ec2-security-czar 1.0.0

data/lib/ec2-security-czar/version.rb

@@ -0,0 +1,3 @@
+module Ec2SecurityCzar
+  VERSION = "1.0.0"
+end

data/lib/ec2_security_czar.rb

@@ -0,0 +1,4 @@
+require_relative 'ec2-security-czar/base'
+require_relative 'ec2-security-czar/security_group'
+require_relative 'ec2-security-czar/rule'
+require_relative 'ec2-security-czar/version'

data/spec/lib/ec2-security-czar/base_spec.rb

@@ -0,0 +1,94 @@
+require 'spec_helper.rb'
+require 'ec2-security-czar/base'
+
+module Ec2SecurityCzar
+  describe Base do
+    let(:access_key){ 'aws-key' }
+    let(:secret_access_key){ 'aws-secret-key' }
+    let(:region) { 'us-east-1' }
+    let(:aws_conf) { { access_key: access_key, secret_key: secret_access_key } }
+    let(:ec2) { double }
+    let(:environment) {double}
+
+    before do
+      allow(File).to receive(:exists?).with('config/aws_keys.yml').and_return(true)
+      allow(YAML).to receive(:load_file).and_return(aws_conf)
+      stub_const("AWS", double("AWS const"))
+      stub_const("SecurityGroup", double("Security Group"))
+      allow(AWS).to receive(:ec2).and_return(ec2)
+      allow(AWS).to receive(:config)
+      allow(SecurityGroup).to receive(:update_security_groups) {[]}
+    end
+
+    context ".new" do
+      subject { Base }
+
+      context "without mfa" do
+        it "configures the AWS sdk" do
+          expect(AWS).to receive(:config).with(
+            hash_including(access_key_id: access_key, secret_access_key: secret_access_key, region: region)
+          )
+          allow(YAML).to receive(:load_file).with('config/aws_keys.yml').and_return(aws_conf)
+          subject.new
+        end
+      end
+
+      context "with mfa" do
+        let(:mfa_token) { '12345' }
+        let(:mfa_serial_number) { 'aws-mfa-serial' }
+        let(:aws_conf) { { access_key: access_key, secret_key: secret_access_key, mfa_serial_number: mfa_serial_number } }
+
+        it "configures the AWS sdk" do
+          allow_any_instance_of(Base).to receive(:mfa_auth)
+          expect(AWS).to receive(:config).with(
+            hash_including(access_key_id: access_key, secret_access_key: secret_access_key, region: region)
+          )
+          subject.new
+        end
+        it "runs mfa auth" do
+          expect_any_instance_of(Base).to receive(:mfa_auth).with(mfa_token)
+          subject.new(nil, token: mfa_token)
+        end
+      end
+    end
+
+    context "#load_config" do
+      subject { Base }
+      context "no environment is set" do
+        it "loads the config for the default environment" do
+          expect(aws_conf).to_not receive(:[]).with(nil)
+          subject.new
+        end
+      end
+      context "environment is set" do
+        let(:environment) { 'environment' }
+        let(:environment_conf) { { environment => aws_conf } }
+
+        before do
+          allow(YAML).to receive(:load_file).with("config/aws_keys.yml").and_return(environment_conf)
+        end
+
+        it "loads the config for the passed environment" do
+          expect(AwsConfig).to receive(:[]).with(environment_conf).and_return(environment_conf)
+          expect(environment_conf).to receive(:[]).with(environment).and_return(aws_conf)
+          subject.new(environment)
+        end
+      end
+    end
+
+    context "#update_security_groups" do
+      let(:environment) { 'environment' }
+      let(:environment_conf) { { environment => aws_conf } }
+
+      before do
+        subject.instance_variable_set("@environment", environment)
+        allow(YAML).to receive(:load_file).with("config/aws_keys.yml").and_return(environment_conf)
+      end
+
+      it "delegates to the SecurityGroup class" do
+        expect(SecurityGroup).to receive(:update_security_groups).with(ec2, environment, region)
+        subject.update_security_groups
+      end
+    end
+  end
+end

