aws_security_viz 0.1.0

data/lib/version.rb

@@ -0,0 +1,3 @@
+module AwsSecurityViz
+  VERSION = "0.1.0"
+end

data/opts.yml.sample

@@ -0,0 +1,10 @@
+--- 
+:format: dot
+:exclude: 
+- .*test.*
+- .*perf.*
+:groups:
+  '0.0.0.0/0': '*'
+  'x.x.x.x/0': 'External'
+  'y.y.y.y/0': 'External'
+

data/spec/integration/dummy.dot

@@ -0,0 +1,49 @@
+strict digraph G {
+	graph [bb="0,0,305.73,208",
+		concentrate=true,
+		overlap=false,
+		sep=1,
+		splines=true
+	];
+	node [label="\N"];
+	app	 [height=0.5,
+		label=app,
+		pos="171.73,104",
+		width=0.75];
+	db	 [height=0.5,
+		label=db,
+		pos="171.73,18",
+		width=0.75];
+	app -> db	 [color=blue,
+		label="5984/tcp",
+		lp="196.22,61",
+		pos="e,171.73,36.095 171.73,85.595 171.73,74.257 171.73,59.227 171.73,46.315",
+		style=bold];
+	"8.8.8.8/32"	 [height=0.5,
+		label="8.8.8.8/32",
+		pos="45.727,190",
+		width=1.2702];
+	"8.8.8.8/32" -> app	 [color=blue,
+		label="80/tcp",
+		lp="134.22,147",
+		pos="e,153.39,117.22 67.963,174.18 89.418,159.87 121.93,138.2 144.83,122.93",
+		style=bold];
+	"amazon-elb-sg"	 [height=0.5,
+		label="amazon-elb-sg",
+		pos="171.73,190",
+		width=1.7267];
+	"amazon-elb-sg" -> app	 [color=blue,
+		label="80/tcp",
+		lp="189.22,147",
+		pos="e,171.73,122.1 171.73,171.6 171.73,160.26 171.73,145.23 171.73,132.32",
+		style=bold];
+	"*"	 [height=0.5,
+		label="*",
+		pos="278.73,190",
+		width=0.75];
+	"*" -> app	 [color=blue,
+		label="22/tcp",
+		lp="249.22,147",
+		pos="e,188.52,118.19 261.54,175.5 243.96,161.71 216.49,140.14 196.55,124.49",
+		style=bold];
+}

data/spec/integration/dummy.json

@@ -0,0 +1,64 @@
+{
+  "SecurityGroups": [
+    {
+      "IpPermissionsEgress": [],
+      "Description": "app",
+      "IpPermissions": [
+        {
+          "ToPort": 80,
+          "IpProtocol": "tcp",
+          "IpRanges": [
+            {
+              "CidrIp": "8.8.8.8/32"
+            }
+          ],
+          "UserIdGroupPairs": [
+            {
+              "GroupName": "amazon-elb-sg",
+              "UserId": "amazon-elb",
+              "GroupId": "sg-amzelb"
+            }
+          ],
+          "FromPort": 80
+        },
+        {
+          "ToPort": 22,
+          "IpProtocol": "tcp",
+          "IpRanges": [
+            {
+              "CidrIp": "0.0.0.0/0"
+            }
+          ],
+          "UserIdGroupPairs": [],
+          "FromPort": 22
+        }
+      ],
+      "GroupName": "app",
+      "OwnerId": "owner1",
+      "GroupId": "sg-appgrp"
+    },
+    {
+      "IpPermissionsEgress": [],
+      "Description": "db",
+      "IpPermissions": [
+        {
+          "ToPort": 5984,
+          "IpProtocol": "tcp",
+          "IpRanges": [],
+          "UserIdGroupPairs": [
+            {
+              "GroupName": "app",
+              "UserId": "owner1",
+              "GroupId": "sg-appgrp"
+            }
+          ],
+          "FromPort": 5984
+        }
+      ],
+      "GroupName": "db",
+      "OwnerId": "owner1",
+      "GroupId": "sg-dbgrp"
+    }
+  ]
+}
+

