5dZddlZddlZddlmZddlmZddlmZddl Z dZ dZ dZ d Z d Zd Zd Z dd ZdZdZdZdZdZdZdZdZdZdZdZdZdZdZdZ dZ!y)zBCode that's shared between multiple security policies subcommands.N) exceptions)yaml)resource_printerc |dk(rtj|}n tj|}|j}d|vr |d|_ d|vr |d|_ d|vr,tj|djd|_d|vr#|jj!|d|_d |vr|j%|d d  |_d |vr|j)|j+|d d d|_|d d j/dgD].}|j1|d}d|vr |d|_d|vr |d|_d|vr |d|_d|vr |d|_d|vr |d|_d|vr |d|_d|vr |d|_|j/dgD]p}|jA} d|vr |d| _!d|vr#|j@j!|d| _d|vr |d| _"|jFjI| r|j,jJjLjI|1d|d vr|jO|j,_(d|d dvr$|d dd|j,jP_)d |d dvr$|d dd |j,jP_*d!|d dvr$|d dd!|j,jP_+d"|d dvr$|d dd"|j,jP_,d#|d d vr=|j*j[|d d d#|j,jJ_.d$|vr|d$} |j_|_0d%| vr-|j^jc| d%|j`_2d&| vr4|jg| d&j/d'g(|j`_4d)| vr-|j^jk| d)|j`_6d*| vr| d*|j`_7d+| vr| d+|j`_8d,|vr|js|jrju|d,d-.|_;d/|d,vr0|jrjy|d,d/|jv_=d0|d,vr|d,d0|jv_>d1|vr3|j|_@d2|d1vr|d1d2|j_Ad3|vrg} |d3D]r} |j} | d| _C|jj| d4| _E| d5| _F| d6| _Gd7| vr | d7| _H| jI| t| |_Ig}d8|vr|d8D]}|j}|d9|_Kd|vr |d|_ d:|vr|j}d;|d:vrt|d:d;||_Nd<|d:vr |j|d:d<d=>|_Pd?|d:vrk|j}d@|d:d?vrJ|j|d:d?d@j/dAg|d:d?d@j/dBgC|_S||_TdD|d:vr*dE|d:dDvr |j|d:dDdEF|_V||_WdG|vr|j}d3|dGvrKg} |dGd3D]7} |j}| d|_C| dH|_Z| jI|9| |_IdE|dGvr |dGdE|_[dI|dGvr |dGdI|_\dJ|dGvr |dGdJ|_]dK|dGvr |dGdK|_^dL|dGvr |dGdL|__dM|dGvr |dGdM|_`dN|dGvr |dGdN|_a||_bt|dO|_ddP|vr |dP|_e|jI|dQ|vr |dQ|_fdR|vrt|dR|_gdS|vrX|j}d|dSvr&|jj!|dSd|_dT|dSvr |dSdT|_i||_jdU|vrf|j}|dUj/dVg}g}|D]*}|jI|j|dW|dXY,|r||_m||_ndZ|vr|dZ}|j|j|d[d\|d[d]^|d_|d`a|_qdb|vrI|j}dc|dbvr |dbdc|_sdd|dbvr |dbdd|_t||j_ude|vrb|j}d|devr&|jj!|ded|_dT|devr |dedT|_i||j_vdf|vr.|j|dfd\|dfd]^|j_wdg|vr|dg|j_xdh|vr-|jj|dh|j_zdi|vr|di|j_{|j/djgD]l}|j}dk|vr#|jj|dk|_~di|vr |di|_{|jjjI|ndl|vsX|j}|dlj/dmgD]i} |j}!dn| vr | dn|!_| j/dogD]}"|!jjI|" | j/dpgD])}#|!jjIt |#|+| j/dqgD])}$|!j jIt |$|+| j/drgD])}%|!jjIt |%|+| j/dsgD])}&|!jjIt |&|+|jjI|!l||_||_|S#t$r<}t j dj tj|d}~wwxYw)taReturns the security policy read from the given file. Args: input_file: file, A file with a security policy config. messages: messages, The set of available messages. file_format: string, the format of the file to read from Returns: A security policy resource. rzError parsing JSON: {0}N shortName description fingerprintasciitypecloudArmorConfigenableMlr adaptiveProtectionConfiglayer7DdosDefenseConfigenable)r)rthresholdConfigsname)rautoDeployConfidenceThresholdautoDeployExpirationSec#autoDeployImpactedBaselineThresholdautoDeployLoadThresholddetectionAbsoluteQpsdetectionLoadThresholddetectionRelativeToBaselineQpstrafficGranularityConfigsenableEachUniqueValuevalueautoDeployConfig