// Copyright 2026 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package google.cloud.networksecurity.v1;

import "google/api/field_behavior.proto";
import "google/api/field_info.proto";
import "google/api/resource.proto";
import "google/protobuf/field_mask.proto";
import "google/protobuf/timestamp.proto";

option csharp_namespace = "Google.Cloud.NetworkSecurity.V1";
option go_package = "cloud.google.com/go/networksecurity/apiv1/networksecuritypb;networksecuritypb";
option java_multiple_files = true;
option java_outer_classname = "AuthzPolicyProto";
option java_package = "com.google.cloud.networksecurity.v1";
option php_namespace = "Google\\Cloud\\NetworkSecurity\\V1";
option ruby_package = "Google::Cloud::NetworkSecurity::V1";

// `AuthzPolicy` is a resource that allows to forward traffic to a
// callout backend designed to scan the traffic for security purposes.
message AuthzPolicy {
  option (google.api.resource) = {
    type: "networksecurity.googleapis.com/AuthzPolicy"
    pattern: "projects/{project}/locations/{location}/authzPolicies/{authz_policy}"
    plural: "authzPolicies"
    singular: "authzPolicy"
  };

  // Specifies the set of targets to which this policy should be applied to.
  message Target {
    // Optional. All gateways and forwarding rules referenced by this policy and
    // extensions must share the same load balancing scheme. Required only when
    // targeting forwarding rules. If targeting Secure Web Proxy, this field
    // must be `INTERNAL_MANAGED` or not specified. Must not be specified
    // when targeting Agent Gateway. Supported values:
    // `INTERNAL_MANAGED` and `EXTERNAL_MANAGED`. For more information, refer
    // to [Backend services
    // overview](https://cloud.google.com/load-balancing/docs/backend-service).
    LoadBalancingScheme load_balancing_scheme = 8
        [(google.api.field_behavior) = OPTIONAL];

    // Required. A list of references to the Forwarding Rules, Secure Web Proxy
    // Gateways, or Agent Gateways on which this policy will be applied.
    repeated string resources = 1 [(google.api.field_behavior) = REQUIRED];
  }

  // Conditions to match against the incoming request.
  message AuthzRule {
    // Determines how a string value should be matched.
    message StringMatch {
      oneof match_pattern {
        // The input string must match exactly the string specified here.
        //
        // Examples:
        //
        // * ``abc`` only matches the value ``abc``.
        string exact = 1;

        // The input string must have the prefix specified here.
        // Note: empty prefix is not allowed, please use regex instead.
        //
        // Examples:
        //
        // * ``abc`` matches the value ``abc.xyz``
        string prefix = 2;

        // The input string must have the suffix specified here.
        // Note: empty prefix is not allowed, please use regex instead.
        //
        // Examples:
        //
        // * ``abc`` matches the value ``xyz.abc``
        string suffix = 3;

        // The input string must have the substring specified here.
        // Note: empty contains match is not allowed, please use regex instead.
        //
        // Examples:
        //
        // * ``abc`` matches the value ``xyz.abc.def``
        string contains = 4;
      }

      // If true, indicates the exact/prefix/suffix/contains matching should be
      // case insensitive. For example, the matcher ``data`` will match both
      // input string ``Data`` and ``data`` if set to true.
      bool ignore_case = 5;
    }

    // Represents a range of IP Addresses.
    message IpBlock {
      // Required. The address prefix.
      string prefix = 1 [(google.api.field_behavior) = REQUIRED];

      // Required. The length of the address range.
      int32 length = 2 [(google.api.field_behavior) = REQUIRED];
    }

    // Describes the properties of a client VM resource accessing the internal
    // application load balancers.
    message RequestResource {
      // Describes a set of resource tag value permanent IDs to match against
      // the resource manager tags value associated with the source VM of a
      // request.
      message TagValueIdSet {
        // Required. A list of resource tag value permanent IDs to match against
        // the resource manager tags value associated with the source VM of a
        // request. The match follows AND semantics which means all
        // the ids must match. Limited to 5 ids in the Tag value id set.
        repeated int64 ids = 1 [(google.api.field_behavior) = REQUIRED];
      }

