A Firewall.
See: https://cloud.google.com/compute/docs/reference/latest/firewalls
FirewallAction(firewall_rules=None, firewall_rule_action='allowed')
Bases: object
An association of allowed or denied ports and protocols.

MATCH_ANY = '*'
VALID_ACTIONS = frozenset({'allowed', 'denied'})

__eq__(other)
Equals.
Parameters: other (FirewallAction) – The FirewallAction to compare to.
Returns: Whether this action is exactly the same as the other FirewallAction.
Return type: bool

__gt__(other)
Greater than.
Parameters: other (FirewallAction) – The FirewallAction to compare to.
Returns: Whether this action is a superset of the other action.
Return type: bool

__lt__(other)
Less than.
Parameters: other (FirewallAction) – The FirewallAction to compare to.
Returns: Whether this action is a subset of the other action.
Return type: bool

__str__()
String representation.
Returns: A string representation of FirewallAction.
Return type: str

any_value
Returns whether this rule matches any value.
Returns: Whether this rule matches any value.
Return type: bool

applies_to_all
Returns whether this action applies to all ports and protocols.
Returns: Whether this action applies to all ports and protocols.
Return type: bool

expanded_rules
Returns an expanded set of ports.
Returns: A dict of protocol to all port numbers.
Return type: dict

is_equivalent(other)
Returns whether this action and another are functionally equivalent.
Parameters: other (FirewallAction) – Another FirewallAction.
Returns: Whether these two FirewallActions are functionally equivalent.
Return type: bool

json_dict()
Gets the JSON key and values for the firewall action.
Returns: A tuple of the key (‘allowed’ or ‘denied’) and the firewall rules.
Return type: tuple
Raises: InvalidFirewallActionError – If a rule is not formatted for the API.

ports_are_equal(ports_1, ports_2)
Returns whether two port lists are the same.
Parameters: ports_1 (list), ports_2 (list) – The port lists to compare.
Returns: Whether ports_1 has the same ports as ports_2.
Return type: bool

ports_are_subset(ports_1, ports_2)
Returns whether one port list is a subset of another.
Parameters: ports_1 (list), ports_2 (list) – The port lists to compare.
Returns: Whether ports_1 is a subset of ports_2.
Return type: bool

validate()
Validates that the firewall rules are valid for use in the API.
Raises: InvalidFirewallActionError – If a rule is not formatted for the API.
FirewallRule(validate=False, **kwargs)
Bases: object
Represents a Firewall resource.

__eq__(other)
Test whether this policy is the same as the other policy.
Parameters: other (FirewallRule) – object to compare to
Returns: comparison result
Return type: bool

__gt__(other)
Test whether this policy contains the other policy.
Checks if this rule is a superset of the allowed/denied ports and protocols that are in the other rule.
Parameters: other (FirewallRule) – object to compare to
Returns: comparison result
Return type: bool

__lt__(other)
Test whether this policy is contained in another policy.
Checks if this rule is a subset of the allowed/denied ports and protocols that are in the other rule.
Parameters: other (FirewallRule) – object to compare to
Returns: comparison result
Return type: bool

__str__()
String representation.
Returns: A string representation of FirewallRule.
Return type: str

_transform(firewall_dict, project_id=None, validate=None)
Transforms a firewall dictionary into a FirewallRule.
Parameters: firewall_dict, project_id, validate
Returns: A FirewallRule created from the input dictionary.
Return type: FirewallRule

_validate_direction()
Checks that the direction and associated fields are valid.

_validate_keys()
Checks required keys and value restrictions.
Required fields: name and network
Length restrictions:
- name <= 63 characters
- <= 256 values: sourceRanges, sourceTags, targetTags, destinationRanges
Raises: InvalidFirewallRuleError – If keys don’t meet requirements.

_validate_priority()
Checks that the priority of the rule is a valid value.
Raises: InvalidFirewallRuleError – If the priority can’t be converted to an int or if it is outside the allowed range.

as_json()
Returns a valid JSON representation of this firewall rule.
This rule must be valid to return the representation.
Returns: A string JSON dump of the firewall rule.
Return type: str

destination_ranges
The sorted destination ranges for this policy.
Returns: Sorted destination IP ranges.
Return type: list

firewall_action
The protocols and ports allowed or denied by this policy.
https://cloud.google.com/compute/docs/reference/beta/firewalls
Return type: FirewallAction
Raises: ValueError – If there are both allow and deny actions for a rule.

from_dict(firewall_dict, project_id=None, validate=False)
Creates an unvalidated FirewallRule from a dictionary.
Parameters: firewall_dict, project_id, validate
Returns: A FirewallRule created from the dictionary.
Return type: FirewallRule

from_json(json_string, project_id=None)
Creates a validated FirewallRule from valid firewall JSON.
Parameters: json_string, project_id
Returns: A validated FirewallRule from the JSON string.
Return type: FirewallRule

is_equivalent(other)
Test whether this policy is equivalent to the other policy.
Parameters: other (FirewallRule) – object to compare to
Returns: comparison result
Return type: bool

priority
The effective priority of the firewall rule.
Per https://cloud.google.com/compute/docs/reference/latest/firewalls the default priority is 1000.
Returns: Rule priority (lower is more important)
Return type: int

source_ranges
The sorted source ranges for this policy.
Returns: Sorted source IP ranges.
Return type: list

source_service_accounts
The sorted source tags for this policy.
Returns: Sorted source tags.
Return type: list

source_tags
The sorted source tags for this policy.
Returns: Sorted source tags.
Return type: list

target_service_accounts
The sorted target tags for this policy.
Returns: Sorted target tags.
Return type: list

target_tags
The sorted target tags for this policy.
Returns: Sorted target tags.
Return type: list

validate()
Validates that a rule is valid.
Validation is based on the references https://cloud.google.com/compute/docs/reference/beta/firewalls and https://cloud.google.com/compute/docs/vpc/firewalls#gcp_firewall_rule_summary_table
Returns: Whether the rule is valid.
Return type: bool
Raises: InvalidFirewallRuleError – One or more rules failed validation.
InvalidFirewallActionError
Bases: google.cloud.forseti.common.gcp_type.firewall_rule.Error
Raised if a firewall action doesn’t look like a firewall rule should.

InvalidFirewallRuleError
Bases: google.cloud.forseti.common.gcp_type.firewall_rule.Error
Raised if a firewall rule doesn’t look like a firewall rule should.
expand_port_range(port_range)
Expands a port range.
From https://cloud.google.com/compute/docs/reference/beta/firewalls, ports can be of the form “<number>-<number>”.
Parameters: port_range (string) – A string of format “<number_1>-<number_2>”.
Returns: A list of string integers from number_1 to number_2.
Return type: list

expand_ports(ports)
Expands all ports in a list.
From https://cloud.google.com/compute/docs/reference/beta/firewalls, ports can be of the form “<number>” or “<number>-<number>”.
Parameters: ports (list) – A list of strings of format “<number>” or “<number_1>-<number_2>”.
Returns: A list of all port number strings with the ranges expanded.
Return type: list
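The port-expansion and subset logic that expand_port_range, expand_ports, ports_are_subset and FirewallAction.__gt__ describe, as an added example that is not Forseti's own code. rules_by_protocol and action_is_superset are hypothetical helper names, ValueError stands in for InvalidFirewallActionError, and an empty port list is assumed to mean all ports of that protocol, as in the Compute Engine API.

```python
from typing import Dict, List

MATCH_ANY = '*'  # the page's wildcard constant, read here as "any protocol"

def validate_port(port: str) -> int:
    """Integer port number; ValueError if not numeric or outside 0-65535."""
    value = int(port)
    if not 0 <= value <= 65535:
        raise ValueError('port out of range: %r' % port)
    return value

def expand_port_range(port_range: str) -> List[str]:
    """Expand '<n1>-<n2>' into every port string from n1 to n2 inclusive."""
    low, high = (validate_port(p) for p in port_range.split('-', 1))
    if low > high:
        raise ValueError('inverted port range: %r' % port_range)
    return [str(p) for p in range(low, high + 1)]

def expand_ports(ports: List[str]) -> List[str]:
    """Expand a list mixing '<n>' and '<n1>-<n2>' entries into single ports."""
    expanded = []
    for port in ports:
        expanded.extend(expand_port_range(port) if '-' in port
                        else [str(validate_port(port))])
    return expanded

def ports_are_subset(ports_1: List[str], ports_2: List[str]) -> bool:
    """True if every port of ports_1 is in ports_2, ranges expanded. Assumes an
    empty port list means all ports of the protocol, as in the Compute API."""
    if not ports_2:
        return True
    if not ports_1:
        return False
    return set(expand_ports(ports_1)) <= set(expand_ports(ports_2))

def rules_by_protocol(rules: List[Dict]) -> Dict[str, List[str]]:
    """Hypothetical helper: API-style {'IPProtocol', 'ports'} dicts by protocol."""
    return {rule['IPProtocol']: rule.get('ports', []) for rule in rules}

def action_is_superset(rules_1: List[Dict], rules_2: List[Dict]) -> bool:
    """Hypothetical re-statement of FirewallAction.__gt__: True if rules_1 covers
    every protocol/port of rules_2, under the same protocol or a MATCH_ANY entry."""
    by_proto = rules_by_protocol(rules_1)
    for proto, ports in rules_by_protocol(rules_2).items():
        covering = [by_proto[p] for p in (proto, MATCH_ANY) if p in by_proto]
        if not any(ports_are_subset(ports, c) for c in covering):
            return False
    return True
```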
ip_in_range(ip_addr, ip_range)
Checks whether the IP or IP range is in another IP range.
Examples:
ip_in_range(1.1.1.1, 0.0.0.0/0) = True
ip_in_range(1.1.1.1/24, 0.0.0.0/0) = True
ip_in_range(0.0.0.0/0, 1.1.1.1) = False
Parameters: ip_addr, ip_range
Returns: Whether the IP / IP range is in the other IP range.
Return type: bool

ips_in_list(ips, ips_list)
Checks whether the IPs and ranges are all in a list.
Examples:
ips_in_list([1.1.1.1], [0.0.0.0/0]) = True
ips_in_list([1.1.1.1/24], [0.0.0.0/0]) = True
ips_in_list([1.1.1.1, 1.1.1.2], [0.0.0.0/0]) = True
ips_in_list([1.1.1.1, 2.2.2.2], [1.1.1.0/24, 2.2.2.0/24]) = True
ips_in_list([0.0.0.0/0], [1.1.1.1]) = False
Parameters: ips, ips_list
Returns: Whether the IPs are all in the given ips_list.
Return type: bool
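The ip_in_range and ips_in_list checks above, re-implemented on the standard ipaddress module as an added example that is not Forseti's own code. to_network and uncovered_ranges are hypothetical helper names; the page's 1.1.1.1/24 spelling (host bits set) is accepted with strict=False, and a mismatch of IP versions is handled explicitly.

```python
import ipaddress
from typing import List

def to_network(value: str):
    """Hypothetical helper: parse '1.1.1.1' or '1.1.1.0/24' into a network.
    strict=False keeps the page's '1.1.1.1/24' spelling valid (it denotes
    1.1.1.0/24); a bare address becomes a /32 (IPv4) or /128 (IPv6)."""
    return ipaddress.ip_network(value, strict=False)

def ip_in_range(ip_addr: str, ip_range: str) -> bool:
    """True if ip_addr (an address or CIDR range) lies entirely inside ip_range.
    Ranges of different IP versions never contain each other."""
    inner, outer = to_network(ip_addr), to_network(ip_range)
    if inner.version != outer.version:
        return False
    return inner.subnet_of(outer)

def uncovered_ranges(ips: List[str], ips_list: List[str]) -> List[str]:
    """Hypothetical helper: the entries of ips that no range in ips_list
    contains, e.g. a rule's sourceRanges that fall outside an approved
    allowlist. Order of ips is preserved."""
    return [ip for ip in ips
            if not any(ip_in_range(ip, rng) for rng in ips_list)]

def ips_in_list(ips: List[str], ips_list: List[str]) -> bool:
    """True if every address/range in ips is inside some range of ips_list."""
    return not uncovered_ranges(ips, ips_list)
```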
sort_rules(rules)
Sorts firewall rules by protocol and sorts ports.
Parameters: rules (list) – A list of firewall rule dictionaries.
Returns: A list of sorted firewall rules.
Return type: list

validate_port(port)
Validates that a string is a valid port number.
Parameters: port (str) – A port number string.
Returns: The integer port number.
Return type: int
Raises: InvalidFirewallActionError – If the port string isn’t a valid port.

validate_port_range(port_range)
Validates that a string is a valid port range.
Parameters: port_range (str) – A port range string.
Raises: InvalidFirewallActionError – If the port range isn’t a valid range.