cumulus-aws 0.11.1

data/lib/security/models/RuleDiff.rb

@@ -0,0 +1,72 @@
+require "common/models/Diff"
+require "util/Colors"
+
+module Cumulus
+  module SecurityGroups
+    # Public: The types of changes that can be made to security group rules
+    module RuleChange
+      include Common::DiffChange
+
+      REMOVED = Common::DiffChange::next_change_id
+    end
+
+    # Public: Represents a single difference between local rule configuration and AWS
+    # configuration of security group rules
+    class RuleDiff < Common::Diff
+      include RuleChange
+
+      # Public: Static method that will produce a diff that contains an added rule
+      #
+      # local - the local configuration that was added
+      #
+      # Returns the diff
+      def RuleDiff.added(local)
+        RuleDiff.new(ADD, nil, local)
+      end
+
+      # Public: Static method that will produce a diff that contains a removed rule
+      #
+      # aws - the aws configuration that was removed
+      #
+      # Returns the diff
+      def RuleDiff.removed(aws)
+        RuleDiff.new(REMOVED, aws)
+      end
+
+      def to_s
+        case @type
+        when ADD
+          Colors.added("#{to_readable(local)}")
+        when REMOVED
+          Colors.removed("#{to_readable(aws)}")
+        end
+      end
+
+      private
+
+      # Internal: Produce a human readable string from a config hash
+      #
+      # config - the config to process
+      #
+      # Returns the human readable string
+      def to_readable(config)
+        # yes, for real, AWS returns the STRING "-1" if all protocols are allowed
+        protocol = if config.protocol == "-1" then "All" else config.protocol end
+        allowed = (config.security_groups + config.subnets).join(", ")
+
+        temp = "Allowed: #{allowed}, Protocol: #{protocol}, "
+        if protocol.downcase == "icmp"
+          temp << "Type: #{config.from}, Code: #{config.to}"
+        elsif config.from != config.to
+          temp << "Ports: #{config.from}-#{config.to}"
+        elsif config.from.nil?
+          temp << "Ports: All"
+        else
+          temp << "Port: #{config.from}"
+        end
+        temp
+      end
+
+    end
+  end
+end

