googleapis · parthea · Jan 9, 2022 · Jan 6, 2022 · Jan 6, 2022 · Jan 9, 2022
diff --git a/google/cloud/network_security_v1beta1/services/network_security/async_client.py b/google/cloud/network_security_v1beta1/services/network_security/async_client.py
@@ -57,7 +57,10 @@
 
 
 class NetworkSecurityAsyncClient:
-    """"""
+    """Network Security API provides resources to configure
+    authentication and authorization policies. Refer to per API
+    resource documentation for more information.
+    """
 
     _client: NetworkSecurityClient
 

diff --git a/google/cloud/network_security_v1beta1/services/network_security/client.py b/google/cloud/network_security_v1beta1/services/network_security/client.py
@@ -93,7 +93,10 @@ def get_transport_class(cls, label: str = None,) -> Type[NetworkSecurityTranspor
 
 
 class NetworkSecurityClient(metaclass=NetworkSecurityClientMeta):
-    """"""
+    """Network Security API provides resources to configure
+    authentication and authorization policies. Refer to per API
+    resource documentation for more information.
+    """
 
     @staticmethod
     def _get_default_mtls_endpoint(api_endpoint):

diff --git a/google/cloud/network_security_v1beta1/services/network_security/transports/grpc.py b/google/cloud/network_security_v1beta1/services/network_security/transports/grpc.py
@@ -44,6 +44,10 @@
 class NetworkSecurityGrpcTransport(NetworkSecurityTransport):
     """gRPC backend transport for NetworkSecurity.
 
+    Network Security API provides resources to configure
+    authentication and authorization policies. Refer to per API
+    resource documentation for more information.
+
     This class defines the same methods as the primary client, so the
     primary client can load the underlying transport implementation
     and call it.

diff --git a/google/cloud/network_security_v1beta1/services/network_security/transports/grpc_asyncio.py b/google/cloud/network_security_v1beta1/services/network_security/transports/grpc_asyncio.py
@@ -45,6 +45,10 @@
 class NetworkSecurityGrpcAsyncIOTransport(NetworkSecurityTransport):
     """gRPC AsyncIO backend transport for NetworkSecurity.
 
+    Network Security API provides resources to configure
+    authentication and authorization policies. Refer to per API
+    resource documentation for more information.
+
     This class defines the same methods as the primary client, so the
     primary client can load the underlying transport implementation
     and call it.

diff --git a/google/cloud/network_security_v1beta1/types/authorization_policy.py b/google/cloud/network_security_v1beta1/types/authorization_policy.py
@@ -104,12 +104,18 @@ class Source(proto.Message):
                     authorization. At least one principal should match. Each
                     peer can be an exact match, or a prefix match (example,
                     "namespace/*") or a suffix match (example, //
-                    */service-account") or a presence match "*".
+                    */service-account") or a presence match "*". Authorization
+                    based on the principal name without certificate validation
+                    (configured by ServerTlsPolicy resource) is considered
+                    insecure.
                 ip_blocks (Sequence[str]):
                     Optional. List of CIDR ranges to match based
                     on source IP address. At least one IP block
                     should match. Single IP (e.g., "1.2.3.4") and
                     CIDR (e.g., "1.2.3.0/24") are supported.
+                    Authorization based on source IP alone should be
+                    avoided. The IP addresses of any load balancers
+                    or proxies should be considered untrusted.
             """
 
             principals = proto.RepeatedField(proto.STRING, number=1,)
@@ -120,11 +126,11 @@ class Destination(proto.Message):
 
             Attributes:
                 hosts (Sequence[str]):
-                    Required. List of host names to match. Matched against HOST
-                    header in http requests. At least one host should match.
-                    Each host can be an exact match, or a prefix match (example
-                    "mydomain.*") or a suffix match (example // *.myorg.com") or
-                    a presence(any) match "*".
+                    Required. List of host names to match. Matched against the
+                    ":authority" header in http requests. At least one host
+                    should match. Each host can be an exact match, or a prefix
+                    match (example "mydomain.*") or a suffix match (example //
+                    *.myorg.com") or a presence(any) match "*".
                 ports (Sequence[int]):
                     Required. List of destination ports to match.
                     At least one port should match.
@@ -136,7 +142,11 @@ class Destination(proto.Message):
                     Optional. Match against key:value pair in
                     http header. Provides a flexible match based on
                     HTTP headers, for potentially advanced use
-                    cases. At least one header should match.
+                    cases. At least one header should match. Avoid
+                    using header matches to make authorization
+                    decisions unless there is a strong guarantee
+                    that requests arrive through a trusted client or
+                    proxy.
             """
 
             class HttpHeaderMatch(proto.Message):

diff --git a/google/cloud/network_security_v1beta1/types/server_tls_policy.py b/google/cloud/network_security_v1beta1/types/server_tls_policy.py
@@ -46,45 +46,44 @@ class ServerTlsPolicy(proto.Message):
             the pattern
             ``projects/*/locations/{location}/serverTlsPolicies/{server_tls_policy}``
         description (str):
-            Optional. Free-text description of the
-            resource.
+            Free-text description of the resource.
         create_time (google.protobuf.timestamp_pb2.Timestamp):
             Output only. The timestamp when the resource
             was created.
         update_time (google.protobuf.timestamp_pb2.Timestamp):
             Output only. The timestamp when the resource
             was updated.
         labels (Sequence[google.cloud.network_security_v1beta1.types.ServerTlsPolicy.LabelsEntry]):
-            Optional. Set of label tags associated with
-            the resource.
+            Set of label tags associated with the
+            resource.
         allow_open (bool):
-            Optional. Determines if server allows plaintext connections.
-            If set to true, server allows plain text connections. By
-            default, it is set to false. This setting is not exclusive
-            of other encryption modes. For example, if allow_open and
-            mtls_policy are set, server allows both plain text and mTLS
-            connections. See documentation of other encryption modes to
-            confirm compatibility.
+            Determines if server allows plaintext connections. If set to
+            true, server allows plain text connections. By default, it
+            is set to false. This setting is not exclusive of other
+            encryption modes. For example, if ``allow_open`` and
+            ``mtls_policy`` are set, server allows both plain text and
+            mTLS connections. See documentation of other encryption
+            modes to confirm compatibility.
         server_certificate (google.cloud.network_security_v1beta1.types.CertificateProvider):
-            Optional. Defines a mechanism to provision server identity
-            (public and private keys). Cannot be combined with
-            allow_open as a permissive mode that allows both plain text
-            and TLS is not supported.
+            Defines a mechanism to provision server identity (public and
+            private keys). Cannot be combined with ``allow_open`` as a
+            permissive mode that allows both plain text and TLS is not
+            supported.
         mtls_policy (google.cloud.network_security_v1beta1.types.ServerTlsPolicy.MTLSPolicy):
-            Optional. Defines a mechanism to provision peer validation
+            Defines a mechanism to provision peer validation
             certificates for peer to peer authentication (Mutual TLS -
             mTLS). If not specified, client certificate will not be
             requested. The connection is treated as TLS and not mTLS. If
-            allow_open and mtls_policy are set, server allows both plain
-            text and mTLS connections.
+            ``allow_open`` and ``mtls_policy`` are set, server allows
+            both plain text and mTLS connections.
     """
 
     class MTLSPolicy(proto.Message):
         r"""Specification of the MTLSPolicy.
 
         Attributes:
             client_validation_ca (Sequence[google.cloud.network_security_v1beta1.types.ValidationCA]):
-                Required. Defines the mechanism to obtain the
+                Defines the mechanism to obtain the
                 Certificate Authority certificate to validate
                 the client certificate.
         """