{dXSrSSKJr SSKJr SSKJr SSKJr SSKJr SSKJ r SSK J r S rS rS rS rS rS\-rS\-rSrSrSrSrSrSrSr"SS\ R85rS,SjrS,SjrSr S-Sjr!S-Sjr"S.Sjr#Sr$S,S jr%S!r&S,S"jr'S#r(S$r)S%r*S&r+S'r,S(r-S)r.S*r/g+)/zCFlags and helpers for the compute security policies rules commands.)absolute_import)division)unicode_literals) arg_parsers) completers)flags)security_policies_utilsa You can specify an exact match or a partial match by using a field operator and a field value. Available field operators are: - ``EQUALS'': the operator matches if the field value equals the specified value. - ``STARTS_WITH'': the operator matches if the field value starts with the specified value. - ``ENDS_WITH'': the operator matches if the field value ends with the specified value. - ``CONTAINS'': the operator matches if the field value contains the specified value. - ``EQUALS_ANY'': the operator matches if the field value is any value. A field value must be given if the field operator is not ``EQUALS_ANY'', and cannot be given if the field operator is ``EQUALS_ANY''. For example, `--request-header-to-exclude op=EQUALS,val=abc` or `--request-header-to-exclude op=EQUALS_ANY`. This flag can be repeated to specify multiple request headers to exclude. For example, `--request-header-to-exclude op=EQUALS,val=abc --request-header-to-exclude op=STARTS_WITH,val=xyz`. z Target WAF rule set where the request field exclusions being added would apply. This, together with the target rule IDs (if given), determines the target for associating request field exclusions. See `--target-rule-ids`. a Target WAF rule set from where to remove the request field exclusions. This, together with the target rule IDs (if given), determines the target for associating request field exclusions. See `--target-rule-ids`. Note that the removal of request field exclusions is restricted to those associated with a matching target. Set this flag to * if you want to remove request field exclusions regardless of the target. a A comma-separated list of target rule IDs under the WAF rule set where the request field exclusions being added would apply. If omitted, the added request field exclusions will be associated with the rule set only, which would apply to all the rule IDs under the rule set. z A comma-separated list of target rule IDs under the WAF rule set from where to remove the request field exclusions. If omitted, the removal of request field exclusions is restricted to those associated with the rule set only, without specific rule IDs. z Adds a request cookie to the request field exclusions associated with the rule set and rule IDs (if given). This specifies a request cookie whose value will be excluded from inspection during preconfigured WAF evaluation. z{ Removes a request cookie from the existing request field exclusions associated with the rule set and rule IDs (if given). aY Adds a request header to the request field exclusions associated with the rule set and rule IDs (if given). This specifies a request header whose value will be excluded from inspection during preconfigured WAF evaluation. Refer to the syntax under `--request-cookie-to-exclude`. This flag can be repeated to specify multiple request headers. z Removes a request header from the existing request field exclusions associated with the rule set and rule IDs (if given). Refer to the syntax under `--request-cookie-to-exclude`. This flag can be repeated to specify multiple request headers. a Adds a request query parameter to the request field exclusions associated with the rule set and rule IDs (if given). This