feat: [networksecurity] add networksecurity v1 client library

packages/google-cloud-networksecurity/.eslintignore

@@ -0,0 +1,7 @@
+**/node_modules
+**/.coverage
+build/
+docs/
+protos/
+system-test/
+samples/generated/

packages/google-cloud-networksecurity/.eslintrc.json

@@ -0,0 +1,4 @@
+{
+  "extends": "./node_modules/gts",
+  "root": true
+}

packages/google-cloud-networksecurity/README.md

@@ -74,14 +74,19 @@ Samples are in the [`samples/`][homepage_samples] directory. Each sample's `READ
 | update dns threat detector | [source code](https://github.com/googleapis/google-cloud-node/blob/main/packages/google-cloud-networksecurity/samples/generated/v1/dns_threat_detector_service.update_dns_threat_detector.js) |
 | create firewall endpoint | [source code](https://github.com/googleapis/google-cloud-node/blob/main/packages/google-cloud-networksecurity/samples/generated/v1/firewall_activation.create_firewall_endpoint.js) |
 | create firewall endpoint association | [source code](https://github.com/googleapis/google-cloud-node/blob/main/packages/google-cloud-networksecurity/samples/generated/v1/firewall_activation.create_firewall_endpoint_association.js) |
+| create project firewall endpoint | [source code](https://github.com/googleapis/google-cloud-node/blob/main/packages/google-cloud-networksecurity/samples/generated/v1/firewall_activation.create_project_firewall_endpoint.js) |
 | delete firewall endpoint | [source code](https://github.com/googleapis/google-cloud-node/blob/main/packages/google-cloud-networksecurity/samples/generated/v1/firewall_activation.delete_firewall_endpoint.js) |
 | delete firewall endpoint association | [source code](https://github.com/googleapis/google-cloud-node/blob/main/packages/google-cloud-networksecurity/samples/generated/v1/firewall_activation.delete_firewall_endpoint_association.js) |
+| delete project firewall endpoint | [source code](https://github.com/googleapis/google-cloud-node/blob/main/packages/google-cloud-networksecurity/samples/generated/v1/firewall_activation.delete_project_firewall_endpoint.js) |
 | get firewall endpoint | [source code](https://github.com/googleapis/google-cloud-node/blob/main/packages/google-cloud-networksecurity/samples/generated/v1/firewall_activation.get_firewall_endpoint.js) |
 | get firewall endpoint association | [source code](https://github.com/googleapis/google-cloud-node/blob/main/packages/google-cloud-networksecurity/samples/generated/v1/firewall_activation.get_firewall_endpoint_association.js) |
+| get project firewall endpoint | [source code](https://github.com/googleapis/google-cloud-node/blob/main/packages/google-cloud-networksecurity/samples/generated/v1/firewall_activation.get_project_firewall_endpoint.js) |
 | list firewall endpoint associations | [source code](https://github.com/googleapis/google-cloud-node/blob/main/packages/google-cloud-networksecurity/samples/generated/v1/firewall_activation.list_firewall_endpoint_associations.js) |
 | list firewall endpoints | [source code](https://github.com/googleapis/google-cloud-node/blob/main/packages/google-cloud-networksecurity/samples/generated/v1/firewall_activation.list_firewall_endpoints.js) |
+| list project firewall endpoints | [source code](https://github.com/googleapis/google-cloud-node/blob/main/packages/google-cloud-networksecurity/samples/generated/v1/firewall_activation.list_project_firewall_endpoints.js) |
 | update firewall endpoint | [source code](https://github.com/googleapis/google-cloud-node/blob/main/packages/google-cloud-networksecurity/samples/generated/v1/firewall_activation.update_firewall_endpoint.js) |
 | update firewall endpoint association | [source code](https://github.com/googleapis/google-cloud-node/blob/main/packages/google-cloud-networksecurity/samples/generated/v1/firewall_activation.update_firewall_endpoint_association.js) |
+| update project firewall endpoint | [source code](https://github.com/googleapis/google-cloud-node/blob/main/packages/google-cloud-networksecurity/samples/generated/v1/firewall_activation.update_project_firewall_endpoint.js) |
 | create intercept deployment | [source code](https://github.com/googleapis/google-cloud-node/blob/main/packages/google-cloud-networksecurity/samples/generated/v1/intercept.create_intercept_deployment.js) |
 | create intercept deployment group | [source code](https://github.com/googleapis/google-cloud-node/blob/main/packages/google-cloud-networksecurity/samples/generated/v1/intercept.create_intercept_deployment_group.js) |
 | create intercept endpoint group | [source code](https://github.com/googleapis/google-cloud-node/blob/main/packages/google-cloud-networksecurity/samples/generated/v1/intercept.create_intercept_endpoint_group.js) |
@@ -186,6 +191,24 @@ Samples are in the [`samples/`][homepage_samples] directory. Each sample's `READ
 | list security profiles | [source code](https://github.com/googleapis/google-cloud-node/blob/main/packages/google-cloud-networksecurity/samples/generated/v1/organization_security_profile_group_service.list_security_profiles.js) |