data/spec/integration/visualize_aws_spec.rb

@@ -0,0 +1,21 @@
+require 'spec_helper'
+
+describe VisualizeAws do
+  context 'json' do
+    let(:opts) {
+      {
+        :source_file => source_file,
+        :filename => temp_file
+      }
+    }
+    let(:source_file) {File.join(File.dirname(__FILE__), 'dummy.json')}
+    let(:expected_file) {File.join(File.dirname(__FILE__), 'dummy.dot')}
+    let(:temp_file) { Tempfile.new(%w(aws .dot)) }
+    let(:config) {AwsConfig.new({groups: {'0.0.0.0/0' => '*'}})}
+
+    it 'should parse json input', :integration => true do
+      VisualizeAws.new(config, opts).unleash(temp_file.path)
+      expect(File.read(expected_file)).to eq(temp_file.read)
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,24 @@
+require 'bundler'
+Bundler.require
+require 'rspec'
+require 'rubygems'
+
+require File.expand_path(File.dirname(__FILE__) + "/../config/boot")
+Dir[File.dirname(__FILE__) + "/support/**/*.rb"].each {|f| require f}
+
+def group name, *ingress
+  group = double("Group")
+  allow(group).to receive(:ip_permissions).and_return(ingress)
+  allow(group).to receive(:ip_permissions_egress).and_return([])
+  allow(group).to receive(:name).and_return(name)
+  allow(group).to receive(:group_id).and_return('some group')
+  group
+end
+
+def group_ingress port, name
+  {"groups"=>[{"userId"=>"userId", "groupId"=>"sg-groupId", "groupName"=>name}], "ipRanges"=>[], "ipProtocol"=>"tcp", "fromPort"=>port, "toPort"=>port}
+end
+
+def cidr_ingress port, cidr_ip
+  {"groups"=>[], "ipRanges"=>[{"cidrIp"=> cidr_ip}], "ipProtocol"=>"tcp", "fromPort"=>port, "toPort"=>port}
+end

data/spec/support/matchers/graph.rb

@@ -0,0 +1,8 @@
+RSpec::Matchers.define :have_edge do |edge|
+  match do |actual|
+    edges = actual.each_edge
+    edge.each do |k,v|
+      expect(edges.any? {|e| e.node_one == GraphViz.escape(k) && e.node_two == GraphViz.escape(v)}).to eq(true)
+    end
+  end
+end

data/spec/visualize_aws_spec.rb

@@ -0,0 +1,132 @@
+require 'spec_helper'
+
+describe VisualizeAws do
+  before do
+    @ec2 = double(Fog::Compute)
+    allow(Fog::Compute).to receive(:new).and_return(@ec2)
+  end
+
+  let(:visualize_aws) {VisualizeAws.new(AwsConfig.new)}
+
+  it 'should add nodes for each security group' do
+    expect(@ec2).to receive(:security_groups).and_return([group('Remote ssh', group_ingress('22', 'My machine')), group('My machine')])
+    graph = visualize_aws.build
+    node1 = graph.get_node('Remote ssh')
+    node2 = graph.get_node('My machine')
+
+    expect(node1).not_to be_nil
+    expect(node2).not_to be_nil
+    expect(graph.each_edge.size).to eq(1)
+  end
+
+  context 'groups' do
+    it 'should add an edge for each security ingress' do
+      expect(@ec2).to receive(:security_groups).and_return([group('Remote ssh', group_ingress('22', 'My machine')), group('My machine')])
+      graph = visualize_aws.build
+
+      expect(graph.each_edge.size).to eq(1)
+      expect(graph).to have_edge "My machine" => 'Remote ssh'
+    end
+
+    it 'should add nodes for external security groups defined through ingress' do
+      expect(@ec2).to receive(:security_groups).and_return([group('Web', group_ingress('80', 'ELB'))])
+      graph = visualize_aws.build
+
+      expect(graph.get_node('Web')).to_not be_nil
+      expect(graph.get_node('ELB')).to_not be_nil
+      expect(graph.each_edge.size).to eq(1)
+      expect(graph).to have_edge("ELB" => 'Web')
+    end
+
+    it 'should add an edge for each security ingress' do
+      expect(@ec2).to receive(:security_groups).and_return(
+        [
+          group('App', group_ingress('80', 'Web'), group_ingress('8983', 'Internal')),
+          group('Web', group_ingress('80', 'External')),
+          group('Db', group_ingress('7474', 'App'))
+      ])
+      graph = visualize_aws.build
+
+      expect(graph.each_edge.size).to eq(4)
+      expect(graph).to have_edge('Internal'=>'App', 'External' => 'Web', 'App'=> 'Db')
+    end
+  end
+
+  context 'cidr' do
+
+    it 'should add an edge for each cidr ingress' do
+      expect(@ec2).to receive(:security_groups).and_return(
+        [
+          group('Web', group_ingress('80', 'External')),
+          group('Db', group_ingress('7474', 'App'), cidr_ingress('22', '127.0.0.1/32'))
+      ])
+      graph = visualize_aws.build
+
+      expect(graph.each_edge.size).to eq(3)
+      expect(graph).to have_edge('External' => 'Web', 'App'=> 'Db')
+      expect(graph).to have_edge('127.0.0.1/32' => 'Db' )
+    end
+
+    it 'should add map edges for cidr ingress' do
+      expect(@ec2).to receive(:security_groups).and_return(
+        [
+          group('Web', group_ingress('80', 'External')),
+          group('Db', group_ingress('7474', 'App'), cidr_ingress('22', '127.0.0.1/32'))
+      ])
+      mapping = {'127.0.0.1/32' => 'Work'}
+      mapping = CidrGroupMapping.new([], mapping)
+      allow(CidrGroupMapping).to receive(:new).and_return(mapping)
+
+      graph = visualize_aws.build
+
+      expect(graph.each_edge.size).to eq(3)
+      expect(graph).to have_edge('External' => 'Web', 'App'=> 'Db')
+      expect(graph).to have_edge('Work' => 'Db' )
+    end
+    it 'should group mapped duplicate edges for cidr ingress' do
+      expect(@ec2).to receive(:security_groups).and_return(
+        [
+          group('ssh', cidr_ingress('22', '192.168.0.1/32'), cidr_ingress('22', '127.0.0.1/32'))
+      ])
+      mapping = {'127.0.0.1/32' => 'Work', '192.168.0.1/32' => 'Work'}
+      mapping = CidrGroupMapping.new([], mapping)
+      allow(CidrGroupMapping).to receive(:new).and_return(mapping)
+
+      graph = visualize_aws.build
+
+      expect(graph.each_edge.size).to eq(1)
+      expect(graph).to have_edge('Work' => 'ssh' )
+    end
+  end
+  context "filter" do
+    it 'include groups which do not match the pattern' do
+      expect(@ec2).to receive(:security_groups).and_return(
+        [
+          group('Web', group_ingress('80', 'External')),
+          group('Db', group_ingress('7474', 'App'), cidr_ingress('22', '127.0.0.1/32'))
+      ])
+
+      opts = {:exclude => ['D.*b', 'App']}
+      graph = VisualizeAws.new(AwsConfig.new(opts)).build
+
+      expect(graph.each_edge.size).to eq(1)
+      expect(graph).to have_edge('External' => 'Web')
+    end
+
+    it 'include derived groups which do not match the pattern' do
+      expect(@ec2).to receive(:security_groups).and_return(
+        [
+          group('Web', group_ingress('80', 'External')),
+          group('Db', group_ingress('7474', 'App'), cidr_ingress('22', '127.0.0.1/32'))
+      ])
+
+      opts = {:exclude => ['App']}
+      graph = VisualizeAws.new(AwsConfig.new(opts)).build
+
+      expect(graph.each_edge.size).to eq(2)
+      expect(graph).to have_edge('External' => 'Web')
+      expect(graph).to have_edge('127.0.0.1/32' => 'Db' )
+    end
+
+  end
+end

