317 lines
13 KiB
PHP
317 lines
13 KiB
PHP
<?php
|
|
/*
|
|
* Copyright 2014 Google Inc.
|
|
*
|
|
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
|
|
* use this file except in compliance with the License. You may obtain a copy of
|
|
* the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
* License for the specific language governing permissions and limitations under
|
|
* the License.
|
|
*/
|
|
|
|
namespace Google\Service\Compute;
|
|
|
|
class SecurityPolicyRuleRateLimitOptions extends \Google\Collection
|
|
{
|
|
public const ENFORCE_ON_KEY_ALL = 'ALL';
|
|
public const ENFORCE_ON_KEY_HTTP_COOKIE = 'HTTP_COOKIE';
|
|
public const ENFORCE_ON_KEY_HTTP_HEADER = 'HTTP_HEADER';
|
|
public const ENFORCE_ON_KEY_HTTP_PATH = 'HTTP_PATH';
|
|
public const ENFORCE_ON_KEY_IP = 'IP';
|
|
public const ENFORCE_ON_KEY_REGION_CODE = 'REGION_CODE';
|
|
public const ENFORCE_ON_KEY_SNI = 'SNI';
|
|
public const ENFORCE_ON_KEY_TLS_JA3_FINGERPRINT = 'TLS_JA3_FINGERPRINT';
|
|
public const ENFORCE_ON_KEY_TLS_JA4_FINGERPRINT = 'TLS_JA4_FINGERPRINT';
|
|
public const ENFORCE_ON_KEY_USER_IP = 'USER_IP';
|
|
public const ENFORCE_ON_KEY_XFF_IP = 'XFF_IP';
|
|
protected $collection_key = 'enforceOnKeyConfigs';
|
|
/**
|
|
* Can only be specified if the action for the rule is "rate_based_ban". If
|
|
* specified, determines the time (in seconds) the traffic will continue to be
|
|
* banned by the rate limit after the rate falls below the threshold.
|
|
*
|
|
* @var int
|
|
*/
|
|
public $banDurationSec;
|
|
protected $banThresholdType = SecurityPolicyRuleRateLimitOptionsThreshold::class;
|
|
protected $banThresholdDataType = '';
|
|
/**
|
|
* Action to take for requests that are under the configured rate limit
|
|
* threshold. Valid option is "allow" only.
|
|
*
|
|
* @var string
|
|
*/
|
|
public $conformAction;
|
|
/**
|
|
* Determines the key to enforce the rate_limit_threshold on. Possible values
|
|
* are: - ALL: A single rate limit threshold is applied to all the
|
|
* requests matching this rule. This is the default value if "enforceOnKey"
|
|
* is not configured. - IP: The source IP address of the request is the
|
|
* key. Each IP has this limit enforced separately. - HTTP_HEADER: The
|
|
* value of the HTTP header whose name is configured under
|
|
* "enforceOnKeyName". The key value is truncated to the first 128 bytes of
|
|
* the header value. If no such header is present in the request, the key
|
|
* type defaults toALL. - XFF_IP: The first IP address (i.e. the
|
|
* originating client IP address) specified in the list of IPs under
|
|
* X-Forwarded-For HTTP header. If no such header is present or the value
|
|
* is not a valid IP, the key defaults to the source IP address of the
|
|
* request i.e. key type IP. - HTTP_COOKIE: The value of the HTTP cookie
|
|
* whose name is configured under "enforceOnKeyName". The key value is
|
|
* truncated to the first 128 bytes of the cookie value. If no such cookie
|
|
* is present in the request, the key type defaults toALL. - HTTP_PATH: The
|
|
* URL path of the HTTP request. The key value is truncated to the first
|
|
* 128 bytes. - SNI: Server name indication in the TLS session of the
|
|
* HTTPS request. The key value is truncated to the first 128 bytes. The
|
|
* key type defaults to ALL on a HTTP session. - REGION_CODE: The
|
|
* country/region from which the request originates. -
|
|
* TLS_JA3_FINGERPRINT: JA3 TLS/SSL fingerprint if the client connects
|
|
* using HTTPS, HTTP/2 or HTTP/3. If not available, the key type defaults
|
|
* to ALL. - USER_IP: The IP address of the originating client, which
|
|
* is resolved based on "userIpRequestHeaders" configured with the security
|
|
* policy. If there is no "userIpRequestHeaders" configuration or an IP
|
|
* address cannot be resolved from it, the key type defaults toIP.