data/spec/lib/ec2-security-czar/rule_spec.rb

@@ -0,0 +1,183 @@
+require 'spec_helper.rb'
+require 'ec2-security-czar/rule'
+require 'ec2-security-czar/security_group'
+
+module Ec2SecurityCzar
+  describe Rule do
+    let(:direction) { :outbound }
+    let(:ip_range) { '0.0.0.0/0' }
+    let(:group_id) { 'sec-group' }
+    let(:group) { {group_id: group_id} }
+    let(:protocol) { :tcp }
+    let(:port_range) { '666' }
+    let(:api_object) { double }
+    let(:options) {
+      {
+        direction: direction,
+        ip_range: ip_range,
+        protocol: protocol,
+        group: group,
+        port_range: port_range,
+        api_object: api_object,
+      }
+    }
+
+    before do
+      allow(subject).to receive(:say)
+      allow(subject).to receive(:pretty_print)
+    end
+
+    subject { Rule.new(options) }
+
+    context "#equal?" do
+      it "returns true if all options are equal" do
+        expect(subject.equal?(subject.dup)).to be_truthy
+      end
+
+      it "returns false if all options are not equal" do
+        bogus_rule = Rule.new(options.merge(ip_range: '1.1.1.1/32'))
+        expect(subject.equal?(bogus_rule)).to be_falsey
+      end
+
+      context "rule with group name to a group id" do
+        let(:group_name) { 'sec-group-name' }
+
+        it "returns true if the group ids are the same" do
+          allow(SecurityGroup).to receive(:lookup).with(group_name).and_return(group_id)
+          allow(group_id).to receive(:id).and_return(group_id)
+          equivalent_rule = Rule.new(options.merge(group: { group_name: group_name }))
+          expect(subject.equal?(equivalent_rule)).to be_truthy
+        end
+      end
+    end
+
+    context "#authorize!" do
+      let(:security_group_api) { double("Security Group API") }
+      context "outbound rule" do
+        let(:direction) { :outbound }
+        it "authorizes an egress rule for aws" do
+          expect(security_group_api).to receive(:authorize_egress).with(ip_range, hash_including(protocol: protocol, ports: port_range))
+          subject.authorize!(security_group_api)
+        end
+
+        it "does not authorize an ingress rule for aws" do
+          allow(security_group_api).to receive(:authorize_egress)
+          expect(security_group_api).to_not receive(:authorize_ingress)
+          subject.authorize!(security_group_api)
+        end
+      end
+
+      context "inbound rule" do
+        let(:direction) { :inbound }
+        it "authorizes an ingress rule for aws" do
+          expect(security_group_api).to receive(:authorize_ingress).with(protocol, port_range, ip_range)
+          subject.authorize!(security_group_api)
+        end
+
+        it "does not authorize an egress rule for aws" do
+          allow(security_group_api).to receive(:authorize_ingress)
+          expect(security_group_api).to_not receive(:authorize_egress)
+          subject.authorize!(security_group_api)
+        end
+      end
+
+      context "group rule" do
+        let(:direction) { :inbound }
+        let(:group_id) { 'sec-group' }
+        let(:options) {
+          {
+            direction: direction,
+            group: { group_id: group_id },
