// Copyright 2026 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package google.cloud.ces.v1beta;

import "google/api/field_behavior.proto";
import "google/api/resource.proto";
import "google/protobuf/timestamp.proto";

option go_package = "cloud.google.com/go/ces/apiv1beta/cespb;cespb";
option java_multiple_files = true;
option java_outer_classname = "SecuritySettingsProto";
option java_package = "com.google.cloud.ces.v1beta";

// Project/Location level security settings for CES.
message SecuritySettings {
  option (google.api.resource) = {
    type: "ces.googleapis.com/SecuritySettings"
    pattern: "projects/{project}/locations/{location}/securitySettings"
    plural: "securitySettings"
    singular: "securitySettings"
  };

  // Identifier. The unique identifier of the security settings.
  // Format: `projects/{project}/locations/{location}/securitySettings`
  string name = 1 [(google.api.field_behavior) = IDENTIFIER];

  // Optional. Endpoint control related settings.
  EndpointControlPolicy endpoint_control_policy = 2
      [(google.api.field_behavior) = OPTIONAL];

  // Output only. Create time of the security settings.
  google.protobuf.Timestamp create_time = 3
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. Last update time of the security settings.
  google.protobuf.Timestamp update_time = 4
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. Etag of the security settings.
  string etag = 5 [(google.api.field_behavior) = OUTPUT_ONLY];
}

// Defines project/location level endpoint control policy.
message EndpointControlPolicy {
  // Defines the scope in which this policy's allowed_origins list is
  // enforced.
  enum EnforcementScope {
    // Unspecified. This policy will be treated as VPCSC_ONLY.
    ENFORCEMENT_SCOPE_UNSPECIFIED = 0;

    // This policy applies only when VPC-SC is active.
    VPCSC_ONLY = 1;

    // This policy ALWAYS applies, regardless of VPC-SC status.
    ALWAYS = 2;
  }

  // Optional. The scope in which this policy's allowed_origins list is
  // enforced.
  EnforcementScope enforcement_scope = 1
      [(google.api.field_behavior) = OPTIONAL];

  // Optional. The allowed HTTP(s) origins that tools in the App are able to
  // directly call. The enforcement depends on the value of
  // enforcement_scope and the VPC-SC status of the project.
  // If a port number is not provided, all ports will be allowed. Otherwise,
  // the port number must match exactly. For example, "https://example.com"
  // will match "https://example.com:443" and any other port.
  // "https://example.com:443" will only match "https://example.com:443".
  repeated string allowed_origins = 2 [(google.api.field_behavior) = OPTIONAL];
}
