asbestos 0.0.1

data/Rakefile

@@ -0,0 +1 @@
+require "bundler/gem_tasks"

data/asbestos.gemspec

@@ -0,0 +1,26 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'asbestos/metadata'
+
+Gem::Specification.new do |spec|
+  spec.name          = "asbestos"
+  spec.version       = Asbestos::VERSION
+  spec.authors       = ["Michael Shapiro"]
+  spec.email         = ["koudelka@ryoukai.org"]
+  spec.description   = %q{Asbestos is a declarative DSL for building firewall rules (iptables, at this point)}
+  spec.summary       = %q{Declarative firewall(iptables) DSL.}
+  spec.homepage      = Asbestos::HOMEPAGE
+  spec.license       = "MIT"
+
+  spec.files         = `git ls-files`.split($/)
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ["lib"]
+
+  spec.add_development_dependency "bundler", "~> 1.3"
+  spec.add_development_dependency "rake"
+  spec.add_development_dependency "rspec"
+
+  spec.add_dependency "system-getifaddrs", "~> 0.1.5"
+end

data/bin/asbestos

@@ -0,0 +1,112 @@
+#!/usr/bin/env ruby
+
+require 'asbestos'
+require 'optparse'
+require 'pathname'
+
+options = {
+  :host => Asbestos.hostname
+}
+
+parser = \
+  OptionParser.new do |o|
+    o.banner = "Usage: #{o.program_name} COMMAND [OPTIONS] FILES"
+    o.separator ""
+    o.separator "Commands"
+    o.separator "  rules: generates firewall rules for the given host"
+    #o.separator "  graph: geneates a graphviz visualization of your topology"
+    o.separator ""
+    o.separator "Options"
+
+    o.on("-h", "--host HOST","the host to generate rules for") do |host|
+      options[:host] = host
+    end
+
+    o.on("-D","--debug","dumps lots of information about your topology's hosts/templates/services") do
+      $ASBESTOSDEBUG = true
+    end
+
+    o.on("--debug-stderr","suppresses the line-numbered output on stderr") do
+      options[:stderr] = true
+    end
+
+    o.on("--help","displays this help information") do
+      puts o
+    end
+
+    o.separator ""
+    o.separator "Examples"
+    o.separator "  Generate rules for the current host:"
+    o.separator "  $ #{o.program_name} rules my_services.rb my_hosts.rb"
+    o.separator ""
+    o.separator "  Generate rules for an arbitrary host:"
+    o.separator "  $ #{o.program_name} rules --host some_host my_services.rb my_hosts.rb"
+    o.separator ""
+    o.separator "DSL Examples"
+    o.separator "  Please see #{Asbestos::HOMEPAGE}"
+
+    o.parse!
+  end
+
+command = \
+  if ARGV.first.end_with? '.rb'
+    'rules'
+  else
+    ARGV.shift
+  end
+
+files = ARGV
+
+files.each do |file|
+  require Pathname.new(file).realpath.to_s
+end
+
+if $ASBESTOSDEBUG
+  $stderr.puts "-"*10 + "Asbestos Debug Enabled--" + "-"*10
+  $stderr.puts
+  $stderr.puts "Known RuleSets #{Asbestos::RuleSet.all.keys}"
+  $stderr.puts "Known Services #{Asbestos::Service.all.keys}"
+  $stderr.puts
+  $stderr.puts "Dumping all Hosts:"
+  $stderr.puts
+  Asbestos::Host.all.each do |_, host|
+    $stderr.puts "-"*20 + host.name.to_s + "-"*20
+    $stderr.puts host.debug
+    $stderr.puts host.rules
+    $stderr.puts
+  end
+end
+
+
+
+case command
+  when "rules"
+    if $ASBESTOSDEBUG
+      $stderr.puts '-' * 20
+      $stderr.puts "Running command 'rules' for host #{options[:host]}"
+      $stderr.puts '-' * 20
+    end
+
+    Host.all[options[:host]].tap do |host|
+      unless host
+        puts "Asbestos doesn't know about host '#{options[:host]}'!"
+        puts
+        puts "You've defined hosts:"
+        Host.all.keys.each do |name|
+          puts "  - #{name}"
+        end
+        puts
+        puts "Try `asbestos rules --host #{Host.all.keys.first} #{files.join(' ')}`"
+        exit
+      end
+      host.rules.tap do |rules|
+        rules.each_with_index do |rule, line_number|
+          puts rule
+          $stderr.puts "#{line_number.to_s.rjust(rules.length.to_s.length)}: #{rule}" if options[:stderr]
+        end
+      end
+    end
+  #when "graph"
+  else
+    puts parser
+end