      // Optional. A list of resource tag value permanent IDs to match against
      // the resource manager tags value associated with the source VM of a
      // request.
      TagValueIdSet tag_value_id_set = 1
          [(google.api.field_behavior) = OPTIONAL];

      // Optional. An IAM service account to match against the source
      // service account of the VM sending the request.
      StringMatch iam_service_account = 2
          [(google.api.field_behavior) = OPTIONAL];
    }

    // Determines how a HTTP header should be matched.
    message HeaderMatch {
      // Optional. Specifies the name of the header in the request.
      string name = 1 [(google.api.field_behavior) = OPTIONAL];

      // Optional. Specifies how the header match will be performed.
      StringMatch value = 2 [(google.api.field_behavior) = OPTIONAL];
    }

    // Describes the properties of a principal to be matched against.
    message Principal {
      // The principal value the principal rule will match against.
      enum PrincipalSelector {
        // Unspecified principal selector. It will be treated as
        // CLIENT_CERT_URI_SAN by default.
        PRINCIPAL_SELECTOR_UNSPECIFIED = 0;

        // The principal rule is matched against a list of URI SANs in the
        // validated client's certificate. A match happens when there is any
        // exact URI SAN value match. This is the default principal selector.
        CLIENT_CERT_URI_SAN = 1;

        // The principal rule is matched against a list of DNS Name SANs in the
        // validated client's certificate. A match happens when there is any
        // exact DNS Name SAN value match.
        // This is only applicable for Application Load Balancers
        // except for classic Global External Application load balancer.
        // CLIENT_CERT_DNS_NAME_SAN is not supported for INTERNAL_SELF_MANAGED
        // load balancing scheme.
        CLIENT_CERT_DNS_NAME_SAN = 2;

        // The principal rule is matched against the common name in the client's
        // certificate. Authorization against multiple common names in the
        // client certificate is not supported. Requests with multiple common
        // names in the client certificate will be rejected if
        // CLIENT_CERT_COMMON_NAME is set as the principal selector. A match
        // happens when there is an exact common name value match.
        // This is only applicable for Application Load Balancers
        // except for global external Application Load Balancer and
        // classic Application Load Balancer.
        // CLIENT_CERT_COMMON_NAME is not supported for INTERNAL_SELF_MANAGED
        // load balancing scheme.
        CLIENT_CERT_COMMON_NAME = 3;
      }

      // Optional. An enum to decide what principal value the principal rule
      // will match against. If not specified, the PrincipalSelector is
      // CLIENT_CERT_URI_SAN.
      PrincipalSelector principal_selector = 1
          [(google.api.field_behavior) = OPTIONAL];

      // Required. A non-empty string whose value is matched against the
      // principal value based on the principal_selector. Only exact match can
      // be applied for CLIENT_CERT_URI_SAN, CLIENT_CERT_DNS_NAME_SAN,
      // CLIENT_CERT_COMMON_NAME selectors.
      StringMatch principal = 2 [(google.api.field_behavior) = REQUIRED];
    }

    // Describes properties of one or more sources of a request.
    message From {
      // Describes the properties of a single source.
      message RequestSource {
        // Optional. A list of identities derived from the client's certificate.
        // This field will not match on a request unless frontend mutual TLS is
        // enabled for the forwarding rule or Gateway and the client certificate
        // has been successfully validated by mTLS.
        // Each identity is a string whose value is matched against a list of
        // URI SANs, DNS Name SANs, or the common name in the client's
        // certificate. A match happens when any principal matches with the
        // rule. Limited to 50 principals per Authorization Policy for regional
        // internal Application Load Balancers, regional external Application
        // Load Balancers, cross-region internal Application Load Balancers, and
        // Cloud Service Mesh. This field is not supported for global external
        // Application Load Balancers.
        repeated Principal principals = 1
            [(google.api.field_behavior) = OPTIONAL];