 | update security profile | [source code](https://github.com/googleapis/google-cloud-node/blob/main/packages/google-cloud-networksecurity/samples/generated/v1/organization_security_profile_group_service.update_security_profile.js) |
 | update security profile group | [source code](https://github.com/googleapis/google-cloud-node/blob/main/packages/google-cloud-networksecurity/samples/generated/v1/organization_security_profile_group_service.update_security_profile_group.js) |
+| create s a c attachment | [source code](https://github.com/googleapis/google-cloud-node/blob/main/packages/google-cloud-networksecurity/samples/generated/v1/s_s_e_realm_service.create_s_a_c_attachment.js) |
+| create s a c realm | [source code](https://github.com/googleapis/google-cloud-node/blob/main/packages/google-cloud-networksecurity/samples/generated/v1/s_s_e_realm_service.create_s_a_c_realm.js) |
+| delete s a c attachment | [source code](https://github.com/googleapis/google-cloud-node/blob/main/packages/google-cloud-networksecurity/samples/generated/v1/s_s_e_realm_service.delete_s_a_c_attachment.js) |
+| delete s a c realm | [source code](https://github.com/googleapis/google-cloud-node/blob/main/packages/google-cloud-networksecurity/samples/generated/v1/s_s_e_realm_service.delete_s_a_c_realm.js) |
+| get s a c attachment | [source code](https://github.com/googleapis/google-cloud-node/blob/main/packages/google-cloud-networksecurity/samples/generated/v1/s_s_e_realm_service.get_s_a_c_attachment.js) |
+| get s a c realm | [source code](https://github.com/googleapis/google-cloud-node/blob/main/packages/google-cloud-networksecurity/samples/generated/v1/s_s_e_realm_service.get_s_a_c_realm.js) |
+| list s a c attachments | [source code](https://github.com/googleapis/google-cloud-node/blob/main/packages/google-cloud-networksecurity/samples/generated/v1/s_s_e_realm_service.list_s_a_c_attachments.js) |
+| list s a c realms | [source code](https://github.com/googleapis/google-cloud-node/blob/main/packages/google-cloud-networksecurity/samples/generated/v1/s_s_e_realm_service.list_s_a_c_realms.js) |
+| create security profile | [source code](https://github.com/googleapis/google-cloud-node/blob/main/packages/google-cloud-networksecurity/samples/generated/v1/security_profile_group_service.create_security_profile.js) |
+| create security profile group | [source code](https://github.com/googleapis/google-cloud-node/blob/main/packages/google-cloud-networksecurity/samples/generated/v1/security_profile_group_service.create_security_profile_group.js) |
+| delete security profile | [source code](https://github.com/googleapis/google-cloud-node/blob/main/packages/google-cloud-networksecurity/samples/generated/v1/security_profile_group_service.delete_security_profile.js) |
+| delete security profile group | [source code](https://github.com/googleapis/google-cloud-node/blob/main/packages/google-cloud-networksecurity/samples/generated/v1/security_profile_group_service.delete_security_profile_group.js) |
+| get security profile | [source code](https://github.com/googleapis/google-cloud-node/blob/main/packages/google-cloud-networksecurity/samples/generated/v1/security_profile_group_service.get_security_profile.js) |
+| get security profile group | [source code](https://github.com/googleapis/google-cloud-node/blob/main/packages/google-cloud-networksecurity/samples/generated/v1/security_profile_group_service.get_security_profile_group.js) |
+| list security profile groups | [source code](https://github.com/googleapis/google-cloud-node/blob/main/packages/google-cloud-networksecurity/samples/generated/v1/security_profile_group_service.list_security_profile_groups.js) |
+| list security profiles | [source code](https://github.com/googleapis/google-cloud-node/blob/main/packages/google-cloud-networksecurity/samples/generated/v1/security_profile_group_service.list_security_profiles.js) |
+| update security profile | [source code](https://github.com/googleapis/google-cloud-node/blob/main/packages/google-cloud-networksecurity/samples/generated/v1/security_profile_group_service.update_security_profile.js) |
+| update security profile group | [source code](https://github.com/googleapis/google-cloud-node/blob/main/packages/google-cloud-networksecurity/samples/generated/v1/security_profile_group_service.update_security_profile_group.js) |
 | cloud | [source code](https://github.com/googleapis/google-cloud-node/blob/main/packages/google-cloud-networksecurity/samples/generated/v1/snippet_metadata_google.cloud.networksecurity.v1.json) |
 | create dns threat detector | [source code](https://github.com/googleapis/google-cloud-node/blob/main/packages/google-cloud-networksecurity/samples/generated/v1alpha1/dns_threat_detector_service.create_dns_threat_detector.js) |
 | delete dns threat detector | [source code](https://github.com/googleapis/google-cloud-node/blob/main/packages/google-cloud-networksecurity/samples/generated/v1alpha1/dns_threat_detector_service.delete_dns_threat_detector.js) |
@@ -371,7 +394,7 @@ More Information: [Google Cloud Platform Launch Stages][launch_stages]
 