+            protocol: protocol,
+            port_range: port_range,
+            api_object: api_object,
+          }
+        }
+
+        it "passes the group_id as a hash" do
+          expect(security_group_api).to receive(:authorize_ingress).with(
+            protocol, port_range, { group_id: group_id }
+          )
+          subject.authorize!(security_group_api)
+        end
+      end
+
+      it "rescues an api error" do
+        allow(security_group_api).to receive(:authorize_egress).and_raise(StandardError)
+        expect(subject).to receive(:say).twice
+        expect { subject.authorize!(security_group_api) }.to_not raise_error
+      end
+    end
+
+    context "#revoke!" do
+      it "calls revoke on it's api object" do
+        expect(api_object).to receive(:revoke)
+        subject.revoke!
+      end
+
+      it "rescues an api error" do
+        allow(api_object).to receive(:revoke).and_raise(StandardError)
+        expect(subject).to receive(:say).twice
+        expect { subject.revoke! }.to_not raise_error
+      end
+    end
+
+    context "#group_id" do
+      context "given a string" do
+        let(:group) { "sec-group" }
+        it "returns the passed in string as the security group id" do
+          expect(subject.group_id(group)).to equal(group)
+        end
+      end
+
+      context "given a hash with group_id" do
+        let(:group) { { group_id: "sec-group" } }
+        it "returns the group id" do
+          expect(subject.group_id(group)).to equal(group[:group_id])
+        end
+      end
+
+      context "given a hash with group_name" do
+        let(:group_name) { 'sec-group' }
+        let(:group) { {group_id: group_id, group_name: group_name} }
+
+        it "returns the matching group id" do
+          allow(SecurityGroup).to receive(:lookup).with(group[:group_name]).and_return(group_id)
+          expect(subject.group_id(group)).to equal(group_id)
+        end
+      end
+    end
+
+    context ".rules_from_api" do
+      subject { Rule }
+      let(:rules) { [double(port_range: 123, protocol: :tcp, ip_ranges: ['0.0.0.0/0'], groups: [double(id: 'sec-group')])] }
+      let(:direction) { :outbound }
+
+      it "returns an array of rules" do
+        expect(subject.rules_from_api(rules, direction)).to be_an_array_of(Rule)
+      end
+    end
+
+    context ".rules_from_api" do
+      subject { Rule }
+      let(:api_rule) { double(port_range: 123, protocol: :tcp, ip_ranges: ['0.0.0.0/0'], groups: [double(id: 'sec-group')]) }
+      let(:rules) { [api_rule] }
+      let(:direction) { :outbound }
+
+      it "returns an array of rules" do
+        expect(subject.rules_from_api(rules, direction)).to be_an_array_of(Rule)
+      end
+    end
+
+    context ".rules_from_config" do
+      subject { Rule }
+      let(:config_rule) { { port_range: 123, protocol: :tcp, ip_ranges: ['0.0.0.0/0'], groups: [double(id: 'sec-group')] } }
+      let(:direction) { :outbound }
+      let(:rules) { {outbound: [config_rule]} }
+
+      it "returns an array of rules" do
+        expect(subject.rules_from_config(rules, direction)).to be_an_array_of(Rule)
+      end
+    end
+  end
+end

