fog-bouncer 0.0.6

data/lib/fog/bouncer/ip_permissions.rb

@@ -0,0 +1,51 @@
+module Fog
+  module Bouncer
+    module IPPermissions
+      def self.from(protocols, options = {})
+        permissions = []
+
+        protocols.each do |protocol|
+          next if (options[:remote_only] && protocol.local?) ||
+                  (options[:local_only] && protocol.remote?)
+
+          source = protocol.source
+          permission = permissions.find { |permission| permission["IpProtocol"] == protocol.type && permission["FromPort"] == protocol.from && permission["ToPort"] == protocol.to }
+
+          if permission.nil?
+            permission = { "Groups" => [], "IpRanges" => [], "IpProtocol" => protocol.type, "FromPort" => protocol.from, "ToPort" => protocol.to }
+            permissions << permission
+          end
+
+          if source.is_a?(Fog::Bouncer::Sources::CIDR)
+            permission["IpRanges"] << { "CidrIp" => source.range }
+          else
+            permission["Groups"] << { "UserId" => source.user_id, "GroupName" => source.name }
+          end
+        end
+
+        permissions
+      end
+
+      def self.to(group, permissions)
+        permissions.each do |permission|
+          remote_sources = []
+          remote_sources = remote_sources | permission["groups"].collect { |group| "#{group["groupName"]}@#{group["userId"]}" }
+          remote_sources = remote_sources | permission["ipRanges"].collect { |range| range["cidrIp"] }
+          remote_sources.each do |remote_source|
+            source = group.sources.find { |s| s.match(remote_source) }
+
+            if source.nil?
+              source = Sources.for(remote_source, group)
+              group.sources << source
+            end
+
+            source.remote = true
+
+            protocol = source.add_protocol(permission["ipProtocol"], Range.new(permission["fromPort"], permission["toPort"]))
+            protocol.remote = true
+          end
+        end
+      end
+    end
+  end
+end

data/lib/fog/bouncer/protocols.rb

@@ -0,0 +1,115 @@
+module Fog
+  module Bouncer
+    class Protocol
+      attr_reader :from, :local, :source, :to
+      attr_writer :local, :remote
+
+      def self.range(port)
+        if port.is_a?(Range)
+          [port.begin, port.end]
+        else
+          [port, port]
+        end
+      end
+
+      def initialize(port, source)
+        @from, @to = Protocol.range(port)
+        @source = source
+        validate
+      end
+
+      def local
+        @local ||= false
+      end
+
+      def local?
+        !!local
+      end
+
+      def match(type, port)
+        type.to_s == self.type && Protocol.range(port) == [from, to]
+      end
+
+      def remote
+        @remote ||= false
+      end
+
+      def remote?
+        !!remote
+      end
+
+      def type
+        @type ||= self.class.to_s.gsub("Fog::Bouncer::Protocols::", "").downcase
+      end
+
+      def ==(other)
+        type == other.type &&
+        from == other.from &&
+        to == other.to
+      end
+
+      def <=>(other)
+        [from, to] <=> [other.from, other.to]
+      end
+
+      def inspect
+        "<#{self.class.name} @from=#{from.inspect} @to=#{to.inspect} @local=#{local} @remote=#{remote}>"
+      end
+
+      def to_log
+        { source: source.source, protocol: type, from: from, to: to }
+      end
+    end
+
+    module Protocols
+      class InvalidICMPType < StandardError; end
+      class InvalidPort < StandardError; end
+
+      class ICMP < Protocol
+        ICMP_MAPPING = {
+          all: -1,
+          ping: 8..0
+        }
+
+        ICMP_TYPE_RANGE = (-1..255)
+
+        def initialize(port, source)
+          if port.is_a?(Symbol) && range = ICMP_MAPPING[port]
+            port = range
+          end
+          super
+        end
+
+        def match(type, port)
+          if port.is_a?(Symbol) && range = ICMP_MAPPING[port]
+            type.to_s == self.type && Protocol.range(range) == [from, to]
+          else
+            super
+          end
+        end
+
+        private
+
+        def validate
+          raise InvalidICMPType.new("Must be between and including -1 and 255.") unless ICMP_TYPE_RANGE.include?(from)
+        end
+      end
+
+      class TCP < Protocol
+        private
+
+        def validate
+          raise InvalidPort.new("Invalid port #{from}. Must be between and including 0 and 65535.") unless (0..65535).include?(from)
+        end
+      end
+
+      class UDP < Protocol
+        private
+
+        def validate
+          raise InvalidPort.new("Invalid port #{from}. Must be between and including 0 and 65535.") unless (0..65535).include?(from)
+        end
+      end
+    end
+  end
+end

