google.cloud.forseti.enforcer.gce_firewall_enforcer
Core classes for firewall policy enforcement. The module simplifies the interface with the Compute API for managing firewall policies: a FirewallRules collection holds a validated rule set, and a FirewallEnforcer computes the change set between the current and expected rule sets and applies it as delete, insert and update operations.
DuplicateFirewallRuleNameError
Bases: google.cloud.forseti.enforcer.gce_firewall_enforcer.Error
Raised if a rule name is reused in a policy; names must be unique.

EmptyProposedFirewallRuleSetError
Bases: google.cloud.forseti.enforcer.gce_firewall_enforcer.FirewallEnforcementFailedError
Raised if the proposed firewall rule set is empty.

FirewallEnforcementDeleteFailedError
Bases: google.cloud.forseti.enforcer.gce_firewall_enforcer.FirewallEnforcementFailedError
Deletion of a firewall rule failed.

FirewallEnforcementFailedError
Bases: google.cloud.forseti.enforcer.gce_firewall_enforcer.Error
Updating the firewall for the project failed.

FirewallEnforcementInsertFailedError
Bases: google.cloud.forseti.enforcer.gce_firewall_enforcer.FirewallEnforcementFailedError
Insertion of a firewall rule failed.

FirewallEnforcementUpdateFailedError
Bases: google.cloud.forseti.enforcer.gce_firewall_enforcer.FirewallEnforcementFailedError
Update of a firewall rule failed.
FirewallEnforcer(project, compute_client, expected_rules, current_rules=None, project_sema=None, operation_sema=None, add_rule_callback=None)
Bases: object
Enforce a set of firewall rules for use with GCE projects.

_apply_change(firewall_function, rules)
Modify the firewall using the passed-in function and rules.
If self.operation_sema is defined, the number of outstanding changes is limited to the number of semaphore locks that can be acquired.
Parameters: firewall_function, rules
Return type: tuple

_apply_change_set(delete_before_insert, network)
Updates project firewall rules based on the generated changeset. Extends self._(deleted|inserted|updated)_rules with the rules changed by these operations.
Parameters: delete_before_insert, network
Return type: int

_build_change_set(networks=None)
Enumerate changes between the current and expected firewall rules.
Parameters: networks (list) – The network names to restrict rules to. If no networks are specified, all rules are included.

_check_change_operation_order(insert_count, delete_count)
Check whether there is enough quota to apply the firewall changes with inserts first.
If current usage is near the limit, check whether deleting current rules before adding the new rules would allow the project to stay below quota.
Parameters: insert_count, delete_count
Return type: bool
Raises:
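The two steps described above, computing the change set between current and expected rules and deciding whether deletes must run before inserts to stay under quota, as an added illustration in plain Python. This is not Forseti's own code: the rule dicts, the quota value and the function names (build_change_set, delete_before_insert, plan_enforcement) are constructed for the example. Rules are keyed by name, which is how GCE addresses firewall rules, and compared for content by plain dict equality; the list-order normalisation Forseti applies before comparing is left out here.

```python
"""Added example, not Forseti code: compute a firewall change set and decide
whether deletes must run before inserts to stay under the firewall quota."""


class FirewallQuotaExceededError(Exception):
    """Raised if the proposed changes would exceed the quota in either order."""


def build_change_set(current_rules, expected_rules):
    """Return (to_delete, to_insert, to_update) as lists of rule dicts.

    Both arguments map rule name -> rule dict. The name is the identity key,
    so a rule whose content changed is an update, not a delete plus insert.
    """
    current_names = set(current_rules)
    expected_names = set(expected_rules)
    to_delete = [current_rules[n] for n in sorted(current_names - expected_names)]
    to_insert = [expected_rules[n] for n in sorted(expected_names - current_names)]
    to_update = [expected_rules[n] for n in sorted(current_names & expected_names)
                 if current_rules[n] != expected_rules[n]]
    return to_delete, to_insert, to_update


def delete_before_insert(current_count, insert_count, delete_count, quota):
    """Decide the operation order so the live rule count never exceeds quota.

    Insert-first is preferred: replacement rules exist before the old ones go
    away, so there is no window in which neither is in effect. Returns False
    for insert-first, True when only delete-first fits under quota, and raises
    FirewallQuotaExceededError when neither order fits.
    """
    if current_count + insert_count <= quota:
        return False
    if current_count - delete_count + insert_count <= quota:
        return True
    raise FirewallQuotaExceededError(
        "%d current + %d new - %d deleted rules exceeds quota of %d"
        % (current_count, insert_count, delete_count, quota))


def plan_enforcement(current_rules, expected_rules, quota):
    """Combine both steps into the plan an enforcer would apply."""
    to_delete, to_insert, to_update = build_change_set(current_rules, expected_rules)
    order = delete_before_insert(len(current_rules), len(to_insert), len(to_delete), quota)
    return {
        "delete": [r["name"] for r in to_delete],
        "insert": [r["name"] for r in to_insert],
        "update": [r["name"] for r in to_update],
        "delete_before_insert": order,
    }


def _rule(name, ports, source_ranges=("0.0.0.0/0",)):
    """Constructed sample ingress rule in the shape of a Compute Firewall resource."""
    return {
        "name": name,
        "network": "default",
        "direction": "INGRESS",
        "priority": 1000,
        "sourceRanges": list(source_ranges),
        "allowed": [{"IPProtocol": "tcp", "ports": list(ports)}],
    }


# Constructed sample data: what the project has now versus what policy expects.
CURRENT_RULES = {
    "allow-ssh": _rule("allow-ssh", ["22"]),
    "allow-rdp": _rule("allow-rdp", ["3389"]),
    "allow-health-checks": _rule("allow-health-checks", ["80"],
                                 ["130.211.0.0/22", "35.191.0.0/16"]),
}
EXPECTED_RULES = {
    "allow-ssh": _rule("allow-ssh", ["22"], ["10.0.0.0/8"]),      # tightened: update
    "allow-health-checks": CURRENT_RULES["allow-health-checks"],  # unchanged
    "allow-https": _rule("allow-https", ["443"]),                 # new: insert
    "allow-web": _rule("allow-web", ["80", "8080"]),              # new: insert
}

if __name__ == "__main__":
    print(plan_enforcement(CURRENT_RULES, EXPECTED_RULES, quota=4))
```

With a quota of 4 the three existing rules plus two inserts would reach 5, but removing allow-rdp first brings the peak to 4, so the plan reports delete_before_insert as True; with a quota of 5 it stays in the safer insert-first order, and with a quota of 3 neither order fits and the quota error is raised before any change is made.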
_delete_rules(network)
Delete old rules from the project firewall.
Parameters: network (str) – The network name to restrict rules to. If no network is specified, all unexpected rules are deleted.
Returns: The count of rules deleted.
Return type: int
Raises: FirewallEnforcementDeleteFailedError – Raised if one or more changes fails.

_insert_rules(network)
Insert new rules into the project firewall.
Parameters: network (str) – The network name to restrict rules to. If no network is specified, all new rules are inserted.
Returns: The count of rules inserted.
Return type: int
Raises: FirewallEnforcementInsertFailedError – Raised if one or more changes fails.

_update_rules(network)
Update existing rules in the project firewall using patch.
Parameters: network (str) – The network name to restrict rules to. If no network is specified, all changed rules are updated.
Returns: The count of rules updated.
Return type: int
Raises: FirewallEnforcementUpdateFailedError – Raised if one or more changes fails.
_validate_change_set(networks=None)
Validate that the changeset will not leave the project in a bad state.
Parameters: networks (list) – The network names to restrict rules to. If no networks are specified, all rules are validated.
Raises:

apply_firewall(prechange_callback=None, networks=None, allow_empty_ruleset=False)
Enforce the expected firewall rules on the project.
Parameters: prechange_callback, networks, allow_empty_ruleset. allow_empty_ruleset defaults to False, so enforcing an empty expected rule set, which would remove every rule in the project, is refused with EmptyProposedFirewallRuleSetError unless the caller opts in.
Return type: int
Raises:
Any rules changed before the error occurred can be retrieved by calling the get_(deleted|inserted|updated)_rules methods.
get_deleted_rules()
Returns the list of deleted rules.
Returns: The list of deleted rules.
Return type: list

get_inserted_rules()
Returns the list of inserted rules.
Returns: The list of inserted rules.
Return type: list

FirewallQuotaExceededError
Bases: google.cloud.forseti.enforcer.gce_firewall_enforcer.FirewallEnforcementFailedError
Raised if the proposed changes would exceed the firewall quota.

FirewallRuleValidationError
Bases: google.cloud.forseti.enforcer.gce_firewall_enforcer.Error
Raised if a firewall rule fails validation.
FirewallRules(project, rules=None, add_rule_callback=None)
Bases: object
A collection of validated firewall rules.

DEFAULT_DIRECTION = 'INGRESS'
DEFAULT_DISABLED = False
DEFAULT_LOGCONFIG = {'enable': False}
DEFAULT_PRIORITY = 1000

__eq__(other)
Equality.
Parameters: other (FirewallRules) – The other object to compare with.
Returns: True if equal, else False.
Return type: bool

__ne__(other)
Not equal.
Parameters: other (FirewallRules) – The other object to compare with.
Returns: True if not equal, else False.
Return type: bool
_check_rule_before_adding(rule)
Validates that a rule is valid and not a duplicate.
Validation is based on the reference documentation at https://cloud.google.com/compute/docs/reference/beta/firewalls and https://cloud.google.com/compute/docs/vpc/firewalls#gcp_firewall_rule_summary_table. If add_rule_callback is set, this also confirms that add_rule_callback returns True for the rule; otherwise the rule is not added.
Parameters: rule (dict) – The rule to validate.
Return type: bool
Raises:

_order_lists_in_rule(unsorted_rule)
Recursively iterates a rule dictionary and sorts any lists.
This ensures that two rules with the same policies, but with differently ordered lists, compare equal when tested.
Parameters: unsorted_rule (dict) – A rule dictionary that has not been sorted.
Returns: A new rule dictionary with the lists sorted.
Return type: dict
add_rule(rule, network_name=None)
Adds the rule to the self.rules dictionary.
Parameters: rule, network_name
Raises:

add_rules(rules, network_name=None)
Adds rules from a list of rule dicts.
Parameters: rules, network_name
Raises:

add_rules_from_api(compute_client)
Loads rules from compute.firewalls().list().
Parameters: compute_client (object) – A ComputeClient instance for interfacing with the GCE API.
Raises:

add_rules_from_json(json_rules)
Import rules from a JSON string as exported by as_json.
The JSON string should be an array of Firewall resource objects; see https://cloud.google.com/compute/docs/reference/latest/firewalls for details. Only the fields in ALLOWED_RULE_ITEMS are permitted.
The legacy format from older versions of GCE Enforcer is also supported. This format wraps the array of Firewall resources in a dictionary under the key 'items'.
Parameters: json_rules (str) – The JSON formatted string containing the rules to import.
Raises:

as_json()
Export rules to a JSON string.
The JSON string is an array of Firewall resource objects; see https://cloud.google.com/compute/docs/reference/latest/firewalls for details. Only the fields in ALLOWED_RULE_ITEMS are permitted.
Return type: str
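A self-contained collection that shows the FirewallRules behaviour described in the entries above: defaults filled in from the DEFAULT_* constants, rules validated and deduplicated by name (_check_rule_before_adding, with the add_rule_callback veto), nested lists sorted so that order-insensitive rules compare equal (_order_lists_in_rule and __eq__), and JSON import that accepts both the array format and the legacy {'items': [...]} wrapper. This is an added example, not Forseti's code; the particular field checks, the ALLOWED_RULE_ITEMS set, and the treatment of network_name as an override of the rule's network are assumptions made for the illustration.

```python
"""Added example, not Forseti code: an order-insensitive, validated firewall rule set."""
import copy
import json

DEFAULT_DIRECTION = "INGRESS"
DEFAULT_DISABLED = False
DEFAULT_LOGCONFIG = {"enable": False}
DEFAULT_PRIORITY = 1000

# Assumed subset of Compute Firewall resource fields accepted by this example.
ALLOWED_RULE_ITEMS = frozenset([
    "name", "network", "description", "direction", "priority", "disabled",
    "logConfig", "allowed", "denied", "sourceRanges", "destinationRanges",
    "sourceTags", "targetTags", "sourceServiceAccounts", "targetServiceAccounts",
])
REQUIRED_RULE_ITEMS = frozenset(["name", "network"])


class InvalidFirewallRuleError(Exception):
    """Raised if a firewall rule doesn't look like a firewall rule should."""


class DuplicateFirewallRuleNameError(Exception):
    """Raised if a rule name is reused; names must be unique."""


def order_lists_in_rule(unsorted_rule):
    """Recursively sort every list so list order cannot make equal rules differ.

    Lists may hold dicts (the allowed/denied entries), so the sort key is the
    canonical JSON of each element rather than the element itself.
    """
    if isinstance(unsorted_rule, dict):
        return {k: order_lists_in_rule(v) for k, v in unsorted_rule.items()}
    if isinstance(unsorted_rule, list):
        items = [order_lists_in_rule(v) for v in unsorted_rule]
        return sorted(items, key=lambda v: json.dumps(v, sort_keys=True))
    return unsorted_rule


class FirewallRules(object):
    """A collection of validated firewall rules keyed by name."""

    def __init__(self, project, rules=None, add_rule_callback=None):
        self.project = project
        self.rules = {}
        self.add_rule_callback = add_rule_callback
        if rules:
            self.add_rules(rules)

    def _check_rule_before_adding(self, rule):
        """Raise on a malformed or duplicate rule; False if the callback vetoes it."""
        unknown = set(rule) - ALLOWED_RULE_ITEMS
        if unknown:
            raise InvalidFirewallRuleError("unknown fields: %s" % sorted(unknown))
        missing = REQUIRED_RULE_ITEMS - set(rule)
        if missing:
            raise InvalidFirewallRuleError("missing fields: %s" % sorted(missing))
        if ("allowed" in rule) == ("denied" in rule):
            raise InvalidFirewallRuleError("exactly one of allowed/denied is required")
        if rule["direction"] not in ("INGRESS", "EGRESS"):
            raise InvalidFirewallRuleError("bad direction %r" % rule["direction"])
        if not 0 <= rule["priority"] <= 65535:
            raise InvalidFirewallRuleError("priority out of range")
        if rule["name"] in self.rules:
            raise DuplicateFirewallRuleNameError(rule["name"])
        if self.add_rule_callback is not None and not self.add_rule_callback(rule):
            return False
        return True

    def add_rule(self, rule, network_name=None):
        """Fill defaults, normalise list order, validate, then store by name."""
        rule = copy.deepcopy(rule)
        if network_name is not None:  # assumption: network_name overrides rule["network"]
            rule["network"] = network_name
        rule.setdefault("direction", DEFAULT_DIRECTION)
        rule.setdefault("disabled", DEFAULT_DISABLED)
        rule.setdefault("logConfig", copy.deepcopy(DEFAULT_LOGCONFIG))
        rule.setdefault("priority", DEFAULT_PRIORITY)
        rule = order_lists_in_rule(rule)
        if self._check_rule_before_adding(rule):
            self.rules[rule["name"]] = rule

    def add_rules(self, rules, network_name=None):
        for rule in rules:
            self.add_rule(rule, network_name)

    def add_rules_from_json(self, json_rules):
        """Accept a JSON array of rules or the legacy {'items': [...]} wrapper."""
        loaded = json.loads(json_rules)
        if isinstance(loaded, dict) and "items" in loaded:
            loaded = loaded["items"]
        if not isinstance(loaded, list):
            raise InvalidFirewallRuleError("expected a JSON array of firewall rules")
        self.add_rules(loaded)

    def as_json(self):
        return json.dumps(sorted(self.rules.values(), key=lambda r: r["name"]), sort_keys=True)

    def __eq__(self, other):
        return isinstance(other, FirewallRules) and self.rules == other.rules

    def __ne__(self, other):
        return not self.__eq__(other)
```

Because every rule is normalised before it is stored, a rule set read back from the API and one loaded from a policy file compare equal when they express the same policy, even if the API returns source ranges or ports in a different order; an enforcer that skipped this step would see spurious updates on every run.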
InvalidFirewallRuleError
Bases: google.cloud.forseti.enforcer.gce_firewall_enforcer.Error
Raised if a firewall rule doesn't look like a firewall rule should.

NetworkImpactValidationError
Bases: google.cloud.forseti.enforcer.gce_firewall_enforcer.FirewallEnforcementFailedError
Raised if a firewall rule is to be applied to a disallowed network.

_is_successful(operation)
Checks whether the operation finished with no errors.
If the operation response contains an 'error' key, the error codes it lists are checked. Any error code that is not in the ignored set causes this to return False.
Parameters: operation (dict) – A Compute GlobalOperations response object from an API call.
Return type: bool
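The check that _is_successful describes, applied to constructed Compute Operation responses, as an added example that is not Forseti's code. A Compute Operation reports failures under operation["error"]["errors"] as a list of entries with code, message and location; which codes count as benign is Forseti's decision and is not stated on this page, so the IGNORED_ERROR_CODES set below (treating a delete of an already-absent rule as success) is an assumption, as is the failed_operations helper.

```python
"""Added example, not Forseti code: judge Compute Operation responses, treating
an assumed set of error codes as benign."""

# Assumed benign codes: deleting a rule that is already gone leaves the
# project in the desired state, so it should not fail the enforcement run.
IGNORED_ERROR_CODES = frozenset(["RESOURCE_NOT_FOUND"])


def is_successful(operation, ignored_codes=IGNORED_ERROR_CODES):
    """Return True unless the operation carries an error code that is not ignored.

    One disallowed code among the listed errors is enough to fail the whole
    operation; an 'error' key with an empty error list is treated as success.
    """
    error = operation.get("error")
    if not error:
        return True
    for entry in error.get("errors", []):
        if entry.get("code") not in ignored_codes:
            return False
    return True


def failed_operations(operations, ignored_codes=IGNORED_ERROR_CODES):
    """Names of the target firewall rules whose operations failed, for an error report."""
    return [op.get("targetLink", "").rsplit("/", 1)[-1]
            for op in operations if not is_successful(op, ignored_codes)]


# Constructed sample responses in the shape returned by globalOperations.get().
_TARGET = "https://www.googleapis.com/compute/v1/projects/my-proj/global/firewalls/"
SAMPLE_OPERATIONS = [
    {"name": "operation-1", "status": "DONE", "operationType": "insert",
     "targetLink": _TARGET + "allow-https"},
    {"name": "operation-2", "status": "DONE", "operationType": "delete",
     "targetLink": _TARGET + "allow-rdp",
     "error": {"errors": [{"code": "RESOURCE_NOT_FOUND",
                           "message": "The resource 'allow-rdp' was not found"}]}},
    {"name": "operation-3", "status": "DONE", "operationType": "insert",
     "targetLink": _TARGET + "allow-web",
     "error": {"errors": [{"code": "QUOTA_EXCEEDED",
                           "message": "Quota 'FIREWALLS' exceeded."}]}},
]

if __name__ == "__main__":
    print(failed_operations(SAMPLE_OPERATIONS))
```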
build_network_url(project, network)
Render the network URL from project and network names.
Parameters: project, network
Returns: The fully qualified network URL for the given project/network.
Return type: str

filter_rules_by_network(rules, network)
Returns the subset of rules that apply to the specified network(s).
Parameters: rules, network
Returns: A list of rules that apply to the filtered networks.
Return type: list

get_network_name_from_url(network_url)
Given a network URL, return the name of the network.
Parameters: network_url (str) – The fully qualified network URL, such as '<root>/compute/v1/projects/my-proj/global/networks/my-network'.
Returns: The network name, my-network in the previous example.
Return type: str
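The three module-level helpers above, written out as an added example that is not Forseti's code, so that the URL round trip and the per-network filtering can be checked against constructed rules. The API root constant, the acceptance of partial URLs and bare names in get_network_name_from_url, and the handling of network as either a single name or a list of names are assumptions made for the illustration.

```python
"""Added example, not Forseti code: network URL helpers and per-network rule filtering."""

# Assumed API root; Forseti derives this from its compute client.
COMPUTE_ROOT = "https://www.googleapis.com/compute/v1"


def build_network_url(project, network):
    """Render the fully qualified network URL from project and network names."""
    return "%s/projects/%s/global/networks/%s" % (COMPUTE_ROOT, project, network)


def get_network_name_from_url(network_url):
    """Return the last path component of a network reference.

    Works for full URLs, partial URLs such as
    'projects/my-proj/global/networks/my-network', and bare network names.
    """
    return network_url.rstrip("/").rsplit("/", 1)[-1]


def filter_rules_by_network(rules, network):
    """Subset of rules whose network matches; network is a name or a list of names.

    None means 'no network specified' and returns every rule. An empty list is
    deliberately not treated as 'all', so a caller that computed an empty
    filter does not accidentally act on every network in the project.
    """
    if network is None:
        return list(rules)
    wanted = {network} if isinstance(network, str) else set(network)
    return [r for r in rules if get_network_name_from_url(r["network"]) in wanted]


# Constructed sample rules: the API returns full network URLs, while policy
# files often carry partial URLs or bare names; both must match.
SAMPLE_RULES = [
    {"name": "allow-ssh", "network": build_network_url("my-proj", "default")},
    {"name": "allow-https", "network": "projects/my-proj/global/networks/prod"},
    {"name": "allow-internal", "network": build_network_url("my-proj", "prod")},
    {"name": "deny-all", "network": "default"},
]


def rule_names(rules):
    return [r["name"] for r in rules]


if __name__ == "__main__":
    print(rule_names(filter_rules_by_network(SAMPLE_RULES, "default")))
    print(rule_names(filter_rules_by_network(SAMPLE_RULES, ["prod"])))
```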