fix!: updating metadata messages for all long running operations

Google APIs · copybara-github · commit 060a1d361094 · 2022-01-05T16:00:15.000-08:00
This change might be breaking for client libraries in some languages.

PiperOrigin-RevId: 419931787
diff --git a/google/cloud/networksecurity/v1beta1/authorization_policy.proto b/google/cloud/networksecurity/v1beta1/authorization_policy.proto
@@ -22,10 +22,11 @@ import "google/protobuf/field_mask.proto";
 import "google/protobuf/timestamp.proto";
 import "google/api/annotations.proto";
 
+option csharp_namespace = "Google.Cloud.NetworkSecurity.V1Beta1";
 option go_package = "google.golang.org/genproto/googleapis/cloud/networksecurity/v1beta1;networksecurity";
 option java_multiple_files = true;
+option java_outer_classname = "AuthorizationPolicyProto";
 option java_package = "com.google.cloud.networksecurity.v1beta1";
-option csharp_namespace = "Google.Cloud.NetworkSecurity.V1Beta1";
 option php_namespace = "Google\\Cloud\\NetworkSecurity\\V1beta1";
 option ruby_package = "Google::Cloud::NetworkSecurity::V1beta1";
 
@@ -46,12 +47,16 @@ message AuthorizationPolicy {
       // Optional. List of peer identities to match for authorization. At least one
       // principal should match. Each peer can be an exact match, or a prefix
       // match (example, "namespace/*") or a suffix match (example, //
-      // */service-account") or a presence match "*".
+      // */service-account") or a presence match "*". Authorization based on the
+      // principal name without certificate validation (configured by
+      // ServerTlsPolicy resource) is considered insecure.
       repeated string principals = 1 [(google.api.field_behavior) = OPTIONAL];
 
       // Optional. List of CIDR ranges to match based on source IP address. At least one
       // IP block should match. Single IP (e.g., "1.2.3.4") and CIDR (e.g.,
-      // "1.2.3.0/24") are supported.
+      // "1.2.3.0/24") are supported. Authorization based on source IP alone
+      // should be avoided. The IP addresses of any load balancers or proxies
+      // should be considered untrusted.
       repeated string ip_blocks = 2 [(google.api.field_behavior) = OPTIONAL];
     }
 
@@ -77,7 +82,7 @@ message AuthorizationPolicy {
         string header_name = 1 [(google.api.field_behavior) = REQUIRED];
       }
 
-      // Required. List of host names to match. Matched against HOST header in
+      // Required. List of host names to match. Matched against the ":authority" header in
       // http requests. At least one host should match. Each host can be an
       // exact match, or a prefix match (example "mydomain.*") or a suffix
       // match (example // *.myorg.com") or a presence(any) match "*".
@@ -90,9 +95,11 @@ message AuthorizationPolicy {
       // match. Should not be set for gRPC services.
       repeated string methods = 4 [(google.api.field_behavior) = OPTIONAL];
 
-      // Optional. Match against key:value pair in http header. Provides a
-      // flexible match based on HTTP headers, for potentially
-      // advanced use cases. At least one header should match.
+      // Optional. Match against key:value pair in http header. Provides a flexible match
+      // based on HTTP headers, for potentially advanced use cases. At least one
+      // header should match. Avoid using header matches to make authorization
+      // decisions unless there is a strong guarantee that requests arrive
+      // through a trusted client or proxy.
       HttpHeaderMatch http_header_match = 5 [(google.api.field_behavior) = OPTIONAL];
     }
 
@@ -119,6 +126,8 @@ message AuthorizationPolicy {
     ALLOW = 1;
 
     // Deny access.
+    // Deny rules should be avoided unless they are used to provide a default
+    // "deny all" fallback.
     DENY = 2;
   }
 
diff --git a/google/cloud/networksecurity/v1beta1/client_tls_policy.proto b/google/cloud/networksecurity/v1beta1/client_tls_policy.proto
@@ -23,10 +23,11 @@ import "google/protobuf/field_mask.proto";
 import "google/protobuf/timestamp.proto";
 import "google/api/annotations.proto";
 
