banacle 0.1.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 62eb7e77755ab01a7f402528bd3d4740bf57849519fecdcf9fcb2d2360c369aa
+  data.tar.gz: afa51477a9e6f8d19669b766fecc2a2b0e09e709247ef03da9ca96ecd19fc4e3
+SHA512:
+  metadata.gz: 99a11e4010d7663b2d991cca2a461bcbd2722f5897e5f9e4a199ab04ec353c1b38688400f4d4fdd260b68f6e4c315f0fc5cb0925cecf1bde79c9dcc73d7b2cab
+  data.tar.gz: 1ee71620bf8b1c67bbda63b9680585f62b526bc79d62f52474a059b2985e1f83dddb6f92ed5071e73728993c7264fb9b4b69bf011efd7fd631c8eb49f0ef7d8e

data/.gitignore

@@ -0,0 +1,11 @@
+/.bundle/
+/.yardoc
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+
+# rspec failure tracking
+.rspec_status

data/.rspec

@@ -0,0 +1,3 @@
+--format documentation
+--color
+--require spec_helper

data/.travis.yml

@@ -0,0 +1,5 @@
+sudo: false
+language: ruby
+rvm:
+  - 2.5.1
+before_install: gem install bundler -v 1.16.2

data/Gemfile

@@ -0,0 +1,6 @@
+source "https://rubygems.org"
+
+git_source(:github) {|repo_name| "https://github.com/#{repo_name}" }
+
+# Specify your gem's dependencies in banacle.gemspec
+gemspec

data/Gemfile.lock

@@ -0,0 +1,81 @@
+PATH
+  remote: .
+  specs:
+    banacle (0.1.1)
+      aws-sdk-ec2
+      sinatra
+      unicorn
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    aws-eventstream (1.0.1)
+    aws-partitions (1.127.0)
+    aws-sdk-core (3.44.1)
+      aws-eventstream (~> 1.0)
+      aws-partitions (~> 1.0)
+      aws-sigv4 (~> 1.0)
+      jmespath (~> 1.0)
+    aws-sdk-ec2 (1.65.0)
+      aws-sdk-core (~> 3, >= 3.39.0)
+      aws-sigv4 (~> 1.0)
+    aws-sigv4 (1.0.3)
+    backports (3.11.4)
+    coderay (1.1.2)
+    diff-lcs (1.3)
+    jmespath (1.4.0)
+    kgio (2.11.2)
+    method_source (0.9.2)
+    multi_json (1.13.1)
+    mustermann (1.0.3)
+    pry (0.12.2)
+      coderay (~> 1.1.0)
+      method_source (~> 0.9.0)
+    rack (2.0.6)
+    rack-protection (2.0.5)
+      rack
+    raindrops (0.19.0)
+    rake (10.5.0)
+    rspec (3.8.0)
+      rspec-core (~> 3.8.0)
+      rspec-expectations (~> 3.8.0)
+      rspec-mocks (~> 3.8.0)
+    rspec-core (3.8.0)
+      rspec-support (~> 3.8.0)
+    rspec-expectations (3.8.2)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.8.0)
+    rspec-mocks (3.8.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.8.0)
+    rspec-support (3.8.0)
+    sinatra (2.0.5)
+      mustermann (~> 1.0)
+      rack (~> 2.0)
+      rack-protection (= 2.0.5)
+      tilt (~> 2.0)
+    sinatra-contrib (2.0.5)
+      backports (>= 2.8.2)
+      multi_json
+      mustermann (~> 1.0)
+      rack-protection (= 2.0.5)
+      sinatra (= 2.0.5)
+      tilt (>= 1.3, < 3)
+    tilt (2.0.9)
+    unicorn (5.4.1)
+      kgio (~> 2.6)
+      raindrops (~> 0.7)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  banacle!
+  bundler (~> 1.16)
+  pry
+  rake (~> 10.0)
+  rspec (~> 3.0)
+  sinatra-contrib
+
+BUNDLED WITH
+   1.16.2

