On this page

DlpPolicy

DlpPolicy API reference.

Proto: dlp_policy.proto

Package: security.policy.gloo.solo.io

DLPPolicyReport

Field	Description
`workspaces`	(`repeated DLPPolicyReport.WorkspacesEntry`) The status of the resource in each workspace that it exists in.
`selectedRoutes`	(`repeated common.gloo.solo.io.RouteReference`) A list of references to all routes selected by the policy.

DLPPolicyReport.WorkspacesEntry

Field	Description
`key`	(`string`)
`value`	(`common.gloo.solo.io.Report`)

DLPPolicySpec

Use a DLPPolicy (data loss prevention policy) to prevent sensitive data from being exposed. Gloo Gateway completes a series of regex replacements on the body or headers of responses that it processes. DLPPolicies are applied at the Route level.

Field	Description
`applyToRoutes`	(`repeated common.gloo.solo.io.RouteSelector`) Select the routes that the policy applies to. If empty, the policy applies to all routes in the workspace.
`config`	(`DLPPolicySpec.Config`) The details of the DLP policy to apply to the selected routes.

DLPPolicySpec.Config

Whether actions apply to responses, access logs, or both. If empty, masking is enabled for responses bodies only.

Field	Description
`actions`	(`repeated DlpAction`) List of data loss prevention actions to be applied. These actions are applied in order, one at a time.
`sanitize`	(`DLPPolicySpec.Config.Sanitize`) Whether actions apply to responses, access logs, or both. If empty, masking is enabled for responses bodies only.

DLPPolicyStatus

The status of the DLPPolicy.

Field	Description
`common`	(`common.gloo.solo.io.Status`) The state and workspace conditions of the applied resource.
`numSelectedRoutes`	(`uint32`) A count of references to all routes selected by the policy.

DlpAction

A single DLP action to mask sensitive data. You can apply preconfigured actions, create custom actions, and write key-value (header) actions. These actions can also be shadowed. A shadowed action is recorded in the statistics and debug logs, but is not committed in the response body.

To use a predefined action, set the predefinedAction to one of the predefined actions.

  - predefinedAction: VISA

To create a custom action, specify the configuration in the customAction field. The default enum value is custom, so that can be left empty.

  
- customAction:
    name: test
    regexActions:
    - regex: "hello"
    - regex: "world"
    maskChar: Y
    percent: 60

To create a key-value action, specify the configuration in the keyValueAction field. The default enum value is custom, so that can be left empty.

  
- keyValueAction:
    keysToMask:
    - x-my-header-01
    maskChar: _
    name: kv-action-1
    percent: 100

Field	Description
`predefinedAction`	(`DlpAction.PredefinedAction`) The predefined action to apply.
`customAction`	(`DlpCustomAction`) The custom action to apply.
`keyValueAction`	(`DlpKeyValueAction`) The key-value action to apply. Key-values actions affect access logs and response headers, but not response bodies.
`shadow`	(`google.protobuf.BoolValue`) If enabled, the action is recorded in debug logs, but not applied to response bodies or headers.

DlpCustomAction

A custom action that you define to apply to the response body.

The list of regex strings are applied in order. For instance, if the response body contains hello world, and you define the following custom action:

  customAction:
name: test
regexActions:
- regex: "hello"
- regex: "world"
maskChar: Y
percent: 60

The result is masked in this way: YYYlo YYYld

If mask_char and percent are not defined, the result is masked in this way: XXXXo XXXXd

Field	Description
`name`	(`string`) The name of the custom action. This name is used for logging and debugging purposes.
`maskChar`	(`google.protobuf.StringValue`) The masking character to replace the sensitive data. Default: `X`
`percent`	(`google.protobuf.FloatValue`) The percent of the string to mask with the `mask_char`. Rounds the ratio (percent/100) by using std::round. Default: 75%
`regexActions`	(`repeated envoy.config.filter.http.transformation_ee.v2.RegexAction`) List of regexes to apply to the response body. Data that matches the regexes is masked. Regexes are applied iteratively in the order that they are specified.

