feat: add networksecurity v1 client library

Google APIs · copybara-github · commit 29c6482ccb75 · 2026-05-21T14:53:36.000-07:00
PiperOrigin-RevId: 919268561
diff --git a/google/cloud/networksecurity/v1/BUILD.bazel b/google/cloud/networksecurity/v1/BUILD.bazel
@@ -44,6 +44,7 @@ proto_library(
         "security_profile_group_threatprevention.proto",
         "security_profile_group_urlfiltering.proto",
         "server_tls_policy.proto",
+        "sse_realm.proto",
         "tls.proto",
         "tls_inspection_policy.proto",
         "url_list.proto",
@@ -127,6 +128,8 @@ java_gapic_test(
         "com.google.cloud.networksecurity.v1.NetworkSecurityClientTest",
         "com.google.cloud.networksecurity.v1.OrganizationAddressGroupServiceClientTest",
         "com.google.cloud.networksecurity.v1.OrganizationSecurityProfileGroupServiceClientTest",
+        "com.google.cloud.networksecurity.v1.SSERealmServiceClientTest",
+        "com.google.cloud.networksecurity.v1.SecurityProfileGroupServiceClientTest",
     ],
     runtime_deps = [":networksecurity_java_gapic_test"],
 )
@@ -338,7 +341,7 @@ ruby_grpc_library(
 ruby_cloud_gapic_library(
     name = "networksecurity_ruby_gapic",
     srcs = [":networksecurity_proto_with_info"],
-    extra_protoc_parameters = ["ruby-cloud-gem-name=google-cloud-networksecurity-v1"],
+    extra_protoc_parameters = ["ruby-cloud-gem-name=google-cloud-network_security-v1"],
     grpc_service_config = "networksecurity_v1_grpc_service_config.json",
     rest_numeric_enums = True,
     service_yaml = "networksecurity_v1.yaml",
@@ -373,6 +376,7 @@ load(
 
 csharp_proto_library(
     name = "networksecurity_csharp_proto",
+    extra_opts = [],
     deps = [":networksecurity_proto"],
 )
 
diff --git a/google/cloud/networksecurity/v1/authz_policy.proto b/google/cloud/networksecurity/v1/authz_policy.proto
@@ -43,15 +43,18 @@ message AuthzPolicy {
   // Specifies the set of targets to which this policy should be applied to.
   message Target {
     // Optional. All gateways and forwarding rules referenced by this policy and
-    // extensions must share the same load balancing scheme. Supported values:
+    // extensions must share the same load balancing scheme. Required only when
+    // targeting forwarding rules. If targeting Secure Web Proxy, this field
+    // must be `INTERNAL_MANAGED` or not specified. Must not be specified
+    // when targeting Agent Gateway. Supported values:
     // `INTERNAL_MANAGED` and `EXTERNAL_MANAGED`. For more information, refer
     // to [Backend services
     // overview](https://cloud.google.com/load-balancing/docs/backend-service).
     LoadBalancingScheme load_balancing_scheme = 8
         [(google.api.field_behavior) = OPTIONAL];
 
-    // Required. A list of references to the Forwarding Rules on which this
-    // policy will be applied.
+    // Required. A list of references to the Forwarding Rules, Secure Web Proxy
+    // Gateways, or Agent Gateways on which this policy will be applied.
     repeated string resources = 1 [(google.api.field_behavior) = REQUIRED];
   }
 
@@ -340,6 +343,13 @@ message AuthzPolicy {
         // request will be denied. This field can be set only for AuthzPolicies
         // targeting AgentGateway resources.
         MCP mcp = 5 [(google.api.field_behavior) = OPTIONAL];
+
+        // Optional. A list of SNIs to match against. The match can be one of
+        // exact, prefix, suffix, or contains (substring match). If there is no
+        // SNI (i.e. plaintext HTTP traffic), the request will be denied.
+        // Matches are always case sensitive unless the ignoreCase is set.
+        // Limited to 10 SNIs per Authorization Policy.
+        repeated StringMatch snis = 7 [(google.api.field_behavior) = OPTIONAL];
       }
 
