lucid-cumulus 0.11.3 → 0.11.4
- checksums.yaml +8 -8
- data/Gemfile.lock +1 -1
- data/README.md +9 -4
- data/lib/aws_extensions/iam/Policy.rb +22 -0
- data/lib/iam/models/PolicyConfig.rb +2 -2
- data/lib/iam/models/ResourceWithPolicy.rb +8 -7
- data/lib/iam/models/StatementConfig.rb +19 -4
- data/lib/security/models/RuleConfig.rb +24 -6
- data/lib/security/models/RuleDiff.rb +2 -1
- data/lucid-cumulus.gemspec +1 -1
- metadata +3 -2
checksums.yaml
CHANGED
@@ -1,15 +1,15 @@
|
|
1
1
|
---
|
2
2
|
!binary "U0hBMQ==":
|
3
3
|
metadata.gz: !binary |-
|
4
|
-
|
4
|
+
ODQ5Zjk4Y2RmOTM0YWQyOTY1NTg1MWRkNDAxZDU1MzkwNmM5OTIzNQ==
|
5
5
|
data.tar.gz: !binary |-
|
6
|
-
|
6
|
+
MjExNzdjZjRjZWViYzhmODBjMzRhZmI1NGUwNmY0N2YxYzc3YzIyYw==
|
7
7
|
SHA512:
|
8
8
|
metadata.gz: !binary |-
|
9
|
-
|
10
|
-
|
11
|
-
|
9
|
+
ZTA0ODEwYTY5ZGM1ZTE1ZDNmNDI4YjBlMTA3MmFiMzliZmE3YjkxZjg0MDZl
|
10
|
+
Y2FmMDdmNzQ4OTEwOGM4YzYwMDUxODdjMTZiM2ZkOTYyZjM5OWVkNzY3ZmJh
|
11
|
+
MGY2NWQxN2M4OTcwYTA3ZWZmOGJjNGRlOTBhOGNkNjViZmNlMDg=
|
12
12
|
data.tar.gz: !binary |-
|
13
|
-
|
14
|
-
|
15
|
-
|
13
|
+
NWI2YmI5ZWVlODI3MjAxMWM4MGVhY2MxOTgzZGVkOGZhZTc0YTk3MWQ2MDA1
|
14
|
+
NTdjNGYxNjdmMWFiNzU5OTdmNWEzYjNmNWI1YmU1YmI4YmJlNzdhMzc2N2Y3
|
15
|
+
MmQyOGE2MWFlNzdiNWRlNjJmOTdjYzkyMjIwMDMyMWIyMmYyMjM=
|
data/Gemfile.lock
CHANGED
data/README.md
CHANGED
@@ -1,12 +1,17 @@
|
|
1
1
|
# cumulus
|
2
2
|
|
3
|
-
[![Build Status](https://travis-ci.org/lucidsoftware/cumulus.svg?branch=master)](https://travis-ci.org/lucidsoftware/cumulus)
|
3
|
+
[![Join the chat at https://gitter.im/lucidsoftware/cumulus](https://badges.gitter.im/lucidsoftware/cumulus.svg)](https://gitter.im/lucidsoftware/cumulus?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge) [![Stories in Ready](https://badge.waffle.io/lucidsoftware/cumulus.png?label=ready&title=Ready)](https://waffle.io/lucidsoftware/cumulus) [![Gem Version](https://badge.fury.io/rb/lucid-cumulus.svg)](https://badge.fury.io/rb/lucid-cumulus) [![Build Status](https://travis-ci.org/lucidsoftware/cumulus.svg?branch=master)](https://travis-ci.org/lucidsoftware/cumulus)
|
4
4
|
|
5
|
-
|
5
|
+
CloudFormation alternative
|
6
6
|
|
7
|
-
|
7
|
+
### Installation
|
8
|
+
|
9
|
+
To install cumulus, open a terminal and type:
|
10
|
+
```bash
|
11
|
+
gem install lucid-cumulus
|
12
|
+
```
|
13
|
+
Optionally, you can set up auto-completion by copying the autocomplete file in the root of the Cumulus repo to /etc/bash_completion.d/cumulus
|
8
14
|
|
9
|
-
CloudFormation alternative
|
10
15
|
|
11
16
|
### Usage
|
12
17
|
|
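--- a/data/lib/aws_extensions/iam/Policy.rb
+++ b/data/lib/aws_extensions/iam/Policy.rb
@@ -0,0 +1,22 @@
+require "json"
+require "deepsort"
+
+module AwsExtensions
+  module IAM
+    module Policy
+      def as_hash
+        # Sort the statments to prevent false conflicts while diffing
+        sorted_policy = JSON.parse(URI.unescape(policy_document)).deep_sort
+        sorted_policy["Statement"].each do |statement|
+          # actions sometimes contains a single string element instead of the expected array
+          statement["Action"] = [statement["Action"]] if statement["Action"].is_a? String
+          # resources sometimes contains a single string element instead of the expected array
+          statement["Resource"] = [statement["Resource"]] if statement["Resource"].is_a? String
+        end
+        # return the sorted policy hash
+        sorted_policy
+      end
+    end
+  end
+end
+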
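Review bot: `URI.unescape` on line 9 of the new file has no matching `require "uri"` (only `json` and `deepsort` are required at the top), and that method has been obsolete for a long time and is removed in Ruby 3.0, so the mixin will not load on a current interpreter; `URI::DEFAULT_PARSER.unescape(policy_document)` together with `require "uri"` keeps the same decoding. `sorted_policy["Statement"].each` also assumes Statement is an Array, while the loop body itself acknowledges that Action and Resource can arrive as a bare String; if a document ever carries a single statement object the `.each` call raises, so an `is_a? Hash` wrap one level up (in the style of the two `is_a? String` lines below it) would be worth adding. The header comment's `statments` should read `statements`.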
@@ -4,11 +4,18 @@ require "iam/models/IamDiff"
|
|
4
4
|
require "iam/models/PolicyConfig"
|
5
5
|
require "iam/models/StatementConfig"
|
6
6
|
require "util/Colors"
|
7
|
+
require "deepsort"
|
8
|
+
require "aws_extensions/iam/Policy"
|
7
9
|
|
8
10
|
require "json"
|
9
11
|
|
10
12
|
module Cumulus
|
11
13
|
module IAM
|
14
|
+
# Monkey patch the bucket so that it can get the bucket's replication configuration
|
15
|
+
Aws::IAM::UserPolicy.send(:include, AwsExtensions::IAM::Policy)
|
16
|
+
Aws::IAM::RolePolicy.send(:include, AwsExtensions::IAM::Policy)
|
17
|
+
Aws::IAM::GroupPolicy.send(:include, AwsExtensions::IAM::Policy)
|
18
|
+
|
12
19
|
# Public: Represents a configuration for a resource that has attached policies.
|
13
20
|
# Lazily loads its static and template policies as needed. Is the base class for
|
14
21
|
# groups, roles, and users.
|
@@ -168,13 +175,7 @@ module Cumulus
|
|
168
175
|
diffs = []
|
169
176
|
|
170
177
|
aws_policies = Hash[aws_resource.policies.map do |policy|
|
171
|
-
|
172
|
-
sorted_policy["Statement"].each do |statement|
|
173
|
-
# Sort the statments before diffing to prevent false conflicts
|
174
|
-
statement["Action"].sort!
|
175
|
-
statement["Resource"].sort!
|
176
|
-
end
|
177
|
-
[policy.name, sorted_policy]
|
178
|
+
[policy.name, policy.as_hash]
|
178
179
|
end]
|
179
180
|
p = policy
|
180
181
|
p.name = generated_policy_name
|
@@ -12,8 +12,23 @@ module Cumulus
|
|
12
12
|
# json - the Hash containing the JSON configuration for this StatementConfig
|
13
13
|
def initialize(json)
|
14
14
|
@effect = json["Effect"]
|
15
|
-
|
16
|
-
@
|
15
|
+
# Action and Resource elements are sometimes strings instead of arrays of strings.
|
16
|
+
@action = if json["Action"].is_a? Array
|
17
|
+
json["Action"].sort
|
18
|
+
elsif json["Action"].is_a? String
|
19
|
+
# convert single element strings into arrays
|
20
|
+
json["Action"] = [json["Action"]]
|
21
|
+
else
|
22
|
+
raise Exception.new("invalid policy statement resource")
|
23
|
+
end
|
24
|
+
@resource = if json["Resource"].is_a? Array
|
25
|
+
json["Resource"].sort
|
26
|
+
elsif json["Resource"].is_a? String
|
27
|
+
# convert single element strings into arrays
|
28
|
+
json["Resource"] = [json["Resource"]]
|
29
|
+
else
|
30
|
+
raise Exception.new("invalid policy statement resource")
|
31
|
+
end
|
17
32
|
@condition = json["Condition"]
|
18
33
|
end
|
19
34
|
|
@@ -22,12 +37,12 @@ module Cumulus
|
|
22
37
|
#
|
23
38
|
# Returns the Hash representing this StatementConfig.
|
24
39
|
def as_hash
|
25
|
-
{
|
40
|
+
Hash[{
|
26
41
|
"Effect" => @effect,
|
27
42
|
"Action" => @action,
|
28
43
|
"Resource" => @resource,
|
29
44
|
"Condition" => @condition
|
30
|
-
}.reject { |k, v| v.nil? }
|
45
|
+
}.sort].reject { |k, v| v.nil? }
|
31
46
|
end
|
32
47
|
|
33
48
|
end
|
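Review bot: Both new `else` branches in `initialize` raise `Exception.new(...)`, which a plain `rescue` does not catch, and the Action branch reuses the Resource message (`"invalid policy statement resource"`); `ArgumentError` with a per-field message is the conventional choice. The String branches also differ from the Array branches in that they assign into the caller's `json` hash (`json["Action"] = [json["Action"]]`) instead of only building the normalized value, and they skip `.sort`, which is harmless for a single element but makes the two branches read inconsistently. Unless something downstream relies on `json` being normalized in place, the rewrite below gives the same values without the side effect; the `as_hash` hunk is unaffected.
```ruby
    def initialize(json)
      @effect = json["Effect"]
      # Action and Resource elements are sometimes strings instead of arrays of strings.
      action, resource = json["Action"], json["Resource"]
      raise ArgumentError, "invalid policy statement action" unless action.is_a?(Array) || action.is_a?(String)
      raise ArgumentError, "invalid policy statement resource" unless resource.is_a?(Array) || resource.is_a?(String)
      @action = Array(action).sort
      @resource = Array(resource).sort
      @condition = json["Condition"]
    end
```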
@@ -57,9 +57,15 @@ module Cumulus
|
|
57
57
|
rule_hash = json.clone
|
58
58
|
|
59
59
|
if port.is_a? String
|
60
|
-
|
61
|
-
|
62
|
-
|
60
|
+
if port.downcase == "all"
|
61
|
+
# to include 'all' ports, aws expects both the from-port and the to-port to be nil
|
62
|
+
rule_hash["from-port"] = nil
|
63
|
+
rule_hash["to-port"] = nil
|
64
|
+
else
|
65
|
+
parts = port.split("-").map(&:strip)
|
66
|
+
rule_hash["from-port"] = parts[0].to_i
|
67
|
+
rule_hash["to-port"] = parts[1].to_i
|
68
|
+
end
|
63
69
|
else
|
64
70
|
rule_hash["from-port"] = port
|
65
71
|
rule_hash["to-port"] = port
|
@@ -87,9 +93,21 @@ module Cumulus
|
|
87
93
|
end
|
88
94
|
|
89
95
|
@security_groups = if !json["security-groups"].nil? then json["security-groups"] else [] end
|
90
|
-
@subnets =
|
91
|
-
|
92
|
-
|
96
|
+
@subnets = unless json["subnets"].nil?
|
97
|
+
# interpret single strings as a string within an array
|
98
|
+
# subnets: "0.0.0.0/0"
|
99
|
+
# is the same as:
|
100
|
+
# subnets: [
|
101
|
+
# "0.0.0.0/0"
|
102
|
+
# ]
|
103
|
+
if json["subnets"].is_a?(String)
|
104
|
+
[json["subnets"]]
|
105
|
+
else
|
106
|
+
json["subnets"]
|
107
|
+
end.flat_map do |subnet|
|
108
|
+
if subnet.downcase == "all"
|
109
|
+
"0.0.0.0/0" # all subnets according to aws sdk
|
110
|
+
elsif subnet.match(/\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}\/\d+/).nil?
|
93
111
|
Loader.subnet_group(subnet)
|
94
112
|
else
|
95
113
|
subnet
|
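Review bot: The CIDR test added in the second hunk, `subnet.match(/\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}\/\d+/)`, leaves the dots unescaped and is unanchored, so any value that merely contains a CIDR-looking substring is passed through as a literal subnet (the `else` branch, which lies outside the hunk) instead of being resolved through `Loader.subnet_group`; anchoring and escaping, `elsif subnet.match(/\A\d{1,3}(?:\.\d{1,3}){3}\/\d{1,2}\z/).nil?`, makes the decision between "literal CIDR" and "named group" exact. In the first hunk, `parts[0].to_i` and `parts[1].to_i` turn a port string with a non-numeric part, or one without a dash at all, into port 0 rather than an error; `Integer(parts[0], 10)` / `Integer(parts[1], 10)` would raise on malformed input instead, assuming the String form is meant to be a range (if a bare `"80"` is meant to be accepted, fall back to `parts[0]` for the to-port explicitly). The `@subnets = unless ...` expression continues past the end of the hunk.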
@@ -53,6 +53,7 @@ module Cumulus
|
|
53
53
|
# yes, for real, AWS returns the STRING "-1" if all protocols are allowed
|
54
54
|
protocol = if config.protocol == "-1" then "All" else config.protocol end
|
55
55
|
allowed = (config.security_groups + config.subnets).join(", ")
|
56
|
+
allowed = "all addresses" if allowed == "0.0.0.0/0"
|
56
57
|
|
57
58
|
temp = "Allowed: #{allowed}, Protocol: #{protocol}, "
|
58
59
|
if protocol.downcase == "icmp"
|
@@ -60,7 +61,7 @@ module Cumulus
|
|
60
61
|
elsif config.from != config.to
|
61
62
|
temp << "Ports: #{config.from}-#{config.to}"
|
62
63
|
elsif config.from.nil?
|
63
|
-
temp << "Ports:
|
64
|
+
temp << "Ports: all"
|
64
65
|
else
|
65
66
|
temp << "Port: #{config.from}"
|
66
67
|
end
|
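Review bot: `allowed = "all addresses" if allowed == "0.0.0.0/0"` in the first hunk only rewrites the label when 0.0.0.0/0 is the sole entry; a rule that lists it next to a security group or another CIDR still prints the literal, so the same open-to-the-world source is described two different ways in diff output. Substituting per element before the join keeps the wording consistent: `allowed = (config.security_groups + config.subnets).map { |a| a == "0.0.0.0/0" ? "all addresses" : a }.join(", ")`. The method containing these lines starts and ends outside the hunk.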
data/lucid-cumulus.gemspec
CHANGED
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: lucid-cumulus
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.11.
|
4
|
+
version: 0.11.4
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Keilan Jackson
|
@@ -9,7 +9,7 @@ authors:
|
|
9
9
|
autorequire:
|
10
10
|
bindir: bin
|
11
11
|
cert_chain: []
|
12
|
-
date: 2016-08-
|
12
|
+
date: 2016-08-15 00:00:00.000000000 Z
|
13
13
|
dependencies:
|
14
14
|
- !ruby/object:Gem::Dependency
|
15
15
|
name: aws-sdk
|
@@ -93,6 +93,7 @@ files:
|
|
93
93
|
- lib/aws_extensions/ec2/VpcEndpoint.rb
|
94
94
|
- lib/aws_extensions/elb/BackendServerDescription.rb
|
95
95
|
- lib/aws_extensions/elb/PolicyDescription.rb
|
96
|
+
- lib/aws_extensions/iam/Policy.rb
|
96
97
|
- lib/aws_extensions/kinesis/StreamDescription.rb
|
97
98
|
- lib/aws_extensions/route53/AliasTarget.rb
|
98
99
|
- lib/aws_extensions/s3/Bucket.rb
|