that define what action to take.
  module Action
    # Default value.
    ACTION_UNSPECIFIED = 0

    # Grant access.
    ALLOW = 1

    # Deny access.
    # Deny rules should be avoided unless they are used to provide a default
    # "deny all" fallback.
    DENY = 2
  end
end

#name ⇒ ::String

Returns Required. Name of the AuthorizationPolicy resource. It matches pattern projects/{project}/locations/{location}/authorizationPolicies/<authorization_policy>.

Returns:

• (::String) —

  Required. Name of the AuthorizationPolicy resource. It matches pattern projects/{project}/locations/{location}/authorizationPolicies/<authorization_policy>.

# File 'proto_docs/google/cloud/networksecurity/v1beta1/authorization_policy.rb', line 56

class AuthorizationPolicy
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Specification of rules.
  # @!attribute [rw] sources
  #   @return [::Array<::Google::Cloud::NetworkSecurity::V1beta1::AuthorizationPolicy::Rule::Source>]
  #     Optional. List of attributes for the traffic source. All of the sources
  #     must match. A source is a match if both principals and ip_blocks match.
  #     If not set, the action specified in the 'action' field will be applied
  #     without any rule checks for the source.
  # @!attribute [rw] destinations
  #   @return [::Array<::Google::Cloud::NetworkSecurity::V1beta1::AuthorizationPolicy::Rule::Destination>]
  #     Optional. List of attributes for the traffic destination. All of the
  #     destinations must match. A destination is a match if a request matches
  #     all the specified hosts, ports, methods and headers. If not set, the
  #     action specified in the 'action' field will be applied without any rule
  #     checks for the destination.
  class Rule
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # Specification of traffic source attributes.
    # @!attribute [rw] principals
    #   @return [::Array<::String>]
    #     Optional. List of peer identities to match for authorization. At least
    #     one principal should match. Each peer can be an exact match, or a
    #     prefix match (example, "namespace/*") or a suffix match (example,
    #     "*/service-account") or a presence match "*". Authorization based on
    #     the principal name without certificate validation (configured by
    #     ServerTlsPolicy resource) is considered insecure.
    # @!attribute [rw] ip_blocks
    #   @return [::Array<::String>]
    #     Optional. List of CIDR ranges to match based on source IP address. At
    #     least one IP block should match. Single IP (e.g., "1.2.3.4") and CIDR
    #     (e.g., "1.2.3.0/24") are supported. Authorization based on source IP
    #     alone should be avoided. The IP addresses of any load balancers or
    #     proxies should be considered untrusted.
    class Source
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # Specification of traffic destination attributes.
    # @!attribute [rw] hosts
    #   @return [::Array<::String>]
    #     Required. List of host names to match. Matched against the ":authority"
    #     header in http requests. At least one host should match. Each host can
    #     be an exact match, or a prefix match (example "mydomain.*") or a suffix
    #     match (example "*.myorg.com") or a presence (any) match "*".
    # @!attribute [rw] ports
    #   @return [::Array<::Integer>]
    #     Required. List of destination ports to match. At least one port should
    #     match.
    # @!attribute [rw] methods
    #   @return [::Array<::String>]
    #     Optional. A list of HTTP methods to match. At least one method should
    #     match. Should not be set for gRPC services.
    # @!attribute [rw] http_header_match
    #   @return [::Google::Cloud::NetworkSecurity::V1beta1::AuthorizationPolicy::Rule::Destination::HttpHeaderMatch]
    #     Optional. Match against key:value pair in http header. Provides a
    #     flexible match based on HTTP headers, for potentially advanced use
    #     cases. At least one header should match. Avoid using header matches to
    #     make authorization decisions unless there is a strong guarantee that
    #     requests arrive through a trusted client or proxy.
    class Destination
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # Specification of HTTP header match attributes.
      # @!attribute [rw] regex_match
      #   @return [::String]
      #     Required. The value of the header must match the regular expression
      #     specified in regexMatch. For regular expression grammar,
      #     please see: en.cppreference.com/w/cpp/regex/ecmascript
      #     For matching against a port specified in the HTTP
      #     request, use a headerMatch with headerName set to Host
      #     and a regular expression that satisfies the RFC2616 Host
      #     header's port specifier.
      # @!attribute [rw] header_name
      #   @return [::String]
      #     Required. The name of the HTTP header to match. For matching
      #     against the HTTP request's authority, use a headerMatch
      #     with the header name ":authority". For matching a
      #     request's method, use the headerName ":method".
      class HttpHeaderMatch
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end
    end
  end

  # @!attribute [rw] key
  #   @return [::String]
  # @!attribute [rw] value
  #   @return [::String]
  class LabelsEntry
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # Possible values that define what action to take.
  module Action
    # Default value.
    ACTION_UNSPECIFIED = 0

    # Grant access.
    ALLOW = 1

    # Deny access.
    # Deny rules should be avoided unless they are used to provide a default
    # "deny all" fallback.
    DENY = 2
  end
end

#rules ⇒ ::Array<::Google::Cloud::NetworkSecurity::V1beta1::AuthorizationPolicy::Rule>

Returns Optional. List of rules to match. Note that at least one of the rules must match in order for the action specified in the 'action' field to be taken. A rule is a match if there is a matching source and destination. If left blank, the action specified in the action field will be applied on every request.

