ec2-security-czar 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 259408a1effb7996e0508c8ee6425d5b699a2f07
+  data.tar.gz: 9ac56b7f5a1bb903ebcaeb4ce9c8be47d4c2e4cd
+SHA512:
+  metadata.gz: 0fe4dbf7f7f0af332c2776de3fbfa09db26491582befe0bfe2de2faab1b7378fd0e35623186b954ad9964836458eeed80f469a3f4d2272f436ddf29f829881ae
+  data.tar.gz: 81fb5b7d917f1d5fe930861f770f5fcc65bca346844dc05618dd9a4cf62afa010c8f0cdfd9c2e884cc61c3b2f99e111a339394f0df233ee11442af99a346e405

data/.gitignore

@@ -0,0 +1,24 @@
+*.gem
+*.rbc
+.bundle
+.config
+.yardoc
+Gemfile.lock
+InstalledFiles
+_yardoc
+coverage
+doc/
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp
+*.bundle
+*.so
+*.o
+*.a
+mkmf.log
+
+config/*

data/.octopolo.yml

@@ -0,0 +1,4 @@
+github_repo: sportngin/ec2-security-czar
+semantic_versioning: true
+branches_to_keep:
+- master

data/.ruby-gemset

@@ -0,0 +1,2 @@
+ec2-security-czar
+

data/.ruby-version

@@ -0,0 +1,2 @@
+2.1
+

data/.soyuz.yml

@@ -0,0 +1,13 @@
+defaults:
+  deploy_cmd: gem push *.gem
+  before_deploy_cmds:
+    - op tag-release
+    - sed -i '' -e "s/\".*/\"$(git tag | tail -1 | sed s/v//)\"/" lib/ec2-security-czar/version.rb
+    - git add  lib/ec2-security-czar/version.rb
+    - git commit -m "Version Bump" && git push
+    - gem build ec2-security-czar.gemspec
+  after_deploy_cmds:
+    - rm *.gem
+environments:
+  -
+    rubygems: {}

data/.travis.yml

@@ -0,0 +1,12 @@
+language: ruby
+rvm:
+  - 2.0
+  - 2.1
+  - 1.9.3
+script: bundle exec rspec
+matrix:
+  include:
+    - rvm: jruby-19mode # JRuby in 1.9 mode
+      env: JRUBY_OPTS="--1.9 -Xcext.enabled=true"
+  allow_failures:
+    - rvm: jruby-19mode

data/CHANGELOG.markdown

@@ -0,0 +1 @@
+#### v1.0.0

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in ec2-security-czar.gemspec
+gemspec

data/Guardfile

@@ -0,0 +1,8 @@
+# A sample Guardfile
+# More info at https://github.com/guard/guard#readme
+
+guard :rspec, cmd: 'bundle exec rspec', all_on_start: true, all_after_pass: true  do
+  watch(%r{^spec/.+_spec\.rb$})
+  watch(%r{^lib/(.+)\.rb$})     { |m| "spec/lib/#{m[1]}_spec.rb" }
+  watch('spec/spec_helper.rb')  { "spec" }
+end

data/LICENSE.txt

@@ -0,0 +1,22 @@
+Copyright (c) 2014 Ian Ehlert
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,29 @@
+# Ec2SecurityCzar
+
+TODO: Write a gem description
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+    gem 'ec2-security-czar'
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install ec2-security-czar
+
+## Usage
+
+TODO: Write usage instructions here
+
+## Contributing
+
+1. Fork it ( https://github.com/[my-github-username]/ec2-security-czar/fork )
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create a new Pull Request

data/Rakefile

@@ -0,0 +1,2 @@
+require "bundler/gem_tasks"
+

data/bin/ec2-security-czar

@@ -0,0 +1,35 @@
+#! /usr/bin/env ruby
+require 'rubygems'
+require 'gli'
+require 'ec2_security_czar'
+
+include GLI::App
+
+program_desc 'Command Line Ec2 Security Group Manager'
+version Ec2SecurityCzar::VERSION
+
+wrap_help_text :verbatim
+
+switch :verbose, :desc => 'Enable Verbose mode for more logging', :negatable => false
+switch :debug, :desc => 'Enable Debug mode for detailed logs and backtraces', :negatable => false
+
+pre do |global_options, command, options, args|
+  $verbose = global_options[:verbose]
+  $debug = global_options[:debug]
+  ENV['GLI_DEBUG'] = $debug.to_s
+  true
+end
+
+desc "Update your ec2 security groups"
+arg_name '<environment>'
+command :update do |c|
+  c.flag [:t, :token], :desc => "AWS MFA Auth Token, Requires mfa_serial_number to be set in the aws config"
+  c.flag [:r, :region], :desc => "AWS Region to apply updates in, ex. 'us-west-2', defaults to 'us-east-1'"
+  c.action do |global_options, options, args|
+   Ec2SecurityCzar::Base.new(args.first, global_options.merge(options)).update_security_groups
+  end
+end
+
+default_command :help
+
+exit run(ARGV)