|
|
*
|
|
* - TLS_JA4_FINGERPRINT: JA4 TLS/SSL fingerprint if the client connects using
|
|
* HTTPS, HTTP/2 or HTTP/3. If not available, the key type defaults to ALL.
|
|
* For "fairshare" action, this value is limited to ALL i.e. a single rate
|
|
* limit threshold is enforced for all the requests matching the rule.
|
|
*
|
|
* @var string
|
|
*/
|
|
public $enforceOnKey;
|
|
protected $enforceOnKeyConfigsType = SecurityPolicyRuleRateLimitOptionsEnforceOnKeyConfig::class;
|
|
protected $enforceOnKeyConfigsDataType = 'array';
|
|
/**
|
|
* Rate limit key name applicable only for the following key types:
|
|
* HTTP_HEADER -- Name of the HTTP header whose value is taken as the key
|
|
* value. HTTP_COOKIE -- Name of the HTTP cookie whose value is taken as the
|
|
* key value.
|
|
*
|
|
* @var string
|
|
*/
|
|
public $enforceOnKeyName;
|
|
/**
|
|
* Action to take for requests that are above the configured rate limit
|
|
* threshold, to either deny with a specified HTTP response code, or redirect
|
|
* to a different endpoint. Valid options are `deny(STATUS)`, where valid
|
|
* values for `STATUS` are 403, 404, 429, and 502, and `redirect`, where the
|
|
* redirect parameters come from `exceedRedirectOptions` below. The `redirect`
|
|
* action is only supported in Global Security Policies of type CLOUD_ARMOR.
|
|
*
|
|
* @var string
|
|
*/
|
|
public $exceedAction;
|
|
protected $exceedRedirectOptionsType = SecurityPolicyRuleRedirectOptions::class;
|
|
protected $exceedRedirectOptionsDataType = '';
|
|
protected $rateLimitThresholdType = SecurityPolicyRuleRateLimitOptionsThreshold::class;
|
|
protected $rateLimitThresholdDataType = '';
|
|
|
|
/**
|
|
* Can only be specified if the action for the rule is "rate_based_ban". If
|
|
* specified, determines the time (in seconds) the traffic will continue to be
|
|
* banned by the rate limit after the rate falls below the threshold.
|
|
*
|
|
* @param int $banDurationSec
|
|
*/
|
|
public function setBanDurationSec($banDurationSec)
|
|
{
|
|
$this->banDurationSec = $banDurationSec;
|
|
}
|
|
/**
|
|
* @return int
|
|
*/
|
|
public function getBanDurationSec()
|
|
{
|
|
return $this->banDurationSec;
|
|
}
|
|
/**
|
|
* Can only be specified if the action for the rule is "rate_based_ban". If
|
|
* specified, the key will be banned for the configured 'ban_duration_sec'
|
|
* when the number of requests that exceed the 'rate_limit_threshold' also
|
|
* exceed this 'ban_threshold'.
|
|
*
|
|
* @param SecurityPolicyRuleRateLimitOptionsThreshold $banThreshold
|
|
*/
|
|
public function setBanThreshold(SecurityPolicyRuleRateLimitOptionsThreshold $banThreshold)
|
|
{
|
|
$this->banThreshold = $banThreshold;
|
|
}
|
|
/**
|
|
* @return SecurityPolicyRuleRateLimitOptionsThreshold
|
|
*/
|
|
public function getBanThreshold()
|
|
{
|
|
return $this->banThreshold;
|
|
}
|
|
/**
|
|
* Action to take for requests that are under the configured rate limit
|
|
* threshold. Valid option is "allow" only.
