RubyGems - aws_security_viz - Versions diffs - 0.1.0 - Mend

aws_security_viz 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (35) hide show

checksums.yaml +7 -0
data/.gitignore +33 -0
data/.travis.yml +6 -0
data/Gemfile +3 -0
data/Gemfile.lock +126 -0
data/LICENSE.md +21 -0
data/README.md +71 -0
data/Rakefile +2 -0
data/Vagrantfile +17 -0
data/aws_security_viz.gemspec +34 -0
data/config/boot.rb +4 -0
data/exe/aws_security_viz +21 -0
data/images/sample.png +0 -0
data/lib/aws_config.rb +22 -0
data/lib/aws_security_viz.rb +44 -0
data/lib/color_picker.rb +18 -0
data/lib/debug/parse_log.rb +26 -0
data/lib/debug_graph.rb +24 -0
data/lib/ec2/ip_permission.rb +33 -0
data/lib/ec2/security_groups.rb +77 -0
data/lib/ec2/traffic.rb +32 -0
data/lib/exclusions.rb +14 -0
data/lib/export/html/view.html +36 -0
data/lib/graph.rb +40 -0
data/lib/provider/ec2.rb +87 -0
data/lib/provider/json.rb +92 -0
data/lib/version.rb +3 -0
data/opts.yml.sample +10 -0
data/spec/integration/dummy.dot +49 -0
data/spec/integration/dummy.json +64 -0
data/spec/integration/visualize_aws_spec.rb +21 -0
data/spec/spec_helper.rb +24 -0
data/spec/support/matchers/graph.rb +8 -0
data/spec/visualize_aws_spec.rb +132 -0
metadata +210 -0

data/lib/debug/parse_log.rb ADDED Viewed

@@ -0,0 +1,26 @@
+require_relative '../graph.rb'
+require 'organic_hash'
+@oh = OrganicHash.new
+def h(s)
+  @oh.hash(s)
+end
+def debug
+  g = Graph.new
+  File.readlines('debug-output.log').map do |l|
+    type, left, right = l.split(/\W+/)
+    if type=="node"
+      g.add_node(h(left))
+    elsif type=="edge"
+      g.add_edge(h(left), h(right), {})
+    end
+  end
+  g.output(:svg => 'test.svg', :use => 'sfdp')
+end
+if __FILE__ == $0
+  debug
+end

data/lib/debug_graph.rb ADDED Viewed

@@ -0,0 +1,24 @@
+require 'digest'
+class DebugGraph
+  def initialize
+    @g = Graph.new
+  end
+  def add_node(name)
+    @g.add_node(h(name)) if name
+  end
+  def add_edge(from, to, opts)
+    @g.add_edge(h(from), h(to), opts.update(label: h(opts[:label])))
+  end
+  def output(opts)
+    @g.output(opts)
+  end
+  private
+  def h(msg)
+    Digest::SHA256.hexdigest msg
+  end
+end

data/lib/ec2/ip_permission.rb ADDED Viewed

@@ -0,0 +1,33 @@
+require_relative 'traffic.rb'
+class IpPermission
+  def initialize(group, ip, ingress, exclusions)
+    @group = group
+    @ip = ip
+    @ingress = ingress
+    @exclusions = exclusions
+  end
+  def traffic
+    cidr_traffic + group_traffic
+  end
+  private
+  def port_range
+    @ip.protocol == '-1' ? '*' : [@ip.from, @ip.to].uniq.join('-') + '/' + @ip.protocol
+  end
+  def cidr_traffic
+    @ip.ip_ranges.collect { |range|
+      Traffic.new(@ingress, range.cidr_ip, @group.name, port_range)
+    }
+  end
+  def group_traffic
+    @ip.groups
+      .select { |gp| !@exclusions.match(gp.name)}
+      .collect { |gp|
+      Traffic.new(@ingress, gp.name, @group.name, port_range)
+    }
+  end
+end