        // Optional. A list of IP addresses or IP address ranges to match
        // against the source IP address of the request. Limited to 10 ip_blocks
        // per Authorization Policy
        repeated IpBlock ip_blocks = 2 [(google.api.field_behavior) = OPTIONAL];

        // Optional. A list of resources to match against the resource of the
        // source VM of a request. Limited to 10 resources per Authorization
        // Policy.
        repeated RequestResource resources = 3
            [(google.api.field_behavior) = OPTIONAL];
      }

      // Optional. Describes the properties of a request's sources. At least one
      // of sources or notSources must be specified. Limited to 1 source.
      // A match occurs when ANY source (in sources or notSources) matches the
      // request. Within a single source, the match follows AND semantics
      // across fields and OR semantics within a single field, i.e. a match
      // occurs when ANY principal matches AND ANY ipBlocks match.
      repeated RequestSource sources = 1
          [(google.api.field_behavior) = OPTIONAL];

      // Optional. Describes the negated properties of request sources. Matches
      // requests from sources that do not match the criteria specified in this
      // field. At least one of sources or notSources must be specified.
      repeated RequestSource not_sources = 2
          [(google.api.field_behavior) = OPTIONAL];
    }

    // Describes properties of one or more targets of a request.
    message To {
      // Describes properties of one or more targets of a request.
      message RequestOperation {
        // Describes a set of HTTP headers to match against.
        message HeaderSet {
          // Required. A list of headers to match against in http header.
          // The match can be one of exact, prefix, suffix, or contains
          // (substring match). The match follows AND semantics which means all
          // the headers must match. Matches are always case sensitive unless
          // the ignoreCase is set. Limited to 10 headers per Authorization
          // Policy.
          repeated HeaderMatch headers = 1
              [(google.api.field_behavior) = REQUIRED];
        }

        // Describes a set of MCP methods to match against.
        message MCPMethod {
          // Required. The MCP method to match against. Allowed values are as
          // follows:
          // 1. `tools`, `prompts`, `resources` - these will match against all
          //    sub methods under the respective methods.
          // 2. `prompts/list`, `tools/list`, `resources/list`,
          //    `resources/templates/list`
          // 3. `prompts/get`, `tools/call`, `resources/subscribe`,
          //    `resources/unsubscribe`, `resources/read`
          // Params cannot be specified for categories 1 and 2.
          string name = 1 [(google.api.field_behavior) = REQUIRED];

          // Optional. A list of MCP method parameters to match against. The
          // match can be one of exact, prefix, suffix, or contains (substring
          // match). Matches are always case sensitive unless the ignoreCase is
          // set. Limited to 10 MCP method parameters per Authorization Policy.
          repeated StringMatch params = 2
              [(google.api.field_behavior) = OPTIONAL];
        }

        // Describes a set of MCP protocol attributes to match against for a
        // given MCP request.
        message MCP {
          // Optional. If specified, matches on the MCP protocol’s non-access
          // specific methods namely:
          // * initialize
          // * completion/
          // * logging/
          // * notifications/
          // * ping
          // Defaults to SKIP_BASE_PROTOCOL_METHODS if not specified.
          BaseProtocolMethodsOption base_protocol_methods_option = 1
              [(google.api.field_behavior) = OPTIONAL];

          // Optional. A list of MCP methods and associated parameters to match
          // on. It is recommended to use this field to match on tools, prompts
          // and resource accesses while setting the baseProtocolMethodsOption
          // to MATCH_BASE_PROTOCOL_METHODS to match on all the other MCP
          // protocol methods.
          // Limited to 10 MCP methods per Authorization Policy.
          repeated MCPMethod methods = 2
              [(google.api.field_behavior) = OPTIONAL];
        }

        // Describes the option to match against the base MCP protocol methods.
        enum BaseProtocolMethodsOption {
          // Unspecified option. Defaults to SKIP_BASE_PROTOCOL_METHODS.
          BASE_PROTOCOL_METHODS_OPTION_UNSPECIFIED = 0;

