google.cloud.forseti.common.gcp_type.firewall_rule module

A Firewall.

See: https://cloud.google.com/compute/docs/reference/latest/firewalls

exception Error[source]

Bases: exceptions.Exception

Base error class for the module.

class FirewallAction(firewall_rules=None, firewall_rule_action='allowed')[source]

Bases: object

An association of allowed or denied ports and protocols.

MATCH_ANY = '*'
VALID_ACTIONS = frozenset(['denied', 'allowed'])
__eq__(other)[source]

Equals.

Parameters:other (FirewallAction) – The FirewallAction to compare to.
Returns:Whether this action is exactly the same as the other FirewallAction.
Return type:bool
__gt__(other)[source]

Greater than.

Parameters:other (FirewallAction) – The FirewallAction to compare to.
Returns:Whether this action is a superset of the other action.
Return type:bool
__lt__(other)[source]

Less than.

Parameters:other (FirewallAction) – The FirewallAction to compare to.
Returns:Whether this action is a subset of the other action.
Return type:bool
__str__()[source]

String representation.

Returns:A string representation of FirewallAction.
Return type:str
any_value

Returns whether this rule matches any value.

Returns:Whether this rule matches any value.
Return type:bool
applies_to_all

Returns whether this applies to all ports and protocols or not.

Returns:Whether this applies to all ports and protocols or not.
Return type:bool
expanded_rules

Returns an expanded set of ports.

Returns:A dict of protocol to all port numbers.
Return type:dict
is_equivalent(other)[source]

Returns whether this action and another are functionally equivalent.

Parameters:other (FirewallAction) – Another FirewallAction.
Returns:Whether these two FirewallActions are functionally equivalent.
Return type:bool
json_dict()[source]

Gets the JSON key and values for the firewall action.

Returns:A tuple of the key (‘allowed’ or ‘denied’) and the firewall rules.
Return type:tuple
Raises:InvalidFirewallActionError – If a rule is not formatted for the API.
static ports_are_equal(ports_1, ports_2)[source]

Returns whether two port lists are the same.

Parameters:
  • ports_1 (list) – A list of string port numbers.
  • ports_2 (list) – A list of string port numbers.
Returns:Whether ports_1 has the same ports as ports_2.
Return type:bool
static ports_are_subset(ports_1, ports_2)[source]

Returns whether one port list is a subset of another.

Parameters:
  • ports_1 (list) – A list of string port numbers.
  • ports_2 (list) – A list of string port numbers.
Returns:Whether ports_1 is a subset of ports_2.
Return type:bool
validate()[source]

Validates that the firewall rules are valid for use in the API.

Raises:InvalidFirewallActionError – If a rule is not formatted for the API.
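The containment relation behind __lt__, __gt__, expanded_rules and is_equivalent above, shown as an added example that is not Forseti's own code. A stand-in Action class (hypothetical name) expands port ranges into concrete per-protocol port sets, treats an IPProtocol of 'all' as MATCH_ANY and an entry with no ports as every port of that protocol (both assumptions about the API shape), and compares two actions by set inclusion. The sample actions at the bottom are constructed.

```python
from collections import defaultdict

MATCH_ANY = '*'
VALID_ACTIONS = frozenset(['allowed', 'denied'])
ALL_PORTS = frozenset(range(0, 65536))  # every port; used when an entry lists none


def expand_ports(ports):
    """Expand ['22', '80-82'] into {22, 80, 81, 82}.

    Ranges are inclusive at both ends, as in the Compute API. Inputs are
    assumed well-formed here; validation is a separate concern.
    """
    expanded = set()
    for port in ports:
        low, _, high = str(port).partition('-')
        expanded.update(range(int(low), int(high or low) + 1))
    return expanded


class Action(object):
    """Hypothetical stand-in for FirewallAction: an 'allowed' or 'denied'
    list of {'IPProtocol': ..., 'ports': [...]} entries as the API returns them."""

    def __init__(self, rules=None, action='allowed'):
        if action not in VALID_ACTIONS:
            raise ValueError('action must be one of %s' % sorted(VALID_ACTIONS))
        self.action = action
        self.rules = list(rules or [])

    @property
    def expanded_rules(self):
        """Map each protocol to the set of concrete ports it covers.

        An entry with IPProtocol 'all' covers everything and collapses the
        mapping to {MATCH_ANY: ALL_PORTS}; an entry without 'ports' (icmp, or
        tcp with the port list omitted) covers every port of that protocol.
        """
        expanded = defaultdict(set)
        for rule in self.rules:
            protocol = rule['IPProtocol'].lower()
            if protocol == 'all':
                return {MATCH_ANY: ALL_PORTS}
            ports = rule.get('ports') or []
            expanded[protocol] |= expand_ports(ports) if ports else ALL_PORTS
        return dict(expanded)

    @property
    def applies_to_all(self):
        return MATCH_ANY in self.expanded_rules

    def is_subset(self, other):
        """True when everything this action matches, the other action matches too."""
        if self.action != other.action:
            return False  # 'allowed' and 'denied' are never comparable
        theirs = other.expanded_rules
        if MATCH_ANY in theirs:
            return True
        mine = self.expanded_rules
        if MATCH_ANY in mine:
            return False
        return all(protocol in theirs and ports <= theirs[protocol]
                   for protocol, ports in mine.items())

    def is_equivalent(self, other):
        """Same action and same concrete coverage, however the ports were written."""
        return self.action == other.action and self.expanded_rules == other.expanded_rules

    def __lt__(self, other):
        return self.is_subset(other) and not self.is_equivalent(other)

    def __gt__(self, other):
        return other.is_subset(self) and not self.is_equivalent(other)


# Constructed sample actions, in the shape the Compute API returns.
SSH_AND_WEB = Action([{'IPProtocol': 'tcp', 'ports': ['22', '80-443']}])
WEB_REWRITTEN = Action([{'IPProtocol': 'TCP', 'ports': ['443', '22', '80-442']}])
ALL_TCP = Action([{'IPProtocol': 'tcp'}])
EVERYTHING = Action([{'IPProtocol': 'all'}])
DENY_SSH = Action([{'IPProtocol': 'tcp', 'ports': ['22']}], action='denied')

if __name__ == '__main__':
    print(SSH_AND_WEB < ALL_TCP, ALL_TCP < EVERYTHING,
          SSH_AND_WEB.is_equivalent(WEB_REWRITTEN))
```

Comparing expanded port sets rather than the raw strings is what makes '80-443' and '443','80-442' come out equivalent; an 'allowed' action is never a subset of a 'denied' one, however the ports line up.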
class FirewallRule(validate=False, **kwargs)[source]

Bases: object

Represents Firewall resource.

__eq__(other)[source]

Test whether this policy is the same as the other policy.

Parameters:other (FirewallRule) – object to compare to
Returns:comparison result
Return type:bool
__gt__(other)[source]

Test whether this policy contains the other policy.

Checks if this rule is a superset of the allowed/denied ports and protocols that are in the other rule.

Parameters:other (FirewallRule) – object to compare to
Returns:comparison result
Return type:bool
__lt__(other)[source]

Test whether this policy is contained in another policy.

Checks if this rule is a subset of the allowed/denied ports and protocols that are in the other rule.

Parameters:other (FirewallRule) – object to compare to
Returns:comparison result
Return type:bool
__str__()[source]

String representation.

Returns:A string representation of FirewallRule.
Return type:str
static _transform(firewall_dict, project_id=None, validate=None)[source]

Transforms firewall dictionary into FirewallRule.

Parameters:
  • firewall_dict (dict) – A dictionary with firewall field names matching the API field names.
  • project_id (str) – A project id string.
  • validate (bool) – Whether to validate this FirewallRule or not.
Returns:A FirewallRule created from the input dictionary.
Return type:FirewallRule
_validate_direction()[source]

Checks that the direction and associated fields are valid.

Raises:InvalidFirewallRuleError – If:
  • direction is ‘ingress’ and there are no source ranges or tags, or _destination_ranges is set
  • direction is ‘egress’ and there are source ranges or tags, or _destination_ranges is not set
_validate_keys()[source]

Checks the required keys and value restrictions.

Required fields: name and network.

Length restrictions:

  • name <= 63 characters
  • <= 256 values each: sourceRanges, sourceTags, targetTags, destinationRanges
Raises:InvalidFirewallRuleError – If keys don’t meet requirements.
_validate_priority()[source]

Checks that the priority of the rule is a valid value.

Raises:InvalidFirewallRuleError – If the priority can’t be converted to an int or if it is outside the allowed range.
as_json()[source]

Returns a valid JSON representation of this firewall rule.

This rule must be valid to return the representation.

Returns:A string JSON dump of the firewall rule.
Return type:str
Raises:InvalidFirewallRuleError – If the rule fails validation.
destination_ranges

The sorted destination ranges for this policy.

Returns:Sorted destination ips ranges.
Return type:list
firewall_action

The protocols and ports allowed or denied by this policy.

https://cloud.google.com/compute/docs/reference/beta/firewalls

Returns:
An object that represents what ports and protocols are
allowed or denied.
Return type:FirewallAction
Raises:ValueError – If there are both allow and deny actions for a rule.
classmethod from_dict(firewall_dict, project_id=None, validate=False)[source]

Creates a FirewallRule from a dictionary, validating it only if validate is True.

Parameters:
  • firewall_dict (dict) – A dict with firewall keys and values.
  • project_id (str) – A string project id.
  • validate (bool) – Whether to validate this rule or not.
Returns:A FirewallRule built from the dictionary.
Return type:FirewallRule
Raises:InvalidFirewallRuleError – If validate is True and the rule fails validation.
classmethod from_json(json_string, project_id=None)[source]

Creates a validated FirewallRule from a valid firewall JSON.

Parameters:
  • json_string (str) – A valid firewall JSON string.
  • project_id (str) – A string project id.
Returns:A validated FirewallRule from the JSON string.
Return type:FirewallRule
Raises:InvalidFirewallRuleError – If the rule fails validation.
is_equivalent(other)[source]

Test whether this policy is equivalent to the other policy.

Parameters:other (FirewallRule) – object to compare to
Returns:comparison result
Return type:bool
priority

The effective priority of the firewall rule.

Per https://cloud.google.com/compute/docs/reference/latest/firewalls the default priority is 1000.

Returns:Rule priority (lower is more important)
Return type:int
source_ranges

The sorted source ranges for this policy.

Returns:Sorted source ips ranges.
Return type:list
source_service_accounts

The sorted source service accounts for this policy.

Returns:Sorted source service accounts.
Return type:list
source_tags

The sorted source tags for this policy.

Returns:Sorted source tags.
Return type:list
target_service_accounts

The sorted target service accounts for this policy.

Returns:Sorted target service accounts.
Return type:list
target_tags

The sorted target tags for this policy.

Returns:Sorted target tags.
Return type:list
validate()[source]

Validates that a rule is valid.

Validation is based on reference: https://cloud.google.com/compute/docs/reference/beta/firewalls and https://cloud.google.com/compute/docs/vpc/firewalls#gcp_firewall_rule_summary_table

Returns:If rule is valid.
Return type:bool
Raises:InvalidFirewallRuleError – One or more rules failed validation.
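The checks that _validate_keys, _validate_priority, _validate_direction and validate describe, gathered into one function as an added example (not the module's own implementation). It assumes the Compute API's priority range of 0 to 65535 and default direction of INGRESS, and that a rule must carry exactly one of allowed and denied, as the ValueError documented on firewall_action implies. The exception class and sample rules are constructed for the example.

```python
PRIORITY_MIN, PRIORITY_MAX, PRIORITY_DEFAULT = 0, 65535, 1000
MAX_NAME_LENGTH = 63
MAX_LIST_LENGTH = 256
LIST_KEYS = ('sourceRanges', 'sourceTags', 'targetTags', 'destinationRanges')
SOURCE_KEYS = ('sourceRanges', 'sourceTags', 'sourceServiceAccounts')


class InvalidFirewallRuleError(Exception):
    """Raised when a rule dict doesn't look like a Compute firewall rule should."""


def effective_priority(rule):
    """Priority as an int, applying the API default of 1000 when it is absent."""
    try:
        priority = int(rule.get('priority', PRIORITY_DEFAULT))
    except (TypeError, ValueError):
        raise InvalidFirewallRuleError(
            'priority is not an integer: %r' % (rule.get('priority'),))
    if not PRIORITY_MIN <= priority <= PRIORITY_MAX:
        raise InvalidFirewallRuleError(
            'priority %d is outside [%d, %d]' % (priority, PRIORITY_MIN, PRIORITY_MAX))
    return priority


def validate_rule(rule):
    """Check one API-shaped firewall rule dict; return it unchanged if it passes."""
    # Required keys and length limits (the _validate_keys checks).
    for key in ('name', 'network'):
        if not rule.get(key):
            raise InvalidFirewallRuleError('missing required field %r' % key)
    if len(rule['name']) > MAX_NAME_LENGTH:
        raise InvalidFirewallRuleError('name is longer than %d characters' % MAX_NAME_LENGTH)
    for key in LIST_KEYS:
        if len(rule.get(key) or []) > MAX_LIST_LENGTH:
            raise InvalidFirewallRuleError('%s has more than %d entries' % (key, MAX_LIST_LENGTH))

    # Exactly one action: a rule carrying both allowed and denied is ambiguous.
    if bool(rule.get('allowed')) == bool(rule.get('denied')):
        raise InvalidFirewallRuleError('rule must carry exactly one of allowed or denied')

    effective_priority(rule)  # the _validate_priority check

    # Direction and the fields it permits (the _validate_direction checks).
    # Assumption: a rule with no direction is INGRESS, the API default.
    direction = str(rule.get('direction') or 'INGRESS').upper()
    has_source = any(rule.get(key) for key in SOURCE_KEYS)
    has_destination = bool(rule.get('destinationRanges'))
    if direction == 'INGRESS':
        if not has_source:
            raise InvalidFirewallRuleError(
                'ingress rule needs sourceRanges, sourceTags or sourceServiceAccounts')
        if has_destination:
            raise InvalidFirewallRuleError('ingress rule cannot set destinationRanges')
    elif direction == 'EGRESS':
        if has_source:
            raise InvalidFirewallRuleError(
                'egress rule cannot set source ranges, tags or service accounts')
        if not has_destination:
            raise InvalidFirewallRuleError('egress rule needs destinationRanges')
    else:
        raise InvalidFirewallRuleError('unknown direction %r' % direction)
    return rule


def rule_problem(rule):
    """Return the validation error message for a rule, or None when it is valid."""
    try:
        validate_rule(rule)
    except InvalidFirewallRuleError as err:
        return str(err)
    return None


# Constructed sample rules (not real project data).
GOOD_INGRESS = {
    'name': 'allow-ssh-from-corp',
    'network': 'projects/p/global/networks/default',
    'direction': 'INGRESS',
    'sourceRanges': ['203.0.113.0/24'],
    'allowed': [{'IPProtocol': 'tcp', 'ports': ['22']}],
}
GOOD_EGRESS = {
    'name': 'deny-egress-to-partner-range',
    'network': 'projects/p/global/networks/default',
    'direction': 'EGRESS',
    'destinationRanges': ['198.51.100.0/24'],
    'denied': [{'IPProtocol': 'all'}],
    'priority': '500',
}
BAD_EGRESS_WITH_SOURCE = dict(GOOD_EGRESS, sourceRanges=['0.0.0.0/0'])
BAD_BOTH_ACTIONS = dict(GOOD_INGRESS, denied=[{'IPProtocol': 'udp'}])
BAD_PRIORITY = dict(GOOD_INGRESS, priority='high')
BAD_NAME = dict(GOOD_INGRESS, name='x' * 64)
```

Priority arrives from the API as a string in some exports and as an int in others, so the check converts before comparing; treating a missing priority as 1000 matches the default the priority property documents.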
exception InvalidFirewallActionError[source]

Bases: google.cloud.forseti.common.gcp_type.firewall_rule.Error

Raised if a firewall action doesn’t look like a firewall action should.

exception InvalidFirewallRuleError[source]

Bases: google.cloud.forseti.common.gcp_type.firewall_rule.Error

Raised if a firewall rule doesn’t look like a firewall rule should.

expand_port_range(port_range)[source]

Expands a port range.

From https://cloud.google.com/compute/docs/reference/beta/firewalls, ports can be of the form “<number>-<number>”.

Parameters:port_range (string) – A string of format “<number_1>-<number_2>”.
Returns:A list of port-number strings from number_1 to number_2, inclusive.
Return type:list
expand_ports(ports)[source]

Expands all ports in a list.

From https://cloud.google.com/compute/docs/reference/beta/firewalls, ports can be of the form “<number>” or “<number>-<number>”.

Parameters:ports (list) – A list of strings of format “<number>” or “<number_1>-<number_2>”.
Returns:A list of all port number strings with the ranges expanded.
Return type:list
ip_in_range(ip_addr, ip_range)[source]

Checks whether an IP address or IP range is contained in another IP range.

Examples

ip_in_range(1.1.1.1, 0.0.0.0/0) = True
ip_in_range(1.1.1.1/24, 0.0.0.0/0) = True
ip_in_range(0.0.0.0/0, 1.1.1.1) = False

Parameters:
  • ip_addr (string) – An IP address or CIDR range string.
  • ip_range (string) – An IP address or CIDR range string.
Returns:Whether ip_addr is contained in ip_range.
Return type:bool
ips_in_list(ips, ips_list)[source]

Checks whether the IPs and ranges are all contained in a list of ranges.

Examples

ips_in_list([1.1.1.1], [0.0.0.0/0]) = True
ips_in_list([1.1.1.1/24], [0.0.0.0/0]) = True
ips_in_list([1.1.1.1, 1.1.1.2], [0.0.0.0/0]) = True
ips_in_list([1.1.1.1, 2.2.2.2], [1.1.1.0/24, 2.2.2.0/24]) = True
ips_in_list([0.0.0.0/0], [1.1.1.1]) = False

Parameters:
  • ips (list) – A list of IP address or CIDR range strings.
  • ips_list (list) – A list of IP address or CIDR range strings.
Returns:Whether every entry of ips is contained in some entry of ips_list.
Return type:bool

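ip_in_range and ips_in_list reimplemented on the standard-library ipaddress module (Python 3.7 or later for subnet_of), as an added example rather than the module's code, together with an open_to_internet helper (hypothetical name) that turns the same containment test around to flag rules reachable from 0.0.0.0/0 or ::/0. A bare address is read as a single-host network and a CIDR with host bits set is normalised, which is the reading the examples above use; mixed IPv4/IPv6 and unparsable input count as not contained.

```python
import ipaddress


def to_network(value):
    """Parse a bare address ('1.1.1.1') or a CIDR ('1.1.1.1/24') into a network.

    A bare address becomes a /32 (or /128) and host bits set in a CIDR are
    tolerated (strict=False), so '1.1.1.1/24' means 1.1.1.0/24.
    """
    return ipaddress.ip_network(str(value).strip(), strict=False)


def ip_in_range(ip_addr, ip_range):
    """True when every address covered by ip_addr is also covered by ip_range."""
    try:
        inner, outer = to_network(ip_addr), to_network(ip_range)
    except ValueError:
        return False  # unparsable input is treated as not contained
    if inner.version != outer.version:
        return False  # an IPv4 range never contains IPv6 addresses, or vice versa
    return inner.subnet_of(outer)


def ips_in_list(ips, ips_list):
    """True when each entry in ips is contained in at least one entry of ips_list.

    Note the vacuous case: an empty ips list is trivially contained in anything.
    """
    return all(any(ip_in_range(ip, candidate) for candidate in ips_list) for ip in ips)


def open_to_internet(source_ranges):
    """True when any source range covers all of IPv4 or all of IPv6.

    Same containment test the other way round: instead of asking whether an
    address is inside a range, ask whether the whole address space is.
    """
    return any(ip_in_range('0.0.0.0/0', candidate) or ip_in_range('::/0', candidate)
               for candidate in source_ranges)


if __name__ == '__main__':
    # Constructed inputs mirroring the examples in the documentation above.
    print(ip_in_range('1.1.1.1/24', '0.0.0.0/0'), ip_in_range('0.0.0.0/0', '1.1.1.1'))
    print(open_to_internet(['10.0.0.0/8', '0.0.0.0/0']))
```

The asymmetry in the documented examples (0.0.0.0/0 is not inside 1.1.1.1) falls out of subnet_of directly; the version check matters because subnet_of raises on an IPv4/IPv6 mix rather than returning False.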
sort_rules(rules)[source]

Sorts firewall rules by protocol and sorts ports.

Parameters:rules (list) – A list of firewall rule dictionaries.
Returns:A list of sorted firewall rules.
Return type:list
validate_port(port)[source]

Validates that a string is a valid port number.

Parameters:port (str) – A port number string.
Returns:The integer port number.
Return type:int
Raises:InvalidFirewallActionError – If the port string isn’t a valid port.
validate_port_range(port_range)[source]

Validates that a string is a valid port range.

Parameters:port_range (str) – A port range string.
Raises:InvalidFirewallActionError – If the port range isn’t a valid range.
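Port validation and rule canonicalisation in the spirit of validate_port, validate_port_range and sort_rules above, as an added example that is not the module's own code. It assumes the API port range 0 to 65535 and that a range must read low-high with low <= high; port_problem is a hypothetical helper that returns the error message instead of raising, and the exception class is redeclared so the block runs stand-alone.

```python
import re

PORT_MIN, PORT_MAX = 0, 65535
_PORT_RE = re.compile(r'^\d{1,5}$')


class InvalidFirewallActionError(Exception):
    """Raised when a port, port range or protocol entry isn't API-shaped."""


def validate_port(port):
    """Return the port as an int, or raise if it is not a number in range."""
    text = str(port).strip()
    if not _PORT_RE.match(text):
        raise InvalidFirewallActionError('port %r is not a number' % (port,))
    number = int(text)
    if not PORT_MIN <= number <= PORT_MAX:
        raise InvalidFirewallActionError(
            'port %d is outside [%d, %d]' % (number, PORT_MIN, PORT_MAX))
    return number


def validate_port_range(port_range):
    """Return (low, high) for a '<low>-<high>' string, or raise if malformed."""
    low, separator, high = str(port_range).partition('-')
    if not separator:
        raise InvalidFirewallActionError('%r is not of the form <low>-<high>' % (port_range,))
    low, high = validate_port(low), validate_port(high)
    if low > high:
        raise InvalidFirewallActionError('range %r is inverted' % (port_range,))
    return low, high


def port_problem(value):
    """Return the validation error message for a port or range string, or None."""
    try:
        if '-' in str(value):
            validate_port_range(value)
        else:
            validate_port(value)
    except InvalidFirewallActionError as err:
        return str(err)
    return None


def port_sort_key(port):
    """Sort ports numerically; a range sorts by its low end, then its high end."""
    if '-' in str(port):
        return validate_port_range(port)
    number = validate_port(port)
    return (number, number)


def sort_rules(rules):
    """Return a canonical copy of a list of {'IPProtocol': ..., 'ports': [...]} entries.

    Protocols are lowercased and sorted and ports are validated and sorted
    numerically, so two rules that differ only in ordering or case compare equal.
    """
    canonical = []
    for rule in rules:
        entry = {'IPProtocol': rule['IPProtocol'].lower()}
        if rule.get('ports'):
            entry['ports'] = sorted((str(p) for p in rule['ports']), key=port_sort_key)
        canonical.append(entry)
    return sorted(canonical, key=lambda entry: (entry['IPProtocol'], entry.get('ports', [])))


# Constructed sample input: the same rule written two different ways.
RULE_A = [{'IPProtocol': 'UDP', 'ports': ['53']},
          {'IPProtocol': 'tcp', 'ports': ['443', '22', '80-90', '8080']}]
RULE_B = [{'IPProtocol': 'tcp', 'ports': ['22', '80-90', '443', '8080']},
          {'IPProtocol': 'udp', 'ports': ['53']}]

if __name__ == '__main__':
    print(sort_rules(RULE_A) == sort_rules(RULE_B))
```

Canonicalising before comparing is what lets two exports of the same rule, one hand-written and one read back from the API, be recognised as the same policy; because sorting calls the validators, a malformed port surfaces as InvalidFirewallActionError rather than as a silently mis-ordered list.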