data/examples/0_simple.rb

@@ -0,0 +1,5 @@
+
+host 'app_host' do
+  runs :ssh
+  runs :http
+end

data/examples/10_kitchen_sink.rb

@@ -0,0 +1,72 @@
+#
+# This is just a large contrived example. :)
+#
+
+address :the_office, "1.2.3.4"
+
+
+
+host_template "squidco_host" do
+  interface :loopback, :lo0
+  interface :internal, :bond0
+  interface :external, :bond1
+
+  accept_from_self
+  allow_related_established
+  icmp_protection allowed_from: :the_office
+  sanity_check
+
+  runs :ssh, on: :internal, port: 22022
+  runs :ssh, on: :external, port: 22022, from: :the_office
+  runs :monit, on: :external, from: :the_office
+end
+
+host_template "vps_host" do
+  interface :external, :eth0
+
+  runs :ssh, on: :external, port: 22022
+  runs :worker_status, on: :external, from: :the_office
+end
+
+
+
+service :worker_status do
+  port 1337
+end
+
+
+
+2.times do |i|
+  squidco_host "loadbalancer_#{i}" do
+    group :loadbalancers
+
+    runs :http, on: :external
+  end
+end
+
+5.times do |i|
+  squidco_host "app_#{i}" do
+    group :app_hosts
+
+    runs :http, on: :internal, from: {:loadbalancers => :internal}
+    runs :http, on: :external, from: :the_office
+  end
+end
+
+3.times do |i|
+  squidco_host "db_#{i}" do
+    group :db_hosts
+
+    runs :mongodb, on: :internal, from: {:app_hosts  => :internal}
+  end
+end
+
+squidco_host "background_queue" do
+  runs :redis, on: :external, from: [:the_office, {:background_workers => :external}]
+end
+
+5.times do |i|
+  vps_host "worker_#{i}" do
+    group :background_workers
+  end
+end

data/examples/1_two_hosts.rb

@@ -0,0 +1,18 @@
+
+host 'app_host' do
+  interface :internal, :eth0
+  # 'internal' is an arbitrary name, you can make it anything you want
+
+  runs :ssh
+  runs :http
+end
+
+host 'db_host' do
+  runs :ssh
+  runs :mongodb, from: { Host['app_host'] => :internal }
+end
+
+host 'db_host_more_specific' do
+  runs :ssh
+  runs :mongodb, from: { Host['app_host'] => :internal }
+end

data/examples/2_accept_from_many.rb

@@ -0,0 +1,19 @@
+
+host 'app_host' do
+  interface :internal, :eth0
+
+  runs :ssh
+  runs :http
+end
+
+host 'dax' do
+  interface :internal, :eth0
+end
+
+host 'db_host' do
+  interface :internal, :eth0
+
+  runs :ssh
+  runs :mongodb, on: :internal, from: { Host['app_host'] => :internal,
+                                        Host['dax']      => :internal }
+end

data/examples/3_groups.rb

@@ -0,0 +1,39 @@
+
+host 'app_host_0' do
+  group :app_hosts
+
+  interface :internal, :eth0
+
+  runs :ssh
+  runs :http
+end
+
+host 'app_host_1' do
+  group :app_hosts
+
+  interface :internal, :eth0
+
+  runs :ssh
+  runs :http
+end
+
+host 'app_host_2' do
+  group :app_hosts
+
+  interface :internal, :eth0
+
+  runs :ssh
+  runs :http
+end
+
+host 'dax' do
+  interface :internal, :eth0
+end
+
+host 'db_host' do
+  interface :internal, :eth0
+
+  runs :ssh
+  runs :mongodb, on: :internal, from: { :app_hosts  => :internal,
+                                        Host['dax'] => :internal }
+end

data/examples/4_host_templates.rb

@@ -0,0 +1,29 @@
+
+host_template 'app_host' do
+  group :app_hosts
+
+  interface :internal, :eth0
+
+  runs :ssh
+  runs :http
+end
+
+0.upto(2) do |i|
+  app_host "app_host_#{i}"
+end
+
+app_host 'app_host_3' do
+  runs :nfs
+end
+
+host 'dax' do
+  interface :internal, :eth0
+end
+
+host 'db_host' do
+  interface :internal, :eth0
+
+  runs :ssh
+  runs :mongodb, on: :internal, from: { :app_hosts  => :internal,
+                                        Host['dax'] => :internal }
+end

data/examples/5_static_addresses.rb

@@ -0,0 +1,7 @@
+
+address :load_balancers, ['lb0.myprovider.com', 'lb1.myprovider.com']
+address :monitoring, 'pinger.monitoringservice.com'
+
+host 'app_host' do
+  runs :http, from: [:load_balancers, :monitoring]
+end

