# -*- coding: utf-8 -*- #
|
|
# Copyright 2020 Google Inc. All Rights Reserved.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
"""Command for updating security policies."""
|
|
|
|
from __future__ import absolute_import
|
|
from __future__ import division
|
|
from __future__ import unicode_literals
|
|
|
|
from googlecloudsdk.api_lib.compute import base_classes
|
|
from googlecloudsdk.api_lib.compute.security_policies import client
|
|
from googlecloudsdk.calliope import base
|
|
from googlecloudsdk.calliope import exceptions
|
|
from googlecloudsdk.command_lib.compute import scope as compute_scope
|
|
from googlecloudsdk.command_lib.compute.security_policies import flags
|
|
from googlecloudsdk.command_lib.compute.security_policies import security_policies_utils
|
|
|
|
|
|
@base.ReleaseTracks(base.ReleaseTrack.GA)
@base.DefaultUniverseOnly
class UpdateGa(base.UpdateCommand):
  """Update a Compute Engine security policy.

  *{command}* is used to update security policies.

  ## EXAMPLES

  To update the description run this:

    $ {command} SECURITY_POLICY --description='new description'
  """

  SECURITY_POLICY_ARG = None

  # (argument dest, flag spelling) for every property the GA track can update.
  # The dests drive the "is there anything to do?" check; the flag spellings
  # are what the resulting error lists for the user.
  _UPDATABLE = (
      ('description', '--description'),
      ('enable_layer7_ddos_defense', '--enable-layer7-ddos-defense'),
      ('layer7_ddos_defense_rule_visibility',
       '--layer7-ddos-defense-rule-visibility'),
      ('json_parsing', '--json-parsing'),
      ('json_custom_content_types', '--json-custom-content-types'),
      ('log_level', '--log-level'),
      ('recaptcha_redirect_site_key', '--recaptcha-redirect-site-key'),
      ('network_ddos_protection', '--network-ddos-protection'),
      ('user_ip_request_headers', '--user-ip-request-headers'),
  )

  # Dests that feed the adaptive-protection sub-message.
  _ADAPTIVE_PROTECTION_DESTS = (
      'enable_layer7_ddos_defense',
      'layer7_ddos_defense_rule_visibility',
  )
  # Dests that feed the advanced-options sub-message.
  _ADVANCED_OPTIONS_DESTS = (
      'json_parsing',
      'json_custom_content_types',
      'log_level',
      'user_ip_request_headers',
  )

  @classmethod
  def Args(cls, parser):
    """Registers the policy resource argument and the GA update flags.

    Args:
      parser: The argparse parser the command's flags are added to.
    """
    cls.SECURITY_POLICY_ARG = flags.SecurityPolicyMultiScopeArgument()
    cls.SECURITY_POLICY_ARG.AddArgument(parser, operation_type='update')
    parser.add_argument(
        '--description',
        help='An optional, textual description for the security policy.')

    flags.AddCloudArmorAdaptiveProtection(parser)
    # No enable_large_body_size here: the GA track does not register the
    # request-body-inspection-size flag.
    flags.AddAdvancedOptions(parser)
    flags.AddRecaptchaOptions(parser)
    flags.AddDdosProtectionConfigWithAdvancedPreview(parser)

  def _ValidateArgs(self, args):
    """Rejects an invocation that names no property to update.

    Args:
      args: The parsed arguments of the update command.

    Raises:
      exceptions.MinimumArgumentException: none of the updatable flags was
        given on the command line.
    """
    if any(args.IsSpecified(dest) for dest, _ in self._UPDATABLE):
      return
    raise exceptions.MinimumArgumentException(
        [flag for _, flag in self._UPDATABLE],
        'Please specify at least one property to update')

  def Run(self, args):
    """Reads the policy, overlays the requested changes and patches it.

    This is a read-modify-write: every field the user did not mention is
    sent back exactly as Describe returned it.

    Args:
      args: The parsed arguments of the update command.

    Returns:
      Whatever client.SecurityPolicy.Patch returns for the request.
    """
    self._ValidateArgs(args)

    holder = base_classes.ComputeApiHolder(self.ReleaseTrack())
    # A bare policy name resolves as a global policy unless a scope flag on
    # the resource argument selects a region.
    ref = self.SECURITY_POLICY_ARG.ResolveAsResource(
        args, holder.resources, default_scope=compute_scope.ScopeEnum.GLOBAL)
    policy_client = client.SecurityPolicy(
        ref=ref, compute_client=holder.client)

    current = policy_client.Describe()[0]
    description = current.description
    adaptive_protection_config = current.adaptiveProtectionConfig
    advanced_options_config = current.advancedOptionsConfig
    recaptcha_options_config = current.recaptchaOptionsConfig
    ddos_protection_config = current.ddosProtectionConfig
    field_mask = []

    if args.description is not None:
      description = args.description
    if any(args.IsSpecified(d) for d in self._ADAPTIVE_PROTECTION_DESTS):
      adaptive_protection_config = (
          security_policies_utils.CreateAdaptiveProtectionConfig(
              holder.client, args, adaptive_protection_config))
    if any(args.IsSpecified(d) for d in self._ADVANCED_OPTIONS_DESTS):
      # enable_large_body_size=False mirrors Args(), which registers the
      # advanced options without the large-body flag on this track.
      advanced_options_config = (
          security_policies_utils.CreateAdvancedOptionsConfig(
              holder.client,
              args,
              advanced_options_config,
              enable_large_body_size=False,
          )
      )
    if args.IsSpecified('recaptcha_redirect_site_key'):
      recaptcha_options_config = (
          security_policies_utils.CreateRecaptchaOptionsConfig(
              holder.client, args, recaptcha_options_config))
    if args.IsSpecified('network_ddos_protection'):
      ddos_protection_config = (
          security_policies_utils.CreateDdosProtectionConfig(
              holder.client, args, ddos_protection_config))
      # Only this sub-message is ever named in the field mask; every other
      # field travels in the message body alone.
      field_mask.append('ddos_protection_config')

    # The fingerprint that came back with Describe is echoed verbatim so the
    # API can tell that the policy changed between the read and this patch
    # (optimistic concurrency); the exact rejection behaviour is server-side.
    updated = holder.client.messages.SecurityPolicy(
        description=description,
        adaptiveProtectionConfig=adaptive_protection_config,
        advancedOptionsConfig=advanced_options_config,
        recaptchaOptionsConfig=recaptcha_options_config,
        ddosProtectionConfig=ddos_protection_config,
        fingerprint=current.fingerprint)

    return policy_client.Patch(
        security_policy=updated,
        field_mask=','.join(field_mask))
|
|
|
|
|
|
@base.ReleaseTracks(base.ReleaseTrack.BETA)
@base.DefaultUniverseOnly
class UpdateBeta(UpdateGa):
  """Update a Compute Engine security policy.

  *{command}* is used to update security policies.

  ## EXAMPLES

  To update the description run this:

    $ {command} SECURITY_POLICY --description='new description'
  """

  SECURITY_POLICY_ARG = None

  # (argument dest, flag spelling) for every property the beta track can
  # update, in the order the "nothing to update" error reports them.
  _UPDATABLE = (
      ('description', '--description'),
      ('enable_layer7_ddos_defense', '--enable-layer7-ddos-defense'),
      ('layer7_ddos_defense_rule_visibility',
       '--layer7-ddos-defense-rule-visibility'),
      ('json_parsing', '--json-parsing'),
      ('json_custom_content_types', '--json-custom-content-types'),
      ('log_level', '--log-level'),
      ('user_ip_request_headers', '--user-ip-request-headers'),
      ('request_body_inspection_size', '--request-body-inspection-size'),
      ('recaptcha_redirect_site_key', '--recaptcha-redirect-site-key'),
      ('network_ddos_protection', '--network-ddos-protection'),
      ('layer7_ddos_defense_auto_deploy_load_threshold',
       '--layer7-ddos-defense-auto-deploy-load-threshold'),
      ('layer7_ddos_defense_auto_deploy_confidence_threshold',
       '--layer7-ddos-defense-auto-deploy-confidence-threshold'),
      ('layer7_ddos_defense_auto_deploy_impacted_baseline_threshold',
       '--layer7-ddos-defense-auto-deploy-impacted-baseline-threshold'),
      ('layer7_ddos_defense_auto_deploy_expiration_sec',
       '--layer7-ddos-defense-auto-deploy-expiration-sec'),
  )

  # Dests that feed the adaptive-protection sub-message (including the
  # auto-deploy thresholds this track adds on top of GA).
  _ADAPTIVE_PROTECTION_DESTS = (
      'enable_layer7_ddos_defense',
      'layer7_ddos_defense_rule_visibility',
      'layer7_ddos_defense_auto_deploy_load_threshold',
      'layer7_ddos_defense_auto_deploy_confidence_threshold',
      'layer7_ddos_defense_auto_deploy_impacted_baseline_threshold',
      'layer7_ddos_defense_auto_deploy_expiration_sec',
  )
  # Dests that feed the advanced-options sub-message.
  _ADVANCED_OPTIONS_DESTS = (
      'json_parsing',
      'json_custom_content_types',
      'log_level',
      'request_body_inspection_size',
      'user_ip_request_headers',
  )

  @classmethod
  def Args(cls, parser):
    """Registers the policy resource argument and the beta update flags.

    Args:
      parser: The argparse parser the command's flags are added to.
    """
    cls.SECURITY_POLICY_ARG = flags.SecurityPolicyMultiScopeArgument()
    cls.SECURITY_POLICY_ARG.AddArgument(parser, operation_type='update')
    parser.add_argument(
        '--description',
        help='An optional, textual description for the security policy.')

    flags.AddCloudArmorAdaptiveProtection(parser)
    flags.AddCloudArmorAdaptiveProtectionAutoDeploy(parser)
    # enable_large_body_size=True registers the request-body-inspection-size
    # flag that GA lacks.
    flags.AddAdvancedOptions(parser, enable_large_body_size=True)
    flags.AddRecaptchaOptions(parser)
    flags.AddDdosProtectionConfigWithAdvancedPreview(parser)

  def _ValidateArgs(self, args):
    """Rejects an invocation that names no property to update.

    Args:
      args: The parsed arguments of the update command.

    Raises:
      exceptions.MinimumArgumentException: none of the updatable flags was
        given on the command line.
    """
    if any(args.IsSpecified(dest) for dest, _ in self._UPDATABLE):
      return
    raise exceptions.MinimumArgumentException(
        [flag for _, flag in self._UPDATABLE],
        'Please specify at least one property to update')

  def Run(self, args):
    """Reads the policy, overlays the requested changes and patches it.

    This is a read-modify-write: every field the user did not mention is
    sent back exactly as Describe returned it.

    Args:
      args: The parsed arguments of the update command.

    Returns:
      Whatever client.SecurityPolicy.Patch returns for the request.
    """
    self._ValidateArgs(args)

    holder = base_classes.ComputeApiHolder(self.ReleaseTrack())
    # A bare policy name resolves as a global policy unless a scope flag on
    # the resource argument selects a region.
    ref = self.SECURITY_POLICY_ARG.ResolveAsResource(
        args, holder.resources, default_scope=compute_scope.ScopeEnum.GLOBAL)
    policy_client = client.SecurityPolicy(
        ref=ref, compute_client=holder.client)

    current = policy_client.Describe()[0]
    description = current.description
    adaptive_protection_config = current.adaptiveProtectionConfig
    advanced_options_config = current.advancedOptionsConfig
    recaptcha_options_config = current.recaptchaOptionsConfig
    ddos_protection_config = current.ddosProtectionConfig
    field_mask = []

    if args.description is not None:
      description = args.description
    if any(args.IsSpecified(d) for d in self._ADAPTIVE_PROTECTION_DESTS):
      adaptive_protection_config = (
          security_policies_utils
          .CreateAdaptiveProtectionConfigWithAutoDeployConfig(
              holder.client, args, adaptive_protection_config))
    if any(args.IsSpecified(d) for d in self._ADVANCED_OPTIONS_DESTS):
      advanced_options_config = (
          security_policies_utils.CreateAdvancedOptionsConfig(
              holder.client,
              args,
              advanced_options_config,
              enable_large_body_size=True,
          )
      )
    if args.IsSpecified('recaptcha_redirect_site_key'):
      recaptcha_options_config = (
          security_policies_utils.CreateRecaptchaOptionsConfig(
              holder.client, args, recaptcha_options_config))
    if args.IsSpecified('network_ddos_protection'):
      ddos_protection_config = (
          security_policies_utils.CreateDdosProtectionConfig(
              holder.client, args, ddos_protection_config))
      # Only this sub-message is ever named in the field mask; every other
      # field travels in the message body alone.
      field_mask.append('ddos_protection_config')

    # The fingerprint that came back with Describe is echoed verbatim so the
    # API can tell that the policy changed between the read and this patch
    # (optimistic concurrency); the exact rejection behaviour is server-side.
    updated = holder.client.messages.SecurityPolicy(
        description=description,
        adaptiveProtectionConfig=adaptive_protection_config,
        advancedOptionsConfig=advanced_options_config,
        recaptchaOptionsConfig=recaptcha_options_config,
        ddosProtectionConfig=ddos_protection_config,
        fingerprint=current.fingerprint)

    return policy_client.Patch(
        security_policy=updated,
        field_mask=','.join(field_mask))
|
|
|
|
|
|
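@base.ReleaseTracks(base.ReleaseTrack.ALPHA)
@base.DefaultUniverseOnly
class UpdateAlpha(UpdateBeta):
  """Update a Compute Engine security policy.

  *{command}* is used to update security policies.

  ## EXAMPLES

  To update the description run this:

    $ {command} SECURITY_POLICY --description='new description'
  """

  SECURITY_POLICY_ARG = None

  # (argument dest, flag spelling) for every property the alpha track can
  # update, in the order the "nothing to update" error reports them.
  #
  # This table must cover every flag Run() honors. The four
  # --layer7-ddos-defense-auto-deploy-* flags are registered by Args() and
  # applied by Run() but were previously missing here, so giving one of them
  # on its own was rejected with "specify at least one property" even though
  # the beta track accepts exactly that invocation.
  _UPDATABLE = (
      ('description', '--description'),
      ('enable_ml', '--enable-ml'),
      ('enable_layer7_ddos_defense', '--enable-layer7-ddos-defense'),
      ('layer7_ddos_defense_rule_visibility',
       '--layer7-ddos-defense-rule-visibility'),
      ('json_parsing', '--json-parsing'),
      ('json_custom_content_types', '--json-custom-content-types'),
      ('log_level', '--log-level'),
      ('request_body_inspection_size', '--request-body-inspection-size'),
      ('user_ip_request_headers', '--user-ip-request-headers'),
      ('recaptcha_redirect_site_key', '--recaptcha-redirect-site-key'),
      ('network_ddos_protection', '--network-ddos-protection'),
      ('network_ddos_adaptive_protection',
       '--network-ddos-adaptive-protection'),
      ('network_ddos_impacted_baseline_threshold',
       '--network-ddos-impacted-baseline-threshold'),
      ('clear_network_ddos_impacted_baseline_threshold',
       '--clear-network-ddos-impacted-baseline-threshold'),
      ('ddos_protection', '--ddos-protection'),
      ('layer7_ddos_defense_auto_deploy_load_threshold',
       '--layer7-ddos-defense-auto-deploy-load-threshold'),
      ('layer7_ddos_defense_auto_deploy_confidence_threshold',
       '--layer7-ddos-defense-auto-deploy-confidence-threshold'),
      ('layer7_ddos_defense_auto_deploy_impacted_baseline_threshold',
       '--layer7-ddos-defense-auto-deploy-impacted-baseline-threshold'),
      ('layer7_ddos_defense_auto_deploy_expiration_sec',
       '--layer7-ddos-defense-auto-deploy-expiration-sec'),
  )

  # Dests that feed the adaptive-protection sub-message.
  _ADAPTIVE_PROTECTION_DESTS = (
      'enable_layer7_ddos_defense',
      'layer7_ddos_defense_rule_visibility',
      'layer7_ddos_defense_auto_deploy_load_threshold',
      'layer7_ddos_defense_auto_deploy_confidence_threshold',
      'layer7_ddos_defense_auto_deploy_impacted_baseline_threshold',
      'layer7_ddos_defense_auto_deploy_expiration_sec',
  )
  # Dests that feed the advanced-options sub-message.
  _ADVANCED_OPTIONS_DESTS = (
      'json_parsing',
      'json_custom_content_types',
      'log_level',
      'request_body_inspection_size',
      'user_ip_request_headers',
  )

  _DDOS_MASK = 'ddos_protection_config'
  _DDOS_BASELINE_MASK = (
      'ddos_protection_config.ddos_impacted_baseline_threshold')

  @classmethod
  def Args(cls, parser):
    """Registers the policy resource argument and the alpha update flags.

    Args:
      parser: The argparse parser the command's flags are added to.
    """
    cls.SECURITY_POLICY_ARG = flags.SecurityPolicyMultiScopeArgument()
    cls.SECURITY_POLICY_ARG.AddArgument(parser, operation_type='update')
    parser.add_argument(
        '--description',
        help='An optional, textual description for the security policy.')

    flags.AddCloudArmorAdaptiveProtection(parser)
    flags.AddCloudArmorAdaptiveProtectionAutoDeploy(parser)
    flags.AddAdvancedOptions(parser, enable_large_body_size=True)
    flags.AddRecaptchaOptions(parser)
    flags.AddDdosProtectionConfigWithAdvancedPreview(parser)
    flags.AddDdosProtectionConfigOld(parser)
    flags.AddNetworkDdosAdaptiveProtection(parser)
    flags.AddNetworkDdosImpactedBaselineThreshold(parser)

    # store_true with default=None lets Run() tell "not given" (None) apart
    # from "given" (True). There is no --no-enable-ml counterpart here, so
    # this flag can only switch the feature on, never off.
    parser.add_argument(
        '--enable-ml',
        action='store_true',
        default=None,
        help=('Whether to enable Cloud Armor Adaptive Protection'))

  @staticmethod
  def _ExtendFieldMask(field_mask, *paths):
    """Appends each path to field_mask unless it is already listed.

    Several DDoS-related flags may be combined in one invocation and each
    wants ddos_protection_config in the mask; this keeps the mask free of
    duplicates while preserving first-seen order.

    Args:
      field_mask: The list of field-mask paths built so far; mutated in place.
      *paths: Field-mask paths to add.
    """
    for path in paths:
      if path not in field_mask:
        field_mask.append(path)

  def _ValidateArgs(self, args):
    """Rejects an invocation that names no property to update.

    Args:
      args: The parsed arguments of the update command.

    Raises:
      exceptions.MinimumArgumentException: none of the updatable flags was
        given on the command line.
    """
    if any(args.IsSpecified(dest) for dest, _ in self._UPDATABLE):
      return
    raise exceptions.MinimumArgumentException(
        [flag for _, flag in self._UPDATABLE],
        'Please specify at least one property to update')

  def Run(self, args):
    """Reads the policy, overlays the requested changes and patches it.

    This is a read-modify-write: every field the user did not mention is
    sent back exactly as Describe returned it.

    Args:
      args: The parsed arguments of the update command.

    Returns:
      Whatever client.SecurityPolicy.Patch returns for the request.
    """
    self._ValidateArgs(args)

    holder = base_classes.ComputeApiHolder(self.ReleaseTrack())
    # A bare policy name resolves as a global policy unless a scope flag on
    # the resource argument selects a region.
    ref = self.SECURITY_POLICY_ARG.ResolveAsResource(
        args, holder.resources, default_scope=compute_scope.ScopeEnum.GLOBAL)
    policy_client = client.SecurityPolicy(
        ref=ref, compute_client=holder.client)

    current = policy_client.Describe()[0]
    description = current.description
    cloud_armor_config = current.cloudArmorConfig
    adaptive_protection_config = current.adaptiveProtectionConfig
    advanced_options_config = current.advancedOptionsConfig
    recaptcha_options_config = current.recaptchaOptionsConfig
    ddos_protection_config = current.ddosProtectionConfig
    field_mask = []

    if args.description is not None:
      description = args.description
    if args.enable_ml is not None:
      # Unlike the other helpers this one is not seeded with the existing
      # config, so the whole cloudArmorConfig is rebuilt from args.
      cloud_armor_config = security_policies_utils.CreateCloudArmorConfig(
          holder.client, args)
    if any(args.IsSpecified(d) for d in self._ADAPTIVE_PROTECTION_DESTS):
      adaptive_protection_config = (
          security_policies_utils
          .CreateAdaptiveProtectionConfigWithAutoDeployConfig(
              holder.client, args, adaptive_protection_config))
    if any(args.IsSpecified(d) for d in self._ADVANCED_OPTIONS_DESTS):
      advanced_options_config = (
          security_policies_utils.CreateAdvancedOptionsConfig(
              holder.client,
              args,
              advanced_options_config,
              enable_large_body_size=True,
          )
      )
    if args.IsSpecified('recaptcha_redirect_site_key'):
      recaptcha_options_config = (
          security_policies_utils.CreateRecaptchaOptionsConfig(
              holder.client, args, recaptcha_options_config))

    # DDoS protection: each helper is handed the config built so far, so the
    # flags below can be combined and are layered in this order. Only this
    # sub-message is ever named in the field mask; every other field travels
    # in the message body alone.
    if args.IsSpecified('ddos_protection'):
      ddos_protection_config = (
          security_policies_utils.CreateDdosProtectionConfigOld(
              holder.client, args, ddos_protection_config))
      self._ExtendFieldMask(field_mask, self._DDOS_MASK)
    if args.IsSpecified('network_ddos_protection'):
      ddos_protection_config = (
          security_policies_utils.CreateDdosProtectionConfig(
              holder.client, args, ddos_protection_config))
      self._ExtendFieldMask(field_mask, self._DDOS_MASK)
    if args.IsSpecified('network_ddos_adaptive_protection'):
      ddos_protection_config = (
          security_policies_utils
          .CreateDdosProtectionConfigWithDdosAdaptiveProtection(
              holder.client, args, ddos_protection_config))
      self._ExtendFieldMask(field_mask, self._DDOS_MASK)
    if args.IsSpecified('network_ddos_impacted_baseline_threshold'):
      ddos_protection_config = (
          security_policies_utils
          .CreateDdosProtectionConfigWithNetworkDdosImpactedBaselineThreshold(
              holder.client, args, ddos_protection_config))
      self._ExtendFieldMask(
          field_mask, self._DDOS_MASK, self._DDOS_BASELINE_MASK)
    elif args.IsSpecified('clear_network_ddos_impacted_baseline_threshold'):
      # When both the threshold and its clear flag are given, the explicit
      # threshold above wins and the clear flag is silently ignored here
      # (unless the flags module already makes the pair mutually exclusive —
      # TODO confirm). The sub-field path is added to the mask so that the
      # None value actually clears the threshold server-side rather than
      # being dropped as "unset".
      if ddos_protection_config is None:
        ddos_protection_config = (
            holder.client.messages.SecurityPolicyDdosProtectionConfig())
      ddos_protection_config.ddosImpactedBaselineThreshold = None
      self._ExtendFieldMask(
          field_mask, self._DDOS_MASK, self._DDOS_BASELINE_MASK)

    # The fingerprint that came back with Describe is echoed verbatim so the
    # API can tell that the policy changed between the read and this patch
    # (optimistic concurrency); the exact rejection behaviour is server-side.
    updated = holder.client.messages.SecurityPolicy(
        description=description,
        cloudArmorConfig=cloud_armor_config,
        adaptiveProtectionConfig=adaptive_protection_config,
        advancedOptionsConfig=advanced_options_config,
        recaptchaOptionsConfig=recaptcha_options_config,
        ddosProtectionConfig=ddos_protection_config,
        fingerprint=current.fingerprint)

    return policy_client.Patch(
        security_policy=updated,
        field_mask=','.join(field_mask))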
|