CloudyScripts 1.9.41 → 1.10.43

data/Rakefile

@@ -12,7 +12,7 @@ require 'rake/testtask'
 
 spec = Gem::Specification.new do |s|
   s.name = 'CloudyScripts'
-  s.version = '1.9.41'
+  s.version = '1.10.43'
   s.has_rdoc = true
   s.extra_rdoc_files = ['README.rdoc', 'LICENSE']
   s.summary = 'Scripts to facilitate programming for infrastructure clouds.'

data/lib/help/state_transition_helper.rb

@@ -231,16 +231,24 @@ module StateTransitionHelper
   def retrieve_security_groups()
     @context[:script].post_message("going to retrieve security groups...")
     sgs = @context[:ec2_api_handler].describe_security_groups()
-    @context[:script].post_message("found #{sgs.size} security groups")
-    @logger.info("found #{sgs.size} security groups")
+    n = 0
+    unless sgs['securityGroupInfo'] == nil
+      n = sgs['securityGroupInfo']['item'].size
+    end
+    @context[:script].post_message("found #{n} security groups")
+    @logger.info("found #{n} security groups")
     @context[:security_groups] = sgs
   end
 
   def retrieve_instances()
     @context[:script].post_message("going to retrieve all instances...")
     inst = @context[:ec2_api_handler].describe_instances()
-    @context[:script].post_message("found #{inst.size} instances")
-    @logger.info("found #{inst.size} instances")
+    n = 0
+    unless inst['reservationSet'] == nil
+      n = inst['reservationSet']['item'].size
+    end
+    @context[:script].post_message("found #{n} instances")
+    @logger.info("found #{n} instances")
     @context[:ec2_instances] = inst
   end
   

data/lib/scripts/ec2/critical_ports_audit.rb

@@ -0,0 +1,85 @@
+require "help/script_execution_state"
+require "scripts/ec2/ec2_script"
+require "help/remote_command_handler"
+#require "help/dm_crypt_helper"
+require "help/ec2_helper"
+require "AWS"
+
+# Checks for all security groups if sensible ports are opened for the wide
+# public.
+#
+
+class CriticalPortsAudit < Ec2Script
+  # Input parameters
+  # * ec2_api_handler => object that allows to access the EC2 API
+  # * :critical_ports => arrays of ports to be checked
+  def initialize(input_params)
+    super(input_params)
+  end
+
+  def check_input_parameters()
+    if @input_params[:ec2_api_handler] == nil
+      raise Exception.new("no EC2 handler specified")
+    end
+    if @input_params[:critical_ports] == nil
+      raise Exception.new("no ports specified")
+    end
+  end
+
+  def load_initial_state()
+    CriticalPortsAuditState.load_state(@input_params)
+  end
+  
+  private
+
+  # Here begins the state machine implementation
+  class CriticalPortsAuditState < ScriptExecutionState
+    def self.load_state(context)
+      state = context[:initial_state] == nil ? RetrievingSecurityGroups.new(context) : context[:initial_state]
+      state
+    end
+  end
+
+  # Nothing done yet. Retrieve all security groups
+  class RetrievingSecurityGroups < CriticalPortsAuditState
+    def enter
+      retrieve_security_groups()
+      CheckingSensiblePorts.new(@context)
+    end
+  end
+
+  # Security groups retrieved. Start analysing them.
+  class CheckingSensiblePorts< CriticalPortsAuditState
+    def enter
+      @context[:result][:affected_groups] = []
+      @context[:security_groups]['securityGroupInfo']['item'].each() do |group_info|
+        post_message("checking group '#{group_info['groupName']}'...")
+        next if group_info['ipPermissions'] == nil || group_info['ipPermissions']['item'] == nil
+        group_info['ipPermissions']['item'].each() do |permission_info|
+          logger.debug("permission_info = #{permission_info.inspect}")
+          next unless permission_info['groups'] == nil #ignore access rights to other groups
+          next unless permission_info['ipRanges']['item'][0]['cidrIp'] == "0.0.0.0/0"
+          #now check if a critical port is within the port-range
+          @context[:critical_ports].each() do |port|
+            if permission_info['fromPort'].to_i <= port && permission_info['toPort'].to_i >= port
+              @context[:result][:affected_groups] << {:name => group_info['groupName'],
+                :from => permission_info['fromPort'], :to => permission_info['toPort'], 
+                :concerned => port, :prot => permission_info['protocol']}
+              post_message("=> found publically accessible port range that contains "+
+                  "critical port for group #{group_info['groupName']}: #{permission_info['fromPort']}-#{permission_info['toPort']}")
+            end
+          end
+        end
+      end
+      Done.new(@context)
+    end
+  end
+
+  # Script done.
+  class Done < CriticalPortsAuditState
+    def done?
+      true
+    end
+  end
+  
+end