data/lib/security/models/RuleMigration.rb

@@ -0,0 +1,127 @@
+module Cumulus
+  module SecurityGroups
+    # A class used to migrate RuleConfigs
+    class RuleMigration
+
+      attr_reader :ports
+      attr_reader :icmp_type
+      attr_reader :icmp_code
+      attr_reader :protocol
+      attr_reader :security_groups
+      attr_reader :subnets
+
+      # Public: Static method that will produce a RuleMigration from a RuleConfig
+      #
+      # rule_config - the RuleConfig to create from
+      #
+      # Returns the corresponding RuleMigration
+      def self.from_rule_config(rule_config)
+        ports = if (rule_config.from.nil? and rule_config.to.nil?) or rule_config.protocol == "icmp"
+          nil
+        else
+          if rule_config.from == rule_config.to
+            [rule_config.from]
+          else
+            ["#{rule_config.from}-#{rule_config.to}"]
+          end
+        end
+
+        icmp_type = if rule_config.protocol == "icmp" then rule_config.from end
+        icmp_code = if rule_config.protocol == "icmp" then rule_config.to end
+
+        # we're gonna replace any "0.0.0.0/0" with all to educate users on subnets.json
+        subnets = rule_config.subnets.map do |subnet|
+          if subnet == "0.0.0.0/0"
+            "all"
+          else
+            subnet
+          end
+        end
+
+        RuleMigration.new(
+          ports,
+          rule_config.protocol,
+          icmp_type,
+          icmp_code,
+          rule_config.security_groups,
+          subnets
+        )
+      end
+
+      # Public: Constructor.
+      #
+      # ports           - an array of the ports to put into cumulus config, or nil for all
+      # protocol        - the protocol for the rule
+      # icmp_type       - if protocol is icmp, the icmp type
+      # icmp_code       - if protocol is icmp, the icmp code
+      # security_groups - an array of security group names for the rule, or nil if there are no security groups
+      # subnets         - an array of subnets to include in the rule, or nil if there are no subnets
+      def initialize(ports, protocol, icmp_type, icmp_code, security_groups, subnets)
+        @ports = ports
+        @protocol = protocol
+        @icmp_type = icmp_type
+        @icmp_code = icmp_code
+        @security_groups = security_groups
+        @subnets = subnets
+      end
+
+      # Public: Get the configuration as a hash for migration
+      #
+      # Returns the hash
+      def hash
+        {
+          "security-groups" => @security_groups,
+          "protocol" => @protocol,
+          "ports" => @ports,
+          "icmp-type" => @icmp_type,
+          "icmp-code" => @icmp_code,
+          "subnets" => @subnets,
+        }.reject { |k, v| v.nil? }
+      end
+
+      # Public: Combine two RuleMigrations by combining allowed entities (security group or subnet).
+      #
+      # other - the other RuleMigration to combine with this one
+      #
+      # Returns the a new RuleMigration with this RuleMigration's ports and protocol, and
+      # the allowed entities of both RuleMigrations concatenated together
+      def combine_allowed(other)
+        RuleMigration.new(
+          @ports,
+          @protocol,
+          @icmp_type,
+          @icmp_code,
+          @security_groups + other.security_groups,
+          @subnets + other.subnets
+        )
+      end
+
+      # Public: Combine two RuleMigrations by combining ports. If both of the RuleMigrations
+      # have nil ports, they will be combined, but if only one does, an array containing
+      # both RuleMigrations (unchanged) will be returned
+      #
+      # other - the other RuleMigration to combine with this one
+      #
+      # Returns a new RuleMigration with this RuleMigration's allowed entities and the combined port
+      # or an array of the two original RuleMigrations
+      def combine_ports(other)
+        # In this case, they should be identical, we just return self
+        if !@ports and !other.ports
+          self
+        # at this point we're guaranteed that if one of the ports is nil, the other is not
+        elsif @ports.nil? or other.ports.nil?
+          [self, other]
+        else
+          RuleMigration.new(
+            @ports + other.ports,
+            @protocol,
+            @icmp_type,
+            @icmp_code,
+            @security_groups,
+            @subnets
+          )
+        end
+      end
+    end
+  end
+end