specifies a request query parameter in the query string or in the POST body whose value will be excluded from inspection during preconfigured WAF evaluation. Refer to the syntax under `--request-cookie-to-exclude`. This flag can be repeated to specify multiple request query parameters. a Removes a request query parameter from the existing request field exclusions associated with the rule set and rule IDs (if given). Refer to the syntax under `--request-cookie-to-exclude`. This flag can be repeated to specify multiple request query parameters. aX Adds a request URI to the request field exclusions associated with the rule set and rule IDs (if given). This specifies a request URI from the request line to be excluded from inspection during preconfigured WAF evaluation. Refer to the syntax under `--request-cookie-to-exclude`. This flag can be repeated to specify multiple request URIs. z Removes a request URI from the existing request field exclusions associated with the rule set and rule IDs (if given). Refer to the syntax under `--request-cookie-to-exclude`. This flag can be repeated to specify multiple request URIs. a - ``ip'': each client IP address has this limit enforced separately - ``all'': a single limit is applied to all requests matching this rule - ``http-header'': key type takes the value of the HTTP header configured in enforce-on-key-name as the key value - ``xff-ip'': takes the original IP address specified in the X-Forwarded-For header as the key - ``http-cookie'': key type takes the value of the HTTP cookie configured in enforce-on-key-name as the key value - ``http-path'': key type takes the value of the URL path in the request - ``sni'': key type takes the value of the server name indication from the TLS session of the HTTPS request - ``region-code'': key type takes the value of the region code from which the request originates - ``tls-ja3-fingerprint'': key type takes the value of JA3 TLS/SSL fingerprint if the client connects using HTTPS, HTTP/2 or HTTP/3 - ``user-ip'': key type takes the IP address of the originating client, which is resolved based on user-ip-request-headers configured with the security policy - ``tls-ja4-fingerprint'': key type takes the value of JA4 TLS/SSL fingerprint if the client connects using HTTPS, HTTP/2 or HTTP/3 c(^\rSrSrU4SjrSrU=r$)SecurityPolicyRulesCompleterc 2>[[U] "SSS0UD6 g)N collectioncompute.securityPolicyRules)superr __init__)selfkwargs __class__s Glib/googlecloudsdk/command_lib/compute/security_policies/rules/flags.pyr%SecurityPolicyRulesCompleter.__init__s# &6<0<4:<r)__name__ __module__ __qualname____firstlineno__r__static_attributes__ __classcell__)rs@rr r s <>Df b)?57rc[R"SU(aSOS-[SSS[RRUU(aSOSSR U(aSOSU5S 9 $) Nr r!r"rz!compute.regionSecurityPolicyRulesFTr%)r(global_collectionregional_collection region_hiddenscope_flags_usagepluralrequired detailed_help) compute_flagsResourceArgumentr ScopeFlagsUsageDONT_USE_SCOPE_FLAGSr+)r-r.s rPriorityArgumentr<s^  ' ' yb),5=%55JJ " <AddAction..c QWWYrz>The action to take if the request matches the match condition.)choicesrIr6r)N)updater*)r,r6support_fairshareactionss r AddActionrr2sz A M ) ) ) P   ) ?" 