data/examples/6_interface_addresses.rb

@@ -0,0 +1,19 @@
+
+host 'dax' do
+  interface :external, :eth0  #=> address is "dax_external"
+  interface :dmz, [:eth1, :eth2]  #=> addresses are "dax_dmz_eth1" and "dax_dmz_eth2"
+
+  runs :ssh, from: {Host['kira'] => :external}
+end
+
+
+host 'kira' do
+  group :developers
+
+  interface :external, :eth3 do |host|
+    [host.groups.join, host.name, 'foo'].join('_')
+  end
+  #=> address is "developers_kira_foo"
+
+  interface :internal, :eth4, 'bar' #=> address is "bar"
+end

data/examples/7_services.rb

@@ -0,0 +1,9 @@
+
+service :my_service do
+  ports 1337
+  protocols :tcp, :udp
+end
+
+host 'app_host' do
+  runs :my_service
+end

data/examples/8_rule_sets.rb

@@ -0,0 +1,37 @@
+rule_set :icmp_protection do
+  accept :chain     => :output,
+         :protocol  => :icmp,
+         :icmp_type => 'echo-request',
+         :comment   => "allow us to ping others"
+
+  accept :protocol  => :icmp,
+         :icmp_type => 'echo-reply',
+         :comment   => "allow us to receive ping responses"
+
+
+  interfaces[:external].each do |interface|
+    from_each_address(allowed_from) do |address|
+      accept :protocol  => :icmp,
+             :icmp_type => 'echo-request',
+             :interface => interface,
+             :remote_address => address,
+             :limit   => '22s',
+             :comment => "allow icmp from #{address}"
+    end
+
+    drop :protocol  => :icmp,
+         :interface => interface,
+         :comment   => "drop any icmp packets that haven't been explicitly allowed"
+  end
+end
+
+address :monitoring, 'pinger.monitoringservice.com'
+
+host 'app_host' do
+  interface :external, ['eth1', 'eth1:0']
+
+  icmp_protection allowed_from: :monitoring
+
+  runs :ssh
+end
+

data/examples/9_literal_commands.rb

@@ -0,0 +1,8 @@
+
+rule_set :creates_chaos do
+  command "-A INPUT -m statistic --mode random --probability 0.01 -j REJECT --reject-with host-unreach"
+end
+
+host 'app_host' do
+  creates_chaos
+end

data/lib/asbestos.rb

@@ -0,0 +1,108 @@
+require 'asbestos/metadata'
+
+require 'socket'
+require 'system/getifaddrs'
+
+require 'forwardable'
+
+
+module Asbestos
+
+  def self.hostname
+    Socket.gethostname[/[^.]*/]
+  end
+
+  def self.interfaces
+    System.get_ifaddrs
+  end
+
+  def self.os
+    case
+      when RUBY_PLATFORM[/linux/i]
+        :linux
+      when RUBY_PLATFORM[/darwin/i]
+        :darwin
+    end
+  end
+
+  def self.firewall
+    case os
+      when :linux
+        Asbestos::Firewall::IPTables
+      when :darwin
+        #FIXME
+        Asbestos::Firewall::IPTables
+    end
+  end
+
+  def self.reset!
+    [
+      Host.all,
+      Host.groups,
+      HostTemplate.all,
+      Address.all,
+      RuleSet.all,
+      Service.all,
+    ].each do |collection|
+      collection.delete_if {|_| true}
+    end
+  end
+
+  #
+  # Didn't want to monkeypatch the Hash class.
+  #
+  def self.with_indifferent_access!(hash)
+    class << hash
+      def [](key)
+        fetch key.to_sym
+      rescue KeyError # key not found
+        nil
+      end
+
+      def []=(key, value)
+        store key.to_sym, value
+      end
+    end
+  end
+
+  module ClassCollection
+    def self.included(base)
+      base.extend ClassMethods
+    end
+
+    module ClassMethods
+      def class_collection(name, base = self)
+        # this is a little nasty, the 'name' variable isn't available
+        # in the scope of the eigenclass, so we have to class_eval
+        # the eigenclass
+        (class << base; self; end).instance_eval do
+          extend ::Forwardable
+
+          attr_accessor name
+          def_delegators name, :[], :[]= if name == :all
+        end
+
+        Hash.new.tap do |hash|
+          Asbestos.with_indifferent_access! hash
+          base.instance_variable_set "@#{name}", hash
+        end
+      end
+    end
+
+  end
+
+end
+
+
+
+
+require 'asbestos/rule_set'
+require 'asbestos/service'
+require 'asbestos/host_template'
+require 'asbestos/host'
+require 'asbestos/address'
+require 'asbestos/dsl'
+
+%w{firewalls services rule_sets}.each do |dir|
+  Dir["#{File.dirname(__FILE__)}/asbestos/#{dir}/*.rb"].each { |f| require File.expand_path(f) }
+end