       // Optional. Describes properties of one or more targets of a request. At
@@ -500,6 +510,15 @@ message AuthzPolicy {
   // to 5 rules.
   repeated AuthzRule http_rules = 7 [(google.api.field_behavior) = OPTIONAL];
 
+  // Optional. A list of authorization network rules to match against the
+  // incoming request. A policy match occurs when at least one network rule
+  // matches the request.
+  // At least one network rule is required for Allow or Deny Action if no HTTP
+  // rules are provided. Network rules are mutually exclusive with HTTP rules.
+  // Limited to 5 rules.
+  repeated AuthzRule network_rules = 12
+      [(google.api.field_behavior) = OPTIONAL];
+
   // Required. Can be one of `ALLOW`, `DENY`, `CUSTOM`.
   //
   // When the action is `CUSTOM`, `customProvider` must be specified.
diff --git a/google/cloud/networksecurity/v1/firewall_activation.proto b/google/cloud/networksecurity/v1/firewall_activation.proto
@@ -53,6 +53,15 @@ service FirewallActivation {
     option (google.api.method_signature) = "parent";
   }
 
+  // Lists FirewallEndpoints in a given project and location.
+  rpc ListProjectFirewallEndpoints(ListFirewallEndpointsRequest)
+      returns (ListFirewallEndpointsResponse) {
+    option (google.api.http) = {
+      get: "/v1/{parent=projects/*/locations/*}/firewallEndpoints"
+    };
+    option (google.api.method_signature) = "parent";
+  }
+
   // Gets details of a single org Endpoint.
   rpc GetFirewallEndpoint(GetFirewallEndpointRequest)
       returns (FirewallEndpoint) {
@@ -62,6 +71,15 @@ service FirewallActivation {
     option (google.api.method_signature) = "name";
   }
 
+  // Gets details of a single project Endpoint.
+  rpc GetProjectFirewallEndpoint(GetFirewallEndpointRequest)
+      returns (FirewallEndpoint) {
+    option (google.api.http) = {
+      get: "/v1/{name=projects/*/locations/*/firewallEndpoints/*}"
+    };
+    option (google.api.method_signature) = "name";
+  }
+
   // Creates a new FirewallEndpoint in a given organization and location.
   rpc CreateFirewallEndpoint(CreateFirewallEndpointRequest)
       returns (google.longrunning.Operation) {
@@ -77,6 +95,21 @@ service FirewallActivation {
     };
   }
 
+  // Creates a new FirewallEndpoint in a given project and location.
+  rpc CreateProjectFirewallEndpoint(CreateFirewallEndpointRequest)
+      returns (google.longrunning.Operation) {
+    option (google.api.http) = {
+      post: "/v1/{parent=projects/*/locations/*}/firewallEndpoints"
+      body: "firewall_endpoint"
+    };
+    option (google.api.method_signature) =
+        "parent,firewall_endpoint,firewall_endpoint_id";
+    option (google.longrunning.operation_info) = {
+      response_type: "FirewallEndpoint"
+      metadata_type: "google.cloud.networksecurity.v1.OperationMetadata"
+    };
+  }
+
   // Deletes a single org Endpoint.
   rpc DeleteFirewallEndpoint(DeleteFirewallEndpointRequest)
       returns (google.longrunning.Operation) {
@@ -90,6 +123,19 @@ service FirewallActivation {
     };
   }
 