 ## Contributing
 
-Contributions welcome! See the [Contributing Guide](https://github.com/googleapis/google-cloud-node/blob/main/packages/google-cloud-networksecurity/CONTRIBUTING.md).
+Contributions welcome! See the [Contributing Guide](https://github.com/googleapis/google-cloud-node/blob/main/CONTRIBUTING.md).
 
 Please note that this `README.md`
 and a variety of configuration files in this repository (including `.nycrc` and `tsconfig.json`)
@@ -381,7 +404,7 @@ are generated from a central template.
 
 Apache Version 2.0
 
-See [LICENSE](https://github.com/googleapis/google-cloud-node/blob/main/packages/google-cloud-networksecurity/LICENSE)
+See [LICENSE](https://github.com/googleapis/google-cloud-node/blob/main/LICENSE)
 
 [shell_img]: https://gstatic.com/cloudssh/images/open-btn.png
 [projects]: https://console.cloud.google.com/project

packages/google-cloud-networksecurity/protos/google/cloud/networksecurity/v1/authz_policy.proto

@@ -43,15 +43,18 @@ message AuthzPolicy {
   // Specifies the set of targets to which this policy should be applied to.
   message Target {
     // Optional. All gateways and forwarding rules referenced by this policy and
-    // extensions must share the same load balancing scheme. Supported values:
+    // extensions must share the same load balancing scheme. Required only when
+    // targeting forwarding rules. If targeting Secure Web Proxy, this field
+    // must be `INTERNAL_MANAGED` or not specified. Must not be specified
+    // when targeting Agent Gateway. Supported values:
     // `INTERNAL_MANAGED` and `EXTERNAL_MANAGED`. For more information, refer
     // to [Backend services
     // overview](https://cloud.google.com/load-balancing/docs/backend-service).
     LoadBalancingScheme load_balancing_scheme = 8
         [(google.api.field_behavior) = OPTIONAL];
 
-    // Required. A list of references to the Forwarding Rules on which this
-    // policy will be applied.
+    // Required. A list of references to the Forwarding Rules, Secure Web Proxy
+    // Gateways, or Agent Gateways on which this policy will be applied.
     repeated string resources = 1 [(google.api.field_behavior) = REQUIRED];
   }
 
@@ -340,6 +343,13 @@ message AuthzPolicy {
         // request will be denied. This field can be set only for AuthzPolicies
         // targeting AgentGateway resources.
         MCP mcp = 5 [(google.api.field_behavior) = OPTIONAL];
+
+        // Optional. A list of SNIs to match against. The match can be one of
+        // exact, prefix, suffix, or contains (substring match). If there is no
+        // SNI (i.e. plaintext HTTP traffic), the request will be denied.
+        // Matches are always case sensitive unless the ignoreCase is set.
+        // Limited to 10 SNIs per Authorization Policy.
+        repeated StringMatch snis = 7 [(google.api.field_behavior) = OPTIONAL];
       }
 
       // Optional. Describes properties of one or more targets of a request. At
@@ -500,6 +510,15 @@ message AuthzPolicy {
   // to 5 rules.
   repeated AuthzRule http_rules = 7 [(google.api.field_behavior) = OPTIONAL];
 
+  // Optional. A list of authorization network rules to match against the
+  // incoming request. A policy match occurs when at least one network rule
+  // matches the request.
+  // At least one network rule is required for Allow or Deny Action if no HTTP
+  // rules are provided. Network rules are mutually exclusive with HTTP rules.
+  // Limited to 5 rules.
+  repeated AuthzRule network_rules = 12
+      [(google.api.field_behavior) = OPTIONAL];
+
   // Required. Can be one of `ALLOW`, `DENY`, `CUSTOM`.
   //
   // When the action is `CUSTOM`, `customProvider` must be specified.

packages/google-cloud-networksecurity/protos/google/cloud/networksecurity/v1/firewall_activation.proto

@@ -53,6 +53,15 @@ service FirewallActivation {
     option (google.api.method_signature) = "parent";
   }
 
