Class: Google::Cloud::NetworkSecurity::V1beta1::AuthorizationPolicy::Rule

Inherits:

Object

Object
Google::Cloud::NetworkSecurity::V1beta1::AuthorizationPolicy::Rule

show all

Extended by:: Protobuf::MessageExts::ClassMethods

Includes:: Protobuf::MessageExts

Defined in:: proto_docs/google/cloud/networksecurity/v1beta1/authorization_policy.rb

Overview

Specification of rules.

Defined Under Namespace

Classes: Destination, Source

Instance Attribute Summary collapse

#destinations ⇒ ::Array<::Google::Cloud::NetworkSecurity::V1beta1::AuthorizationPolicy::Rule::Destination>
Optional.
#sources ⇒ ::Array<::Google::Cloud::NetworkSecurity::V1beta1::AuthorizationPolicy::Rule::Source>
Optional.

Instance Attribute Details

#destinations ⇒ `::Array<::Google::Cloud::NetworkSecurity::V1beta1::AuthorizationPolicy::Rule::Destination>`

Returns Optional. List of attributes for the traffic destination. All of the destinations must match. A destination is a match if a request matches all the specified hosts, ports, methods and headers. If not set, the action specified in the 'action' field will be applied without any rule checks for the destination.

Returns:

(::Array<::Google::Cloud::NetworkSecurity::V1beta1::AuthorizationPolicy::Rule::Destination>) —
Optional. List of attributes for the traffic destination. All of the destinations must match. A destination is a match if a request matches all the specified hosts, ports, methods and headers. If not set, the action specified in the 'action' field will be applied without any rule checks for the destination.

# File 'proto_docs/google/cloud/networksecurity/v1beta1/authorization_policy.rb', line 74

class Rule
  include ::Google::Protobuf::MessageExts
  extend ::Google::Protobuf::MessageExts::ClassMethods

  # Specification of traffic source attributes.
  # @!attribute [rw] principals
  #   @return [::Array<::String>]
  #     Optional. List of peer identities to match for authorization. At least
  #     one principal should match. Each peer can be an exact match, or a
  #     prefix match (example, "namespace/*") or a suffix match (example,
  #     "*/service-account") or a presence match "*". Authorization based on
  #     the principal name without certificate validation (configured by
  #     ServerTlsPolicy resource) is considered insecure.
  # @!attribute [rw] ip_blocks
  #   @return [::Array<::String>]
  #     Optional. List of CIDR ranges to match based on source IP address. At
  #     least one IP block should match. Single IP (e.g., "1.2.3.4") and CIDR
  #     (e.g., "1.2.3.0/24") are supported. Authorization based on source IP
  #     alone should be avoided. The IP addresses of any load balancers or
  #     proxies should be considered untrusted.
  class Source
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods
  end

  # Specification of traffic destination attributes.
  # @!attribute [rw] hosts
  #   @return [::Array<::String>]
  #     Required. List of host names to match. Matched against the ":authority"
  #     header in http requests. At least one host should match. Each host can
  #     be an exact match, or a prefix match (example "mydomain.*") or a suffix
  #     match (example "*.myorg.com") or a presence (any) match "*".
  # @!attribute [rw] ports
  #   @return [::Array<::Integer>]
  #     Required. List of destination ports to match. At least one port should
  #     match.
  # @!attribute [rw] methods
  #   @return [::Array<::String>]
  #     Optional. A list of HTTP methods to match. At least one method should
  #     match. Should not be set for gRPC services.
  # @!attribute [rw] http_header_match
  #   @return [::Google::Cloud::NetworkSecurity::V1beta1::AuthorizationPolicy::Rule::Destination::HttpHeaderMatch]
  #     Optional. Match against key:value pair in http header. Provides a
  #     flexible match based on HTTP headers, for potentially advanced use
  #     cases. At least one header should match. Avoid using header matches to
  #     make authorization decisions unless there is a strong guarantee that
  #     requests arrive through a trusted client or proxy.
  class Destination
    include ::Google::Protobuf::MessageExts
    extend ::Google::Protobuf::MessageExts::ClassMethods

    # Specification of HTTP header match attributes.
    # @!attribute [rw] regex_match
    #   @return [::String]
    #     Required. The value of the header must match the regular expression
    #     specified in regexMatch. For regular expression grammar,
    #     please see: en.cppreference.com/w/cpp/regex/ecmascript
    #     For matching against a port specified in the HTTP
    #     request, use a headerMatch with headerName set to Host
    #     and a regular expression that satisfies the RFC2616 Host
    #     header's port specifier.
    # @!attribute [rw] header_name
    #   @return [::String]
    #     Required. The name of the HTTP header to match. For matching
    #     against the HTTP request's authority, use a headerMatch
    #     with the header name ":authority". For matching a
    #     request's method, use the headerName ":method".
    class HttpHeaderMatch
      include ::Google::Protobuf::MessageExts
      extend ::Google::Protobuf::MessageExts::ClassMethods
    end
  end
end

#sources ⇒ `::Array<::Google::Cloud::NetworkSecurity::V1beta1::AuthorizationPolicy::Rule::Source>`

Returns Optional. List of attributes for the traffic source. All of the sources must match. A source is a match if both principals and ip_blocks match. If not set, the action specified in the 'action' field will be applied without any rule checks for the source.