fog-bouncer 0.0.6

data/.gitignore

@@ -0,0 +1,19 @@
+*.gem
+*.rbc
+*.swp
+.bundle
+.config
+.yardoc
+Gemfile.lock
+InstalledFiles
+Makefile
+_yardoc
+coverage
+doc/
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp

data/.simplecov

@@ -0,0 +1,3 @@
+SimpleCov.start do
+  add_filter "spec/"
+end

data/Gemfile

@@ -0,0 +1,6 @@
+source 'http://rubygems.org'
+
+# Specify your gem's dependencies in fog-bouncer.gemspec
+gemspec
+
+gem 'simplecov', :require => false, :group => :test

data/README.md

@@ -0,0 +1,71 @@
+# fog-bouncer
+
+![fog-bouncer](https://github.com/dylanegan/fog-bouncer/raw/master/bouncer.jpg)
+
+A simple way to define and manage security groups for AWS with the backing support from fog.
+
+## Usage
+
+### Installation
+
+```
+gem install fog-bouncer
+```
+
+### Doorlists
+
+Create a doorlist to manage. Drop it in your project or anywhere on your filesystem. For the following lets assume it is at `/tmp/fog-bouncer.rb`.
+
+```
+Fog::Bouncer.security :private do
+  account "user", "1234567890"
+
+  group "base", "Base Security Group" do
+    source "0.0.0.0/0" do
+      icmp 8..0
+    end
+
+    source "10.0.0.0/8" do
+      tcp 80, 22, 8080..8081
+    end
+  end
+
+  group "other", "Other Security Group" do
+    source "default@user" do
+      tcp 22
+    end
+  end
+end
+```
+
+### Console
+
+```
+➜  ~  export AWS_ACCOUNT_ID=... \
+       AWS_ACCESS_KEY_ID=... \
+       AWS_SECRET_ACCESS_KEY=...
+
+➜  ~  irb
+1.9.3p0 :001 > require 'fog/bouncer'
+=> true
+1.9.3p0 :002 > doorlist = Fog::Bouncer.load('/tmp/fog-bouncer.rb')
+1.9.3p0 :003 > doorlist.import_remote_groups
+1.9.3p0 :004 > doorlist.sync
+```
+
+### CLI (TBD)
+
+```
+➜  ~  export AWS_ACCOUNT_ID=... \
+       AWS_ACCESS_KEY_ID=... \
+       AWS_SECRET_ACCESS_KEY=...
+
+➜  ~  fog-bouncer sync --list private --file /tmp/fog-bouncer.rb
+```
+
+## Environment
+
+* `AWS_ACCOUNT_ID` - your Amazon Web Services account ID
+* `AWS_ACCESS_KEY_ID` - your Amazon Web Services access key ID
+* `AWS_SECRET_ACCESS_KEY` - your Amazon Web Services secret access key
+* `PROVIDER_REGION` - your Amazon Web Services region. Defaults to us-east-1.

data/Rakefile

@@ -0,0 +1,11 @@
+#!/usr/bin/env rake
+require "bundler/gem_tasks"
+
+require 'rake/testtask'
+
+Rake::TestTask.new do |t|
+  t.libs.push "lib"
+  t.libs.push "spec"
+  t.test_files = FileList['spec/**/*_spec.rb']
+  t.verbose = true
+end

data/bin/fog-bouncer

@@ -0,0 +1,10 @@
+#!/usr/bin/env ruby
+
+$:.unshift File.expand_path("../../lib", __FILE__)
+
+require "rubygems"
+require "bundler/setup"
+
+require "fog/bouncer/cli"
+
+Fog::Bouncer::CLI.run

data/fog-bouncer.gemspec

@@ -0,0 +1,25 @@
+# -*- encoding: utf-8 -*-
+require File.expand_path('../lib/fog/bouncer/version', __FILE__)
+
+Gem::Specification.new do |gem|
+  gem.authors       = ["Dylan Egan"]
+  gem.email         = ["dylanegan@gmail.com"]
+  gem.description   = %q{A simple way to define and manage security groups for AWS with the backing support of fog.}
+  gem.summary       = %q{A manage security.}
+  gem.homepage      = ""
+
+  gem.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
+  gem.files         = `git ls-files`.split("\n")
+  gem.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
+  gem.name          = "fog-bouncer"
+  gem.require_paths = ["lib"]
+  gem.version       = Fog::Bouncer::VERSION
+
+  gem.add_dependency "clamp", "~> 0.3.0"
+  gem.add_dependency "fog", "~> 1.2.0"
+  gem.add_dependency "ipaddress", "~> 0.8.0"
+  gem.add_dependency "rake"
+  gem.add_dependency "scrolls", "~> 0.0.5"
+
+  gem.add_development_dependency "minitest"
+end