data/LICENSE

@@ -0,0 +1,22 @@
+MIT License
+
+Copyright (c) 2018 Takuya Kosugiyama
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+

data/README.md

@@ -0,0 +1,53 @@
+# Banacle: Create or delete DENY NACL entries on AWS VPC as ChatOps (Slack Slash Command)
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'banacle'
+```
+
+And then execute:
+
+```
+$ bundle
+```
+
+Or install it yourself as:
+
+```
+$ gem install banacle
+```
+
+## Usage
+
+Banacle is supposed to be run as a Sinatra server. You can run it simply by `rackup` command. Banacle has two endpoints for Slack as follows:
+
+- `/slack/command`: handle Slash Command
+- `/slack/message`: handle Interactive Message
+
+### Example: ban 1.2.3.4 from my VPC
+
+Execute an command that create a DENY NACL entry for 1.2.3.4 on a VPC named "test" in ap-northeast-1.
+
+![](./docs/demo1.png)
+
+Then an approval request appears. Someone else can review the request and decide to approve or reject it. The requester can cancel the request. In this case, the request looks good so the reviewer clicks "Approve" button.
+
+![](./docs/demo2.png)
+
+After approving the request, Banacle executes creating the NACL entry on the target VPC through the AWS API as follows.
+
+![](./docs/nacl.png)
+
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/itkq/banacle.

data/Rakefile

@@ -0,0 +1,6 @@
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new(:spec)
+
+task :default => :spec

data/banacle.gemspec

@@ -0,0 +1,34 @@
+
+lib = File.expand_path("../lib", __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require "banacle/version"
+
+Gem::Specification.new do |spec|
+  spec.name          = "banacle"
+  spec.version       = Banacle::VERSION
+  spec.authors       = ["Takuya Kosugiyama"]
+  spec.email         = ["re@itkq.jp"]
+
+  spec.summary       = %q{Create or delete DENY NACL entries on AWS VPC as ChatOps (Slack Slash Command)}
+  spec.description   = %q{Create or delete DENY NACL entries on AWS VPC as ChatOps (Slack Slash Command)}
+  spec.homepage      = "https://github.com/itkq/banacle"
+
+  # Specify which files should be added to the gem when it is released.
+  # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
+  spec.files         = Dir.chdir(File.expand_path('..', __FILE__)) do
+    `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  end
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  spec.add_development_dependency "bundler", "~> 1.16"
+  spec.add_development_dependency "rake", "~> 10.0"
+  spec.add_development_dependency "rspec", "~> 3.0"
+  spec.add_development_dependency "sinatra-contrib"
+  spec.add_development_dependency "pry"
+
+  spec.add_dependency "sinatra"
+  spec.add_dependency "unicorn"
+  spec.add_dependency "aws-sdk-ec2"
+end

data/bin/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "banacle"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start(__FILE__)

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/config.ru

@@ -0,0 +1,3 @@
+require 'banacle'
+
+run Banacle::App

data/lib/banacle/app.rb

@@ -0,0 +1,21 @@
+require 'sinatra/base'
+require 'sinatra/reloader'
+require 'banacle/handler'
+
+module Banacle
+  class App < Sinatra::Base
+    configure :development do
+      register Sinatra::Reloader
+    end
+
+    post '/slack/command' do
+      content_type :json
+      Handler.handle_slash_command(request)
+    end
+
+    post '/slack/message' do
+      content_type :json
+      Handler.handle_interactive_message(request)
+    end
+  end
+end

data/lib/banacle/aws_wrapper/error.rb

@@ -0,0 +1,5 @@
+module Banacle
+  module AwsWrapper
+    class Error < StandardError; end
+  end
+end