loadThresholdconfidenceThresholdimpactedBaselineThreshold expirationSecruleVisibilityadvancedOptionsConfig jsonParsingjsonCustomConfig contentTypesr'logLevelrequestBodyInspectionSizeuserIpRequestHeadersddosProtectionConfigddosProtection)r-ddosAdaptiveProtectionddosImpactedBaselineThresholdrecaptchaOptionsConfigredirectSiteKeyuserDefinedFieldsbaseoffsetsizemaskrulesactionmatch versionedExprexpr expression)r< exprOptionsrecaptchaOptionsactionTokenSiteKeyssessionTokenSiteKeys)r?r@config srcIpRanges)rB networkMatchvalues destIpRanges ipProtocolssrcPorts destPortssrcRegionCodessrcAsnsprioritypreviewredirectTarget ruleNumberredirectOptionstarget headerActionrequestHeadersToAdds headerName headerValue)rSrTrateLimitOptionsrateLimitThresholdcount intervalSec)rWrX conformAction exceedAction)rVrYrZexceedActionRpcStatuscodemessageexceedRedirectOptions banThresholdbanDurationSec enforceOnKeyenforceOnKeyNameenforceOnKeyConfigsenforceOnKeyTypepreconfiguredWafConfig exclusions targetRuleSet targetRuleIdsrequestHeadersToExcluderequestCookiesToExcluderequestQueryParamsToExcluderequestUrisToExclude)rloadjson ValueErrorrBadFileExceptionformatsix text_typeSecurityPolicyrrbase64urlsafe_b64decodeencoder TypeValueValuesEnumr SecurityPolicyCloudArmorConfigr &SecurityPolicyAdaptiveProtectionConfig=SecurityPolicyAdaptiveProtectionConfigLayer7DdosDefenseConfigrgetLSecurityPolicyAdaptiveProtectionConfigLayer7DdosDefenseConfigThresholdConfigrrrrrrrdSecurityPolicyAdaptiveProtectionConfigLayer7DdosDefenseConfigThresholdConfigTrafficGranularityConfigrrrappendrr6SecurityPolicyAdaptiveProtectionConfigAutoDeployConfigrrr r!r"RuleVisibilityValueValuesEnumr##SecurityPolicyAdvancedOptionsConfigr$JsonParsingValueValuesEnumr%3SecurityPolicyAdvancedOptionsConfigJsonCustomConfigr&LogLevelValueValuesEnumr)r*r+"SecurityPolicyDdosProtectionConfigDdosProtectionValueValuesEnumr,%DdosAdaptiveProtectionValueValuesEnumr.r/$SecurityPolicyRecaptchaOptionsConfigr0r1SecurityPolicyUserDefinedFieldrBaseValueValuesEnumr3r4r5r6r2SecurityPolicyRuler8SecurityPolicyRuleMatcher ConvertToEnumr:Exprr;$SecurityPolicyRuleMatcherExprOptions4SecurityPolicyRuleMatcherExprOptionsRecaptchaOptionsr>r=SecurityPolicyRuleMatcherConfigrAr9 