+option csharp_namespace = "Google.Cloud.NetworkSecurity.V1Beta1";
 option go_package = "google.golang.org/genproto/googleapis/cloud/networksecurity/v1beta1;networksecurity";
 option java_multiple_files = true;
+option java_outer_classname = "ClientTlsPolicyProto";
 option java_package = "com.google.cloud.networksecurity.v1beta1";
-option csharp_namespace = "Google.Cloud.NetworkSecurity.V1Beta1";
 option php_namespace = "Google\\Cloud\\NetworkSecurity\\V1beta1";
 option ruby_package = "Google::Cloud::NetworkSecurity::V1beta1";
 
diff --git a/google/cloud/networksecurity/v1beta1/common.proto b/google/cloud/networksecurity/v1beta1/common.proto
@@ -20,10 +20,11 @@ import "google/api/field_behavior.proto";
 import "google/protobuf/timestamp.proto";
 import "google/api/annotations.proto";
 
+option csharp_namespace = "Google.Cloud.NetworkSecurity.V1Beta1";
 option go_package = "google.golang.org/genproto/googleapis/cloud/networksecurity/v1beta1;networksecurity";
 option java_multiple_files = true;
+option java_outer_classname = "CommonProto";
 option java_package = "com.google.cloud.networksecurity.v1beta1";
-option csharp_namespace = "Google.Cloud.NetworkSecurity.V1Beta1";
 option php_namespace = "Google\\Cloud\\NetworkSecurity\\V1beta1";
 option ruby_package = "Google::Cloud::NetworkSecurity::V1beta1";
 
diff --git a/google/cloud/networksecurity/v1beta1/network_security.proto b/google/cloud/networksecurity/v1beta1/network_security.proto
@@ -23,13 +23,16 @@ import "google/cloud/networksecurity/v1beta1/client_tls_policy.proto";
 import "google/cloud/networksecurity/v1beta1/server_tls_policy.proto";
 import "google/longrunning/operations.proto";
 
+option csharp_namespace = "Google.Cloud.NetworkSecurity.V1Beta1";
 option go_package = "google.golang.org/genproto/googleapis/cloud/networksecurity/v1beta1;networksecurity";
 option java_multiple_files = true;
 option java_package = "com.google.cloud.networksecurity.v1beta1";
-option csharp_namespace = "Google.Cloud.NetworkSecurity.V1Beta1";
 option php_namespace = "Google\\Cloud\\NetworkSecurity\\V1beta1";
 option ruby_package = "Google::Cloud::NetworkSecurity::V1beta1";
 
+// Network Security API provides resources to configure authentication and
+// authorization policies. Refer to per API resource documentation for more
+// information.
 service NetworkSecurity {
   option (google.api.default_host) = "networksecurity.googleapis.com";
   option (google.api.oauth_scopes) = "https://www.googleapis.com/auth/cloud-platform";
@@ -59,7 +62,7 @@ service NetworkSecurity {
     option (google.api.method_signature) = "parent,authorization_policy,authorization_policy_id";
     option (google.longrunning.operation_info) = {
       response_type: "AuthorizationPolicy"
-      metadata_type: "OperationMetadata"
+      metadata_type: "google.cloud.networksecurity.v1beta1.OperationMetadata"
     };
   }
 
@@ -72,7 +75,7 @@ service NetworkSecurity {
     option (google.api.method_signature) = "authorization_policy,update_mask";
     option (google.longrunning.operation_info) = {
       response_type: "AuthorizationPolicy"
-      metadata_type: "OperationMetadata"
+      metadata_type: "google.cloud.networksecurity.v1beta1.OperationMetadata"
     };
   }
 
@@ -84,7 +87,7 @@ service NetworkSecurity {
     option (google.api.method_signature) = "name";
     option (google.longrunning.operation_info) = {
       response_type: "google.protobuf.Empty"
-      metadata_type: "OperationMetadata"
+      metadata_type: "google.cloud.networksecurity.v1beta1.OperationMetadata"
     };
   }
 