+  // Lists FirewallEndpoints in a given project and location.
+  rpc ListProjectFirewallEndpoints(ListFirewallEndpointsRequest)
+      returns (ListFirewallEndpointsResponse) {
+    option (google.api.http) = {
+      get: "/v1/{parent=projects/*/locations/*}/firewallEndpoints"
+    };
+    option (google.api.method_signature) = "parent";
+  }
+
   // Gets details of a single org Endpoint.
   rpc GetFirewallEndpoint(GetFirewallEndpointRequest)
       returns (FirewallEndpoint) {
@@ -62,6 +71,15 @@ service FirewallActivation {
     option (google.api.method_signature) = "name";
   }
 
+  // Gets details of a single project Endpoint.
+  rpc GetProjectFirewallEndpoint(GetFirewallEndpointRequest)
+      returns (FirewallEndpoint) {
+    option (google.api.http) = {
+      get: "/v1/{name=projects/*/locations/*/firewallEndpoints/*}"
+    };
+    option (google.api.method_signature) = "name";
+  }
+
   // Creates a new FirewallEndpoint in a given organization and location.
   rpc CreateFirewallEndpoint(CreateFirewallEndpointRequest)
       returns (google.longrunning.Operation) {
@@ -77,6 +95,21 @@ service FirewallActivation {
     };
   }
 
+  // Creates a new FirewallEndpoint in a given project and location.
+  rpc CreateProjectFirewallEndpoint(CreateFirewallEndpointRequest)
+      returns (google.longrunning.Operation) {
+    option (google.api.http) = {
+      post: "/v1/{parent=projects/*/locations/*}/firewallEndpoints"
+      body: "firewall_endpoint"
+    };
+    option (google.api.method_signature) =
+        "parent,firewall_endpoint,firewall_endpoint_id";
+    option (google.longrunning.operation_info) = {
+      response_type: "FirewallEndpoint"
+      metadata_type: "google.cloud.networksecurity.v1.OperationMetadata"
+    };
+  }
+
   // Deletes a single org Endpoint.
   rpc DeleteFirewallEndpoint(DeleteFirewallEndpointRequest)
       returns (google.longrunning.Operation) {
@@ -90,6 +123,19 @@ service FirewallActivation {
     };
   }
 
+  // Deletes a single project Endpoint.
+  rpc DeleteProjectFirewallEndpoint(DeleteFirewallEndpointRequest)
+      returns (google.longrunning.Operation) {
+    option (google.api.http) = {
+      delete: "/v1/{name=projects/*/locations/*/firewallEndpoints/*}"
+    };
+    option (google.api.method_signature) = "name";
+    option (google.longrunning.operation_info) = {
+      response_type: "google.protobuf.Empty"
+      metadata_type: "google.cloud.networksecurity.v1.OperationMetadata"
+    };
+  }
+
   // Update a single org Endpoint.
   rpc UpdateFirewallEndpoint(UpdateFirewallEndpointRequest)
       returns (google.longrunning.Operation) {
@@ -104,6 +150,20 @@ service FirewallActivation {
     };
   }
 
+  // Update a single project Endpoint.
+  rpc UpdateProjectFirewallEndpoint(UpdateFirewallEndpointRequest)
+      returns (google.longrunning.Operation) {
+    option (google.api.http) = {
+      patch: "/v1/{firewall_endpoint.name=projects/*/locations/*/firewallEndpoints/*}"
+      body: "firewall_endpoint"
+    };
+    option (google.api.method_signature) = "firewall_endpoint,update_mask";
+    option (google.longrunning.operation_info) = {
+      response_type: "FirewallEndpoint"
+      metadata_type: "google.cloud.networksecurity.v1.OperationMetadata"
+    };
+  }
+
   // Lists Associations in a given project and location.
   rpc ListFirewallEndpointAssociations(ListFirewallEndpointAssociationsRequest)
       returns (ListFirewallEndpointAssociationsResponse) {
@@ -258,10 +318,10 @@ message FirewallEndpoint {
   // https://google.aip.dev/128.
   bool reconciling = 6 [(google.api.field_behavior) = OUTPUT_ONLY];
 
-  // Output only. List of networks that are associated with this endpoint in the
-  // local zone. This is a projection of the FirewallEndpointAssociations
-  // pointing at this endpoint. A network will only appear in this list after
-  // traffic routing is fully configured. Format:
+  // Output only. Deprecated: List of networks that are associated with this
+  // endpoint in the local zone. This is a projection of the
+  // FirewallEndpointAssociations pointing at this endpoint. A network will only
+  // appear in this list after traffic routing is fully configured. Format:
   // projects/{project}/global/networks/{name}.
   repeated string associated_networks = 7
       [deprecated = true, (google.api.field_behavior) = OUTPUT_ONLY];