data/lib/security/models/SecurityGroupConfig.rb

@@ -0,0 +1,172 @@
+require "conf/Configuration"
+require "security/loader/Loader"
+require "security/models/RuleConfig"
+require "security/models/RuleDiff"
+require "security/models/RuleMigration"
+require "security/models/SecurityGroupDiff"
+
+require "json"
+
+module Cumulus
+  module SecurityGroups
+    # Public: An object representing configuration for a security group
+    class SecurityGroupConfig
+
+      attr_reader :description
+      attr_reader :includes
+      attr_reader :inbound
+      attr_reader :name
+      attr_reader :outbound
+      attr_reader :tags
+      attr_reader :vpc_id
+
+      # Public: Constructor.
+      #
+      # name - the name of the security group
+      # vpc_id - the id of the vpc the security group belongs in
+      # json - a hash containing the JSON configuration for the security group
+      def initialize(name, vpc_id, json = nil)
+        @name = name
+        @vpc_id = vpc_id
+        if !json.nil?
+          @description = if !json["description"].nil? then json["description"] else "" end
+          @tags = if !json["tags"].nil? then json["tags"] else {} end
+
+
+          includes = (json["rules"]["includes"] || []).map { |rule| Loader.rule(rule) }
+          inbound_includes = includes.reduce([]) { |sofar, inc| sofar + (inc["inbound"] || []) }.flatten.compact
+          outbound_includes = includes.reduce([]) { |sofar, inc| sofar + (inc["outbound"] || []) }.flatten.compact
+
+          combined_inbound = (json["rules"]["inbound"] || []) + inbound_includes
+          @inbound = combined_inbound.map(&RuleConfig.method(:expand_ports)).flatten
+
+          combined_outbound = (json["rules"]["outbound"] || []) + outbound_includes
+          @outbound = if !json["rules"]["outbound"].nil?
+            combined_outbound.map(&RuleConfig.method(:expand_ports)).flatten
+          else
+            if Configuration.instance.security.outbound_default_all_allowed
+              [RuleConfig.allow_all]
+            else
+              outbound_includes
+            end
+          end
+        end
+      end
+
+      # Public: Produce an array of the differences between this local configuration and the
+      # configuration in AWS
+      #
+      # aws - the aws resource
+      #
+      # Returns an array of the SecurityGroupDiffs that were found
+      def diff(aws)
+        diffs = []
+
+        if @description != aws.description
+          diffs << SecurityGroupDiff.new(SecurityGroupChange::DESCRIPTION, aws, self)
+        end
+
+        if @tags != Hash[aws.tags.map { |t| [t.key, t.value] }]
+          diffs << SecurityGroupDiff.new(SecurityGroupChange::TAGS, aws, self)
+        end
+
+        inbound_diffs = diff_rules(@inbound, aws.ip_permissions)
+        if !inbound_diffs.empty?
+          diffs << SecurityGroupDiff.inbound(aws, self, inbound_diffs)
+        end
+
+        outbound_diffs = diff_rules(@outbound, aws.ip_permissions_egress)
+        if !outbound_diffs.empty?
+          diffs << SecurityGroupDiff.outbound(aws, self, outbound_diffs)
+        end
+
+        diffs
+      end
+
+      # Public: Populate this SecurityGroupConfig from an AWS resource
+      #
+      # aws             - the aws resource
+      def populate!(aws)
+        @vpc_id = aws.vpc_id
+        @description = aws.description
+        @tags = Hash[aws.tags.map { |t| [t.key, t.value] }]
+        @inbound = combine_rules(aws.ip_permissions.map { |rule| RuleConfig.from_aws(rule) })
+        @outbound = combine_rules(aws.ip_permissions_egress.map { |rule| RuleConfig.from_aws(rule) })
+      end
+
+      # Public: Get the config as a prettified JSON string.
+      #
+      # Returns the JSON string
+      def pretty_json
+        JSON.pretty_generate({
+          "description" => @description,
+          "tags" => @tags,
+          "rules" => {
+            "inbound" => @inbound.map(&:hash),
+            "outbound" => @outbound.map(&:hash),
+          }
+        }.reject { |k, v| v.nil? })
+      end
+
+      private
+
+      # Internal: Determine changes in rules
+      #
+      # local_rules     - the rules defined locally
+      # aws_rules       - the rules in AWS
+      #
+      # Returns an array of RuleDiffs that represent differences between local and AWS configuration
+      def diff_rules(local_rules, aws_rules)
+        diffs = []
+
+        # get the aws config into a format that mirrors cumulus so we can compare
+        aws = aws_rules.map do |rule|
+          RuleConfig.from_aws(rule)
+        end
+        aws_hashes = aws.flat_map(&:hash)
+        local_hashes = local_rules.flat_map(&:hash)
+
+        diffs << local_hashes.reject { |i| aws_hashes.include?(i) }.map { |l| RuleDiff.added(RuleConfig.new(l)) }
+        diffs << aws_hashes.reject { |a| local_hashes.include?(a) }.map { |a| RuleDiff.removed(RuleConfig.new(a)) }
+
+        diffs.flatten
+      end
+
+      # Internal: Combine rules that have the same ports and security groups to create the compact version
+      # used by cumulus config.
+      #
+      # rules - an array of the rules to combine
+      #
+      # Returns an array of compact rules
+      def combine_rules(rules)
+        # separate out icmp rules
+        all_rules = rules.map(&RuleMigration.method(:from_rule_config))
+        icmp_rules = all_rules.select { |rule| rule.protocol == "icmp" }
+
+        # first we find the ones that have the same protocol and port
+        other_rules = all_rules.reject { |rule| rule.protocol == "icmp" }.group_by do |rule|
+          [rule.protocol, rule.ports]
+        # next, we combine the matching rules together
+        end.flat_map do |_, matches|
+          if matches.size == 1
+            matches
+          else
+            matches[1..-1].inject(matches[0]) { |prev, cur| prev.combine_allowed(cur) }
+          end
+        # now, try to find ones that have the same groups of allowed entities and protocol
+        end.group_by do |rule|
+          [rule.protocol, rule.security_groups, rule.subnets]
+        # finally, we'll combine ports for the matches
+        end.flat_map do |_, matches|
+          if matches.size == 1
+            matches
+          else
+            matches[1..-1].inject(matches[0]) { |prev, cur| prev.combine_ports(cur) }
+          end
+        end
+
+        icmp_rules + other_rules
+      end
+    end
+  end
+end