data/spec/lib/ec2-security-czar/security_group_spec.rb

@@ -0,0 +1,240 @@
+require 'spec_helper.rb'
+require 'ec2-security-czar/security_group'
+
+module Ec2SecurityCzar
+  describe SecurityGroup do
+    let(:outbound_rule) {
+      {
+        zone: "Test Outbound",
+        justification: "Test outbound justification",
+        groups: [ 'test-outbound-group-id' ],
+        protocol: :udp,
+        port_range: '666'
+      }
+    }
+    let(:inbound_rule) {
+      {
+        zone: "Test Inbound",
+        justification: "Test inbound justification",
+        groups: [ 'test-inbound-group-id' ],
+        protocol: :tcp,
+        port_range: '999'
+      }
+    }
+    let(:api) { double("API", name: 'test') }
+    let(:config) { { outbound: [outbound_rule], inbound: [inbound_rule] } }
+    let(:filename) { 'the/config/file' }
+    let(:file) { "Raw File" }
+    let(:parsed_file) { { derp: :herp } }
+    let(:environment) { 'environment' }
+    let(:region) { 'us-east-1'}
+    let(:ec2) { double }
+
+
+    before do
+      allow(SecurityGroup).to receive(:ec2) {ec2}
+      allow(SecurityGroup).to receive(:region) {region}
+      allow(SecurityGroup).to receive(:environment) {environment}
+      allow(File).to receive(:read).and_return(file)
+      allow_any_instance_of(SecurityGroup).to receive(:config_filename).and_return(filename)
+      allow(File).to receive(:exists?).with(filename).and_return(true)
+    end
+
+    context "#update_rules" do
+      let(:delete_inbound) { double("Inbound rule to be deleted") }
+      let(:delete_outbound) { double("Outbound rule to be deleted") }
+      let(:addition_inbound) { double("Inbound rule to be added") }
+      let(:addition_outbound) { double("Outbound rule to be added") }
+
+      before do
+        allow(ERB).to receive(:new).and_return(double(:result => parsed_file))
+        allow(YAML).to receive(:load).and_return(parsed_file)
+        allow(subject).to receive(:new_rules).with(:outbound).and_return([addition_outbound])
+        allow(subject).to receive(:new_rules).with(:inbound).and_return([addition_inbound])
+        allow(subject).to receive(:current_rules).with(:outbound).and_return([delete_outbound])
+        allow(subject).to receive(:current_rules).with(:inbound).and_return([delete_inbound])
+        allow(subject).to receive(:say)
+        allow(SecurityGroup).to receive(:lookup) {api}
+      end
+
+      subject { SecurityGroup.new(api, environment) }
+
+      it "revokes rules that have been deleted" do
+        allow(addition_outbound).to receive(:authorize!)
+        allow(addition_inbound).to receive(:authorize!)
+        expect(delete_inbound).to receive(:revoke!)
+        expect(delete_outbound).to receive(:revoke!)
+        subject.update_rules
+      end
+
+      it "authorizes rules that have been added" do
+        allow(delete_inbound).to receive(:revoke!)
+        allow(delete_outbound).to receive(:revoke!)
+        expect(addition_outbound).to receive(:authorize!).with(api)
+        expect(addition_inbound).to receive(:authorize!).with(api)
+        subject.update_rules
+      end
+    end
+
+    context "#load_rules" do
+      let(:environment) { 'parsed' }
+      let(:erb_file) { "--- \nenvironment: <%= environment %> \n" }
+
+      before do
+        allow(File).to receive(:read).with(filename).and_return(erb_file)
+      end
+
+      subject { SecurityGroup.new(api, environment) }
+
+      it "passes the environment into the erb rendering" do
+        expect(SecurityGroupConfig).to receive(:[]).at_least(:once).with(hash_including('environment' => 'parsed'))
+        subject.send(:load_rules)
+      end
+
+    end
+
+    context "#security_group_definition_files" do
+      let(:environment) { 'parsed' }
+      let(:erb_file) { "--- \nenvironment: <%= environment %> \n" }
+
+      before do
+        allow(File).to receive(:read).with(filename).and_return(erb_file)
+      end
+
+      it "returns an array of file names with out the extension" do
+        allow(Dir).to receive(:[]).and_return(["config/aws_keys.yml", "config/foo.yml", "config/bar.yml"])
+        expect(SecurityGroup.send(:security_group_definition_files)).to eq(["config/foo.yml","config/bar.yml"])
+      end
+    end
+
+    context "#config_security_groups" do
+
+      let(:file_region_1) {'us-east-1'}
+      let(:file_region_2) {'us-west-2'}
+      let(:erb_file_1) { "--- \nenvironment: <%= environment %> \n region: <%= file_region_1 %>\n" }
+      let(:erb_file_2) { "--- \nenvironment: <%= environment %> \n region: <%= file_region_2 %>\n" }
+
+      before do
+        allow(SecurityGroup).to receive(:get_security_group_region).and_return(file_region_1,file_region_2)
+        allow(File).to receive(:read).with(filename).and_return([erb_file_1, erb_file_2])
+      end
+