data/lib/fog/bouncer.rb

@@ -0,0 +1,95 @@
+require "fog"
+require "fog/bouncer/group"
+require "fog/bouncer/protocols"
+require "fog/bouncer/security"
+require "fog/bouncer/sources"
+require "fog/bouncer/version"
+
+require "fog/bouncer/ip_permissions"
+require "fog/bouncer/group_manager"
+require "fog/bouncer/source_manager"
+
+require "scrolls"
+
+module Fog
+  module Bouncer
+    def self.aws_account_id
+      ENV['AWS_ACCOUNT_ID']
+    end
+
+    def self.doorlists
+      @doorlists ||= {}
+    end
+
+    def self.fog
+      @fog ||= Fog::Compute.new(
+        :provider => "AWS",
+        :region => (ENV['PROVIDER_REGION'] || 'us-east-1'),
+        :aws_access_key_id => ENV['AWS_ACCESS_KEY_ID'],
+        :aws_secret_access_key => ENV['AWS_SECRET_ACCESS_KEY']
+      )
+    end
+
+    def self.log(data, &block)
+      log! unless logging?
+      Scrolls.log({ 'fog-bouncer' => true, 'pretending' => pretending? }.merge(data), &block)
+    end
+
+    def self.log!
+      Scrolls::Log.start(logger)
+      @logging = true
+    end
+
+    def self.logger
+      @logger ||= STDOUT
+    end
+
+    def self.logger=(logger)
+      @logger = logger
+    end
+
+    def self.logging?
+      @logging ||= false
+    end
+
+    def self.load(file)
+      if file && File.exists?(file)
+        Fog::Bouncer.log(load: true, file: file) do
+          instance_eval(File.read(file))
+        end
+      end
+    end
+
+    def self.pretend(&block)
+      if block_given?
+        @pretend = true
+        yield
+        @pretend = false
+      else
+        @pretend ||= false
+      end
+    end
+
+    def self.pretend=(value)
+      @pretend = value
+    end
+
+    def self.pretend!
+      @pretend = true
+    end
+
+    def self.pretending?
+      !!pretend
+    end
+
+    def self.reset
+      @doorlists = {}
+    end
+
+    def self.security(name, &block)
+      Fog::Bouncer.log(security: true, name: name) do
+        doorlists[name] = Fog::Bouncer::Security.new(name, &block)
+      end
+    end
+  end
+end

data/lib/fog/bouncer/cli.rb

@@ -0,0 +1,23 @@
+require "clamp"
+
+require "fog/bouncer"
+
+module Fog
+  module Bouncer
+    module CLI
+      def self.run(*a)
+        MainCommand.run(*a)
+      end
+
+      class AbstractCommand < Clamp::Command
+        option "--version", :flag, "show version" do
+          puts "fog-bounder #{Fog::Bouncer::VERSION}"
+          exit 0
+        end
+      end
+
+      class MainCommand < AbstractCommand
+      end
+    end
+  end
+end