data/ec2-security-czar.gemspec

@@ -0,0 +1,33 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'ec2-security-czar/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "ec2-security-czar"
+  spec.version       = Ec2SecurityCzar::VERSION
+  spec.authors       = ["Ian Ehlert"]
+  spec.email         = ["ehlertij@gmail.com"]
+  spec.summary       = %q{Rule manager for EC2 Security Groups.}
+  spec.description   = %q{Manages your EC2 security groups using YAML config files.}
+  spec.homepage      = "https://github.com/sportngin/ec2-security-czar"
+  spec.license       = "MIT"
+
+  spec.files         = `git ls-files -z`.split("\x0")
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ["lib"]
+
+  spec.add_dependency "aws-sdk", "~> 1.38"
+  spec.add_dependency "gli"
+  spec.add_dependency "hashie"
+  spec.add_dependency "highline"
+
+  spec.add_development_dependency "bundler", "~> 1.6"
+  spec.add_development_dependency "rake"
+  spec.add_development_dependency "rspec", "3.0.0.beta2"
+  spec.add_development_dependency "guard"
+  spec.add_development_dependency "guard-rspec"
+  spec.add_development_dependency "terminal-notifier-guard"
+  spec.add_development_dependency "simplecov"
+end

data/lib/ec2-security-czar/base.rb

@@ -0,0 +1,52 @@
+require 'aws-sdk'
+require 'yaml'
+require 'hashie'
+
+module Ec2SecurityCzar
+  class AwsConfig < Hash
+    include Hashie::Extensions::IndifferentAccess
+  end
+
+  class Base
+    attr_accessor :ec2
+
+    def initialize(environment=nil, args={})
+      raise MissingConfig.new("Missing aws_keys.yml config file") unless File.exists?(config_filename)
+      @environment = environment
+      load_config(args[:region])
+      AWS.config(access_key_id: @config[:access_key], secret_access_key: @config[:secret_key], region: @config[:region])
+      if @config[:mfa_serial_number]
+        @ec2 = mfa_auth(args[:token])
+      else
+        @ec2 = AWS.ec2
+      end
+    end
+
+    def update_security_groups
+      SecurityGroup.update_security_groups(ec2, @environment, @config[:region])
+    end
+
+    def load_config(region)
+      return @config if @config
+      @config = AwsConfig[YAML.load_file(config_filename)]
+      @config = @config[@environment] if @environment
+      @config[:region] = region || 'us-east-1'
+      @config
+    end
+
+    private
+    def mfa_auth(mfa_token)
+      raise MFATokenMissing.new("MFA token is required as an argument!") unless mfa_token
+      sts = AWS::STS.new(access_key_id: @config[:access_key], secret_access_key: @config[:secret_key])
+      session = sts.new_session(duration: @config[:mfa_duration] || 900, serial_number: @config[:mfa_serial_number], token_code: mfa_token)
+      AWS::EC2.new(session.credentials)
+    end
+
+    def config_filename
+      'config/aws_keys.yml'
+    end
+  end
+
+  MFATokenMissing = Class.new(StandardError)
+  MissingConfig = Class.new(StandardError)
+end