          // Skip matching on the base MCP protocol methods.
          SKIP_BASE_PROTOCOL_METHODS = 1;

          // Match on the base MCP protocol methods.
          MATCH_BASE_PROTOCOL_METHODS = 2;
        }

        // Optional. A list of headers to match against in http header.
        HeaderSet header_set = 1 [(google.api.field_behavior) = OPTIONAL];

        // Optional. A list of HTTP Hosts to match against. The match can be one
        // of exact, prefix, suffix, or contains (substring match). Matches are
        // always case sensitive unless the ignoreCase is set. Limited to 10
        // hosts per Authorization Policy.
        repeated StringMatch hosts = 2 [(google.api.field_behavior) = OPTIONAL];

        // Optional. A list of paths to match against. The match can be one of
        // exact, prefix, suffix, or contains (substring match). Matches are
        // always case sensitive unless the ignoreCase is set. Limited to 10
        // paths per Authorization Policy.
        // Note that this path match includes the query parameters. For gRPC
        // services, this should be a fully-qualified name of the form
        // /package.service/method.
        repeated StringMatch paths = 3 [(google.api.field_behavior) = OPTIONAL];

        // Optional. A list of HTTP methods to match against. Each entry must be
        // a valid HTTP method name (GET, PUT, POST, HEAD, PATCH, DELETE,
        // OPTIONS). It only allows exact match and is always case sensitive.
        // Limited to 10 methods per Authorization Policy.
        repeated string methods = 4 [(google.api.field_behavior) = OPTIONAL];

        // Optional. Defines the MCP protocol attributes to match on. If the MCP
        // payload in the request body cannot be successfully parsed, the
        // request will be denied. This field can be set only for AuthzPolicies
        // targeting AgentGateway resources.
        MCP mcp = 5 [(google.api.field_behavior) = OPTIONAL];

        // Optional. A list of SNIs to match against. The match can be one of
        // exact, prefix, suffix, or contains (substring match). If there is no
        // SNI (i.e. plaintext HTTP traffic), the request will be denied.
        // Matches are always case sensitive unless the ignoreCase is set.
        // Limited to 10 SNIs per Authorization Policy.
        repeated StringMatch snis = 7 [(google.api.field_behavior) = OPTIONAL];
      }

      // Optional. Describes properties of one or more targets of a request. At
      // least one of operations or notOperations must be specified. Limited to
      // 1 operation. A match occurs when ANY operation (in operations or
      // notOperations) matches. Within an operation, the match follows AND
      // semantics across fields and OR semantics within a field, i.e. a match
      // occurs when ANY path matches AND ANY header matches and ANY method
      // matches.
      repeated RequestOperation operations = 1
          [(google.api.field_behavior) = OPTIONAL];

      // Optional. Describes the negated properties of the targets of a request.
      // Matches requests for operations that do not match the criteria
      // specified in this field. At least one of operations or notOperations
      // must be specified.
      repeated RequestOperation not_operations = 2
          [(google.api.field_behavior) = OPTIONAL];
    }

    // Optional. Describes properties of a source of a request.
    From from = 1 [(google.api.field_behavior) = OPTIONAL];

    // Optional. Describes properties of a target of a request.
    To to = 2 [(google.api.field_behavior) = OPTIONAL];

    // Optional. CEL expression that describes the conditions to be satisfied
    // for the action. The result of the CEL expression is ANDed with the from
    // and to. Refer to the CEL language reference for a list of available
    // attributes.
    string when = 3 [(google.api.field_behavior) = OPTIONAL];
  }

  // Allows delegating authorization decisions to Cloud IAP or to
  // Service Extensions.
  message CustomProvider {
    // Optional. Delegates authorization decisions to Cloud IAP. Applicable
    // only for managed load balancers. Enabling Cloud IAP at the AuthzPolicy
    // level is not compatible with Cloud IAP settings in the BackendService.
    // Enabling IAP in both places will result in request failure. Ensure that
    // IAP is enabled in either the AuthzPolicy or the BackendService but not in
    // both places.
    message CloudIap {}

