fog-bouncer 0.0.6

data/lib/fog/bouncer/version.rb

@@ -0,0 +1,5 @@
+module Fog
+  module Bouncer
+    VERSION = "0.0.6"
+  end
+end

data/spec/fog/bouncer/group_spec.rb

@@ -0,0 +1,61 @@
+require "helper"
+
+describe Fog::Bouncer do
+  before do
+    Fog::Bouncer.reset
+    Fog::Mock.reset if Fog.mocking?
+
+    load_security(:private)
+
+    @doorlist = Fog::Bouncer.doorlists[:private]
+    @doorlist.import_remote_groups
+    @fog = Fog::Bouncer.fog
+    @doorlist.sync
+  end
+
+
+  describe Fog::Bouncer::Group do
+    before do
+      @group = @doorlist.groups.find { |g| g.name == 'douchebag' }
+    end
+
+    describe "use" do
+      it "should include any source definition specified" do
+        @group.sources.find { |s| s.source == "0.0.0.0/0" && s.protocols.find { |p| p.type == "icmp" && p.from == 8 && p.to == 0 } }.wont_be_nil
+      end
+
+      it "should not create duplicate sources" do
+        @group.sources.select { |s| s.source == "0.0.0.0/0" }.size.must_equal 1
+      end
+    end
+
+    describe "#extras" do
+      before do
+        Fog::Bouncer::IPPermissions.to(@group, [{ "ipProtocol" => "tcp", "fromPort" => 20, "toPort" => 20, "ipRanges" => [{ "cidrIp" => "2.2.2.2/2" }], "groups" => [] }])
+
+        @doorlist.clear_remote
+      end
+
+      it "detects the extra sources" do
+        @group.extra_remote_sources.must_equal @group.sources.select { |s| s.source == "2.2.2.2/2" }
+
+        @doorlist.clear_remote
+      end
+    end
+
+    describe "#missing" do
+      before do
+        @source = Fog::Bouncer::Sources.for("2.2.2.2/2", @group)
+        @source.protocols << Fog::Bouncer::Protocols::TCP.new(90, @source)
+        @source.local = true
+        @group.sources << @source
+      end
+
+      it "detects the missing sources" do
+        @group.missing_remote_sources.must_equal [@source]
+
+        @doorlist.clear_remote
+      end
+    end
+  end
+end

data/spec/fog/bouncer/protocols_spec.rb

@@ -0,0 +1,25 @@
+require "helper"
+
+describe Fog::Bouncer::Protocols::ICMP do
+  subject { Fog::Bouncer::Protocols::ICMP }
+
+  it "only supports valid AWS ICMP types" do
+    lambda { subject.new(256, nil) }.must_raise(Fog::Bouncer::Protocols::InvalidICMPType)
+  end
+end
+
+describe Fog::Bouncer::Protocols::TCP do
+  subject { Fog::Bouncer::Protocols::TCP }
+
+  it "only supports valid port ranges" do
+    lambda { subject.new(65536, nil) }.must_raise(Fog::Bouncer::Protocols::InvalidPort)
+  end
+end
+
+describe Fog::Bouncer::Protocols::UDP do
+  subject { Fog::Bouncer::Protocols::UDP }
+
+  it "only supports valid port ranges" do
+    lambda { subject.new(65536, nil) }.must_raise(Fog::Bouncer::Protocols::InvalidPort)
+  end
+end