data/lib/scripts/ec2/ec2_script.rb

@@ -19,6 +19,7 @@ class Ec2Script
     end
     @result = {:done => false, :failed => false}
     @input_params[:result] = @result
+    @logger.info("input parameters = #{@input_params.inspect}")
   end
 
   def register_state_change_listener(listener)

metadata

@@ -1,13 +1,12 @@
 --- !ruby/object:Gem::Specification 
 name: CloudyScripts
 version: !ruby/object:Gem::Version 
-  hash: 97
   prerelease: false
   segments: 
   - 1
-  - 9
-  - 41
-  version: 1.9.41
+  - 10
+  - 43
+  version: 1.10.43
 platform: ruby
 authors: 
 - Matthias Jung
@@ -15,18 +14,16 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2011-09-01 00:00:00 +02:00
+date: 2011-09-02 00:00:00 +02:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency 
   name: amazon-ec2
   prerelease: false
   requirement: &id001 !ruby/object:Gem::Requirement 
-    none: false
     requirements: 
     - - ">="
       - !ruby/object:Gem::Version 
-        hash: 3
         segments: 
         - 0
         version: "0"
@@ -36,11 +33,9 @@ dependencies:
   name: net-ssh
   prerelease: false
   requirement: &id002 !ruby/object:Gem::Requirement 
-    none: false
     requirements: 
     - - ">="
       - !ruby/object:Gem::Version 
-        hash: 3
         segments: 
         - 0
         version: "0"
@@ -50,11 +45,9 @@ dependencies:
   name: net-scp
   prerelease: false
   requirement: &id003 !ruby/object:Gem::Requirement 
-    none: false
     requirements: 
     - - ">="
       - !ruby/object:Gem::Version 
-        hash: 3
         segments: 
         - 0
         version: "0"
@@ -261,6 +254,7 @@ files:
 - lib/scripts/ec2/audit_via_ssh.rb
 - lib/scripts/ec2/copy_ami.rb
 - lib/scripts/ec2/copy_snapshot.rb
+- lib/scripts/ec2/critical_ports_audit.rb
 - lib/scripts/ec2/dm_encrypt.rb
 - lib/scripts/ec2/download_snapshot.rb
 - lib/scripts/ec2/ec2_script.rb
@@ -277,27 +271,23 @@ rdoc_options: []
 require_paths: 
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement 
-  none: false
   requirements: 
   - - ">="
     - !ruby/object:Gem::Version 
-      hash: 3
       segments: 
       - 0
       version: "0"
 required_rubygems_version: !ruby/object:Gem::Requirement 
-  none: false
   requirements: 
   - - ">="
     - !ruby/object:Gem::Version 
-      hash: 3
       segments: 
       - 0
       version: "0"
 requirements: []
 
 rubyforge_project: cloudyscripts
-rubygems_version: 1.3.7
+rubygems_version: 1.3.6
 signing_key: 
 specification_version: 3
 summary: Scripts to facilitate programming for infrastructure clouds.