'F NN $    K Mrc$URSSS9 g)*Adds the preview argument to the argparse.z --descriptionz.An optional, textual description for the rule.rLNr*r,s rAddDescriptionrwhsLNrclU(aS[R0nOSSS.nUR"SSS0UD6 g)rtaction store_trueN)rydefaultr)z.If specified, the action will not be enforced.)z --preview)rStoreTrueFalseActionr*)r, for_updaters r AddPreviewr~nsB 88 9F$ 6F ; rcRSS/nURSUSSS9 URSSS 9 g ) z6Adds redirect action related argument to the argparse.google-recaptcha external-302z--redirect-typec"UR5$rfrgris rrk$AddRedirectOptions..rmrz} Type for the redirect action. Default to ``external-302'' if unspecified while --redirect-target is given. rnrIr)z--redirect-targetz URL target for the redirect action. Must be specified if the redirect type is ``external-302''. Cannot be specified if the redirect type is ``google-recaptcha''. rLNru)r, redirect_types rAddRedirectOptionsrzsJ%~6-      rc URS[SS9 URS[SS9 S/nURSUSS S 9 /S QnURS US SS 9 SS/nURSUSSS 9 URSSS9 /SQnURSUSS[-S 9 URSSS9 URS[R"[ R SSS 9S!S"[-S#-S$9 URS%[S&S9 URS'[S(S9 URS)[S*S9 U(a&URS+[S,S9 URS-S.S9 g/g/)0z5Adds rate limiting related arguments to the argparse.z--rate-limit-threshold-countzTNumber of HTTP(S) requests for calculating the threshold for rate limiting requests.)rIr)z#--rate-limit-threshold-interval-seczIInterval over which the threshold for rate limiting requests is computed.r]z--conform-actionc"UR5$rfrgris rrk%AddRateLimitOptions..rmrzAction to take when requests are under the given threshold. When requests are throttled, this is also the action for all requests which are not dropped.r)r_r`zdeny-429rar^rbz--exceed-actionc"UR5$rfrgris rrkrrmra Action to take when requests are above the given threshold. When a request is denied, return the specified HTTP response code. When a request is redirected, use the redirect options based on --exceed-redirect-type and --exceed-redirect-target below. rrz--exceed-redirect-typec"UR5$rfrgris rrkrrmrzR Type for the redirect action that is configured as the exceed action. z--exceed-redirect-targetz URL target for the redirect action that is configured as the exceed action when the redirect type is ``external-302''. rL) ipallz http-headerzxff-ipz http-cookiez http-pathsniz region-codeztls-ja3-fingerprintzuser-ipztls-ja4-fingerprintz--enforce-on-keyc"UR5$rfrgris rrkrrmrzQ Different key types available to enforce the rate limit threshold limit on:z--enforce-on-key-namea6 Determines the key name for the rate limit key. Applicable only for the following rate limit key types: - http-header: The name of the HTTP header whose value is taken as the key value. - http-cookie: The name of the HTTP cookie whose value is taken as the key value. z--enforce-on-key-configs) element_type min_length max_lengthz[[all],[ip],[xff-ip],[http-cookie=HTTP_COOKIE],[http-header=HTTP_HEADER],[http-path],[sni],[region-code],[tls-ja3-fingerprint],[user-ip],[tls-ja4-fingerprint]]zZ Specify up to 3 key type/name pairs to rate limit. Valid key types are: z Key names are only applicable to the following key types: - http-header: The name of the HTTP header whose value is taken as the key value. - http-cookie: The name of the HTTP cookie whose value is taken as the key value. rHz--ban-threshold-counta Number of HTTP(S) requests for calculating the threshold for banning requests. Can only be specified if the action for the rule is ``rate-based-ban''. If specified, the key will be banned for the configured ``BAN_DURATION_SEC'' when the number of requests that exceed the ``RATE_LIMIT_THRESHOLD_COUNT'' also exceed this ``BAN_THRESHOLD_COUNT''. z--ban-threshold-interval-secax Interval over which the threshold for banning requests is computed. Can only be specified if the action for the rule is ``rate-based-ban''. If specified, the key will be banned for the configured ``BAN_DURATION_SEC'' when the number of requests that exceed the ``RATE_LIMIT_THRESHOLD_COUNT'' also exceed this ``BAN_THRESHOLD_COUNT''. z--ban-duration-secz Can