portalign 0.1.0

data/LICENSE.md

@@ -0,0 +1,9 @@
+(The MIT License)
+
+Copyright (c) 2012 The Agile League, LLC
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the 'Software'), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,95 @@
+portalign
+=========
+By Micah Wedemeyer of [The Agile League](http://agileleague.com)
+
+
+Summary
+=======
+A tool to automatically add and remove your current IP address to Amazon EC2 security groups.
+
+Description
+===========
+
+It's good policy to keep your security groups as restrictive as
+possible. But, as is often the case with security, convenience suffers
+as you get more secure. portalign is a tool that allows you to maintain
+restrictive policies in your security groups while also giving
+convenient access.
+
+With portalign, you can easily update a security group to add your
+current IP address to the list of allowed IPs for a port (usually 22).
+So, instead of complicated port knocking schemes or ssh tunnelling 
+through other allowed EC2 nodes, you can ssh directly in to your machine
+normally.
+
+When you're done working on the node, portalign can restore the policy back to extreme strictness. Enable the port, do your work, disable the port. Easy and secure.
+
+Quick Start
+===========
+
+* gem install portalign
+* create a .portalign.yml file in your current project with your AWS
+  credentials and the security group.
+* portalign
+* ssh me@myserver (do what you need to on the server)
+* portalign -d (to remove the authorization when you're done)
+
+
+Installation
+============
+
+* gem install portalign
+
+Configuration
+=============
+
+The preferred configuration method is using a .portalign.yml file. It
+will look for one in $HOME/.portalign.yml and $PWD/.portalign.yml  Any
+settings found in the current directory will override those in the $HOME
+directory. So, if you have multiple projects with different security
+groups, you can set your AWS credentials in one file (in $HOME) and put
+the various security groups in configuration files in each project.
+
+Example File:
+
+    access_key_id: "acb1234"
+    secret_access_key: "1234abc"
+    security_groups:
+    - "mygroup"
+    - "othergroup"
+    ports:
+    - 22
+    - 8080
+    - 10000
+
+Note: As you're probably aware, your AWS credentials are the keys to the kingdom. It's a good idea to restrict and protect the .portalign.yml file as you would a private key. chmod 600 is a good start.
+
+Configuration Options
+---------------------
+* access_key_id - AWS access key
+* secret_access_key - AWS secret access key
+* security_groups - A list of EC2 security groups (by name, not id)
+* ports - A list of ports to open (defaults to 22)
+* protocol - The protocol (tcp, udp, icmp), defaults to tcp
+
+Usage
+=====
+To add your current IP to the security group
+
+    portalign
+
+To add 0.0.0.0/0 (wide open, allow any IP) to the security group
+
+    portalign -w
+
+To remove your current IP (and 0.0.0.0/0) from the security group
+
+    portalign -d
+    
+You can also specify many configuration options on the command line. Those specified on the command line will override anything from a config file.
+
+    portalign --access-key-id=abc123 --secret-access-key=123abc --ports=22,80 --security-groups=mygroup,othergroup
+
+License
+-------
+See LICENSE.md for details.

data/Rakefile

@@ -0,0 +1,4 @@
+require 'rspec/core/rake_task'
+RSpec::Core::RakeTask.new(:spec)
+
+task :default => :spec

data/bin/portalign

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require File.expand_path(File.join(File.dirname(__FILE__), %w[.. lib portalign]))
+require File.expand_path(File.join(File.dirname(__FILE__), %w[.. lib portalign config]))
+
+args = ARGV
+config = Portalign.build_config(args)
+valid, msg = Portalign.validate_config(config)
+if valid
+  Portalign.run(config)
+else
+  puts msg
+  exit
+end

data/lib/portalign/config.rb

@@ -0,0 +1,93 @@
+require 'yaml'
+require 'optparse'
+
+class Portalign
+  module Config
+    CONFIG_FILE_NAME = ".portalign.yml"
+    CONFIG_FILE_PATHS = ["#{ENV["HOME"]}/#{CONFIG_FILE_NAME}", "#{CONFIG_FILE_NAME}"]
+
+    def self.load_from_file
+      {}.tap do |config|
+        config_file_paths.each do |config_path|
+          if File.exist?(config_path)
+            YAML.load_file(config_path).each do |k,v|
+              config[k.to_sym] = v
+            end
+          end
+        end
+
+        %w(ports security_groups).each {|opt| force_array(config, opt)}
+      end
+    end
+
+    def self.parse_opts(args)
+      {}.tap do |config|
+        opts = OptionParser.new do |opts|
+          opts.banner = "Usage: portalign [options]"
+          opts.separator ""
+          opts.separator "General options:"
+          opts.on("--access-key-id=ACCESS_KEY_ID", "The AWS access key id. Better to specify in a config file. See README") do |access_key_id|
+            config[:access_key_id] = access_key_id
+          end
+          opts.on("--secret-access-key=SECRET_ACCESS_KEY", "The AWS secret access key. Better to specify in a config file. See README") do |secret_access_key|
+            config[:secret_access_key] = secret_access_key 
+          end
+          opts.on("-p PORTS", "--ports=PORTS", Array, "A comma delimited list of ports to align. Defaults to 22") do |ports|
+            config[:ports] = ports.map(&:to_i)
+          end
+          opts.on("-s SECURITY_GROUPS", "--security_groups=SECURITY_GROUPS", Array, "A comma delimited list of security groups to update.") do |security_groups|
+            config[:security_groups] = security_groups
+          end
+          opts.on("--protocol=PROTOCOL", [:tcp, :udp, :icmp], "The protocol to use. Defaults to tcp.") do |protocol|
+            config[:protocol] = protocol
+          end
+          opts.on("-d", "--deauthorize", "Remove the current IP (and 0.0.0.0/0) from the security groups.") do |deauthorize|
+            config[:deauthorize] = deauthorize
+          end
+          opts.on("-w", "--wide", "Authorizes 0.0.0.0/0 in the security groups.") do |wide|
+            config[:wide] = wide
+          end
+          opts.separator ""
+          opts.separator "Common options:"
+          opts.on_tail("-h", "--help", "Show this message") do
+            puts opts
+            exit
+          end
+          opts.on_tail("-v", "--version", "Show version") do
+            puts "portalign v#{Portalign::VERSION}"
+            exit
+          end
+        end
+
+        opts.parse!(args)
+
+        %w(ports security_groups).each {|opt| force_array(config, opt)}
+      end
+    end
+
+    def self.validate_config(config)
+      unless config.keys.include?(:access_key_id) && config.keys.include?(:secret_access_key)
+        return [false, "You must specify an AWS access_key_id and secret_access_key"]
+      end
+
+      unless config[:security_groups] && config[:security_groups].any?
+        return [false, "You must specify at least one security group."]
+      end
+
+      true
+    end
+
+    protected
+
+    def self.config_file_paths
+      CONFIG_FILE_PATHS
+    end
+
+    def self.force_array(config, option)
+      option = option.to_sym
+      if config[option]
+        config[option] = config[option].is_a?(Array) ? config[option] : [config[option]]
+      end
+    end
+  end
+end