SecurityPolicyRuleNetworkMatcher5SecurityPolicyRuleNetworkMatcherUserDefinedFieldMatchrDrBrErFrGrHrIrJrCintrKrLrMrN!SecurityPolicyRuleRedirectOptionsrPrO"SecurityPolicyRuleHttpHeaderAction2SecurityPolicyRuleHttpHeaderActionHttpHeaderOptionrRrQ"SecurityPolicyRuleRateLimitOptions+SecurityPolicyRuleRateLimitOptionsThresholdrU+SecurityPolicyRuleRateLimitOptionsRpcStatusr\r]r[r^r_r`EnforceOnKeyValueValuesEnumrarb4SecurityPolicyRuleRateLimitOptionsEnforceOnKeyConfigEnforceOnKeyTypeValueValuesEnumrdrc(SecurityPolicyRulePreconfiguredWafConfig1SecurityPolicyRulePreconfiguredWafConfigExclusionrgrhri(ConvertPreconfigWafExclusionRequestFieldrjrkrlrfrer7)' input_filemessages file_formatparsed_security_policyesecurity_policyparsed_threshold_configthreshold_config!parsed_traffic_granularity_configtraffic_granularity_configadvanced_options_configuser_defined_fieldsudfuser_defined_fieldr7rulesecurity_policy_ruler9 expr_options network_matchuser_defined_field_matchredirect_options header_actionheaders_in_ruleheaders_to_add header_to_addrate_limit_optionsexceed_action_rpc_statusexceed_redirect_optionsrAenforce_on_key_configpreconfig_waf_config exclusionexclusion_to_addtarget_rule_idrequest_headerrequest_cookierequest_query_param request_uris' Slib/googlecloudsdk/command_lib/compute/security_policies/security_policies_utils.pySecurityPolicyFromFilersF!YYz2#yy4 ++-/** 6{ CO,,"8"GO,,"(":":}-44W=#?O %%33 "6 * ,11'/'N'N'(:;JG(O(IO$#9977$, J J-.HI*,,46K7 8 9, $:"$$!!$%7!<$="nn&v.o ),C C #$C D 6 #&= =3J %4 0 /2I I #$I J < #&= =3J %4 0 #: :0G "1 - "%< <2I $3 / *-D D #$D E 70G/J/J %r0 +  y y { # #&G G/0GH % : 6 6,4-Z-Z-n-n/7- $ ) 7 7-N. $ * 2299 & %0,..FFWW^^ q$=x34NOO  I I K..? 23MN   ##= >  !!0 2 00AAO "8 $#&&8#: : ##= >  !!6 8 00AAU %(> $)&&8): : ##= >  !!< > 00AA[ 23MN   ##= >  !!0 2 00AAO12LM!##  P P ( ($%?@(**:< =..FFU  6645LM446)//  6 6 % %%m4 6++744  F F2!##&3~r#: G <++<,,  6 6 N N%j1 3++4#&== !"= >++E!88 !"8 9++@5533#FF * *&'=>!#$ 4 %( ! !"8 9 :EMDoDoEVEV !7 8& Eo**A ( !"8 9 : !!7 8- **H !77557*23KLL !9 :;L M,,<22%&9:#BBD #F   1 1 E E&k  #&h- #F  3"%f+  !34;)( D224 d7m + -7mO,h! %  T'] "}}gv.|<% %* DM )!FFH, 4=#? ?MM(,W m(D*)c/4)-g})E**c0"5 N  )+%  tG} $ d7mH5 5#CC M(3MBDEL&+" 4  AAC $~"6 6 " .)*=>cNNP %-0K $ ).1(m $ +  & &'? @ ?-@- ) D0 0&*>&:=&I- # T.1 1'+N';N'K- $ D0 0&*>&:=&I- # n- -#'#7 #C- $~. .$($8$E- ! tN3 3)-n)=>N)O- & ^, ,"&~"6y"A- ,9)&)$z*:&;# d '+I$ ll'( T !.23C.D+  *-d<.@*A' d "#EEG T+, ,88LL()&1   t-. .$():$;H$E  !/?, 4  CCE ~.223I2N,M   II*<8+M:J - /=- ,,9) t #!"45080[0['SS()=>wG./CD! T  -_=+N;1\ 1 - #&8 8BBD #)*AB B,>'-- $ ),-DE E/A'00 $ ,'  / / E #&8 8$,$N$N$P ! )*AB B::NN&'>?G $ ( +,CD D-?'