@@ -113,7 +116,7 @@ service NetworkSecurity {
     option (google.api.method_signature) = "parent,server_tls_policy,server_tls_policy_id";
     option (google.longrunning.operation_info) = {
       response_type: "ServerTlsPolicy"
-      metadata_type: "OperationMetadata"
+      metadata_type: "google.cloud.networksecurity.v1beta1.OperationMetadata"
     };
   }
 
@@ -126,7 +129,7 @@ service NetworkSecurity {
     option (google.api.method_signature) = "server_tls_policy,update_mask";
     option (google.longrunning.operation_info) = {
       response_type: "ServerTlsPolicy"
-      metadata_type: "OperationMetadata"
+      metadata_type: "google.cloud.networksecurity.v1beta1.OperationMetadata"
     };
   }
 
@@ -138,7 +141,7 @@ service NetworkSecurity {
     option (google.api.method_signature) = "name";
     option (google.longrunning.operation_info) = {
       response_type: "google.protobuf.Empty"
-      metadata_type: "OperationMetadata"
+      metadata_type: "google.cloud.networksecurity.v1beta1.OperationMetadata"
     };
   }
 
@@ -167,7 +170,7 @@ service NetworkSecurity {
     option (google.api.method_signature) = "parent,client_tls_policy,client_tls_policy_id";
     option (google.longrunning.operation_info) = {
       response_type: "ClientTlsPolicy"
-      metadata_type: "OperationMetadata"
+      metadata_type: "google.cloud.networksecurity.v1beta1.OperationMetadata"
     };
   }
 
@@ -180,7 +183,7 @@ service NetworkSecurity {
     option (google.api.method_signature) = "client_tls_policy,update_mask";
     option (google.longrunning.operation_info) = {
       response_type: "ClientTlsPolicy"
-      metadata_type: "OperationMetadata"
+      metadata_type: "google.cloud.networksecurity.v1beta1.OperationMetadata"
     };
   }
 
@@ -192,7 +195,7 @@ service NetworkSecurity {
     option (google.api.method_signature) = "name";
     option (google.longrunning.operation_info) = {
       response_type: "google.protobuf.Empty"
-      metadata_type: "OperationMetadata"
+      metadata_type: "google.cloud.networksecurity.v1beta1.OperationMetadata"
     };
   }
 }
diff --git a/google/cloud/networksecurity/v1beta1/server_tls_policy.proto b/google/cloud/networksecurity/v1beta1/server_tls_policy.proto
@@ -23,16 +23,18 @@ import "google/protobuf/field_mask.proto";
 import "google/protobuf/timestamp.proto";
 import "google/api/annotations.proto";
 
+option csharp_namespace = "Google.Cloud.NetworkSecurity.V1Beta1";
 option go_package = "google.golang.org/genproto/googleapis/cloud/networksecurity/v1beta1;networksecurity";
 option java_multiple_files = true;
+option java_outer_classname = "ServerTlsPolicyProto";
 option java_package = "com.google.cloud.networksecurity.v1beta1";
-option csharp_namespace = "Google.Cloud.NetworkSecurity.V1Beta1";
 option php_namespace = "Google\\Cloud\\NetworkSecurity\\V1beta1";
 option ruby_package = "Google::Cloud::NetworkSecurity::V1beta1";
 
 // ServerTlsPolicy is a resource that specifies how a server should authenticate
 // incoming requests. This resource itself does not affect configuration unless
 // it is attached to a target https proxy or endpoint config selector resource.
+//
 message ServerTlsPolicy {
   option (google.api.resource) = {
     type: "networksecurity.googleapis.com/ServerTlsPolicy"
@@ -41,45 +43,50 @@ message ServerTlsPolicy {
 
   // Specification of the MTLSPolicy.
   message MTLSPolicy {
-    // Required. Defines the mechanism to obtain the Certificate Authority certificate to
+    //
+    // Defines the mechanism to obtain the Certificate Authority certificate to
     // validate the client certificate.
-    repeated ValidationCA client_validation_ca = 1 [(google.api.field_behavior) = REQUIRED];
+    repeated ValidationCA client_validation_ca = 1;
   }
 