+  // Deletes a single project Endpoint.
+  rpc DeleteProjectFirewallEndpoint(DeleteFirewallEndpointRequest)
+      returns (google.longrunning.Operation) {
+    option (google.api.http) = {
+      delete: "/v1/{name=projects/*/locations/*/firewallEndpoints/*}"
+    };
+    option (google.api.method_signature) = "name";
+    option (google.longrunning.operation_info) = {
+      response_type: "google.protobuf.Empty"
+      metadata_type: "google.cloud.networksecurity.v1.OperationMetadata"
+    };
+  }
+
   // Update a single org Endpoint.
   rpc UpdateFirewallEndpoint(UpdateFirewallEndpointRequest)
       returns (google.longrunning.Operation) {
@@ -104,6 +150,20 @@ service FirewallActivation {
     };
   }
 
+  // Update a single project Endpoint.
+  rpc UpdateProjectFirewallEndpoint(UpdateFirewallEndpointRequest)
+      returns (google.longrunning.Operation) {
+    option (google.api.http) = {
+      patch: "/v1/{firewall_endpoint.name=projects/*/locations/*/firewallEndpoints/*}"
+      body: "firewall_endpoint"
+    };
+    option (google.api.method_signature) = "firewall_endpoint,update_mask";
+    option (google.longrunning.operation_info) = {
+      response_type: "FirewallEndpoint"
+      metadata_type: "google.cloud.networksecurity.v1.OperationMetadata"
+    };
+  }
+
   // Lists Associations in a given project and location.
   rpc ListFirewallEndpointAssociations(ListFirewallEndpointAssociationsRequest)
       returns (ListFirewallEndpointAssociationsResponse) {
@@ -258,10 +318,10 @@ message FirewallEndpoint {
   // https://google.aip.dev/128.
   bool reconciling = 6 [(google.api.field_behavior) = OUTPUT_ONLY];
 
-  // Output only. List of networks that are associated with this endpoint in the
-  // local zone. This is a projection of the FirewallEndpointAssociations
-  // pointing at this endpoint. A network will only appear in this list after
-  // traffic routing is fully configured. Format:
+  // Output only. Deprecated: List of networks that are associated with this
+  // endpoint in the local zone. This is a projection of the
+  // FirewallEndpointAssociations pointing at this endpoint. A network will only
+  // appear in this list after traffic routing is fully configured. Format:
   // projects/{project}/global/networks/{name}.
   repeated string associated_networks = 7
       [deprecated = true, (google.api.field_behavior) = OUTPUT_ONLY];
diff --git a/google/cloud/networksecurity/v1/networksecurity_v1.yaml b/google/cloud/networksecurity/v1/networksecurity_v1.yaml
@@ -13,6 +13,8 @@ apis:
 - name: google.cloud.networksecurity.v1.NetworkSecurity
 - name: google.cloud.networksecurity.v1.OrganizationAddressGroupService
 - name: google.cloud.networksecurity.v1.OrganizationSecurityProfileGroupService
+- name: google.cloud.networksecurity.v1.SSERealmService
+- name: google.cloud.networksecurity.v1.SecurityProfileGroupService
 - name: google.iam.v1.IAMPolicy
 - name: google.longrunning.Operations
 
@@ -29,9 +31,8 @@ documentation:
       Lists information about the supported locations for this service.
 