|
|
*
|
|
* @param string $conformAction
|
|
*/
|
|
public function setConformAction($conformAction)
|
|
{
|
|
$this->conformAction = $conformAction;
|
|
}
|
|
/**
|
|
* @return string
|
|
*/
|
|
public function getConformAction()
|
|
{
|
|
return $this->conformAction;
|
|
}
|
|
/**
|
|
* Determines the key to enforce the rate_limit_threshold on. Possible values
|
|
* are: - ALL: A single rate limit threshold is applied to all the
|
|
* requests matching this rule. This is the default value if "enforceOnKey"
|
|
* is not configured. - IP: The source IP address of the request is the
|
|
* key. Each IP has this limit enforced separately. - HTTP_HEADER: The
|
|
* value of the HTTP header whose name is configured under
|
|
* "enforceOnKeyName". The key value is truncated to the first 128 bytes of
|
|
* the header value. If no such header is present in the request, the key
|
|
* type defaults toALL. - XFF_IP: The first IP address (i.e. the
|
|
* originating client IP address) specified in the list of IPs under
|
|
* X-Forwarded-For HTTP header. If no such header is present or the value
|
|
* is not a valid IP, the key defaults to the source IP address of the
|
|
* request i.e. key type IP. - HTTP_COOKIE: The value of the HTTP cookie
|
|
* whose name is configured under "enforceOnKeyName". The key value is
|
|
* truncated to the first 128 bytes of the cookie value. If no such cookie
|
|
* is present in the request, the key type defaults toALL. - HTTP_PATH: The
|
|
* URL path of the HTTP request. The key value is truncated to the first
|
|
* 128 bytes. - SNI: Server name indication in the TLS session of the
|
|
* HTTPS request. The key value is truncated to the first 128 bytes. The
|
|
* key type defaults to ALL on a HTTP session. - REGION_CODE: The
|
|
* country/region from which the request originates. -
|
|
* TLS_JA3_FINGERPRINT: JA3 TLS/SSL fingerprint if the client connects
|
|
* using HTTPS, HTTP/2 or HTTP/3. If not available, the key type defaults
|
|
* to ALL. - USER_IP: The IP address of the originating client, which
|
|
* is resolved based on "userIpRequestHeaders" configured with the security
|
|
* policy. If there is no "userIpRequestHeaders" configuration or an IP
|
|
* address cannot be resolved from it, the key type defaults toIP.
|
|
*
|
|
* - TLS_JA4_FINGERPRINT: JA4 TLS/SSL fingerprint if the client connects using
|
|
* HTTPS, HTTP/2 or HTTP/3. If not available, the key type defaults to ALL.
|
|
* For "fairshare" action, this value is limited to ALL i.e. a single rate
|
|
* limit threshold is enforced for all the requests matching the rule.
|
|
*
|
|
* Accepted values: ALL, HTTP_COOKIE, HTTP_HEADER, HTTP_PATH, IP, REGION_CODE,
|
|
* SNI, TLS_JA3_FINGERPRINT, TLS_JA4_FINGERPRINT, USER_IP, XFF_IP
|
|
*
|
|
* @param self::ENFORCE_ON_KEY_* $enforceOnKey
|
|
*/
|
|
public function setEnforceOnKey($enforceOnKey)
|
|
{
|
|
$this->enforceOnKey = $enforceOnKey;
|
|
}
|
|
/**
|
|
* @return self::ENFORCE_ON_KEY_*
|
|
*/
|
|
public function getEnforceOnKey()
|
|
{
|
|
return $this->enforceOnKey;
|
|
}
|
|
/**
|
|
* If specified, any combination of values of
|
|
* enforce_on_key_type/enforce_on_key_name is treated as the key on which
|
|
* ratelimit threshold/action is enforced. You can specify up to 3
|
|
* enforce_on_key_configs. If enforce_on_key_configs is specified,
|
|
* enforce_on_key must not be specified.
