Proto: dlp_policy.proto

Package: security.policy.gloo.solo.io

DLPPolicyReport

Field | Description
workspaces (repeated DLPPolicyReport.WorkspacesEntry) | The status of the resource in each workspace that it exists in.
selectedRoutes (repeated common.gloo.solo.io.RouteReference) | A list of references to all routes selected by the policy.

DLPPolicyReport.WorkspacesEntry

Field | Description
key (string) |
value (common.gloo.solo.io.Report) |

DLPPolicySpec

Use a DLPPolicy (data loss prevention policy) to prevent sensitive data from being exposed. Gloo Gateway completes a series of regex replacements on the body or headers of responses that it processes. DLPPolicies are applied at the Route level.

Field | Description
applyToRoutes (repeated common.gloo.solo.io.RouteSelector) | Select the routes that the policy applies to. If empty, the policy applies to all routes in the workspace.
config (DLPPolicySpec.Config) | The details of the DLP policy to apply to the selected routes.

DLPPolicySpec.Config

Whether actions apply to responses, access logs, or both. If empty, masking is enabled for response bodies only.

Field | Description
actions (repeated DlpAction) | List of data loss prevention actions to be applied. These actions are applied in order, one at a time.
sanitize (DLPPolicySpec.Config.Sanitize) | Whether actions apply to responses, access logs, or both. If empty, masking is enabled for response bodies only.

DLPPolicyStatus

The status of the DLPPolicy.

Field | Description
common (common.gloo.solo.io.Status) | The state and workspace conditions of the applied resource.
numSelectedRoutes (uint32) | A count of references to all routes selected by the policy.

DlpAction

A single DLP action to mask sensitive data. You can apply preconfigured actions, create custom actions, and write key-value (header) actions. These actions can also be shadowed. A shadowed action is recorded in the statistics and debug logs, but is not committed in the response body.

To use a predefined action, set the predefinedAction to one of the predefined actions.

  - predefinedAction: VISA

To create a custom action, specify the configuration in the customAction field. The default enum value is custom, so that can be left empty.

  - customAction:
      name: test
      regexActions:
      - regex: "hello"
      - regex: "world"
      maskChar: Y
      percent: 60

To create a key-value action, specify the configuration in the keyValueAction field. The default enum value is custom, so that can be left empty.

  - keyValueAction:
      keysToMask:
      - x-my-header-01
      maskChar: _
      name: kv-action-1
      percent: 100

Field | Description
predefinedAction (DlpAction.PredefinedAction) | The predefined action to apply.
customAction (DlpCustomAction) | The custom action to apply.
keyValueAction (DlpKeyValueAction) | The key-value action to apply. Key-value actions affect access logs and response headers, but not response bodies.
shadow (google.protobuf.BoolValue) | If enabled, the action is recorded in debug logs, but not applied to response bodies or headers.

DlpCustomAction

A custom action that you define to apply to the response body.

The list of regex strings is applied in order. For instance, if the response body contains hello world, and you define the following custom action:

  customAction:
    name: test
    regexActions:
    - regex: "hello"
    - regex: "world"
    maskChar: Y
    percent: 60

The result is masked in this way: YYYlo YYYld

If maskChar and percent are not set, the defaults (X and 75%) apply and the result is masked in this way: XXXXo XXXXd

Field | Description
name (string) | The name of the custom action. This name is used for logging and debugging purposes.
maskChar (google.protobuf.StringValue) | The masking character that replaces the sensitive data. Default: X
percent (google.protobuf.FloatValue) | The percentage of the matched string to mask with maskChar. The ratio (percent/100) is rounded by using std::round. Default: 75%
regexActions (repeated envoy.config.filter.http.transformation_ee.v2.RegexAction) | List of regexes to apply to the response body. Data that matches the regexes is masked. Regexes are applied iteratively in the order that they are specified.
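The following is an added example, not Gloo Gateway's implementation: a small Python simulation of the masking rules documented for DlpCustomAction and for the predefined actions (regexes applied in order, maskChar, percent rounded as std::round does, subgroup 1 of the predefined patterns). It assumes, as the hello world example suggests, that the leading characters of the match are masked, that separator characters count toward the match length, and that a regex with no capture group masks its whole match; the card and SSN inputs are constructed test strings.

```python
import re
from typing import Dict, List, Optional

# Added example, not Gloo Gateway's code. Simulates the documented masking
# rules so an operator can predict what an action does before deploying it.
# Assumptions (not stated on the page): leading characters are masked,
# separators count toward the length, and a regex without a capture group
# masks its whole match.

DEFAULT_MASK_CHAR = "X"   # documented default
DEFAULT_PERCENT = 75.0    # documented default

# Two of the predefined patterns copied from the page (VISA and dashed SSN).
PREDEFINED: Dict[str, List[str]] = {
    "VISA": [r"(?:^|\D)(4[0-9]{3}(?:\ |-|)[0-9]{4}(?:\ |-|)[0-9]{4}(?:\ |-|)[0-9]{4})(?:\D|$)"],
    "SSN": [r"(?:^|\D)([0-9]{3}-[0-9]{2}-[0-9]{4})(?:\D|$)"],
}

def mask_text(matched: str, mask_char: str, percent: float) -> str:
    """Replace the leading round(len * percent / 100) characters with mask_char.
    std::round rounds half away from zero; Python's round() does not, so emulate it."""
    n = len(matched)
    count = min(n, int(n * percent / 100.0 + 0.5))
    return mask_char * count + matched[count:]

def apply_action(body: str, regexes: List[str],
                 mask_char: Optional[str] = None,
                 percent: Optional[float] = None) -> str:
    """Apply one action: each regex in order, one at a time, over the body."""
    mc = mask_char if mask_char is not None else DEFAULT_MASK_CHAR
    pct = percent if percent is not None else DEFAULT_PERCENT

    def repl(m: "re.Match[str]") -> str:
        if m.re.groups == 0 or m.group(1) is None:
            return mask_text(m.group(0), mc, pct)
        # Mask only subgroup 1; keep the delimiters the regex consumed around it.
        s, e = m.span(1)
        whole, offset = m.group(0), m.start(0)
        return whole[: s - offset] + mask_text(m.group(1), mc, pct) + whole[e - offset:]

    for pattern in regexes:
        body = re.sub(pattern, repl, body)
    return body

def apply_predefined(body: str, name: str) -> str:
    """Apply a predefined action by name with the documented defaults (X, 75%)."""
    return apply_action(body, PREDEFINED[name])
```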

DlpKeyValueAction

A key-value action to apply to response headers.

Field | Description
name (string) | The name of the key-value action. This name is used for logging and debugging purposes.
maskChar (google.protobuf.StringValue) | The masking character that replaces the sensitive data. Default: X
percent (google.protobuf.FloatValue) | The percentage of the matched string to mask with maskChar. The ratio (percent/100) is rounded by using std::round. Default: 75%
keysToMask (repeated string) | Required: The keys for which corresponding header names or dynamic metadata values are masked.

DLPPolicySpec.Config.Sanitize

Name | Number | Description
ALL | 0 | Enable DLP masking for both response bodies and access logs. Default value.
ACCESS_LOGS | 1 | Enable DLP masking for access logs only.
RESPONSE_BODY | 2 | Enable DLP masking for response bodies only.

DlpAction.PredefinedAction

The following pre-defined actions map to subgroup 1 of the listed regex patterns:

SSN:

  • ‘(?:^|\D)([0-9]{9})(?:\D|$)’
  • ‘(?:^|\D)([0-9]{3}-[0-9]{2}-[0-9]{4})(?:\D|$)’
  • ‘(?:^|\D)([0-9]{3}\ [0-9]{2}\ [0-9]{4})(?:\D|$)’

MASTERCARD:

  • ‘(?:^|\D)(5[1-5][0-9]{2}(?:\ |-|)[0-9]{4}(?:\ |-|)[0-9]{4}(?:\ |-|)[0-9]{4})(?:\D|$)’

VISA:

  • ‘(?:^|\D)(4[0-9]{3}(?:\ |-|)[0-9]{4}(?:\ |-|)[0-9]{4}(?:\ |-|)[0-9]{4})(?:\D|$)’

AMEX:

  • ‘(?:^|\D)((?:34|37)[0-9]{2}(?:\ |-|)[0-9]{6}(?:\ |-|)[0-9]{5})(?:\D|$)’

DISCOVER:

  • ‘(?:^|\D)(6011(?:\ |-|)[0-9]{4}(?:\ |-|)[0-9]{4}(?:\ |-|)[0-9]{4})(?:\D|$)’

JCB:

  • ‘(?:^|\D)(3[0-9]{3}(?:\ |-|)[0-9]{4}(?:\ |-|)[0-9]{4}(?:\ |-|)[0-9]{4})(?:\D|$)’
  • ‘(?:^|\D)((?:2131|1800)[0-9]{11})(?:\D|$)’

DINERS_CLUB:

  • ‘(?:^|\D)(30[0-5][0-9](?:\ |-|)[0-9]{6}(?:\ |-|)[0-9]{4})(?:\D|$)’
  • ‘(?:^|\D)((?:36|38)[0-9]{2}(?:\ |-|)[0-9]{6}(?:\ |-|)[0-9]{4})(?:\D|$)’

CREDIT_CARD_TRACKERS:

  • ‘([1-9][0-9]{2}-[0-9]{2}-[0-9]{4}^\d)’
  • ‘(?:^|\D)(%?[Bb]\d{13,19}^[-/.\w\s]{2,26}^[0-9][0-9][01][0-9][0-9]{3})’
  • ‘(?:^|\D)(;\d{13,19}=(?:\d{3}|)(?:\d{4}|=))’

ALL_CREDIT_CARDS:

  • (All credit card related regexes from above)

Name | Number | Description
ALL_CREDIT_CARDS | 0 |
SSN | 1 |
MASTERCARD | 2 |
VISA | 3 |
AMEX | 4 |
DISCOVER | 5 |
JCB | 6 |
DINERS_CLUB | 7 |
CREDIT_CARD_TRACKERS | 8 |