data/spec/fog/bouncer/security_spec.rb

@@ -0,0 +1,85 @@
+require "helper"
+
+describe Fog::Bouncer::Security do
+  before do
+    Fog::Bouncer.reset
+    Fog::Mock.reset if Fog.mocking?
+
+    load_security(:private)
+
+    @doorlist = Fog::Bouncer.doorlists[:private]
+    @doorlist.import_remote_groups
+    @fog = Fog::Bouncer.fog
+  end
+
+  describe "pretending" do
+    before do
+      Fog::Bouncer.pretend!
+      @groups = @fog.security_groups.all
+      @fog.security_groups.get('default').connection.authorize_security_group_ingress('default', "IpPermissions" => [{"Groups" => [], "IpRanges" => [{"CidrIp" => "0.0.0.0/0"}], "IpProtocol" => "icmp", "FromPort" => "-1", "ToPort" => "-1"}])
+      @doorlist.sync
+    end
+
+    it "should not sync anything" do
+      assert !@doorlist.groups.first.remote?
+      @fog.security_groups.get('default').ip_permissions.wont_be_empty
+      @fog.security_groups.size.must_equal @groups.size
+    end
+  end
+
+  describe "use" do
+    it "should include any source definition specified in all groups" do
+      @doorlist.groups.each do |group|
+        next unless group.local?
+        group.sources.find { |s| s.source == "0.0.0.0/0" && s.protocols.find { |p| p.type == "tcp" && p.from == 22 && p.to == 22 } }.wont_be_nil
+      end
+    end
+  end
+
+  describe "#sync" do
+    before do
+      @doorlist.sync
+    end
+
+    it "synchronises against AWS" do
+      @fog.security_groups.size.must_equal 4
+
+      fog_douchebag = @fog.security_groups.get('douchebag')
+      douchebag = @doorlist.groups.find { |g| g.name == 'douchebag' }
+      douchebag.remote.group_id.must_equal fog_douchebag.group_id
+
+      source = @doorlist.groups.find { |g| g.name == 'guido' }.sources.first
+      assert source.remote # not sure of the minitest/spec equivalent
+      source.user_alias.must_equal "jersey_shore"
+      source.user_id.must_equal ENV['AWS_ACCOUNT_ID']
+
+      default = @fog.security_groups.get('default')
+      default.ip_permissions.must_be_empty
+
+      @doorlist.clear_remote
+    end
+  end
+
+  describe "#extra_remote_groups" do
+    it "detects the extra groups" do
+      @doorlist.extra_remote_groups.must_equal [@doorlist.groups.find { |g| g.name == "default"}]
+
+      @doorlist.clear_remote
+    end
+  end
+
+  describe "#missing_remote_groups" do
+    before do
+      @doorlist.sync
+      @new = Fog::Bouncer::Group.new('new', 'new', self)
+      @new.local = true
+      @doorlist.groups << @new
+    end
+
+    it "detects the missing groups" do
+      @doorlist.missing_remote_groups.must_equal [@new]
+
+      @doorlist.clear_remote
+    end
+  end
+end

data/spec/fog/bouncer/source_spec.rb

@@ -0,0 +1,49 @@
+require "helper"
+
+describe Fog::Bouncer do
+  before do
+    Fog::Bouncer.reset
+    Fog::Mock.reset if Fog.mocking?
+
+    load_security(:private)
+
+    @doorlist = Fog::Bouncer.doorlists[:private]
+    @doorlist.import_remote_groups
+    @fog = Fog::Bouncer.fog
+  end
+
+  describe Fog::Bouncer::Source do
+    describe "#extras" do
+      before do
+        @group = @doorlist.groups.first
+        @group.sync
+        @source = @group.sources.first
+        @protocol = @source.protocols.first
+        @protocol.local = false
+        @protocol.remote = true
+        @extras = @source.extras
+      end
+
+      it "detects the extra protocols" do
+        @extras.must_equal [@protocol]
+      end
+    end
+
+    describe "#missing" do
+      before do
+        @group = @doorlist.groups.first
+        @group.sync
+        @source = Fog::Bouncer::Sources.for("1.1.1.1/1", @group)
+        @source.protocols << (@protocol = Fog::Bouncer::Protocols::TCP.new(90, @source))
+        @protocol.local = true
+        @protocol.remote = false
+        @group.sources << @source
+        @missing = @source.missing
+      end
+
+      it "detects the missing protocols" do
+        @missing.must_equal [@protocol]
+      end
+    end
+  end
+end

data/spec/fog/bouncer/sources/cidr_spec.rb

@@ -0,0 +1,9 @@
+require "helper"
+
+describe Fog::Bouncer::Sources::CIDR do
+  subject { Fog::Bouncer::Sources::CIDR }
+
+  it "only supports valid CIDR ranges" do
+    lambda { subject.new("1234.5678.9012.3456/999999", nil) }.must_raise(ArgumentError)
+  end
+end

data/spec/fog/bouncer_spec.rb

@@ -0,0 +1,45 @@
+require "helper"
+
+describe Fog::Bouncer do
+  before do
+    Fog::Bouncer.reset
+    Fog::Mock.reset if Fog.mocking?
+
+    load_security(:private)
+
+    @doorlist = Fog::Bouncer.doorlists[:private]
+    @doorlist.import_remote_groups
+    @fog = Fog::Bouncer.fog
+  end
+
+  it "bounces" do
+    true.must_equal true
+  end
+
+  describe ".security" do
+    it "has a douchebag group" do
+      douchebag = @doorlist.groups.find { |g| g.name == 'douchebag' }
+      douchebag.name.must_equal "douchebag"
+      douchebag.description.must_equal "Don't let them in!"
+
+      source = douchebag.sources.first
+      source.must_be_kind_of Fog::Bouncer::Sources::CIDR
+      source.range.must_equal "1.1.1.1/1"
+
+      protocol = source.protocols.first
+      protocol.must_be_kind_of Fog::Bouncer::Protocols::TCP
+      protocol.from.must_equal 7070
+      protocol.to.must_equal 8080
+    end
+
+    it "has a guido group" do
+      guido = @doorlist.groups.find { |g| g.name == "guido" }
+
+      source = guido.sources.first
+      source.must_be_kind_of Fog::Bouncer::Sources::Group
+      source.user_alias.must_equal "jersey_shore"
+      source.user_id.must_equal ENV['AWS_ACCOUNT_ID']
+      source.name.must_equal "douchebag"
+    end
+  end
+end