Returns:

• (::Array<::Google::Cloud::NetworkSecurity::V1beta1::AuthorizationPolicy::Rule>) —

  Optional. List of rules to match. Note that at least one of the rules must match in order for the action specified in the 'action' field to be taken. A rule is a match if there is a matching source and destination. If left blank, the action specified in the action field will be applied on every request.

# File 'proto_docs/google/cloud/networksecurity/v1beta1/authorization_policy.rb', line 56

class AuthorizationPolicy
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Specification of rules.
  # @!attribute [rw] sources
  #   @return [::Array<::Google::Cloud::NetworkSecurity::V1beta1::AuthorizationPolicy::Rule::Source>]
  #     Optional. List of attributes for the traffic source. All of the sources
  #     must match. A source is a match if both principals and ip_blocks match.
  #     If not set, the action specified in the 'action' field will be applied
  #     without any rule checks for the source.
  # @!attribute [rw] destinations
  #   @return [::Array<::Google::Cloud::NetworkSecurity::V1beta1::AuthorizationPolicy::Rule::Destination>]
  #     Optional. List of attributes for the traffic destination. All of the
  #     destinations must match. A destination is a match if a request matches
  #     all the specified hosts, ports, methods and headers. If not set, the
  #     action specified in the 'action' field will be applied without any rule
  #     checks for the destination.
  class Rule
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # Specification of traffic source attributes.
    # @!attribute [rw] principals
    #   @return [::Array<::String>]
    #     Optional. List of peer identities to match for authorization. At least
    #     one principal should match. Each peer can be an exact match, or a
    #     prefix match (example, "namespace/*") or a suffix match (example,
    #     "*/service-account") or a presence match "*". Authorization based on
    #     the principal name without certificate validation (configured by
    #     ServerTlsPolicy resource) is considered insecure.
    # @!attribute [rw] ip_blocks
    #   @return [::Array<::String>]
    #     Optional. List of CIDR ranges to match based on source IP address. At
    #     least one IP block should match. Single IP (e.g., "1.2.3.4") and CIDR
    #     (e.g., "1.2.3.0/24") are supported. Authorization based on source IP
    #     alone should be avoided. The IP addresses of any load balancers or
    #     proxies should be considered untrusted.
    class Source
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # Specification of traffic destination attributes.
    # @!attribute [rw] hosts
    #   @return [::Array<::String>]
    #     Required. List of host names to match. Matched against the ":authority"
    #     header in http requests. At least one host should match. Each host can
    #     be an exact match, or a prefix match (example "mydomain.*") or a suffix
    #     match (example "*.myorg.com") or a presence (any) match "*".
    # @!attribute [rw] ports
    #   @return [::Array<::Integer>]
    #     Required. List of destination ports to match. At least one port should
    #     match.
    # @!attribute [rw] methods
    #   @return [::Array<::String>]
    #     Optional. A list of HTTP methods to match. At least one method should
    #     match. Should not be set for gRPC services.
    # @!attribute [rw] http_header_match
    #   @return [::Google::Cloud::NetworkSecurity::V1beta1::AuthorizationPolicy::Rule::Destination::HttpHeaderMatch]
    #     Optional. Match against key:value pair in http header. Provides a
    #     flexible match based on HTTP headers, for potentially advanced use
    #     cases. At least one header should match. Avoid using header matches to
    #     make authorization decisions unless there is a strong guarantee that
    #     requests arrive through a trusted client or proxy.
    class Destination
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # Specification of HTTP header match attributes.
      # @!attribute [rw] regex_match
      #   @return [::String]
      #     Required. The value of the header must match the regular expression
      #     specified in regexMatch. For regular expression grammar,
      #     please see: en.cppreference.com/w/cpp/regex/ecmascript
      #     For matching against a port specified in the HTTP
      #     request, use a headerMatch with headerName set to Host
      #     and a regular expression that satisfies the RFC2616 Host
      #     header's port specifier.
      # @!attribute [rw] header_name
      #   @return [::String]
      #     Required. The name of the HTTP header to match. For matching
      #     against the HTTP request's authority, use a headerMatch
      #     with the header name ":authority". For matching a
      #     request's method, use the headerName ":method".
      class HttpHeaderMatch
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end
    end
  end

  # @!attribute [rw] key
  #   @return [::String]
  # @!attribute [rw] value
  #   @return [::String]
  class LabelsEntry
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # Possible values that define what action to take.
  module Action
    # Default value.
    ACTION_UNSPECIFIED = 0

    # Grant access.
    ALLOW = 1

    # Deny access.
    # Deny rules should be avoided unless they are used to provide a default
    # "deny all" fallback.
    DENY = 2
  end
end

#update_time ⇒ ::Google::Protobuf::Timestamp (readonly)

Returns Output only. The timestamp when the resource was updated.