data/lib/security/models/SecurityGroupDiff.rb

@@ -0,0 +1,112 @@
+require "common/models/Diff"
+require "common/models/TagsDiff"
+require "security/models/RuleDiff"
+require "util/Colors"
+
+module Cumulus
+  module SecurityGroups
+    # Public: The types of changes that can be made to security groups
+    module SecurityGroupChange
+      include Common::DiffChange
+
+      DESCRIPTION = Common::DiffChange::next_change_id
+      TAGS = Common::DiffChange::next_change_id
+      INBOUND = Common::DiffChange::next_change_id
+      OUTBOUND = Common::DiffChange::next_change_id
+    end
+
+    # Public: Represents a single difference between local configuration and AWS configuration
+    # of security groups
+    class SecurityGroupDiff < Common::Diff
+      include SecurityGroupChange
+      include Common::TagsDiff
+
+      attr_accessor :inbound_diffs
+      attr_accessor :outbound_diffs
+
+      # Public: Static method that will produce a diff that contains changes in inbound rules
+      #
+      # aws           - the aws configuration
+      # local         - the local configuration
+      # inbound_diffs - the differences in inbound rules
+      #
+      # Returns the diff
+      def SecurityGroupDiff.inbound(aws, local, inbound_diffs)
+        diff = SecurityGroupDiff.new(INBOUND, aws, local)
+        diff.inbound_diffs = inbound_diffs
+        diff
+      end
+
+      # Public: Static method that will produce a diff that contains changes in outbound rules
+      #
+      # aws            - the aws configuration
+      # local          - the local configuration
+      # outbound_diffs - the differences in outbound rules
+      #
+      # Returns the diff
+      def SecurityGroupDiff.outbound(aws, local, outbound_diffs)
+        diff = SecurityGroupDiff.new(OUTBOUND, aws, local)
+        diff.outbound_diffs = outbound_diffs
+        diff
+      end
+
+      def asset_type
+        "Security group"
+      end
+
+      def aws_name
+        @aws.vpc_group_name
+      end
+
+      def diff_string
+        case @type
+        when DESCRIPTION
+          [
+            "Description:",
+            Colors.aws_changes("\tAWS - #{@aws.description}"),
+            Colors.local_changes("\tLocal - #{@local.description}"),
+            "\tUnfortunately, AWS's SDK does not allow updating the description."
+          ].join("\n")
+        when INBOUND
+          lines = ["Inbound rules:"]
+          lines << inbound_diffs.map { |d| "\t#{d}" }
+          lines.flatten.join("\n")
+        when OUTBOUND
+          lines = ["Outbound rules:"]
+          lines << outbound_diffs.map { |d| "\t#{d}" }
+          lines.flatten.join("\n")
+        when TAGS
+          tags_diff_string
+        end
+      end
+
+      # Public: Get the inbound rules to add
+      #
+      # Returns the added rules
+      def added_inbounds
+        inbound_diffs.reject { |i| i.type == RuleChange::REMOVED }.map(&:local)
+      end
+
+      # Public: Get the inbound rules to remove
+      #
+      # Returns the removed rules
+      def removed_inbounds
+        inbound_diffs.reject { |i| i.type == RuleChange::ADD }.map(&:aws)
+      end
+
+      # Public: Get the outbound rules to add
+      #
+      # Returns the added rules
+      def added_outbounds
+        outbound_diffs.reject { |o| o.type == RuleChange::REMOVED }.map(&:local)
+      end
+
+      # Public: Get the outbound rules to remove
+      #
+      # Returns the removed rules
+      def removed_outbounds
+        outbound_diffs.reject { |o| o.type == RuleChange::ADD }.map(&:aws)
+      end
+    end
+  end
+end