data/lib/ec2/security_groups.rb ADDED Viewed

@@ -0,0 +1,77 @@
+require 'set'
+require 'forwardable'
+require_relative 'ip_permission.rb'
+class SecurityGroups
+  include Enumerable
+  def initialize(provider, config)
+    @groups = provider.security_groups
+    @config = config
+  end
+  def each(&block)
+    groups = @groups.select { |sg| !@config.exclusions.match(sg.name) }
+    groups.each { |group|
+      if block_given?
+        block.call SecurityGroup.new(@groups, group, @config)
+      else
+        yield SecurityGroup.new(@groups, group, @config)
+      end
+    }
+  end
+  def size
+    @groups.size
+  end
+end
+class SecurityGroup
+  extend Forwardable
+  def_delegator :@group, :name
+  def initialize(all_groups, group, config)
+    @all_groups = all_groups
+    @group = group
+    @config = config
+  end
+  def permissions
+    ingress_permissions = @group.ip_permissions.collect { |ip|
+      IpPermission.new(@group, ip, true, @config.exclusions)
+    }
+    egress_permissions = @group.ip_permissions_egress.collect { |ip|
+      IpPermission.new(@group, ip, false, @config.exclusions)
+    }
+    ingress_permissions + egress_permissions
+  end
+  def traffic
+    all_traffic = permissions.collect { |permission|
+      permission.traffic
+    }.flatten.uniq
+    CidrGroupMapping.new(@all_groups, @config.groups).map(all_traffic)
+  end
+end
+class CidrGroupMapping
+  def initialize(all_groups, user_groups)
+    @all_groups = all_groups
+    @user_groups = user_groups
+  end
+  def map(all_traffic)
+    traffic = all_traffic.collect { |traffic|
+      traffic.copy(mapping(traffic.from), mapping(traffic.to))
+    }
+    traffic.uniq.group_by {|t| [t.from, t.to, t.ingress]}.collect {|k,v| Traffic.grouped(v)}.uniq
+  end
+  private
+  def mapping(val)
+    group = @all_groups.find { |g| g.group_id == val }
+    name = group.nil? ? val : group.name
+    @user_groups[name] ? @user_groups[name] : name
+  end
+end

data/lib/ec2/traffic.rb ADDED Viewed

@@ -0,0 +1,32 @@
+class Traffic
+  attr_accessor :from, :to, :port_range, :ingress
+  def initialize(ingress, from, to, port_range)
+    @ingress = ingress
+    @from = from
+    @to = to
+    @port_range = port_range
+  end
+  def copy(from, to)
+    Traffic.new(@ingress, from, to, @port_range)
+  end
+  def eql?(other)
+    if @ingress == other.ingress
+      @from == other.from && @to == other.to && @port_range == other.port_range
+    else
+      @from == other.to && @to == other.from && @port_range == other.port_range
+    end
+  end
+  def hash
+    @from.hash + @to.hash + @port_range.hash
+  end
+  def self.grouped(traffic_list)
+    t = traffic_list.first
+    port_range = traffic_list.collect(&:port_range).uniq.join(',')
+    Traffic.new(t.ingress, t.from, t.to, port_range)
+  end
+end

data/lib/exclusions.rb ADDED Viewed

@@ -0,0 +1,14 @@
+class Exclusions
+  attr_reader :patterns
+  def initialize(patterns)
+    @patterns = patterns.map {|p| /#{p}/} unless patterns.nil?
+  end
+  def match(str)
+    return false if patterns.nil?
+    patterns.any? { |p|
+      p.match(str)
+    }
+  end
+end

data/lib/export/html/view.html ADDED Viewed

@@ -0,0 +1,36 @@
+ <html>
+    <head>
+        <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.4/css/bootstrap.min.css">
+        <link rel="stylesheet" href="https://cdn.rawgit.com/mountainstorm/jquery.graphviz.svg/master/css/graphviz.svg.css">
+    </head>
+    <body>
+        <div id="graph" style=""></div>
+        <script type="text/javascript" src="https://code.jquery.com/jquery-2.1.3.min.js"></script>
+        <script type="text/javascript" src="https://cdn.rawgit.com/jquery/jquery-mousewheel/master/jquery.mousewheel.min.js"></script>
+        <script type="text/javascript" src="https://cdn.rawgit.com/jquery/jquery-color/master/jquery.color.js"></script>
+        <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.4/js/bootstrap.min.js"></script>
+        <script type="text/javascript" src="https://cdn.rawgit.com/mountainstorm/jquery.graphviz.svg/master/js/jquery.graphviz.svg.js"></script>
+        <script type="text/javascript">
+            $(document).ready(function(){
+                $("#graph").graphviz({
+                    url: "demo.svg",
+                    ready: function() {
+                        var gv = this
+                        gv.nodes().click(function () {
+                            var $set = $()
+                            $set.push(this)
+                            $set = $set.add(gv.linkedFrom(this, true))
+                            gv.highlight($set, true)
+                            gv.bringToFront($set)
+                        })
+                        $(document).keydown(function (evt) {
+                            if (evt.keyCode == 27) {
+                                gv.highlight()
+                            }
+                        })
+                    }
+                });
+            });
+        </script>
+    </body>
+</html>