data/lib/banacle/aws_wrapper/nacl.rb

@@ -0,0 +1,127 @@
+require 'aws-sdk-ec2'
+require 'banacle/aws_wrapper/error'
+require 'banacle/aws_wrapper/result'
+
+module Banacle
+  module AwsWrapper
+    class Nacl
+      class EntryDuplicatedError < AwsWrapper::Error; end
+      class EntryNotFoundError < AwsWrapper::Error; end
+
+      DEFAULT_RULE_NUMBER = 100
+
+      def self.create_network_acl_ingress_entries(region:, vpc_id:, cidr_blocks:)
+        new(region, vpc_id, cidr_blocks).create_network_acl_ingress_entries
+      end
+
+      def self.delete_network_acl_entries(region:, vpc_id:, cidr_blocks:)
+        new(region, vpc_id, cidr_blocks).delete_network_acl_entries
+      end
+
+      def initialize(region, vpc_id, cidr_blocks)
+        @region = region
+        @vpc_id = vpc_id
+        @cidr_blocks = cidr_blocks
+        @rule_numbers = ingress_rules.map(&:rule_number).sort
+      end
+
+      attr_reader :action, :region, :vpc_id, :cidr_blocks
+      attr_accessor :rule_numbers
+
+      def create_network_acl_ingress_entries
+        cidr_blocks.map do |cidr_block|
+          result = begin
+                     create_network_acl_ingress_entry(cidr_block)
+                     AwsWrapper::Result.new(status: true)
+                   rescue AwsWrapper::Error => e
+                     AwsWrapper::Result.new(status: false, error: e)
+                   end
+          [cidr_block, result]
+        end.to_h
+      end
+
+      def delete_network_acl_entries
+        cidr_blocks.map do |cidr_block|
+          result = begin
+                     delete_network_acl_entry(cidr_block)
+                     AwsWrapper::Result.new(status: true)
+                   rescue AwsWrapper::Error => e
+                     AwsWrapper::Result.new(status: false, error: e)
+                   end
+          [cidr_block, result]
+        end.to_h
+      end
+
+      private
+
+      def create_network_acl_ingress_entry(cidr_block)
+        duplicated_rule = ingress_rules.select { |e|
+          e.cidr_block == cidr_block
+        }.first
+
+        if duplicated_rule
+          raise EntryDuplicatedError.new("entry already exists (rule_number: #{duplicated_rule.rule_number})")
+        end
+
+        next_min_rule_number = nil
+        (0..rule_numbers.size - 1).each do |i|
+          if rule_numbers[i + 1] - rule_numbers[i] > 1
+            next_min_rule_number = rule_numbers[i] + 1
+            break
+          end
+        end
+        next_min_rule_number = DEFAULT_RULE_NUMBER unless next_min_rule_number
+
+        ec2.create_network_acl_entry(
+          cidr_block: cidr_block,
+          egress: false,
+          network_acl_id: network_acl_id,
+          protocol: "-1", # all protocols
+          rule_action: "deny",
+          rule_number: next_min_rule_number,
+        )
+
+        add_rule_number(next_min_rule_number)
+      end
+
+      def delete_network_acl_entry(cidr_block)
+        target = ingress_rules.select { |e| !e.egress && e.cidr_block == cidr_block }.first
+        if target
+          ec2.delete_network_acl_entry(
+            egress: false,
+            network_acl_id: network_acl_id,
+            rule_number: target.rule_number,
+          )
+        else
+          raise EntryDuplicatedError.new("not found")
+        end
+      end
+
+      def add_rule_number(num)
+        rule_numbers << num
+        rule_numbers.sort!
+        num
+      end
+
+      def network_acl_id
+        acl.network_acl_id
+      end
+
+      def ingress_rules
+        @ingress_rules ||= acl.entries.select { |e| !e.egress }
+      end
+
+      def acl
+        @acl ||= ec2.describe_network_acls(
+          filters: [
+            { name: 'vpc-id', values: [vpc_id] },
+          ],
+        ).network_acls.first
+      end
+
+      def ec2
+        @ec2 ||= ::Aws::EC2::Client.new(region: region)
+      end
+    end
+  end
+end

data/lib/banacle/aws_wrapper/result.rb

@@ -0,0 +1,6 @@
+module Banacle
+  module AwsWrapper
+    Result = Struct.new(:status, :error, keyword_init: true) do
+    end
+  end
+end

