// Copyright 2025 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package google.cloud.securitycenter.v2;

import "google/api/field_behavior.proto";

option csharp_namespace = "Google.Cloud.SecurityCenter.V2";
option go_package = "cloud.google.com/go/securitycenter/apiv2/securitycenterpb;securitycenterpb";
option java_multiple_files = true;
option java_outer_classname = "IpRulesProto";
option java_package = "com.google.cloud.securitycenter.v2";
option php_namespace = "Google\\Cloud\\SecurityCenter\\V2";
option ruby_package = "Google::Cloud::SecurityCenter::V2";

// IP rules associated with the finding.
message IpRules {
  // The type of direction that the rule is applicable to, one of ingress or
  // egress. Not applicable to OPEN_X_PORT findings.
  enum Direction {
    // Unspecified direction value.
    DIRECTION_UNSPECIFIED = 0;

    // Ingress direction value.
    INGRESS = 1;

    // Egress direction value.
    EGRESS = 2;
  }

  // The direction that the rule is applicable to, one of ingress or egress.
  Direction direction = 1;

  // The list of allow rules specified by this firewall. Each rule specifies a
  // protocol and port-range tuple that describes a permitted connection.
  oneof rules {
    // Tuple with allowed rules.
    Allowed allowed = 2;

    // Tuple with denied rules.
    Denied denied = 3;
  }

  // If source IP ranges are specified, the firewall rule applies only to
  // traffic that has a source IP address in these ranges. These ranges must be
  // expressed in CIDR format. Only supports IPv4.
  repeated string source_ip_ranges = 4;

  // If destination IP ranges are specified, the firewall rule applies only to
  // traffic that has a destination IP address in these ranges. These ranges
  // must be expressed in CIDR format. Only supports IPv4.
  repeated string destination_ip_ranges = 5;

  // Name of the network protocol service, such as FTP, that is exposed by the
  // open port. Follows the naming convention available at:
  // https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml.
  repeated string exposed_services = 6;
}

// IP rule information.
message IpRule {
  // A port range which is inclusive of the min and max values.
  // Values are between 0 and 2^16-1. The max can be equal / must be not smaller
  // than the min value. If min and max are equal this indicates that it is a
  // single port.
  message PortRange {
    // Minimum port value.
    int64 min = 1;

    // Maximum port value.
    int64 max = 2;
  }

  // The IP protocol this rule applies to. This value can either be one of the
  // following well known protocol strings (TCP, UDP, ICMP, ESP, AH, IPIP,
  // SCTP) or a string representation of the integer value.
  string protocol = 1;

  // Optional. An optional list of ports to which this rule applies. This field
  // is only applicable for the UDP or (S)TCP protocols. Each entry must be
  // either an integer or a range including a min and max port number.
  repeated PortRange port_ranges = 2 [(google.api.field_behavior) = OPTIONAL];
}

// Allowed IP rule.
message Allowed {
  // Optional. Optional list of allowed IP rules.
  repeated IpRule ip_rules = 1 [(google.api.field_behavior) = OPTIONAL];
}

// Denied IP rule.
message Denied {
  // Optional. Optional list of denied IP rules.
  repeated IpRule ip_rules = 1 [(google.api.field_behavior) = OPTIONAL];
}