Returns:

• (::Google::Protobuf::Timestamp) —

  Output only. The timestamp when the resource was updated.

# File 'proto_docs/google/cloud/networksecurity/v1beta1/authorization_policy.rb', line 56

class AuthorizationPolicy
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Specification of rules.
  # @!attribute [rw] sources
  #   @return [::Array<::Google::Cloud::NetworkSecurity::V1beta1::AuthorizationPolicy::Rule::Source>]
  #     Optional. List of attributes for the traffic source. All of the sources
  #     must match. A source is a match if both principals and ip_blocks match.
  #     If not set, the action specified in the 'action' field will be applied
  #     without any rule checks for the source.
  # @!attribute [rw] destinations
  #   @return [::Array<::Google::Cloud::NetworkSecurity::V1beta1::AuthorizationPolicy::Rule::Destination>]
  #     Optional. List of attributes for the traffic destination. All of the
  #     destinations must match. A destination is a match if a request matches
  #     all the specified hosts, ports, methods and headers. If not set, the
  #     action specified in the 'action' field will be applied without any rule
  #     checks for the destination.
  class Rule
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # Specification of traffic source attributes.
    # @!attribute [rw] principals
    #   @return [::Array<::String>]
    #     Optional. List of peer identities to match for authorization. At least
    #     one principal should match. Each peer can be an exact match, or a
    #     prefix match (example, "namespace/*") or a suffix match (example,
    #     "*/service-account") or a presence match "*". Authorization based on
    #     the principal name without certificate validation (configured by
    #     ServerTlsPolicy resource) is considered insecure.
    # @!attribute [rw] ip_blocks
    #   @return [::Array<::String>]
    #     Optional. List of CIDR ranges to match based on source IP address. At
    #     least one IP block should match. Single IP (e.g., "1.2.3.4") and CIDR
    #     (e.g., "1.2.3.0/24") are supported. Authorization based on source IP
    #     alone should be avoided. The IP addresses of any load balancers or
    #     proxies should be considered untrusted.
    class Source
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end

    # Specification of traffic destination attributes.
    # @!attribute [rw] hosts
    #   @return [::Array<::String>]
    #     Required. List of host names to match. Matched against the ":authority"
    #     header in http requests. At least one host should match. Each host can
    #     be an exact match, or a prefix match (example "mydomain.*") or a suffix
    #     match (example "*.myorg.com") or a presence (any) match "*".
    # @!attribute [rw] ports
    #   @return [::Array<::Integer>]
    #     Required. List of destination ports to match. At least one port should
    #     match.
    # @!attribute [rw] methods
    #   @return [::Array<::String>]
    #     Optional. A list of HTTP methods to match. At least one method should
    #     match. Should not be set for gRPC services.
    # @!attribute [rw] http_header_match
    #   @return [::Google::Cloud::NetworkSecurity::V1beta1::AuthorizationPolicy::Rule::Destination::HttpHeaderMatch]
    #     Optional. Match against key:value pair in http header. Provides a
    #     flexible match based on HTTP headers, for potentially advanced use
    #     cases. At least one header should match. Avoid using header matches to
    #     make authorization decisions unless there is a strong guarantee that
    #     requests arrive through a trusted client or proxy.
    class Destination
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods

      # Specification of HTTP header match attributes.
      # @!attribute [rw] regex_match
      #   @return [::String]
      #     Required. The value of the header must match the regular expression
      #     specified in regexMatch. For regular expression grammar,
      #     please see: en.cppreference.com/w/cpp/regex/ecmascript
      #     For matching against a port specified in the HTTP
      #     request, use a headerMatch with headerName set to Host
      #     and a regular expression that satisfies the RFC2616 Host
      #     header's port specifier.
      # @!attribute [rw] header_name
      #   @return [::String]
      #     Required. The name of the HTTP header to match. For matching
      #     against the HTTP request's authority, use a headerMatch
      #     with the header name ":authority". For matching a
      #     request's method, use the headerName ":method".
      class HttpHeaderMatch
        include ::Google::Protobuf::MessageExts
        extend ::Google::Protobuf::MessageExts::ClassMethods
      end
    end
  end

  # @!attribute [rw] key
  #   @return [::String]
  # @!attribute [rw] value
  #   @return [::String]
  class LabelsEntry
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # Possible values that define what action to take.
  module Action
    # Default value.
    ACTION_UNSPECIFIED = 0

    # Grant access.
    ALLOW = 1

    # Deny access.
    # Deny rules should be avoided unless they are used to provide a default
    # "deny all" fallback.
    DENY = 2
  end
end