// Copyright 2026 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package google.cloud.networksecurity.v1;

import "google/api/field_behavior.proto";
import "google/api/resource.proto";
import "google/protobuf/field_mask.proto";
import "google/protobuf/timestamp.proto";

option csharp_namespace = "Google.Cloud.NetworkSecurity.V1";
option go_package = "cloud.google.com/go/networksecurity/apiv1/networksecuritypb;networksecuritypb";
option java_multiple_files = true;
option java_outer_classname = "GatewaySecurityPolicyRuleProto";
option java_package = "com.google.cloud.networksecurity.v1";
option php_namespace = "Google\\Cloud\\NetworkSecurity\\V1";
option ruby_package = "Google::Cloud::NetworkSecurity::V1";

// The GatewaySecurityPolicyRule resource is in a nested collection within a
// GatewaySecurityPolicy and represents a traffic matching condition and
// associated action to perform.
message GatewaySecurityPolicyRule {
  option (google.api.resource) = {
    type: "networksecurity.googleapis.com/GatewaySecurityPolicyRule"
    pattern: "projects/{project}/locations/{location}/gatewaySecurityPolicies/{gateway_security_policy}/rules/{rule}"
  };

  // enum to define the primitive action.
  enum BasicProfile {
    // If there is not a mentioned action for the target.
    BASIC_PROFILE_UNSPECIFIED = 0;

    // Allow the matched traffic.
    ALLOW = 1;

    // Deny the matched traffic.
    DENY = 2;
  }

  oneof profile {
    // Required. Profile which tells what the primitive action should be.
    BasicProfile basic_profile = 9 [(google.api.field_behavior) = REQUIRED];
  }

  // Required. Immutable. Name of the resource. ame is the full resource name so
  // projects/{project}/locations/{location}/gatewaySecurityPolicies/{gateway_security_policy}/rules/{rule}
  // rule should match the
  // pattern: (^[a-z]([a-z0-9-]{0,61}[a-z0-9])?$).
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.field_behavior) = IMMUTABLE
  ];

  // Output only. Time when the rule was created.
  google.protobuf.Timestamp create_time = 2
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. Time when the rule was updated.
  google.protobuf.Timestamp update_time = 3
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Required. Whether the rule is enforced.
  bool enabled = 4 [(google.api.field_behavior) = REQUIRED];

  // Required. Priority of the rule.
  // Lower number corresponds to higher precedence.
  int32 priority = 5 [(google.api.field_behavior) = REQUIRED];

  // Optional. Free-text description of the resource.
  string description = 6 [(google.api.field_behavior) = OPTIONAL];

  // Required. CEL expression for matching on session criteria.
  string session_matcher = 7 [(google.api.field_behavior) = REQUIRED];

  // Optional. CEL expression for matching on L7/application level criteria.
  string application_matcher = 8 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Flag to enable TLS inspection of traffic matching on
  // <session_matcher>, can only be true if the parent GatewaySecurityPolicy
  // references a TLSInspectionConfig.
  bool tls_inspection_enabled = 10 [(google.api.field_behavior) = OPTIONAL];
}

// Methods for GatewaySecurityPolicy RULES/GatewaySecurityPolicyRules.
// Request used by the CreateGatewaySecurityPolicyRule method.
message CreateGatewaySecurityPolicyRuleRequest {
  // Required. The parent where this rule will be created.
  // Format :
  // projects/{project}/location/{location}/gatewaySecurityPolicies/*
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      child_type: "networksecurity.googleapis.com/GatewaySecurityPolicyRule"
    }
  ];

  // Required. The rule to be created.
  GatewaySecurityPolicyRule gateway_security_policy_rule = 2
      [(google.api.field_behavior) = REQUIRED];

  // The ID to use for the rule, which will become the final component of
  // the rule's resource name.
  // This value should be 4-63 characters, and valid characters
  // are /[a-z][0-9]-/.
  string gateway_security_policy_rule_id = 3;
}

// Request used by the GetGatewaySecurityPolicyRule method.
message GetGatewaySecurityPolicyRuleRequest {
  // Required. The name of the GatewaySecurityPolicyRule to retrieve.
  // Format:
  // projects/{project}/location/{location}/gatewaySecurityPolicies/*/rules/*
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "networksecurity.googleapis.com/GatewaySecurityPolicyRule"
    }
  ];
}

// Request used by the UpdateGatewaySecurityPolicyRule method.
message UpdateGatewaySecurityPolicyRuleRequest {
  // Optional. Field mask is used to specify the fields to be overwritten in the
  // GatewaySecurityPolicy resource by the update.
  // The fields specified in the update_mask are relative to the resource, not
  // the full request. A field will be overwritten if it is in the mask. If the
  // user does not provide a mask then all fields will be overwritten.
  google.protobuf.FieldMask update_mask = 1
      [(google.api.field_behavior) = OPTIONAL];

  // Required. Updated GatewaySecurityPolicyRule resource.
  GatewaySecurityPolicyRule gateway_security_policy_rule = 2
      [(google.api.field_behavior) = REQUIRED];
}

// Request used with the ListGatewaySecurityPolicyRules method.
message ListGatewaySecurityPolicyRulesRequest {
  // Required. The project, location and GatewaySecurityPolicy from which the
  // GatewaySecurityPolicyRules should be listed, specified in the format
  // `projects/{project}/locations/{location}/gatewaySecurityPolicies/{gatewaySecurityPolicy}`.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "networksecurity.googleapis.com/GatewaySecurityPolicy"
    }
  ];

  // Maximum number of GatewaySecurityPolicyRules to return per call.
  int32 page_size = 2;

  // The value returned by the last
  // 'ListGatewaySecurityPolicyRulesResponse' Indicates that this is a
  // continuation of a prior 'ListGatewaySecurityPolicyRules' call, and
  // that the system should return the next page of data.
  string page_token = 3;
}

// Response returned by the ListGatewaySecurityPolicyRules method.
message ListGatewaySecurityPolicyRulesResponse {
  // List of GatewaySecurityPolicyRule resources.
  repeated GatewaySecurityPolicyRule gateway_security_policy_rules = 1;

  // If there might be more results than those appearing in this response, then
  // 'next_page_token' is included. To get the next set of results, call this
  // method again using the value of 'next_page_token' as 'page_token'.
  string next_page_token = 2;

  // Locations that could not be reached.
  repeated string unreachable = 3;
}

// Request used by the DeleteGatewaySecurityPolicyRule method.
message DeleteGatewaySecurityPolicyRuleRequest {
  // Required. A name of the GatewaySecurityPolicyRule to delete. Must be in the
  // format
  // `projects/{project}/locations/{location}/gatewaySecurityPolicies/{gatewaySecurityPolicy}/rules/*`.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "networksecurity.googleapis.com/GatewaySecurityPolicyRule"
    }
  ];
}