data/spec/helper.rb

@@ -0,0 +1,28 @@
+require "simplecov"
+require 'minitest/autorun'
+
+ENV['AWS_ACCESS_KEY_ID'] ||= "abcde1234"
+ENV['AWS_SECRET_ACCESS_KEY'] ||= "abcde1234"
+ENV['AWS_ACCOUNT_ID'] ||= "1234567890"
+
+require "fog/bouncer"
+
+Fog::Bouncer.logger = File.open(File.dirname(__FILE__) + '/../logs/test.log', 'w')
+
+def load_security(security)
+  Fog::Bouncer.load File.dirname(__FILE__) + "/support/security/#{security}.rb"
+end
+
+Fog.mock! unless ENV['FOG_REAL']
+
+MiniTest::Unit.after_tests do
+  Fog::Bouncer.doorlists.each do |name, doorlist|
+    doorlist.groups.each do |group|
+      group.revoke
+    end
+
+    doorlist.groups.each do |group|
+      group.destroy
+    end
+  end
+end

data/spec/support/security/private.rb

@@ -0,0 +1,46 @@
+Fog::Bouncer.security :private do
+  account "jersey_shore", Fog::Bouncer.aws_account_id
+
+  define :ping, "0.0.0.0/0" do
+    icmp :ping
+  end
+
+  define :ssh, "0.0.0.0/0" do
+    tcp 22
+  end
+
+  use :ssh
+
+  group "douchebag", "Don't let them in!" do
+    use :ping
+
+    source "1.1.1.1/1" do
+      tcp 7070..8080, 80
+    end
+
+    source "0.0.0.0/0" do
+      icmp :ping
+    end
+  end
+
+  group "guido", "Definitely don't let them in!" do
+    source "douchebag@jersey_shore" do
+      tcp 7070..8080
+      udp 8081
+    end
+
+    source "other@#{Fog::Bouncer.aws_account_id}" do
+      icmp :all
+    end
+  end
+
+  group "other", "Some other randomness" do
+    source "douchebag" do
+      tcp 80
+    end
+
+    source "douchebag" do
+      udp 8080
+    end
+  end
+end

metadata

@@ -0,0 +1,179 @@
+--- !ruby/object:Gem::Specification
+name: fog-bouncer
+version: !ruby/object:Gem::Version
+  version: 0.0.6
+  prerelease: 
+platform: ruby
+authors:
+- Dylan Egan
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2012-04-12 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: clamp
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 0.3.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 0.3.0
+- !ruby/object:Gem::Dependency
+  name: fog
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 1.2.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 1.2.0
+- !ruby/object:Gem::Dependency
+  name: ipaddress
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 0.8.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 0.8.0
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: scrolls
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 0.0.5
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 0.0.5
+- !ruby/object:Gem::Dependency
+  name: minitest
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+description: A simple way to define and manage security groups for AWS with the backing
+  support of fog.
+email:
+- dylanegan@gmail.com
+executables:
+- fog-bouncer
+extensions: []
+extra_rdoc_files: []
+files:
+- .gitignore
+- .simplecov
+- Gemfile
+- README.md
+- Rakefile
+- bin/fog-bouncer
+- bouncer.jpg
+- fog-bouncer.gemspec
+- lib/fog/bouncer.rb
+- lib/fog/bouncer/cli.rb
+- lib/fog/bouncer/group.rb
+- lib/fog/bouncer/group_manager.rb
+- lib/fog/bouncer/ip_permissions.rb
+- lib/fog/bouncer/protocols.rb
+- lib/fog/bouncer/security.rb
+- lib/fog/bouncer/source.rb
+- lib/fog/bouncer/source_manager.rb
+- lib/fog/bouncer/sources.rb
+- lib/fog/bouncer/version.rb
+- logs/.gitignore
+- spec/fog/bouncer/group_spec.rb
+- spec/fog/bouncer/protocols_spec.rb
+- spec/fog/bouncer/security_spec.rb
+- spec/fog/bouncer/source_spec.rb
+- spec/fog/bouncer/sources/cidr_spec.rb
+- spec/fog/bouncer_spec.rb
+- spec/helper.rb
+- spec/support/security/private.rb
+homepage: ''
+licenses: []
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 1.8.21
+signing_key: 
+specification_version: 3
+summary: A manage security.
+test_files:
+- spec/fog/bouncer/group_spec.rb
+- spec/fog/bouncer/protocols_spec.rb
+- spec/fog/bouncer/security_spec.rb
+- spec/fog/bouncer/source_spec.rb
+- spec/fog/bouncer/sources/cidr_spec.rb
+- spec/fog/bouncer_spec.rb
+- spec/helper.rb
+- spec/support/security/private.rb