DlpKeyValueAction

A key-value action to apply to response headers.

Field	Description
`name`	(`string`) The name of the key-value action. This name is used for logging and debugging purposes.
`maskChar`	(`google.protobuf.StringValue`) The masking character to replace the sensitive data. Default: `X`
`percent`	(`google.protobuf.FloatValue`) The percent of the string to mask with the `mask_char`. Rounds the ratio (percent/100) by using std::round. Default: 75%
`keysToMask`	(`repeated string`) Required: The keys for which corresponding header names or dynamic metadata values are masked.

DLPPolicySpec.Config.Sanitize

Name	Number	Description
`ALL`	0	Enable DLP masking for both responses bodies and access logs. Default value.
`ACCESS_LOGS`	1	Enable DLP masking for access logs only.
`RESPONSE_BODY`	2	Enable DLP masking for response bodies only.

DlpAction.PredefinedAction

The following pre-defined actions map to subgroup 1 of the listed regex patterns:

SSN:

‘(?:^|\D)([0-9]{9})(?:\D|$)’
‘(?:^|\D)([0-9]{3}-[0-9]{2}-[0-9]{4})(?:\D|$)’
‘(?:^|\D)([0-9]{3}\ [0-9]{2}\ [0-9]{4})(?:\D|$)’

MASTERCARD:

‘(?:^|\D)(5[1-5][0-9]{2}(?:\ |-|)[0-9]{4}(?:\ |-|)[0-9]{4}(?:\ |-|)[0-9]{4})(?:\D|$)’

VISA:

‘(?:^|\D)(4[0-9]{3}(?:\ |-|)[0-9]{4}(?:\ |-|)[0-9]{4}(?:\ |-|)[0-9]{4})(?:\D|$)’

AMEX:

‘(?:^|\D)((?:34|37)[0-9]{2}(?:\ |-|)[0-9]{6}(?:\ |-|)[0-9]{5})(?:\D|$)’

DISCOVER:

‘(?:^|\D)(6011(?:\ |-|)[0-9]{4}(?:\ |-|)[0-9]{4}(?:\ |-|)[0-9]{4})(?:\D|$)’

JCB:

‘(?:^|\D)(3[0-9]{3}(?:\ |-|)[0-9]{4}(?:\ |-|)[0-9]{4}(?:\ |-|)[0-9]{4})(?:\D|$)’
‘(?:^|\D)((?:2131|1800)[0-9]{11})(?:\D|$)’

DINERS_CLUB:

‘(?:^|\D)(30[0-5][0-9](?:\ |-|)[0-9]{6}(?:\ |-|)[0-9]{4})(?:\D|$)’
‘(?:^|\D)((?:36|38)[0-9]{2}(?:\ |-|)[0-9]{6}(?:\ |-|)[0-9]{4})(?:\D|$)’

CREDIT_CARD_TRACKERS:

‘([1-9][0-9]{2}-[0-9]{2}-[0-9]{4}^\d)’
‘(?:^|\D)(%?[Bb]\d{13,19}^[-/.\w\s]{2,26}^[0-9][0-9][01][0-9][0-9]{3})’
‘(?:^|\D)(;\d{13,19}=(?:\d{3}|)(?:\d{4}|=))’

ALL_CREDIT_CARDS:

(All credit card related regexes from above)

Name	Number	Description
`ALL_CREDIT_CARDS`	0
`SSN`	1
`MASTERCARD`	2
`VISA`	3
`AMEX`	4
`DISCOVER`	5
`JCB`	6
`DINERS_CLUB`	7
`CREDIT_CARD_TRACKERS`	8

DlpPolicy

DLPPolicyReport link

DLPPolicyReport.WorkspacesEntry link

DLPPolicySpec link

DLPPolicySpec.Config link

DLPPolicyStatus link

DlpAction link

DlpCustomAction link

DlpKeyValueAction link

DLPPolicySpec.Config.Sanitize link

DlpAction.PredefinedAction link