dlp.proto
Package: dlp.options.gloo.solo.io
Source File: github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/options/dlp/dlp.proto
FilterConfig
Listener level config for dlp filter
"dlpRules": []dlp.options.gloo.solo.io.DlpRule
"enabledFor": .dlp.options.gloo.solo.io.FilterConfig.EnableFor
Field | Type | Description |
---|---|---|
dlpRules | []dlp.options.gloo.solo.io.DlpRule | The list of transformation, matcher pairs. The first rule which matches will be applied. |
enabledFor | .dlp.options.gloo.solo.io.FilterConfig.EnableFor | Whether responses, access logs, or both should be masked by the applied actions. If not defined, masking will only be enabled for response bodies. |
EnableFor
Name | Description |
---|---|
RESPONSE_BODY | Only enable DLP masking of response bodies. Defaults to this value. |
ACCESS_LOGS | Only enable DLP masking of access logs. |
ALL | Enable DLP masking for both responses and access logs. |
DlpRule
Rule which applies a given set of actions to a matching route. The route matching functions exactly the same as the envoy routes in the virtual host.
"matcher": .matchers.core.gloo.solo.io.Matcher
"actions": []dlp.options.gloo.solo.io.Action
Field | Type | Description |
---|---|---|
matcher | .matchers.core.gloo.solo.io.Matcher | Matcher by which to determine if the given transformation should be applied. If omitted, it will match all (i.e., default to the / prefix matcher). |
actions | []dlp.options.gloo.solo.io.Action | List of data loss prevention actions to be applied. These actions will be applied in order, one at a time. |
Config
Route/Vhost level config for dlp filter
If a config is present on the route or vhost level it will completely overwrite the listener level config.
"actions": []dlp.options.gloo.solo.io.Action
"enabledFor": .dlp.options.gloo.solo.io.Config.EnableFor
Field | Type | Description |
---|---|---|
actions | []dlp.options.gloo.solo.io.Action | List of data loss prevention actions to be applied. These actions will be applied in order, one at a time. |
enabledFor | .dlp.options.gloo.solo.io.Config.EnableFor | Whether responses, access logs, or both should be masked by the applied actions. If not defined, masking will only be enabled for response bodies. |
EnableFor
Name | Description |
---|---|
RESPONSE_BODY | Only enable DLP masking of response bodies. Defaults to this value. |
ACCESS_LOGS | Only enable DLP masking of access logs. |
ALL | Enable DLP masking for both responses and access logs. |
Action
A single action meant to mask sensitive data. The action type represents a set of preconfigured actions, as well as the ability to create custom actions. These actions can also be shadowed: a shadowed action will be recorded in the statistics and debug logs, but not actually committed in the response body.

To use a pre-made action, simply set the action type to anything other than CUSTOM:

```yaml
actionType: VISA
```

To create a custom action, set the custom action field. The default enum value is CUSTOM, so actionType can be left empty.

```yaml
customAction:
  name: test
  regex:
  - "hello"
  - "world"
  maskChar: Y
  percent: 60
```
"actionType": .dlp.options.gloo.solo.io.Action.ActionType
"customAction": .dlp.options.gloo.solo.io.CustomAction
"keyValueAction": .dlp.options.gloo.solo.io.KeyValueAction
"shadow": bool
Field | Type | Description |
---|---|---|
actionType | .dlp.options.gloo.solo.io.Action.ActionType | The action type to implement. |
customAction | .dlp.options.gloo.solo.io.CustomAction | The custom user action to be applied. This field will only be used if the custom action type is specified above. |
keyValueAction | .dlp.options.gloo.solo.io.KeyValueAction | The key/value action to be applied. This field will only be used if the KEYVALUE action type is specified above. It will only affect access logs and response headers, not response bodies. |
shadow | bool | Shadow represents whether the action should be taken, or just recorded. |
ActionType
The following pre-made action types map to subgroup 1 of the listed regex patterns:

```yaml
SSN:
  - '(?:^|\D)([0-9]{9})(?:\D|$)'
  - '(?:^|\D)([0-9]{3}-[0-9]{2}-[0-9]{4})(?:\D|$)'
  - '(?:^|\D)([0-9]{3}\ [0-9]{2}\ [0-9]{4})(?:\D|$)'
MASTERCARD:
  - '(?:^|\D)(5[1-5][0-9]{2}(?:\ |-|)[0-9]{4}(?:\ |-|)[0-9]{4}(?:\ |-|)[0-9]{4})(?:\D|$)'
VISA:
  - '(?:^|\D)(4[0-9]{3}(?:\ |-|)[0-9]{4}(?:\ |-|)[0-9]{4}(?:\ |-|)[0-9]{4})(?:\D|$)'
AMEX:
  - '(?:^|\D)((?:34|37)[0-9]{2}(?:\ |-|)[0-9]{6}(?:\ |-|)[0-9]{5})(?:\D|$)'
DISCOVER:
  - '(?:^|\D)(6011(?:\ |-|)[0-9]{4}(?:\ |-|)[0-9]{4}(?:\ |-|)[0-9]{4})(?:\D|$)'
JCB:
  - '(?:^|\D)(3[0-9]{3}(?:\ |-|)[0-9]{4}(?:\ |-|)[0-9]{4}(?:\ |-|)[0-9]{4})(?:\D|$)'
  - '(?:^|\D)((?:2131|1800)[0-9]{11})(?:\D|$)'
DINERS_CLUB:
  - '(?:^|\D)(30[0-5][0-9](?:\ |-|)[0-9]{6}(?:\ |-|)[0-9]{4})(?:\D|$)'
  - '(?:^|\D)((?:36|38)[0-9]{2}(?:\ |-|)[0-9]{6}(?:\ |-|)[0-9]{4})(?:\D|$)'
CREDIT_CARD_TRACKERS:
  - '([1-9][0-9]{2}-[0-9]{2}-[0-9]{4}^\d)'
  - '(?:^|\D)(%?[Bb]\d{13,19}^[-/.\w\s]{2,26}^[0-9][0-9][01][0-9][0-9]{3})'
  - '(?:^|\D)(;\d{13,19}=(?:\d{3}|)(?:\d{4}|=))'
ALL_CREDIT_CARDS:
  - (All credit card related regexes from above)
ALL_CREDIT_CARDS_COMBINED:
  - Same as ALL_CREDIT_CARDS but using a single action instead of multiple which should be marginally faster
```
Name | Description |
---|---|
CUSTOM | |
SSN | |
MASTERCARD | |
VISA | |
AMEX | |
DISCOVER | |
JCB | |
DINERS_CLUB | |
CREDIT_CARD_TRACKERS | |
ALL_CREDIT_CARDS | |
KEYVALUE | |
ALL_CREDIT_CARDS_COMBINED | |
CustomAction
A user-defined custom action to carry out on the response body.

The regex strings in the list are applied in order. For instance, if there is a response body with the content:

```
hello world
```

And there is a custom action

```yaml
customAction:
  name: test
  regex:
  - "hello"
  - "world"
  maskChar: Y
  percent: 60
```

the result would be:

```
YYYlo YYYld
```

If mask_char and percent were left at their defaults, the result would be:

```
XXXXo XXXXd
```
"name": string
"regex": []string
"maskChar": string
"percent": .solo.io.envoy.type.Percent
"regexActions": []envoy.config.filter.http.transformation_ee.v2.RegexAction
Field | Type | Description |
---|---|---|
name | string | The name of the custom action. This name is used for logging and debugging purposes. |
regex | []string | The list of regex strings which will be applied in order. |
maskChar | string | The masking character for the sensitive data. Default value: X. |
percent | .solo.io.envoy.type.Percent | The percent of the string which will be masked by the mask_char. Default value: 75%. Rounds the ratio (percent/100) by std::round (http://www.cplusplus.com/reference/cmath/round/). |
regexActions | []envoy.config.filter.http.transformation_ee.v2.RegexAction | List of regexes to apply to the response body to match data which should be masked. They will be applied iteratively in the order in which they are specified. If this field and regex are both provided, all the regexes will be applied iteratively in the order provided, starting with the ones from regex. |
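
A local model of the masking rules described above, for checking a regex and percent value before putting them in a DLP action. It is an added example, not Gloo's or Envoy's filter code: `apply_action`, `masked_len`, the `group` parameter and the sample body are hypothetical or constructed, and masking the leading characters of the match is an assumption taken from the `YYYlo` result. It goes beyond the `hello world` case by also running the pre-made VISA pattern and a shadowed action.

```python
import math
import re

# Pre-made VISA pattern, copied from the ActionType list on this page.
VISA = r"(?:^|\D)(4[0-9]{3}(?:\ |-|)[0-9]{4}(?:\ |-|)[0-9]{4}(?:\ |-|)[0-9]{4})(?:\D|$)"


def masked_len(length, percent):
    """Characters to mask: length * percent/100, rounded the way std::round does."""
    # std::round rounds halves away from zero; Python's round() rounds halves
    # to even, so use floor(x + 0.5) for these non-negative values.
    return min(length, math.floor(length * percent / 100.0 + 0.5))


def apply_action(body, regexes, mask_char="X", percent=75.0, group=0, shadow=False):
    """Apply the regexes in order; return (resulting body, number of matches).

    Assumptions of this model: the leading characters of the matched text are
    masked (as in the page's YYYlo result), group=0 masks the whole match
    (custom regexes) and group=1 masks subgroup 1 (pre-made action types).
    """
    hits = 0
    masked = body
    for pattern in regexes:
        def mask(m):
            nonlocal hits
            hits += 1
            start, end = m.span(group)
            k = masked_len(end - start, percent)
            off = start - m.start()  # keep the delimiter the pattern consumed
            text = m.group(0)
            return text[:off] + mask_char * k + text[off + k:]
        masked = re.sub(pattern, mask, masked)
    # A shadowed action is counted but not committed to the body.
    return (body if shadow else masked), hits


# Constructed response body for the VISA checks.
SAMPLE_BODY = '{"card": "4111-1111-1111-1111", "note": "hello world"}'

if __name__ == "__main__":
    print(apply_action("hello world", ["hello", "world"], "Y", 60))
    print(apply_action("hello world", ["hello", "world"]))
    print(apply_action(SAMPLE_BODY, [VISA], group=1))
    print(apply_action(SAMPLE_BODY, [VISA], group=1, shadow=True))
```

Python's `re` engine is not the filter's regex engine, so treat a pass here as a first check of a pattern rather than a guarantee of identical matching.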
KeyValueAction
"name": string
"maskChar": string
"percent": .solo.io.envoy.type.Percent
"keyToMask": string
Field | Type | Description |
---|---|---|
name | string | The name of the key/value action. This name is used for logging and debugging purposes. |
maskChar | string | The masking character for the sensitive data. Default value: X. |
percent | .solo.io.envoy.type.Percent | The percent of the string which will be masked by the mask_char. Default value: 75%. Rounds the ratio (percent/100) by std::round (http://www.cplusplus.com/reference/cmath/round/). |
keyToMask | string | The key for which corresponding header names/dynamic metadata values should be censored. Must be specified. |