    // Optional. Delegate authorization decision to user authored extension.
    // Only one of cloudIap or authzExtension can be specified.
    message AuthzExtension {
      // Required. A list of references to authorization
      // extensions that will be invoked for requests matching this policy.
      // Limited to 1 custom provider.
      repeated string resources = 1 [(google.api.field_behavior) = REQUIRED];
    }

    // Optional. Delegates authorization decisions to Cloud IAP. Applicable
    // only for managed load balancers. Enabling Cloud IAP at the AuthzPolicy
    // level is not compatible with Cloud IAP settings in the BackendService.
    // Enabling IAP in both places will result in request failure. Ensure that
    // IAP is enabled in either the AuthzPolicy or the BackendService but not in
    // both places.
    CloudIap cloud_iap = 1 [(google.api.field_behavior) = OPTIONAL];

    // Optional. Delegate authorization decision to user authored Service
    // Extension. Only one of cloudIap or authzExtension can be specified.
    AuthzExtension authz_extension = 2 [(google.api.field_behavior) = OPTIONAL];
  }

  // Load balancing schemes supported by the `AuthzPolicy` resource. The valid
  // values are `INTERNAL_MANAGED` and
  // `EXTERNAL_MANAGED`. For more information, refer to [Backend services
  // overview](https://cloud.google.com/load-balancing/docs/backend-service).
  enum LoadBalancingScheme {
    // Default value. Do not use.
    LOAD_BALANCING_SCHEME_UNSPECIFIED = 0;

    // Signifies that this is used for Regional internal or Cross-region
    // internal Application Load Balancing.
    INTERNAL_MANAGED = 1;

    // Signifies that this is used for Global external or Regional external
    // Application Load Balancing.
    EXTERNAL_MANAGED = 2;

    // Signifies that this is used for Cloud Service Mesh. Meant for use by
    // CSM GKE controller only.
    INTERNAL_SELF_MANAGED = 3;
  }

  // The action to be applied to this policy. Valid values are
  // `ALLOW`, `DENY`, `CUSTOM`.
  enum AuthzAction {
    // Unspecified action.
    AUTHZ_ACTION_UNSPECIFIED = 0;

    // Allow request to pass through to the backend.
    ALLOW = 1;

    // Deny the request and return a HTTP 404 to the client.
    DENY = 2;

    // Delegate the authorization decision to an external authorization engine.
    CUSTOM = 3;
  }

  // The type of authorization being performed.
  // New values may be added in the future.
  enum PolicyProfile {
    // Unspecified policy profile.
    POLICY_PROFILE_UNSPECIFIED = 0;

    // Applies to request authorization. `CUSTOM` authorization
    // policies with Authz extensions will be allowed with `EXT_AUTHZ_GRPC` or
    // `EXT_PROC_GRPC` protocols. Extensions are invoked only for request header
    // events.
    REQUEST_AUTHZ = 1;

    // Applies to content security, sanitization, etc. Only
    // `CUSTOM` action is allowed in this policy profile. AuthzExtensions in the
    // custom provider must support `EXT_PROC_GRPC` protocol only and be capable
    // of receiving all `EXT_PROC_GRPC` events (REQUEST_HEADERS, REQUEST_BODY,
    // REQUEST_TRAILERS, RESPONSE_HEADERS, RESPONSE_BODY, RESPONSE_TRAILERS)
    // with `FULL_DUPLEX_STREAMED` body send mode.
    CONTENT_AUTHZ = 2;
  }

  // Required. Identifier. Name of the `AuthzPolicy` resource in the following
  // format:
  // `projects/{project}/locations/{location}/authzPolicies/{authz_policy}`.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.field_behavior) = IDENTIFIER
  ];

  // Output only. The timestamp when the resource was created.
  google.protobuf.Timestamp create_time = 2
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The timestamp when the resource was updated.
  google.protobuf.Timestamp update_time = 3
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Optional. A human-readable description of the resource.
  string description = 4 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Set of labels associated with the `AuthzPolicy` resource.
  //
  // The format must comply with [the following
  // requirements](/compute/docs/labeling-resources#requirements).
  map<string, string> labels = 5 [(google.api.field_behavior) = OPTIONAL];