.. # *&  / / E / /BB*>:7C0@OC  / / < 1 1 !12  / / > / /?G?j?j@G@G 0@  / / < !3 3 !34  / / @),,-BBGFKKM  6 )5=5r5r6S6S)*6 ! 2 6 )5;7s99s>c8|jj|S)aConverts a string version of a versioned expr to the enum representation. Args: versioned_expr: string, string version of versioned expr to convert. messages: messages, The set of available messages. Returns: A versioned expression enum. )rVersionedExprValueValuesEnum)versioned_exprrs rrrs   + + H H c|j}d|vr#|jj|d|_d|vr |d|_|S)aIConverts the request field in preconfigured WAF exclusion configuration. Args: request_field_in_rule: a request field in preconfigured WAF exclusion configuration read from the security policy config file. messages: the set of available messages. Returns: The proto representation of the request field. opval)  P P ( (66 8!/ #6 $#rc.|j}t|||}|jds3|jds"|jds|jdr|j |jn|j }|jdr|j |_|jdr|j|_|jdr|j|_ |jdr|j|_ ||_|S)zOReturns a SecurityPolicyAdaptiveProtectionConfig message with AutoDeployConfig..layer7_ddos_defense_auto_deploy_load_threshold4layer7_ddos_defense_auto_deploy_confidence_threshold;layer7_ddos_defense_auto_deploy_impacted_baseline_threshold.layer7_ddos_defense_auto_deploy_expiration_sec) rrrrrrrrr rr!rr")rrrrrauto_deploy_configs r2CreateAdaptiveProtectionConfigWithAutoDeployConfigrs'__(= d7 9 68;?;K;K @<    G    L M & 6 6 B #33GGI HI  = =& NO  C C, EG  J J2 HI  = =&3E/ ##rc$|j}| |n|j}|jdr*|jj|j|_|jdr!|j |j|_|jdr*|jj|j|_ |r"|jdr|j|_ |jdr|j|_|S)z6Returns a SecurityPolicyAdvancedOptionsConfig message. json_parsingjson_custom_content_typesr( log_levelrequest_body_inspection_sizeuser_ip_request_headers)rrrrrr%rrr&rrr)rr*rr+)rr existing_advanced_options_configenable_large_body_sizerrs rCreateAdvancedOptionsConfigr=s __(*J +&CCE n%44OO    ' 12DD77 E 9, k"44LL NN $ 0 0$! ))5 /0373O3O0  rc|j}| |n|j}|jdr*|jj|j|_|S)5Returns a SecurityPolicyDdosProtectionConfig message.network_ddos_protection)rrrrrr-rrexisting_ddos_protection_configrddos_protection_configs rCreateDdosProtectionConfigrcsg__()H *%BBD /033 & &t'C'C D) rc|j}||n|j}|jdr*|jj|j|_|S)r network_ddos_adaptive_protection)rrrrrr.rs r4CreateDdosProtectionConfigWithDdosAdaptiveProtectionrssm __( ) 4&  6 6 8  894<4_4_5F5F --51 rc|j}||n|j}|jdr|j|_|S)r(network_ddos_impacted_baseline_threshold)rrrrr/rs rBCreateDdosProtectionConfigWithNetworkDdosImpactedBaselineThresholdrsU __( ) 