data/lib/banacle/aws_wrapper/vpc.rb

@@ -0,0 +1,51 @@
+require 'aws-sdk-ec2'
+require 'banacle/aws_wrapper/error'
+require 'banacle/aws_wrapper/result'
+
+module Banacle
+  module AwsWrapper
+    class Vpc
+      class InvalidRegionError < AwsWrapper::Error; end
+
+      def self.resolve_vpc_id(region, vpc_id_or_name)
+        new(region, vpc_id_or_name).resolve_vpc_id
+      end
+
+      def initialize(region, vpc_id_or_name)
+        @region = region
+        @vpc_id_or_name = vpc_id_or_name
+      end
+
+      attr_reader :region, :vpc_id_or_name
+
+      def resolve_vpc_id
+        begin
+          vpc_list = ec2.describe_vpcs.each.flat_map(&:vpcs).map do |vpc|
+            name_tag = vpc.tags.find { |t| t.key == "Name" }
+            [
+              name_tag.value,
+              vpc.vpc_id,
+            ]
+          end.sort_by { |e| e[0] }.to_h
+        rescue Aws::Errors::NoSuchEndpointError
+          raise InvalidRegionError.new("region: #{region} is invalid")
+        end
+
+        vpc_id = nil
+        if vpc_list.values.include?(vpc_id_or_name)
+          vpc_id = vpc_id_or_name
+        else
+          vpc_id = vpc_list[vpc_id_or_name]
+        end
+
+        vpc_id
+      end
+
+      private
+
+      def ec2
+        @ec2 ||= ::Aws::EC2::Client.new(region: region)
+      end
+    end
+  end
+end

data/lib/banacle/handler.rb

@@ -0,0 +1,61 @@
+require 'banacle/slash_command/error'
+require 'banacle/slash_command/parser'
+require 'banacle/slash_command/renderer'
+
+require 'banacle/interactive_message/parser'
+require 'banacle/interactive_message/renderer'
+
+require 'banacle/slack_validator'
+
+module Banacle
+  class Handler
+    def self.handle_slash_command(request)
+      new(request).handle_slash_command
+    end
+
+    def self.handle_interactive_message(request)
+      new(request).handle_interactive_message
+    end
+
+    def initialize(request)
+      @request = request
+    end
+
+    attr_reader :request
+
+    def handle_slash_command
+      unless skip_validation? || SlackValidator.valid_signature?(request)
+        return [401, {}, "invalid request"]
+      end
+
+      begin
+        command = SlashCommand::Parser.parse(request_text)
+      rescue SlashCommand::Error => e
+        return SlashCommand::Renderer.render_error(e)
+      end
+
+      SlashCommand::Renderer.render(request.params, command)
+    end
+
+    def handle_interactive_message
+      unless skip_validation? || SlackValidator.valid_signature?(request)
+        return [401, {}, "invalid request"]
+      end
+
+      command = InteractiveMessage::Parser.parse(JSON.parse(request_payload))
+      InteractiveMessage::Renderer.render(request.params, command)
+    end
+
+    def request_text
+      request.params["text"]
+    end
+
+    def request_payload
+      request.params["payload"]
+    end
+
+    def skip_validation?
+      request.params["skip_validation"] || ENV["BANACLE_SKIP_VALIDATION"]
+    end
+  end
+end

data/lib/banacle/interactive_message/parser.rb

@@ -0,0 +1,24 @@
+require 'banacle/slash_command/command'
+
+module Banacle
+  module InteractiveMessage
+    class Parser
+      def self.parse(payload)
+        new.parse(payload)
+      end
+
+      def parse(payload)
+        original_text = payload["original_message"]["text"]
+        original_json = JSON.parse(
+          original_text.match(command_json_regex)[1].strip, symbolize_names: true,
+        )
+        command = SlashCommand::Command.new(**original_json)
+      end
+
+      # TODO: sync slash_command/renderer
+      def command_json_regex
+        /```([^`]+)```/.freeze
+      end
+    end
+  end
+end