+      context "with no region specified" do
+        it "retrusn groups in the default region" do
+          allow(Dir).to receive(:[]).and_return(["config/aws_keys.yml", "config/foo.yml", "config/bar.yml"])
+          expect(SecurityGroup.send(:config_security_groups)).to eq(["foo"])
+        end
+      end
+
+      context "with a region specified" do
+        let(:region) { 'us-west-2' }
+
+        it "returns groups in the specified region" do
+          allow(Dir).to receive(:[]).and_return(["config/aws_keys.yml", "config/foo.yml", "config/bar.yml"])
+          expect(SecurityGroup.send(:config_security_groups)).to eq(["bar"])
+        end
+      end
+    end
+
+    context "#missing_security_groups" do
+      let(:environment) { 'parsed' }
+      let(:erb_file) { "--- \nenvironment: <%= environment %> \n" }
+      let(:security_group_1) { double }
+      let(:security_group_2) { double }
+
+      before do
+        allow(File).to receive(:read).with(filename).and_return(erb_file)
+        allow(SecurityGroup).to receive(:config_security_groups).and_return(["foo","bar"])
+        allow(security_group_1).to receive(:name).and_return("foo")
+        allow(security_group_2).to receive(:name).and_return("bar")
+      end
+
+      it "returns empty if config_security_groups is the same as security_groups" do
+        allow(SecurityGroup).to receive(:from_aws).and_return([security_group_1, security_group_2])
+        expect(SecurityGroup.send(:missing_security_groups)).to eq([])
+      end
+
+      it "returns groups in config_security_groups not in security_groups" do
+        allow(SecurityGroup).to receive(:from_aws).and_return([security_group_2])
+        expect(SecurityGroup.send(:missing_security_groups)).to eq(["foo"])
+      end
+    end
+
+    context ".lookup" do
+      before do
+        allow(security_group).to receive(:name) {security_group_name}
+        allow(security_group).to receive(:id) {security_group_id}
+        allow(SecurityGroup).to receive(:security_groups).and_return([security_group])
+        SecurityGroup.instance_variable_set(:@security_group_hash, nil)
+      end
+
+      let(:security_group_name) { 'sec-group-name' }
+      let(:security_group_id) { 'sec-group' }
+      let(:security_group) { double }
+
+      it "returns the group corresponding to the group name" do
+        expect(SecurityGroup.lookup(security_group_name)).to eq(security_group)
+      end
+
+      it "returns the group name corresponding to the group id" do
+        expect(SecurityGroup.lookup(security_group_id)).to eq(security_group)
+      end
+    end
+
+    context ".from_aws" do
+      before do
+        allow(SecurityGroup).to receive(:security_groups) {nil}
+      end
+      it "delegates to the ec2 object" do
+        expect(ec2).to receive(:security_groups)
+        SecurityGroup.from_aws
+      end
+    end
+
+    context ".create_missing_security_groups" do
+      let(:security_groups) { double }
+      let(:environment) { 'parsed' }
+      let(:security_group_name) {'sec-group-name'}
+      let(:security_group) { double }
+      let(:configs) {{vpc: "vpc", description: "description"}}
+
+      before do
+        allow(ec2).to receive(:security_groups) {security_groups}
+        allow(SecurityGroup).to receive(:missing_security_groups).and_return(['sec-group-name'])
+        allow(SecurityGroup).to receive(:new).with(security_group_name,environment).and_return(security_group)
+        allow(security_group).to receive(:config).and_return(configs)
+        allow(SecurityGroup).to receive(:say)
+      end
+
+      it "create missing security groups" do
+        expect(security_groups).to receive(:create).with('sec-group-name', {vpc: "vpc", description: "description"})
+        SecurityGroup.send(:create_missing_security_groups, environment)
+      end
+    end
+
+    context ".update_rules" do
+      let(:security_group) { double }
+      let(:security_groups) { [security_group] }
+
+      before do
+        SecurityGroup.instance_variable_set(:@environment, "environment")
+        allow(SecurityGroup).to receive(:security_groups) {security_groups}
+        allow(SecurityGroup).to receive(:new).with('sec-group-name','environment').and_return(security_group)
+        allow(security_group).to receive(:name) {'sec-group-name'}
+      end
+
+      it "calls #update_rules" do
+        expect(security_group).to receive(:update_rules)
+        SecurityGroup.send(:update_rules)
+      end
+    end
+
+    context ".update_security_groups" do
+      it "calls everything it's supposed to" do
+        expect(SecurityGroup).to receive(:create_missing_security_groups)
+        expect(SecurityGroup).to receive(:update_rules)
+        SecurityGroup.send(:update_security_groups, ec2, environment, region)
+      end
+    end
+  end
+end