dlp.proto
Package: dlp.options.gloo.solo.io
Types:
Source File: github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/options/dlp/dlp.proto
FilterConfig
Listener level config for dlp filter
"dlpRules": []dlp.options.gloo.solo.io.DlpRule
"enabledFor": .dlp.options.gloo.solo.io.FilterConfig.EnableFor
| Field | Type | Description |
|---|---|---|
dlpRules |
[]dlp.options.gloo.solo.io.DlpRule | The list of transformation, matcher pairs. The first rule which matches will be applied. |
enabledFor |
.dlp.options.gloo.solo.io.FilterConfig.EnableFor | Whether responses, access logs, or both should be masked by the applied actions. If not defined, masking will only be enabled for responses bodies. |
EnableFor
| Name | Description |
|---|---|
RESPONSE_BODY |
Only enable DLP masking of response bodies. Defaults to this value. |
ACCESS_LOGS |
Only enable DLP masking of access logs. |
ALL |
Enable DLP masking for both responses and access logs. |
DlpRule
Rule which applies a given set of actions to a matching route. The route matching functions exactly the same as the envoy routes in the virtual host.
"matcher": .matchers.core.gloo.solo.io.Matcher
"actions": []dlp.options.gloo.solo.io.Action
| Field | Type | Description |
|---|---|---|
matcher |
.matchers.core.gloo.solo.io.Matcher | Matcher by which to determine if the given transformation should be applied if omitted, will it match all (i.e., default to / prefix matcher). |
actions |
[]dlp.options.gloo.solo.io.Action | List of data loss prevention actions to be applied. These actions will be applied in order, one at a time. |
Config
Route/Vhost level config for dlp filter
If a config is present on the route or vhost level it will completely overwrite the listener level config.
"actions": []dlp.options.gloo.solo.io.Action
"enabledFor": .dlp.options.gloo.solo.io.Config.EnableFor
| Field | Type | Description |
|---|---|---|
actions |
[]dlp.options.gloo.solo.io.Action | List of data loss prevention actions to be applied. These actions will be applied in order, one at a time. |
enabledFor |
.dlp.options.gloo.solo.io.Config.EnableFor | Whether responses, access logs, or both should be masked by the applied actions. If not defined, masking will only be enabled for responses bodies. |
EnableFor
| Name | Description |
|---|---|
RESPONSE_BODY |
Only enable DLP masking of response bodies. Defaults to this value. |
ACCESS_LOGS |
Only enable DLP masking of access logs. |
ALL |
Enable DLP masking for both responses and access logs. |
Action
A single action meant to mask sensitive data. The action type represents a set of pre configured actions, as well as the ability to create custom actions. These actions can also be shadowed, a shadowed action will be recorded in the statistics, and debug logs, but not actually committed in the response body.
To use a pre-made action simply set the action type to anything other than CUSTOM
actionType: VISA
To create a custom action set the custom action field. The default enum value is custom, so that can be left empty.
customAction:
name: test
regex:
- "hello"
- "world"
maskChar: Y
percent: 60
"actionType": .dlp.options.gloo.solo.io.Action.ActionType
"customAction": .dlp.options.gloo.solo.io.CustomAction
"shadow": bool
| Field | Type | Description |
|---|---|---|
actionType |
.dlp.options.gloo.solo.io.Action.ActionType | The action type to implement. |
customAction |
.dlp.options.gloo.solo.io.CustomAction | The custom user action to be applied. This field will only be used if the custom action type is specified above. |
shadow |
bool |
Shadow represents whether the action should be taken, or just recorded. |
ActionType
The following pre-made action types map to the following regex matchers:
SSN:
- ‘(?!\D)[0-9]{9}(?=\D|$)’
- ‘(?!\D)[0-9]{3}-[0-9]{2}-[0-9]{4}(?=\D|$)’
- ‘(?!\D)[0-9]{3}\ [0-9]{2}\ [0-9]{4}(?=\D|$)’
MASTERCARD:
- ‘(?!\D)5[1-5][0-9]{2}(\ |-|)[0-9]{4}(\ |-|)[0-9]{4}(\ |-|)[0-9]{4}(?=\D|$)’
VISA:
- ‘(?!\D)4[0-9]{3}(\ |-|)[0-9]{4}(\ |-|)[0-9]{4}(\ |-|)[0-9]{4}(?=\D|$)’
AMEX:
- ‘(?!\D)(34|37)[0-9]{2}(\ |-|)[0-9]{6}(\ |-|)[0-9]{5}(?=\D|$)’
DISCOVER:
- ‘(?!\D)6011(\ |-|)[0-9]{4}(\ |-|)[0-9]{4}(\ |-|)[0-9]{4}(?=\D|$)’
JCB:
- ‘(?!\D)3[0-9]{3}(\ |-|)[0-9]{4}(\ |-|)[0-9]{4}(\ |-|)[0-9]{4}(?=\D|$)’
- ‘(?!\D)(2131|1800)[0-9]{11}(?=\D|$)’
DINERS_CLUB:
- ‘(?!\D)30[0-5][0-9](\ |-|)[0-9]{6}(\ |-|)[0-9]{4}(?=\D|$)’
- ‘(?!\D)(36|38)[0-9]{2}(\ |-|)[0-9]{6}(\ |-|)[0-9]{4}(?=\D|$)’
CREDIT_CARD_TRACKERS:
- ‘[1-9][0-9]{2}-[0-9]{2}-[0-9]{4}^\d’
- ‘(?!\D)%?[Bb]\d{13,19}^[-/.\w\s]{2,26}^[0-9][0-9][01][0-9][0-9]{3}’
- ‘(?!\D);\d{13,19}=(\d{3}|)(\d{4}|=)’
ALL_CREDIT_CARDS:
- (All credit card related regexes from above)
| Name | Description |
|---|---|
CUSTOM |
|
SSN |
|
MASTERCARD |
|
VISA |
|
AMEX |
|
DISCOVER |
|
JCB |
|
DINERS_CLUB |
|
CREDIT_CARD_TRACKERS |
|
ALL_CREDIT_CARDS |
CustomAction
A user defined custom action to carry out on the response body.
The list of regex strings are applied in order. So for instance, if there is a response body with the content:
hello world
And there is a custom action
customAction:
name: test
regex:
- "hello"
- "world"
maskChar: Y
percent: 60
the result would be:
YYYlo YYYld
If the mask_char, and percent were left to default, the result would be:
XXXXo XXXXd
"name": string
"regex": []string
"maskChar": string
"percent": .solo.io.envoy.type.Percent
| Field | Type | Description |
|---|---|---|
name |
string |
The name of the custom action. This name is used for logging and debugging purposes. |
regex |
[]string |
The list of regex strings which will be applied in order. |
maskChar |
string |
The masking character for the sensitive data. default value: X. |
percent |
.solo.io.envoy.type.Percent | The percent of the string which will be masked by the mask_char default value: 75% rounds ratio (percent/100) by std::round http://www.cplusplus.com/reference/cmath/round/. |