data/lib/ec2-security-czar/rule.rb

@@ -0,0 +1,87 @@
+require 'highline/import'
+
+module Ec2SecurityCzar
+  class Rule
+
+    attr_accessor :protocol, :port_range, :ip, :group, :egress
+
+    def initialize(options)
+      @egress = options[:direction] == :outbound
+      @ip = options[:ip_range]
+      @group = group_id(options[:group])
+      @protocol = options[:protocol] || :tcp
+      @port_range = options[:port_range] || (0..65535)
+      @api_object = options[:api_object]
+    end
+
+    def equal?(rule)
+      rule.protocol.to_s == protocol.to_s &&
+      Array(rule.port_range) == Array(port_range) &&
+      rule.ip == ip &&
+      rule.group == group &&
+      rule.egress == egress
+    end
+
+    def authorize!(security_group_api)
+      sources = ip.nil? ? { group_id: group } : ip
+      if egress
+        security_group_api.authorize_egress(sources, protocol: protocol, ports: port_range)
+      else
+        security_group_api.authorize_ingress(protocol, port_range, sources)
+      end
+      say "<%= color('Authorized - #{pretty_print}', :green) %>"
+    rescue StandardError => e
+      say "<%= color('#{e.class} - #{e.message}', :red) %>"
+      say "<%= color('#{pretty_print}', :red) %>"
+    end
+
+    def revoke!
+      @api_object.revoke
+      say "<%= color('Revoked - #{pretty_print}', :cyan) %>"
+    rescue StandardError => e
+      say "<%= color('#{e.class} - #{e.message}', :red) %>"
+      say "<%= color('#{pretty_print}', :red) %>"
+    end
+
+    def group_id(group)
+      if group.is_a? Hash
+        group[:group_id] || SecurityGroup.lookup(group[:group_name]).id
+      else
+        group
+      end
+    end
+
+    def self.rules_from_api(api_rules, direction)
+      rules = []
+      Array(api_rules).map do |api_rule|
+        rules << api_rule.ip_ranges.map do |ip|
+          Rule.new(ip_range: ip, port_range: api_rule.port_range, protocol: api_rule.protocol, direction: direction, api_object: api_rule)
+        end
+        rules << api_rule.groups.map do |group|
+          Rule.new(group: group.id, port_range: api_rule.port_range, protocol: api_rule.protocol, direction: direction, api_object: api_rule)
+        end
+      end
+      rules.flatten
+    end
+
+    def self.rules_from_config(config, direction)
+      rules = []
+      Array(config[direction]).map do |zone|
+        rules << Array(zone[:ip_ranges]).map do |ip|
+          Rule.new(ip_range: ip, port_range: zone[:port_range], protocol: zone[:protocol], direction: direction)
+        end
+        rules << Array(zone[:groups]).map do |group|
+          Rule.new(group: group, port_range: zone[:port_range], protocol: zone[:protocol], direction: direction)
+        end
+      end
+      rules.flatten
+    end
+
+    def pretty_print
+      direction = egress ? "Outbound" : "Inbound"
+      ip_or_group = ip ? ip : SecurityGroup.lookup(group).name
+      port = port_range.is_a?(Range) ? "ports #{port_range}" : "port #{port_range}"
+      "#{direction} traffic on #{port} for #{ip_or_group} using #{protocol}"
+    end
+  end
+end