  // Required. Specifies the set of resources to which this policy should be
  // applied to.
  Target target = 6 [(google.api.field_behavior) = REQUIRED];

  // Optional. A list of authorization HTTP rules to match against the incoming
  // request. A policy match occurs when at least one HTTP rule matches the
  // request or when no HTTP rules are specified in the policy.
  // At least one HTTP Rule is required for Allow or Deny Action. Limited
  // to 5 rules.
  repeated AuthzRule http_rules = 7 [(google.api.field_behavior) = OPTIONAL];

  // Optional. A list of authorization network rules to match against the
  // incoming request. A policy match occurs when at least one network rule
  // matches the request.
  // At least one network rule is required for Allow or Deny Action if no HTTP
  // rules are provided. Network rules are mutually exclusive with HTTP rules.
  // Limited to 5 rules.
  repeated AuthzRule network_rules = 12
      [(google.api.field_behavior) = OPTIONAL];

  // Required. Can be one of `ALLOW`, `DENY`, `CUSTOM`.
  //
  // When the action is `CUSTOM`, `customProvider` must be specified.
  //
  // When the action is `ALLOW`, only requests matching the policy will
  // be allowed.
  //
  // When the action is `DENY`, only requests matching the policy will be
  // denied.
  //
  // When a request arrives, the policies are evaluated in the following order:
  //
  // 1. If there is a `CUSTOM` policy that matches the request, the `CUSTOM`
  // policy is evaluated using the custom authorization providers and the
  // request is denied if the provider rejects the request.
  //
  // 2. If there are any `DENY` policies that match the request, the request
  // is denied.
  //
  // 3. If there are no `ALLOW` policies for the resource or if any of the
  // `ALLOW` policies match the request, the request is allowed.
  //
  // 4. Else the request is denied by default if none of the configured
  // AuthzPolicies with `ALLOW` action match the request.
  AuthzAction action = 8 [(google.api.field_behavior) = REQUIRED];

  // Optional. Required if the action is `CUSTOM`. Allows delegating
  // authorization decisions to Cloud IAP or to Service Extensions. One of
  // `cloudIap` or `authzExtension` must be specified.
  CustomProvider custom_provider = 10 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Immutable. Defines the type of authorization being performed.
  // If not specified, `REQUEST_AUTHZ` is applied. This field cannot be changed
  // once AuthzPolicy is created.
  PolicyProfile policy_profile = 11 [
    (google.api.field_behavior) = OPTIONAL,
    (google.api.field_behavior) = IMMUTABLE
  ];
}

// Message for creating an `AuthzPolicy` resource.
message CreateAuthzPolicyRequest {
  // Required. The parent resource of the `AuthzPolicy` resource. Must be in
  // the format `projects/{project}/locations/{location}`.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      child_type: "networksecurity.googleapis.com/AuthzPolicy"
    }
  ];

  // Required. User-provided ID of the `AuthzPolicy` resource to be created.
  string authz_policy_id = 2 [(google.api.field_behavior) = REQUIRED];

  // Required. `AuthzPolicy` resource to be created.
  AuthzPolicy authz_policy = 3 [(google.api.field_behavior) = REQUIRED];

  // Optional. An optional request ID to identify requests. Specify a unique
  // request ID so that if you must retry your request, the server can ignore
  // the request if it has already been completed. The server guarantees
  // that for at least 60 minutes since the first request.
  //
  // For example, consider a situation where you make an initial request and the
  // request times out. If you make the request again with the same request
  // ID, the server can check if original operation with the same request ID
  // was received, and if so, ignores the second request. This prevents
  // clients from accidentally creating duplicate commitments.
  //
  // The request ID must be a valid UUID with the exception that zero UUID is
  // not supported (00000000-0000-0000-0000-000000000000).
  string request_id = 4 [
    (google.api.field_info).format = UUID4,
    (google.api.field_behavior) = OPTIONAL
  ];
}