       This method lists locations based on the resource scope provided in
-      the [ListLocationsRequest.name] field:
-
-      * **Global locations**: If `name` is empty, the method lists the
+      the [ListLocationsRequest.name][google.cloud.location.ListLocationsRequest.name] field: *
+      **Global locations**: If `name` is empty, the method lists the
       public locations available to all projects. * **Project-specific
       locations**: If `name` follows the format
       `projects/{project}`, the method lists locations visible to that
@@ -76,12 +77,11 @@ http:
   - selector: google.cloud.location.Locations.ListLocations
     get: '/v1/{name=projects/*}/locations'
     additional_bindings:
-    - get: '/v1/{name=organizations/*/locations/*}'
+    - get: '/v1/{name=organizations/*}/locations'
   - selector: google.iam.v1.IAMPolicy.GetIamPolicy
     get: '/v1/{resource=projects/*/locations/*/addressGroups/*}:getIamPolicy'
     additional_bindings:
     - get: '/v1/{resource=projects/*/locations/*/authorizationPolicies/*}:getIamPolicy'
-    - get: '/v1/{resource=organizations/*/locations/*/addressGroups/*}:getIamPolicy'
     - get: '/v1/{resource=projects/*/locations/*/serverTlsPolicies/*}:getIamPolicy'
     - get: '/v1/{resource=projects/*/locations/*/clientTlsPolicies/*}:getIamPolicy'
     - get: '/v1/{resource=projects/*/locations/*/authzPolicies/*}:getIamPolicy'
@@ -91,8 +91,6 @@ http:
     additional_bindings:
     - post: '/v1/{resource=projects/*/locations/*/authorizationPolicies/*}:setIamPolicy'
       body: '*'
-    - post: '/v1/{resource=organizations/*/locations/*/addressGroups/*}:setIamPolicy'
-      body: '*'
     - post: '/v1/{resource=projects/*/locations/*/serverTlsPolicies/*}:setIamPolicy'
       body: '*'
     - post: '/v1/{resource=projects/*/locations/*/clientTlsPolicies/*}:setIamPolicy'
@@ -103,10 +101,10 @@ http:
     post: '/v1/{resource=projects/*/locations/*/addressGroups/*}:testIamPermissions'
     body: '*'
     additional_bindings:
-    - post: '/v1/{resource=projects/*/locations/*/authorizationPolicies/*}:testIamPermissions'
-      body: '*'
     - post: '/v1/{resource=organizations/*/locations/*/addressGroups/*}:testIamPermissions'
       body: '*'
+    - post: '/v1/{resource=projects/*/locations/*/authorizationPolicies/*}:testIamPermissions'
+      body: '*'
     - post: '/v1/{resource=projects/*/locations/*/serverTlsPolicies/*}:testIamPermissions'
       body: '*'
     - post: '/v1/{resource=projects/*/locations/*/clientTlsPolicies/*}:testIamPermissions'
@@ -174,6 +172,14 @@ authentication:
     oauth:
       canonical_scopes: |-
         https://www.googleapis.com/auth/cloud-platform
+  - selector: 'google.cloud.networksecurity.v1.SSERealmService.*'
+    oauth:
+      canonical_scopes: |-
+        https://www.googleapis.com/auth/cloud-platform
+  - selector: 'google.cloud.networksecurity.v1.SecurityProfileGroupService.*'
+    oauth:
+      canonical_scopes: |-
+        https://www.googleapis.com/auth/cloud-platform
   - selector: 'google.iam.v1.IAMPolicy.*'
     oauth:
       canonical_scopes: |-
@@ -190,3 +196,38 @@ publishing:
   github_label: 'api: networksecurity'
   doc_tag_prefix: networksecurity
   organization: CLOUD
+  library_settings:
+  - version: google.cloud.networksecurity.v1
+    launch_stage: GA
+    java_settings:
+      common:
+        destinations:
+        - PACKAGE_MANAGER
+    cpp_settings:
+      common:
+        destinations:
+        - PACKAGE_MANAGER
+    php_settings:
+      common:
+        destinations:
+        - PACKAGE_MANAGER
+    python_settings:
+      common:
+        destinations:
+        - PACKAGE_MANAGER
+    node_settings:
+      common:
+        destinations:
+        - PACKAGE_MANAGER
+    dotnet_settings:
+      common:
+        destinations:
+        - PACKAGE_MANAGER
+    ruby_settings:
+      common:
+        destinations:
+        - PACKAGE_MANAGER
+    go_settings:
+      common:
+        destinations:
+        - PACKAGE_MANAGER
diff --git a/google/cloud/networksecurity/v1/security_profile_group_service.proto b/google/cloud/networksecurity/v1/security_profile_group_service.proto
diff --git a/google/cloud/networksecurity/v1/sse_realm.proto b/google/cloud/networksecurity/v1/sse_realm.proto