data/lib/fog/bouncer/group.rb

@@ -0,0 +1,140 @@
+module Fog
+  module Bouncer
+    class Group
+      attr_reader :name, :description, :security
+      attr_accessor :local, :remote
+
+      def self.log(data, &block)
+        Fog::Bouncer.log({ group: true }.merge(data), &block)
+      end
+
+      def log(data, &block)
+        self.class.log({ name: name }.merge(data), &block)
+      end
+
+      def initialize(name, description, security, &block)
+        @name = name
+        @description = description
+        @security = security
+        @using = []
+        if block_given?
+          @local = true
+          instance_eval(&block)
+          apply_definitions
+        end
+      end
+
+      def extra_remote_sources
+        sources.select { |source| !source.local? && source.remote? }
+      end
+
+      def local?
+        !!local
+      end
+
+      def missing_remote_sources
+        sources.select { |source| source.local? && !source.remote? }
+      end
+
+      def remote?
+        !remote.nil?
+      end
+
+      def sources
+        @sources ||= []
+      end
+
+      def add_source(source, &block)
+        if existing = sources.find { |s| s.match(source) }
+          existing.instance_eval(&block)
+        else
+          sources << Sources.for(source, self, &block)
+        end
+      end
+
+      def sync
+        log(sync: true) do
+          create_missing_remote
+          synchronize_sources
+        end
+      end
+
+      def use(name)
+        @using << security.definitions(name)
+      end
+
+      def create_missing_remote
+        unless remote?
+          log(create_missing_remote: true) do
+            unless Fog::Bouncer.pretending?
+              @remote = Fog::Bouncer.fog.security_groups.create(:name => name, :description => description)
+              @remote.reload
+            end
+          end
+        end
+      end
+
+      def synchronize_sources
+        log(synchronize_sources: true) do
+          SourceManager.new(self).synchronize
+        end
+      end
+
+      def destroy
+        revoke
+        if remote?
+          if name != "default"
+            log(destroy: true) do
+              unless Fog::Bouncer.pretending?
+                remote.destroy
+                @remote = nil
+                @security.groups.delete_if { |g| g.name == name }
+              end
+            end
+          else
+            log(destroy: false, group_name: name)
+          end
+        end
+      end
+
+      def revoke
+        permissions = sources.map do |source|
+          source.protocols.select { |p| p.remote? }
+        end.flatten.compact
+
+        if remote? && permissions.any?
+          log(revoke: true) do
+            remote.connection.revoke_security_group_ingress(name, "IpPermissions" => IPPermissions.from(permissions)) unless Fog::Bouncer.pretending?
+            permissions.each do |protocol|
+              log({revoked: true}.merge(protocol.to_log))
+              protocol.source.protocols.delete_if { |p| p == protocol } unless Fog::Bouncer.pretending?
+            end
+          end
+        end
+      end
+
+      def ==(other)
+        name == other.name &&
+        description == other.description
+      end
+
+      def inspect
+        "<#{self.class.name} @name=#{name.inspect} @description=#{description.inspect} @local=#{local} @remote=#{remote} @sources=#{sources.inspect}>"
+      end
+
+      private
+
+      def apply_definitions
+        return if @using.empty?
+
+        @using.each do |definition|
+          add_source(definition[:source], &definition[:block])
+        end
+      end
+
+      def source(source, &block)
+        add_source(source, &block)
+      end
+    end
+  end
+end

data/lib/fog/bouncer/group_manager.rb

@@ -0,0 +1,75 @@
+module Fog
+  module Bouncer
+    class GroupManager
+      def self.log(data, &block)
+        Fog::Bouncer.log({group_manager: true}.merge(data), &block)
+      end
+
+      def log(data, &block)
+        self.class.log(data, &block)
+      end
+
+      def initialize(security)
+        @security = security
+      end
+
+      def synchronize
+        log(synchronize: true) do
+          create_missing_remote_groups
+          synchronize_rules
+          remove_extra_remote_groups
+        end
+      end
+
+      def clear
+        @security.groups.each do |group|
+          group.revoke
+        end
+
+        @security.groups.each do |group|
+          begin
+            group.destroy
+          rescue Fog::Compute::AWS::Error => exception
+            unless exception.message =~ /InvalidGroup.InUse/
+              raise
+            end
+            log group_in_use: true, group_name: group.name
+          end
+        end
+      end
+
+      private
+
+      def create_missing_remote_groups
+        @security.missing_remote_groups.each do |group|
+          log(create_missing_remote_group: true, group_name: group.name) do
+            group.create_missing_remote
+          end
+        end
+      end
+
+      def remove_extra_remote_groups
+        @security.extra_remote_groups.each do |group|
+          log(remove_extra_remote_group: true, group_name: group.name) do
+            begin
+              group.destroy
+            rescue Fog::Compute::AWS::Error => exception
+              unless exception.message =~ /InvalidGroup.InUse/
+                raise
+              end
+              log group_in_use: true, group_name: group.name
+            end
+          end
+        end
+      end
+
+      def synchronize_rules
+        @security.groups.each do |group|
+          log(synchronize_rules: true, group_name: group.name) do
+            group.sync
+          end
+        end
+      end
+    end
+  end
+end