// Message for requesting list of `AuthzPolicy` resources.
message ListAuthzPoliciesRequest {
  // Required. The project and location from which the `AuthzPolicy` resources
  // are listed, specified in the following format:
  // `projects/{project}/locations/{location}`.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      child_type: "networksecurity.googleapis.com/AuthzPolicy"
    }
  ];

  // Optional. Requested page size. The server might return fewer items than
  // requested. If unspecified, the server picks an appropriate default.
  int32 page_size = 2 [(google.api.field_behavior) = OPTIONAL];

  // Optional. A token identifying a page of results that the server returns.
  string page_token = 3 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Filtering results.
  string filter = 4 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Hint for how to order the results.
  string order_by = 5 [(google.api.field_behavior) = OPTIONAL];
}

// Message for response to listing `AuthzPolicy` resources.
message ListAuthzPoliciesResponse {
  // The list of `AuthzPolicy` resources.
  repeated AuthzPolicy authz_policies = 1;

  // A token identifying a page of results that the server returns.
  string next_page_token = 2;

  // Locations that could not be reached.
  repeated string unreachable = 3;
}

// Message for getting a `AuthzPolicy` resource.
message GetAuthzPolicyRequest {
  // Required. A name of the `AuthzPolicy` resource to get. Must be in the
  // format
  // `projects/{project}/locations/{location}/authzPolicies/{authz_policy}`.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "networksecurity.googleapis.com/AuthzPolicy"
    }
  ];
}

// Message for updating an `AuthzPolicy` resource.
message UpdateAuthzPolicyRequest {
  // Required. Used to specify the fields to be overwritten in the
  // `AuthzPolicy` resource by the update.
  // The fields specified in the `update_mask` are relative to the resource, not
  // the full request. A field is overwritten if it is in the mask. If the
  // user does not specify a mask, then all fields are overwritten.
  google.protobuf.FieldMask update_mask = 1
      [(google.api.field_behavior) = REQUIRED];

  // Required. `AuthzPolicy` resource being updated.
  AuthzPolicy authz_policy = 2 [(google.api.field_behavior) = REQUIRED];

  // Optional. An optional request ID to identify requests. Specify a unique
  // request ID so that if you must retry your request, the server can ignore
  // the request if it has already been completed. The server guarantees
  // that for at least 60 minutes since the first request.
  //
  // For example, consider a situation where you make an initial request and the
  // request times out. If you make the request again with the same request
  // ID, the server can check if original operation with the same request ID
  // was received, and if so, ignores the second request. This prevents
  // clients from accidentally creating duplicate commitments.
  //
  // The request ID must be a valid UUID with the exception that zero UUID is
  // not supported (00000000-0000-0000-0000-000000000000).
  string request_id = 3 [
    (google.api.field_info).format = UUID4,
    (google.api.field_behavior) = OPTIONAL
  ];
}

// Message for deleting an `AuthzPolicy` resource.
message DeleteAuthzPolicyRequest {
  // Required. The name of the `AuthzPolicy` resource to delete. Must be in
  // the format
  // `projects/{project}/locations/{location}/authzPolicies/{authz_policy}`.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "networksecurity.googleapis.com/AuthzPolicy"
    }
  ];

  // Optional. An optional request ID to identify requests. Specify a unique
  // request ID so that if you must retry your request, the server can ignore
  // the request if it has already been completed. The server guarantees
  // that for at least 60 minutes after the first request.
  //
  // For example, consider a situation where you make an initial request and the
  // request times out. If you make the request again with the same request
  // ID, the server can check if original operation with the same request ID
  // was received, and if so, ignores the second request. This prevents
  // clients from accidentally creating duplicate commitments.
  //
  // The request ID must be a valid UUID with the exception that zero UUID is
  // not supported (00000000-0000-0000-0000-000000000000).
  string request_id = 2 [
    (google.api.field_info).format = UUID4,
    (google.api.field_behavior) = OPTIONAL
  ];
}