|
|
*
|
|
* @param SecurityPolicyRuleRateLimitOptionsEnforceOnKeyConfig[] $enforceOnKeyConfigs
|
|
*/
|
|
public function setEnforceOnKeyConfigs($enforceOnKeyConfigs)
|
|
{
|
|
$this->enforceOnKeyConfigs = $enforceOnKeyConfigs;
|
|
}
|
|
/**
|
|
* @return SecurityPolicyRuleRateLimitOptionsEnforceOnKeyConfig[]
|
|
*/
|
|
public function getEnforceOnKeyConfigs()
|
|
{
|
|
return $this->enforceOnKeyConfigs;
|
|
}
|
|
/**
|
|
* Rate limit key name applicable only for the following key types:
|
|
* HTTP_HEADER -- Name of the HTTP header whose value is taken as the key
|
|
* value. HTTP_COOKIE -- Name of the HTTP cookie whose value is taken as the
|
|
* key value.
|
|
*
|
|
* @param string $enforceOnKeyName
|
|
*/
|
|
public function setEnforceOnKeyName($enforceOnKeyName)
|
|
{
|
|
$this->enforceOnKeyName = $enforceOnKeyName;
|
|
}
|
|
/**
|
|
* @return string
|
|
*/
|
|
public function getEnforceOnKeyName()
|
|
{
|
|
return $this->enforceOnKeyName;
|
|
}
|
|
/**
|
|
* Action to take for requests that are above the configured rate limit
|
|
* threshold, to either deny with a specified HTTP response code, or redirect
|
|
* to a different endpoint. Valid options are `deny(STATUS)`, where valid
|
|
* values for `STATUS` are 403, 404, 429, and 502, and `redirect`, where the
|
|
* redirect parameters come from `exceedRedirectOptions` below. The `redirect`
|
|
* action is only supported in Global Security Policies of type CLOUD_ARMOR.
|
|
*
|
|
* @param string $exceedAction
|
|
*/
|
|
public function setExceedAction($exceedAction)
|
|
{
|
|
$this->exceedAction = $exceedAction;
|
|
}
|
|
/**
|
|
* @return string
|
|
*/
|
|
public function getExceedAction()
|
|
{
|
|
return $this->exceedAction;
|
|
}
|
|
/**
|
|
* Parameters defining the redirect action that is used as the exceed action.
|
|
* Cannot be specified if the exceed action is not redirect. This field is
|
|
* only supported in Global Security Policies of type CLOUD_ARMOR.
|
|
*
|
|
* @param SecurityPolicyRuleRedirectOptions $exceedRedirectOptions
|
|
*/
|
|
public function setExceedRedirectOptions(SecurityPolicyRuleRedirectOptions $exceedRedirectOptions)
|
|
{
|
|
$this->exceedRedirectOptions = $exceedRedirectOptions;
|
|
}
|
|
/**
|
|
* @return SecurityPolicyRuleRedirectOptions
|
|
*/
|
|
public function getExceedRedirectOptions()
|
|
{
|
|
return $this->exceedRedirectOptions;
|
|
}
|
|
/**
|
|
* Threshold at which to begin ratelimiting.
|
|
*
|
|
* @param SecurityPolicyRuleRateLimitOptionsThreshold $rateLimitThreshold
|
|
*/
|
|
public function setRateLimitThreshold(SecurityPolicyRuleRateLimitOptionsThreshold $rateLimitThreshold)
|
|
{
|
|
$this->rateLimitThreshold = $rateLimitThreshold;
|
|
}
|
|
/**
|
|
* @return SecurityPolicyRuleRateLimitOptionsThreshold
|
|
*/
|
|
public function getRateLimitThreshold()
|
|
{
|
|
return $this->rateLimitThreshold;
|
|
}
|
|
}
|
|
|
|
// Adding a class alias for backwards compatibility with the previous class name.
|
|
class_alias(SecurityPolicyRuleRateLimitOptions::class, 'Google_Service_Compute_SecurityPolicyRuleRateLimitOptions');
|