data/lib/ec2-security-czar/security_group.rb

@@ -0,0 +1,209 @@
+require 'yaml'
+require 'erb'
+require 'hashie'
+require 'highline/import'
+
+module Ec2SecurityCzar
+  class SecurityGroupConfig < Hash
+    include Hashie::Extensions::IndifferentAccess
+  end
+
+  class SecurityGroup
+
+    attr_accessor :name, :config, :diff
+
+    def initialize(name, environment)
+      @name = name
+      @environment = environment
+      load_rules
+    end
+
+    # Public: Creates missing security groups, updates all security groups
+    # 
+    # ec2: ec2 instance created in base.rb
+    # environment: environment passed in from commandline
+    # region: the region loaded in from aws_keys.yml, defaults to 'us-east-1'
+    def self.update_security_groups(ec2, environment, region)
+      @ec2 = ec2
+      @environment = environment
+      @region = region
+      create_missing_security_groups(environment)
+      update_rules
+    end
+
+    def self.update_rules
+      security_groups.each do |sg|
+        security_group = SecurityGroup.new(sg.name, @environment)
+        security_group.update_rules
+      end
+    end
+
+    # Public: Creates a hash mapping security_group.name to security_group, and looks up security_group by name or id
+    # 
+    # name: the name of the security group to lookup 
+    #
+    # Returns - SecurityGroup object 
+    def self.lookup(query)
+      @security_group_hash ||= security_groups.inject({}) do |hash, security_group|
+        hash[security_group.name] = security_group
+        hash[security_group.id] = security_group
+        hash
+      end
+      @security_group_hash[query] 
+    end
+
+    # Private: Gets all security groups from AWS
+    #
+    # Returns - SecurityGroupCollection 
+    def self.from_aws
+      @security_groups = ec2.security_groups
+    end
+
+    # Private: Gets all the security groups with YAML files
+    #
+    # Returns - Array of all security group names
+    def self.config_security_groups
+      security_group_definition_files
+        .reject { |file| get_security_group_region(file) != region}
+        .map { |file| File.basename(file,File.extname(file)) }
+    end
+    private_class_method :config_security_groups
+
+    def self.security_group_definition_files
+      Dir["config/*.yml"].reject!{ |file| file == "config/aws_keys.yml" }
+    end
+    private_class_method :security_group_definition_files
+
+    # Private: Gets the security group region
+    #
+    # Returns - The region in which the security group should be made
+    def self.get_security_group_region(file)
+      SecurityGroupConfig[YAML.load(ERB.new(File.read(file)).result(binding))][:region] || 'us-east-1'
+    end
+    private_class_method :get_security_group_region
+
+    # Public: Finds security groups with YAML files not on AWS
+    #
+    # Returns - Array of all security group names not on AWS
+    def self.missing_security_groups
+      config_security_groups - from_aws.map(&:name)
+    end
+    private_class_method :missing_security_groups
+
+    # Public: Creates missing security groups
+    #
+    # Returns - nil
+    def self.create_missing_security_groups(environment)
+      unless (missing_groups = missing_security_groups).empty?
+        say "================================================="
+        say "Creating security groups for #{environment}:"
+        say "================================================="
+        missing_groups.each do |name|
+          security_group = SecurityGroup.new(name, environment)
+          config = security_group.config
+          ec2.security_groups.create(name, vpc: config[:vpc], description: config[:description]) 
+          say "<%= color('#{name}', :green) %>"
+        end
+        say "\n"
+      end
+    end
+    private_class_method :create_missing_security_groups
+
+    # Private: @security_groups accessor
+    #
+    # Returns - @security_groups
+    def self.security_groups
+      @security_groups
+    end
+    private_class_method :security_groups
+
+    # Private: @ec2 accessor
+    #
+    # Returns - @ec2
+    def self.ec2
+      @ec2 
+    end
+    private_class_method :ec2
+
+    def self.environment
+      @environment
+    end
+    private_class_method :environment
+
+    def self.region
+      @region
+    end
+    private_class_method :region
+
+    def update_rules
+      if config
+        say "================================================="
+        say "Applying changes for #{name}:"
+        say "================================================="
+
+        # Apply deletions first
+        rules_diff
+        [:outbound, :inbound].each do |direction|
+          diff[:deletions][direction].each{ |rule| rule.revoke! }
+        end
+
+        # Re-calculate the diff after performing deletions to make sure we add
+        # back any that got removed because of the way AWS groups rules together.
+        rules_diff
+        [:outbound, :inbound].each do |direction|
+          diff[:additions][direction].each{ |rule| rule.authorize!(self.class.lookup(name)) }
+        end
+        say "\n"
+      else
+        say "No config file for #{name}, skipping...\n\n"
+      end
+    end
+
+    def rules_diff
+      @diff = { deletions: {}, additions: {} }
+
+      [:outbound, :inbound].each do |direction|
+        @diff[:deletions][direction] = []
+        @diff[:additions][direction] = new_rules(direction)
+
+        current_rules(direction).each do |current_rule|
+          unless rule_exists?(direction, current_rule)
+            @diff[:deletions][direction] << current_rule
+          end
+        end
+      end
+      diff
+    end
+    private :rules_diff
+
+    def load_rules
+      if File.exists? config_filename
+        environment = @environment
+        @config = SecurityGroupConfig[YAML.load(ERB.new(File.read(config_filename)).result(binding))]
+      end
+    end
+
+    def config_filename
+      "config/#{name}.yml"
+    end
+    private :config_filename
+
+    def rule_exists?(direction, current_rule)
+      @diff[:additions][direction].reject!{ |rule| rule.equal?(current_rule) }
+    end
+    private :config_filename
+
+    def current_rules(direction)
+      security_group = self.class.lookup(name)
+      aws_security_group_rules = direction == :outbound ? security_group.egress_ip_permissions : security_group.ingress_ip_permissions
+      Rule.rules_from_api(aws_security_group_rules, direction)
+    end
+    private :current_rules
+
+    def new_rules(direction)
+      Rule.rules_from_config(config, direction)
+    end
+    private :new_rules
+
+  end
+end