only be specified if the action for the rule is ``rate-based-ban''. If specified, determines the time (in seconds) the traffic will continue to be banned by the rate limit after the rate falls below the threshold. z--exceed-action-rpc-status-codez?Status code, which should be an enum value of [google.rpc.Code]z"--exceed-action-rpc-status-messagez5Developer-facing error message, should be in English.N)r*int,_RATE_LIMIT_ENFORCE_ON_KEY_TYPES_DESCRIPTIONrrOr ParseEnforceOnKeyConfig)r,support_rpc_statusconform_actionsexceed_actionsexceed_redirect_typesenforce_on_keys rAddRateLimitOptionsrs(  $  !#  +   I/  % '.     .~>#      .   U4 5         .FF p  5  5   4      $         )  M P  ,EHrcNURSS[R"5SS9 g)z5Adds request-headers-to-add argument to the argparse.z--request-headers-to-addREQUEST_HEADERS_TO_ADDzt A comma-separated list of header names and header values to add to requests that match this rule. )r&rIr)N)r*rArgDictrvs rAddRequestHeadersToAddr5s, &      rcHURSSU(a[O[S9 g)z.Adds target-rule-set argument to the argparse.z--target-rule-setTrTN)r*0_WAF_EXCLUSION_TARGET_RULE_SET_HELP_TEXT_FOR_ADD3_WAF_EXCLUSION_TARGET_RULE_SET_HELP_TEXT_FOR_REMOVEr,is_adds rAddTargetRuleSetrAs'  <H JrcpURS[R"5SU(a[O[S9 g)z.Adds target-rule-ids argument to the argparse.z--target-rule-idsRULE_IDrHN)r*rrO0_WAF_EXCLUSION_TARGET_RULE_IDS_HELP_TEXT_FOR_ADD3_WAF_EXCLUSION_TARGET_RULE_IDS_HELP_TEXT_FOR_REMOVErs rAddTargetRuleIdsrJs3      <H JrcURS[R"[[S.S/S9SU(a[O[ S9 g)z8Adds request-cookie-to-exclude argument to the argparse.z--request-cookie-to-excludeopvalrspec required_keysappendrIryr)N)r*rrstr/_WAF_EXCLUSION_REQUEST_COOKIE_HELP_TEXT_FOR_ADD2_WAF_EXCLUSION_REQUEST_COOKIE_HELP_TEXT_FOR_REMOVErs rAddRequestCookierTI#    !6  #   ;G IrcURS[R"[[S.S/S9SU(a[O[ S9 g)z8Adds request-header-to-exclude argument to the argparse.z--request-header-to-excluderrrrrN)r*rrr/_WAF_EXCLUSION_REQUEST_HEADER_HELP_TEXT_FOR_ADD2_WAF_EXCLUSION_REQUEST_HEADER_HELP_TEXT_FOR_REMOVErs rAddRequestHeaderrbrrcURS[R"[[S.S/S9SU(a[O[ S9 g)z=Adds request-query-param-to-exclude argument to the argparse.z --request-query-param-to-excluderrrrrN)r*rrr4_WAF_EXCLUSION_REQUEST_QUERY_PARAM_HELP_TEXT_FOR_ADD7_WAF_EXCLUSION_REQUEST_QUERY_PARAM_HELP_TEXT_FOR_REMOVErs rAddRequestQueryParamrpsJ(    !6  #   @L NrcURS[R"[[S.S/S9SU(a[O[ S9 g)z5Adds request-uri-to-exclude argument to the argparse.z--request-uri-to-excluderrrrrN)r*rrr,_WAF_EXCLUSION_REQUEST_URI_HELP_TEXT_FOR_ADD/_WAF_EXCLUSION_REQUEST_URI_HELP_TEXT_FOR_REMOVErs r AddRequestUrir~sI    !6  #   8D FrcURS[R"5SSS9 URS[R"5SSS9 g)zBAdds reCAPTCHA token evaluation related arguments to the argparse.z--recaptcha-action-site-keysSITE_KEYz A comma-separated list of site keys to be used during the validation of reCAPTCHA action-tokens. The provided site keys need to be created from the reCAPTCHA API under the same project where the security policy is created. rHz--recaptcha-session-site-keysz A comma-separated list of site keys to be used during the validation of reCAPTCHA session-tokens. The provided site keys need to be created from the reCAPTCHA API under the same project where the security policy is created. N)r*rrOrvs rAddRecaptchaOptionsrsX$       %      rN)F)T)TF)0__doc__ __future__rrrgooglecloudsdk.callioper"googlecloudsdk.command_lib.computercompute_completersrr84googlecloudsdk.command_lib.compute.security_policiesr &_WAF_EXCLUSION_REQUEST_FIELD_HELP_TEXTrrrrrrrrrrrrrListCommandCompleterr r/r<r?rRr[rrrwr~rrrrrrrrrrrrrrs.J&'/OEX*&.40 7340733- 3-/ 6-6-2 3/62 84;70,3/0,4<#5#J#J< 75"H PB0L %3MlN  .cHL  JJ I I N Fr