4&  6 6 8  @A 558 rc|j}| |n|j}|jdr*|jj|j|_|S)rddos_protection)rrrrrr-rs rCreateDdosProtectionConfigOldrsg__()H *%BBD '(33 & &t';'; <) rc|j}| |n|j}|jdr|j|_|S)z7Returns a SecurityPolicyRecaptchaOptionsConfig message.recaptcha_redirect_site_key)rrrrr1)rr!existing_recaptcha_options_configrrecaptcha_options_configs rCreateRecaptchaOptionsConfigr sR__(+L ,'DDF 34/3/O/O, !!rc f|j}|j}d}|jds|jdr]|j}|jdr|j|_|jdr|j |_||_d}|jdrt|j|_ d}|jdrt|j|_d}|jds|jdr|j}|jdr3|jj!t#|j$|_|jdr|j(|_||_d}|jd r5|jj/t1|j2|_d}|jd r|j6|_d}|jd rug}|j:j=D]M\} } |j?|jA|j@jCt1| | r| nd O||_"d}|jds|jdr]|j} |jdr|jF| _|jdr|jH| _| |_%d}|jdr|jL|_'d}|r|jds|jdr]|jQ} |jdr|jR| _*|jdr|jV| _,| |_-d}|r|Sd S)z5Returns a SecurityPolicyRuleRateLimitOptions message.Frate_limit_threshold_count!rate_limit_threshold_interval_secTconform_action exceed_actionexceed_redirect_typeexceed_redirect_targetenforce_on_keyenforce_on_key_nameenforce_on_key_configsN)rdrbban_threshold_countban_threshold_interval_secban_duration_secexceed_action_rpc_status_code exceed_action_rpc_status_message).rrrrr rWrrXrV_ConvertConformActionrrY_ConvertExceedActionrrZrrx_ConvertRedirectTyperr rrPr^rConvertEnforceOnKeyrrarrbritemsrrrrcrrr_rr`rrr\rr]r[) rrsupport_fairsharerr is_updatedrate_limit_thresholdrrkv ban_thresholdrs rCreateRateLimitOptionsr&s__(BBD* 34 :;<<> 45#'#B#B  ;<)-)O)O&,@)J &''< ($J o&&:4;M;M&N#J -. /0&HHJ ./  4 4 H H"4#<#<= ?" 01'+'B'B$/F,J &'33OO  3 3 4 6#J +,*.*B*B'J ./++1131##  G G'\\||%a( %&q4 H 4.D*J ,- 34HHJM -. 44m 45"&"A"Am&3#J ()(,(=(=%J 67 9:<<> 78&*&H&H# :;)-)N)N&/G,J) 3t3rc*ddij||S)Nallowr|r8s rrrs 7    //rc0dddddj||S)Nz deny(403)z deny(404)z deny(429)z deny(502))zdeny-403zdeny-404zdeny-429zdeny-502r)r*s rrrs&   C rc @ddddddddd d d d d j||S)NIPALL_IPSALL HTTP_HEADERXFF_IP HTTP_COOKIE HTTP_PATHSNI REGION_CODETLS_JA3_FINGERPRINTUSER_IPTLS_JA4_FINGERPRINT) ipzall-ipsallz http-headerzxff-ipz http-cookiez http-pathsniz region-codeztls-ja3-fingerprintzuser-ipztls-ja4-fingerprintr))rs rrrs>  "" "22 C' (rc|j}|j}d}|jdr5|jjt |j |_d}|jdrD|j|_|j %|jjj|_d}|r|SdS)z4Returns a SecurityPolicyRuleRedirectOptions message.F redirect_typeTredirect_targetN) rrrrxrr=r r>rP EXTERNAL_302)rrrrr!s rCreateRedirectOptionsr@0s__(??A* o&22FF !3!3 4 6J '("22$  4 4 H H <J' 1T1rc,dddj||S)NGOOGLE_RECAPTCHAr?)zgoogle-recaptchaz external-302r))r=s rrrJs ,$ C }%&rc,|jds|jdsy|j}|j}|jdr|j|_|jdr|j |_|j|S)z7Returns a SecurityPolicyRuleMatcherExprOptions