data/lib/fog/bouncer/security.rb

@@ -0,0 +1,88 @@
+module Fog
+  module Bouncer
+    class DefinitionNotFound < StandardError; end
+    class SourceBlockRequired < StandardError; end
+    class Security
+      attr_reader :name, :description
+
+      def initialize(name, &block)
+        @name = name
+        @definitions = {}
+        @using = []
+        instance_eval(&block)
+        apply_definitions
+      end
+
+      def accounts
+        @accounts ||= { 'amazon-elb' => 'amazon-elb', 'self' => Fog::Bouncer.aws_account_id }
+      end
+
+      def define(name, source, &block)
+        raise SourceBlockRequired unless block_given?
+        @definitions[name] = { source: source, block: block }
+      end
+
+      def definitions(name)
+        @definitions[name] || raise(DefinitionNotFound.new("No definition found for #{name}."))
+      end
+
+      def extra_remote_groups
+        groups.select { |group| !group.local? && group.remote? }
+      end
+
+      def groups
+        @groups ||= []
+      end
+
+      def import_remote_groups
+        Fog::Bouncer.fog.security_groups.each do |remote_group|
+          group = group(remote_group.name, remote_group.description)
+          group.remote = remote_group
+          IPPermissions.to(group, remote_group.ip_permissions) if remote_group.ip_permissions
+        end
+      end
+
+      def missing_remote_groups
+        groups.select { |group| group.local? && !group.remote? }
+      end
+
+      def sync
+        GroupManager.new(self).synchronize
+      end
+
+      def use(name)
+        @using << definitions(name)
+      end
+
+      def clear_remote
+        GroupManager.new(self).clear
+      end
+
+      private
+
+      def account(name, account_id)
+        accounts[name] = account_id
+      end
+
+      def apply_definitions
+        return if @using.empty?
+
+        @using.each do |definition|
+          @groups.each do |group|
+            group.add_source(definition[:source], &definition[:block])
+          end
+        end
+      end
+
+      def group(name, description, &block)
+        group = groups.find { |group| group.name == name }
+        if group.nil?
+          group = Group.new(name, description, self, &block)
+          groups << group
+        end
+
+        group
+      end
+    end
+  end
+end

data/lib/fog/bouncer/source.rb

@@ -0,0 +1,87 @@
+module Fog
+  module Bouncer
+    class Source
+      attr_reader :group, :source
+      attr_writer :local, :remote
+
+      def initialize(source, group, &block)
+        @source = source
+        @group = group
+        if block_given?
+          @local = true
+          instance_eval(&block)
+        end
+      end
+
+      def extras
+        protocols.select { |protocol| !protocol.local? }
+      end
+
+      def add_protocol(type, port)
+        protocol = protocols.find { |p| p.match(type, port) }
+        if protocol.nil?
+          protocol = case type.to_sym
+          when :icmp
+            Fog::Bouncer::Protocols::ICMP.new(port, self)
+          when :tcp
+            Fog::Bouncer::Protocols::TCP.new(port, self)
+          when :udp
+            Fog::Bouncer::Protocols::UDP.new(port, self)
+          end
+
+          protocols << protocol
+        end
+
+        protocol
+      end
+
+      def local
+        @local ||= false
+      end
+
+      def local?
+        !!local
+      end
+
+      def missing
+        protocols.select { |protocol| protocol.local? && !protocol.remote? }
+      end
+
+      def protocols
+        @protocols ||= []
+      end
+
+      def remote
+        @remote ||= false
+      end
+
+      def remote?
+        !!remote
+      end
+
+      def ==(other)
+        source == other.source &&
+        group == other.group &&
+        protocols.sort! == other.protocols.sort!
+      end
+
+      def inspect
+        "<#{self.class.name} @source=#{source.inspect} @local=#{local} @remote=#{remote} @protocols=#{protocols.inspect}>"
+      end
+
+      private
+
+      def icmp(*ports)
+        ports.each { |port| p = add_protocol(:icmp, port); p.local = true }
+      end
+
+      def tcp(*ports)
+        ports.each { |port| p = add_protocol(:tcp, port); p.local = true }
+      end
+
+      def udp(*ports)
+        ports.each { |port| p = add_protocol(:udp, port); p.local = true }
+      end
+    end
+  end
+end

