RubyGems - CloudyScripts - Versions diffs - 1.9.41 → 1.10.43 - Mend

CloudyScripts 1.9.41 → 1.10.43

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

data/Rakefile +1 -1
data/lib/help/state_transition_helper.rb +12 -4
data/lib/scripts/ec2/critical_ports_audit.rb +85 -0
data/lib/scripts/ec2/ec2_script.rb +1 -0
metadata +6 -16

data/Rakefile CHANGED

@@ -12,7 +12,7 @@ require 'rake/testtask'
 spec = Gem::Specification.new do |s|
   s.name = 'CloudyScripts'
-  s.version = '1.9.41'
+  s.version = '1.10.43'
   s.has_rdoc = true
   s.extra_rdoc_files = ['README.rdoc', 'LICENSE']
   s.summary = 'Scripts to facilitate programming for infrastructure clouds.'

data/lib/help/state_transition_helper.rb CHANGED

@@ -231,16 +231,24 @@ module StateTransitionHelper
   def retrieve_security_groups()
     @context[:script].post_message("going to retrieve security groups...")
     sgs = @context[:ec2_api_handler].describe_security_groups()
-    @context[:script].post_message("found #{sgs.size} security groups")
-    @logger.info("found #{sgs.size} security groups")
+    n = 0
+    unless sgs['securityGroupInfo'] == nil
+      n = sgs['securityGroupInfo']['item'].size
+    end
+    @context[:script].post_message("found #{n} security groups")
+    @logger.info("found #{n} security groups")
     @context[:security_groups] = sgs
   end
   def retrieve_instances()
     @context[:script].post_message("going to retrieve all instances...")
     inst = @context[:ec2_api_handler].describe_instances()
-    @context[:script].post_message("found #{inst.size} instances")
-    @logger.info("found #{inst.size} instances")
+    n = 0
+    unless inst['reservationSet'] == nil
+      n = inst['reservationSet']['item'].size
+    end
+    @context[:script].post_message("found #{n} instances")
+    @logger.info("found #{n} instances")
     @context[:ec2_instances] = inst
   end

data/lib/scripts/ec2/critical_ports_audit.rb ADDED

@@ -0,0 +1,85 @@
+require "help/script_execution_state"
+require "scripts/ec2/ec2_script"
+require "help/remote_command_handler"
+#require "help/dm_crypt_helper"
+require "help/ec2_helper"
+require "AWS"
+# Checks for all security groups if sensible ports are opened for the wide
+# public.
+#
+class CriticalPortsAudit < Ec2Script
+  # Input parameters
+  # * ec2_api_handler => object that allows to access the EC2 API
+  # * :critical_ports => arrays of ports to be checked
+  def initialize(input_params)
+    super(input_params)
+  end
+  def check_input_parameters()
+    if @input_params[:ec2_api_handler] == nil
+      raise Exception.new("no EC2 handler specified")
+    end
+    if @input_params[:critical_ports] == nil
+      raise Exception.new("no ports specified")
+    end
+  end
+  def load_initial_state()
+    CriticalPortsAuditState.load_state(@input_params)
+  end
+  private
+  # Here begins the state machine implementation
+  class CriticalPortsAuditState < ScriptExecutionState
+    def self.load_state(context)
+      state = context[:initial_state] == nil ? RetrievingSecurityGroups.new(context) : context[:initial_state]
+      state
+    end
+  end
+  # Nothing done yet. Retrieve all security groups
+  class RetrievingSecurityGroups < CriticalPortsAuditState
+    def enter
+      retrieve_security_groups()
+      CheckingSensiblePorts.new(@context)
+    end
+  end
+  # Security groups retrieved. Start analysing them.
+  class CheckingSensiblePorts< CriticalPortsAuditState
+    def enter
+      @context[:result][:affected_groups] = []
+      @context[:security_groups]['securityGroupInfo']['item'].each() do |group_info|
+        post_message("checking group '#{group_info['groupName']}'...")
+        next if group_info['ipPermissions'] == nil || group_info['ipPermissions']['item'] == nil
+        group_info['ipPermissions']['item'].each() do |permission_info|
+          logger.debug("permission_info = #{permission_info.inspect}")
+          next unless permission_info['groups'] == nil #ignore access rights to other groups
+          next unless permission_info['ipRanges']['item'][0]['cidrIp'] == "0.0.0.0/0"
+          #now check if a critical port is within the port-range
+          @context[:critical_ports].each() do |port|
+            if permission_info['fromPort'].to_i <= port && permission_info['toPort'].to_i >= port
+              @context[:result][:affected_groups] << {:name => group_info['groupName'],
+                :from => permission_info['fromPort'], :to => permission_info['toPort'],
+                :concerned => port, :prot => permission_info['protocol']}
+              post_message("=> found publically accessible port range that contains "+
+                  "critical port for group #{group_info['groupName']}: #{permission_info['fromPort']}-#{permission_info['toPort']}")
+            end
+          end
+        end
+      end
+      Done.new(@context)
+    end
+  end
+  # Script done.
+  class Done < CriticalPortsAuditState
+    def done?
+      true
+    end
+  end
+end