message.recaptcha_action_site_keysrecaptcha_session_site_keysN)r>)rrrrDr?rEr@r)rrrrecaptcha_optionss rCreateExpressionOptionsrGQs  "    : ;  __(CCE 23,0,K,K) 34-1-M-M*  6 6( 7 rcH|j}|j}g}d}t|ddyg}|jD]N}|j d}|d} |dj d} |j |j | | P||_|j d d }t|d d$|j|_ |j d d }t|d d$|j|_ |j dd }t|dd$|j|_ |j dd }t|dd$|j|_|j dd }t|dd$|j |_|j dd }t|dd$|j$|_|j dd }t|dd;|j(D cgc] } t+| c} |_|j dd }|r||fSdgfScc} w)z3Returns a SecurityPolicyRuleNetworkMatcher message.Fnetwork_user_defined_fieldsN;r:)rrDz!network_match.user_defined_fieldsTnetwork_src_ip_rangesznetwork_match.src_ip_rangesnetwork_dest_ip_rangesznetwork_match.dest_ip_rangesnetwork_ip_protocolsznetwork_match.ip_protocolsnetwork_src_portsznetwork_match.src_portsnetwork_dest_portsznetwork_match.dest_portsnetwork_src_region_codesznetwork_match.src_region_codesnetwork_src_asnsznetwork_match.src_asns)rrgetattrrIsplitrrr2rMrBrNrErOrFrPrGrQrHrRrIrSrrJ) rrrnetwork_matcher update_maskr!rrparsedrrDasns rCreateNetworkMatcherrZgsM__(==?/+* T0$7C">>"'',f AYdays#f   H H I  ?)#'#>#>O 56J T)40<"&";";O34J T&-9#55O01J T'.: $ 7 7O12J T-t4@%)%B%BO"78J T%t,8373H3HI3HCs3x3HIO/0J+5/; 'ED":E Js(HcF|j}|j}|j|_|jj t |j |_|j|_|j|_t|dd|j|_ |S)z1Returns a SecurityPolicyUserDefinedField message.r6N) rruser_defined_field_namerr_ConvertUserDefinedFieldBaser3r4r5rTr6)rrrrs rCreateUserDefinedFieldr^s__(>>@ 88--AA &tyy 1 #kk II T64 ,"ii rc0dddddj||S)NIPV4IPV6TCPUDP)ipv4ipv6tcpudpr))r3s rr]r]s#&u E I I D rc^|j}|j}|j|_|j dr|j |_|j dr|j|_|j dr|j|_ |j dr|j|_ |r|j dr|j|_|j dr|j|_|j dr|j"|_|j dr~g}|j&D]f}|j)}d |vr#|j(j+|d |_d |vr |d |_d |vr |d |_|j3|h||_|S) z_Returns a SecurityPolicyAdaptiveProtectionConfigLayer7DdosDefenseConfigThresholdConfig message.auto_deploy_load_threshold auto_deploy_confidence_threshold'auto_deploy_impacted_baseline_thresholdauto_deploy_expiration_secdetection_load_thresholddetection_absolute_qps"detection_relative_to_baseline_qpstraffic_granularity_configsr rr)rr}threshold_config_namerrrirrjrrkrrlrrmrrnrrorrpr~rxr rrrr)rrsupport_granularity_configrrrparg_traffic_granularity_configrs r&CreateLayer7DdosDefenseThresholdConfigrts __([[]44 23/3/N/N, 89 --2 ?@ 448 23/3/N/N, 23040M0M- 01.2.I.I+ <=  1 15 56$&!,0,L,L (  y y { # 3 3,4-Z-Z-n-n,V4- $ ) 4 4-K. $ * #&D D,-DE % : $**+EF!-M"4O0 r)F)"__doc__rurngooglecloudsdk.calliopergooglecloudsdk.corergooglecloudsdk.core.resourcerrrrrrrrrrrrrrrr r&rrrr@rrGrZr^r]rtrrrzsI .$9 cL , B$:"$LLQ#!L   & & " "V4r0("24&,5Fp* 7r