metadata

@@ -0,0 +1,210 @@
+--- !ruby/object:Gem::Specification
+name: aws_security_viz
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Anay Nayak
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2015-10-15 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.9'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.9'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 3.1.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 3.1.0
+- !ruby/object:Gem::Dependency
+  name: ruby-graphviz
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.2.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.2.1
+- !ruby/object:Gem::Dependency
+  name: fog
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.26.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.26.0
+- !ruby/object:Gem::Dependency
+  name: unf
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.1.4
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.1.4
+- !ruby/object:Gem::Dependency
+  name: json
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.8.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.8.1
+- !ruby/object:Gem::Dependency
+  name: trollop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.1.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.1.1
+- !ruby/object:Gem::Dependency
+  name: organic_hash
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.0.2
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.0.2
+description: Provides a quick mechanism to visualize your EC2 security groups in multiple
+  formats
+email: anayak007+rubygems@gmail.com
+executables:
+- aws_security_viz
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".travis.yml"
+- Gemfile
+- Gemfile.lock
+- LICENSE.md
+- README.md
+- Rakefile
+- Vagrantfile
+- aws_security_viz.gemspec
+- config/boot.rb
+- exe/aws_security_viz
+- images/sample.png
+- lib/aws_config.rb
+- lib/aws_security_viz.rb
+- lib/color_picker.rb
+- lib/debug/parse_log.rb
+- lib/debug_graph.rb
+- lib/ec2/ip_permission.rb
+- lib/ec2/security_groups.rb
+- lib/ec2/traffic.rb
+- lib/exclusions.rb
+- lib/export/html/view.html
+- lib/graph.rb
+- lib/provider/ec2.rb
+- lib/provider/json.rb
+- lib/version.rb
+- opts.yml.sample
+- spec/integration/dummy.dot
+- spec/integration/dummy.json
+- spec/integration/visualize_aws_spec.rb
+- spec/spec_helper.rb
+- spec/support/matchers/graph.rb
+- spec/visualize_aws_spec.rb
+homepage: https://github.com/anaynayak/aws-security-viz
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.2.2
+signing_key: 
+specification_version: 4
+summary: Visualize your aws security groups
+test_files:
+- spec/integration/dummy.dot
+- spec/integration/dummy.json
+- spec/integration/visualize_aws_spec.rb
+- spec/spec_helper.rb
+- spec/support/matchers/graph.rb
+- spec/visualize_aws_spec.rb