data/lib/fog/bouncer/source_manager.rb

@@ -0,0 +1,59 @@
+module Fog
+  module Bouncer
+    class SourceManager
+      def self.log(data, &block)
+        Fog::Bouncer.log({source_manager: true}.merge(data), &block)
+      end
+
+      def log(data, &block)
+        self.class.log({group_name: @group.name}.merge(data), &block)
+      end
+
+      def initialize(group)
+        @group = group
+      end
+
+      def synchronize
+        log(synchronize: true) do
+          create_missing_source_permissions
+          remove_extra_source_permissions
+          @group.sources.each { |s| s.remote = true } unless Fog::Bouncer.pretending?
+        end
+      end
+
+      private
+
+      def create_missing_source_permissions
+        if missing_source_permissions.any?
+          @group.remote.connection.authorize_security_group_ingress(@group.name, "IpPermissions" => IPPermissions.from(missing_source_permissions, :local_only => true)) unless Fog::Bouncer.pretending?
+          missing_source_permissions.each do |protocol|
+            log({authorized: true}.merge(protocol.to_log))
+            protocol.remote = true unless Fog::Bouncer.pretending?
+          end
+        end
+      end
+
+      def missing_source_permissions
+        @group.sources.map do |source|
+          source.protocols.select { |p| p.local? && !p.remote? }
+        end.flatten.compact
+      end
+
+      def remove_extra_source_permissions
+        if extra_source_permissions.any?
+          @group.remote.connection.revoke_security_group_ingress(@group.name, "IpPermissions" => IPPermissions.from(extra_source_permissions, :remote_only => true)) unless Fog::Bouncer.pretending?
+          extra_source_permissions.each do |protocol|
+            log({revoked: true}.merge(protocol.to_log))
+            protocol.source.protocols.delete_if { |p| p == protocol } unless Fog::Bouncer.pretending?
+          end
+        end
+      end
+
+      def extra_source_permissions
+        @group.sources.map do |source|
+          source.protocols.select { |p| !p.local? && p.remote? }
+        end.flatten.compact
+      end
+    end
+  end
+end

data/lib/fog/bouncer/sources.rb

@@ -0,0 +1,61 @@
+require "fog/bouncer/source"
+require "ipaddress"
+
+module Fog
+  module Bouncer
+    module Sources
+      def self.for(source, group, &block)
+        if source =~ /^\d+\.\d+\.\d+.\d+\/\d+$/
+          CIDR.new(source, group, &block)
+        else
+          Group.new(source, group, &block)
+        end
+      end
+
+      class CIDR < Fog::Bouncer::Source
+        def initialize(source, group, &block)
+          source = IPAddress::IPv4.new(source).to_string
+          super
+        end
+
+        def match(source)
+          range == source
+        end
+
+        def range
+          @source
+        end
+      end
+
+      class Group < Fog::Bouncer::Source
+        attr_reader :name, :user_alias, :user_id
+
+        def initialize(source, group, &block)
+          super
+          case source
+          when /^(.+)@(.+)$/
+            @name = $1
+            @user_alias = $2
+            if @user_alias[/^\d+$/]
+              @user_id = @user_alias
+              if account = group.security.accounts.find { |key, id| id == @user_id }
+                @user_alias = account[0]
+              end
+            end
+          else
+            @name = source
+            @user_alias = 'self'
+          end
+        end
+
+        def match(source)
+          "#{name}@#{user_id}" == source || name == source
+        end
+
+        def user_id
+          @user_id ||= group.security.accounts[user_alias]
+        end
+      end
+    end
+  end
+end