data/lib/graph.rb ADDED Viewed

@@ -0,0 +1,40 @@
+require 'graphviz'
+require 'logger'
+class Graph
+  def initialize
+    @g = GraphViz::new('G', :type => 'strict digraph') { |g|
+      g[:overlap] = :false
+      g[:splines] = :true
+      g[:sep] = 1
+      g[:concentrate] = :true
+    }
+  end
+  def add_node(name)
+    log("node: #{name}")
+    @g.add_node(name) if name
+  end
+  def get_node(name, &block)
+    @g.get_node(name, &block)
+  end
+  def add_edge(from, to, opts)
+    log("edge: #{from} -> #{to}")
+    @g.add_edge(from, to, opts)
+  end
+  def each_edge(&block)
+    @g.each_edge(&block)
+  end
+  def output(opts)
+    log("output: #{opts}")
+    @g.output(opts)
+  end
+  def log(msg)
+    puts msg if ENV["DEBUG"]
+  end
+end

data/lib/provider/ec2.rb ADDED Viewed

@@ -0,0 +1,87 @@
+require 'fog'
+class Ec2Provider
+  def initialize(options)
+    @compute = Fog::Compute.new(:provider => 'AWS', :aws_access_key_id => options[:access_key], :aws_secret_access_key => options[:secret_key], :region => options[:region])
+  end
+  def security_groups
+    @compute.security_groups.collect { |sg|
+      Ec2::SecurityGroup.new(sg)
+    }
+  end
+end
+module Ec2
+  class SecurityGroup
+    extend Forwardable
+    def_delegators :@sg, :name, :group_id
+    def initialize(sg)
+      @sg = sg
+    end
+    def ip_permissions
+      @sg.ip_permissions.collect { |ip|
+        Ec2::IpPermission.new(ip)
+      }
+    end
+    def ip_permissions_egress
+      @sg.ip_permissions_egress.collect { |ip|
+        Ec2::IpPermission.new(ip)
+      }
+    end
+  end
+  class IpPermission
+    def initialize(ip)
+      @ip = ip
+    end
+    def protocol
+      @ip['ipProtocol']
+    end
+    def from
+      @ip['fromPort']
+    end
+    def to
+      @ip['toPort']
+    end
+    def ip_ranges
+      @ip['ipRanges'].collect {|gp|
+        Ec2::IpPermissionRange.new(gp)
+      }
+    end
+    def groups
+      @ip['groups'].collect {|gp|
+        Ec2::IpPermissionGroup.new(gp)
+      }
+    end
+  end
+  class IpPermissionRange
+    def initialize(range)
+      @range = range
+    end
+    def cidr_ip
+      @range['cidrIp']
+    end
+  end
+  class IpPermissionGroup
+    def initialize(gp)
+      @gp = gp
+    end
+    def name
+      @gp['groupName'] || @gp['groupId']
+    end
+  end
+end

data/lib/provider/json.rb ADDED Viewed

@@ -0,0 +1,92 @@
+require 'json'
+class JsonProvider
+  def initialize(options)
+    @groups = JSON.parse(File.read(options[:source_file]))['SecurityGroups']
+  end
+  def security_groups
+    @groups.collect { |sg|
+      Json::SecurityGroup.new(sg)
+    }
+  end
+end
+module Json
+  class SecurityGroup
+    def initialize(sg)
+      @sg = sg
+    end
+    def name
+      @sg['GroupName']
+    end
+    def ip_permissions
+      @sg['IpPermissions'].collect { |ip|
+        Json::IpPermission.new(ip)
+      }
+    end
+    def group_id
+      @sg['GroupId']
+    end
+    def ip_permissions_egress
+      @sg['IpPermissionsEgress'].collect { |ip|
+        Json::IpPermission.new(ip)
+      }
+    end
+  end
+  class IpPermission
+    def initialize(ip)
+      @ip = ip
+    end
+    def protocol
+      @ip['IpProtocol']
+    end
+    def from
+      @ip['FromPort']
+    end
+    def to
+      @ip['ToPort']
+    end
+    def ip_ranges
+      @ip['IpRanges'].collect { |gp|
+        Json::IpPermissionRange.new(gp)
+      }
+    end
+    def groups
+      @ip['UserIdGroupPairs'].collect { |pair|
+        Json::IpPermissionGroup.new(pair)
+      }
+    end
+  end
+  class IpPermissionRange
+    def initialize(range)
+      @range = range
+    end
+    def cidr_ip
+      @range['CidrIp']
+    end
+  end
+  class IpPermissionGroup
+    def initialize(gp)
+      @gp = gp
+    end
+    def name
+      @gp['GroupName'] || @gp['GroupId']
+    end
+  end
+end