   // Required. Name of the ServerTlsPolicy resource. It matches the pattern
   // `projects/*/locations/{location}/serverTlsPolicies/{server_tls_policy}`
   string name = 1 [(google.api.field_behavior) = REQUIRED];
 
-  // Optional. Free-text description of the resource.
-  string description = 2 [(google.api.field_behavior) = OPTIONAL];
+  // Free-text description of the resource.
+  string description = 2;
 
   // Output only. The timestamp when the resource was created.
   google.protobuf.Timestamp create_time = 3 [(google.api.field_behavior) = OUTPUT_ONLY];
 
   // Output only. The timestamp when the resource was updated.
   google.protobuf.Timestamp update_time = 4 [(google.api.field_behavior) = OUTPUT_ONLY];
 
-  // Optional. Set of label tags associated with the resource.
-  map<string, string> labels = 5 [(google.api.field_behavior) = OPTIONAL];
+  // Set of label tags associated with the resource.
+  map<string, string> labels = 5;
 
-  // Optional. Determines if server allows plaintext connections. If set to true, server
+  //
+  // Determines if server allows plaintext connections. If set to true, server
   // allows plain text connections. By default, it is set to false. This setting
-  // is not exclusive of other encryption modes. For example, if allow_open and
-  // mtls_policy are set, server allows both plain text and mTLS connections.
-  // See documentation of other encryption modes to confirm compatibility.
-  bool allow_open = 6 [(google.api.field_behavior) = OPTIONAL];
-
-  // Optional. Defines a mechanism to provision server identity (public and private keys).
-  // Cannot be combined with allow_open as a permissive mode that allows both
+  // is not exclusive of other encryption modes. For example, if `allow_open`
+  // and `mtls_policy` are set, server allows both plain text and mTLS
+  // connections. See documentation of other encryption modes to confirm
+  // compatibility.
+  bool allow_open = 6;
+
+  //
+  // Defines a mechanism to provision server identity (public and private keys).
+  // Cannot be combined with `allow_open` as a permissive mode that allows both
   // plain text and TLS is not supported.
-  CertificateProvider server_certificate = 7 [(google.api.field_behavior) = OPTIONAL];
+  CertificateProvider server_certificate = 7;
 
-  // Optional. Defines a mechanism to provision peer validation certificates for peer to
+  //
+  // Defines a mechanism to provision peer validation certificates for peer to
   // peer authentication (Mutual TLS - mTLS). If not specified, client
   // certificate will not be requested. The connection is treated as TLS and not
-  // mTLS. If allow_open and mtls_policy are set, server allows both plain text
-  // and mTLS connections.
-  MTLSPolicy mtls_policy = 8 [(google.api.field_behavior) = OPTIONAL];
+  // mTLS. If `allow_open` and `mtls_policy` are set, server allows both plain
+  // text and mTLS connections.
+  MTLSPolicy mtls_policy = 8;
 }
 
 // Request used by the ListServerTlsPolicies method.
diff --git a/google/cloud/networksecurity/v1beta1/tls.proto b/google/cloud/networksecurity/v1beta1/tls.proto
@@ -19,10 +19,11 @@ package google.cloud.networksecurity.v1beta1;
 import "google/api/field_behavior.proto";
 import "google/api/annotations.proto";
 
+option csharp_namespace = "Google.Cloud.NetworkSecurity.V1Beta1";
 option go_package = "google.golang.org/genproto/googleapis/cloud/networksecurity/v1beta1;networksecurity";
 option java_multiple_files = true;
+option java_outer_classname = "TlsProto";
 option java_package = "com.google.cloud.networksecurity.v1beta1";
-option csharp_namespace = "Google.Cloud.NetworkSecurity.V1Beta1";
 option php_namespace = "Google\\Cloud\\NetworkSecurity\\V1beta1";
 option ruby_package = "Google::Cloud::NetworkSecurity::V1beta1";
 