data/lib/scripts/ec2/ec2_script.rb CHANGED

@@ -19,6 +19,7 @@ class Ec2Script
     end
     @result = {:done => false, :failed => false}
     @input_params[:result] = @result
+    @logger.info("input parameters = #{@input_params.inspect}")
   end
   def register_state_change_listener(listener)

metadata CHANGED

@@ -1,13 +1,12 @@
 --- !ruby/object:Gem::Specification
 name: CloudyScripts
 version: !ruby/object:Gem::Version
-  hash: 97
   prerelease: false
   segments:
   - 1
-  - 9
-  - 41
-  version: 1.9.41
+  - 10
+  - 43
+  version: 1.10.43
 platform: ruby
 authors:
 - Matthias Jung
@@ -15,18 +14,16 @@ autorequire:
 bindir: bin
 cert_chain: []
-date: 2011-09-01 00:00:00 +02:00
+date: 2011-09-02 00:00:00 +02:00
 default_executable:
 dependencies:
 - !ruby/object:Gem::Dependency
   name: amazon-ec2
   prerelease: false
   requirement: &id001 !ruby/object:Gem::Requirement
-    none: false
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        hash: 3
         segments:
         - 0
         version: "0"
@@ -36,11 +33,9 @@ dependencies:
   name: net-ssh
   prerelease: false
   requirement: &id002 !ruby/object:Gem::Requirement
-    none: false
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        hash: 3
         segments:
         - 0
         version: "0"
@@ -50,11 +45,9 @@ dependencies:
   name: net-scp
   prerelease: false
   requirement: &id003 !ruby/object:Gem::Requirement
-    none: false
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        hash: 3
         segments:
         - 0
         version: "0"
@@ -261,6 +254,7 @@ files:
 - lib/scripts/ec2/audit_via_ssh.rb
 - lib/scripts/ec2/copy_ami.rb
 - lib/scripts/ec2/copy_snapshot.rb
+- lib/scripts/ec2/critical_ports_audit.rb
 - lib/scripts/ec2/dm_encrypt.rb
 - lib/scripts/ec2/download_snapshot.rb
 - lib/scripts/ec2/ec2_script.rb
@@ -277,27 +271,23 @@ rdoc_options: []
 require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
-  none: false
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      hash: 3
       segments:
       - 0
       version: "0"
 required_rubygems_version: !ruby/object:Gem::Requirement
-  none: false
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      hash: 3
       segments:
       - 0
       version: "0"
 requirements: []
 rubyforge_project: cloudyscripts
-rubygems_version: 1.3.7
+rubygems_version: 1.3.6
 signing_key:
 specification_version: 3
 summary: Scripts to facilitate programming for infrastructure clouds.