data/lib/portalign/version.rb

@@ -0,0 +1,3 @@
+class Portalign
+  VERSION = "0.1.0"
+end

data/lib/portalign.rb

@@ -0,0 +1,102 @@
+require "open-uri"
+require "aws"
+
+require File.join(File.dirname(__FILE__), "portalign", "version")
+require File.join(File.dirname(__FILE__), "portalign", "config")
+
+class Portalign
+  CHECK_IP_URL = "http://checkip.dyndns.org"
+  CHECK_IP_REGEX = /(\d+\.){3}\d+/
+
+  NARROW_CIDR = "32"
+  WIDE_IP = "0.0.0.0"
+  WIDE_CIDR = "0"
+
+  def self.build_config(args)
+    {
+      :ports => [22],
+      :wide => false,
+      :deauthorize => false,
+      :protocol => "tcp"
+    }.merge!(Config.load_from_file).merge!(Config.parse_opts(args))
+  end
+
+  def self.validate_config(config)
+    Config.validate_config(config)
+  end
+
+  def self.run(config)
+    unless config[:wide]
+      ip_address = resolve_ip
+      exit unless ip_address
+      puts "Resolved local IP to #{ip_address}"
+    end
+
+    ec2 = ec2_instance(config[:access_key_id], config[:secret_access_key])
+
+    if config[:deauthorize]
+      deauthorize_ingress(ec2, ip_address, NARROW_CIDR, config[:security_groups], config[:ports], config[:protocol])
+    elsif config[:wide]
+      authorize_ingress(ec2, WIDE_IP, WIDE_CIDR, config[:security_groups], config[:ports], config[:protocol])
+    else
+      authorize_ingress(ec2, ip_address, NARROW_CIDR, config[:security_groups], config[:ports], config[:protocol])
+    end
+  end
+
+  def self.authorize_ingress(ec2, ip_address, cidr, security_groups, ports, protocol)
+    security_groups.each do |security_group|
+      ports.each do |port|
+        puts "Authorizing #{ip_address}/#{cidr} for #{security_group} on port #{port}"
+        begin
+          ec2.authorize_security_group_IP_ingress(security_group, port, port, protocol, "#{ip_address}/#{cidr}")
+        rescue Aws::AwsError => e
+          # It will throw an error if already authorized, but that's OK
+          # with us.
+          unless e.message =~ /has already been authorized/
+            raise
+          end
+        end
+      end
+    end
+  end
+
+  def self.deauthorize_ingress(ec2, ip_address, cidr, security_groups, ports, protocol)
+    security_groups.each do |security_group|
+      ports.each do |port|
+        # We deauthorize both the specific IP and also the wide open IP
+        puts "Deauthorizing #{ip_address}/#{cidr} for #{security_group} on port #{port}"
+        ec2.revoke_security_group_IP_ingress(security_group, port, port, protocol, "#{ip_address}/#{cidr}")
+
+        puts "Deauthorizing #{WIDE_IP}/#{WIDE_CIDR} for #{security_group} on port #{port}"
+        ec2.revoke_security_group_IP_ingress(security_group, port, port, protocol, "#{WIDE_IP}/#{WIDE_CIDR}")
+      end
+    end
+  end
+
+  def self.resolve_ip
+    # TODO: Perhaps have several services in case one is down?
+    begin
+      parse_checkip(call_checkip)
+    rescue Exception => e
+      puts "Unable to resolve local IP address. Exiting."
+      puts "Error: #{e.message}"
+      false
+    end
+  end
+
+  protected
+
+  def self.ec2_instance(access_key_id, secret_access_key)
+    logger = Logger.new(File.new("/dev/null", "w"))
+    @ec2_instance ||= Aws::Ec2.new(access_key_id, secret_access_key, :logger => logger)
+  end
+
+  def self.call_checkip
+    open(CHECK_IP_URL).read
+  end
+
+  def self.parse_checkip(response)
+    match_data = CHECK_IP_REGEX.match(response)
+    match_data ? match_data[0] : nil
+  end
+end

data/spec/portalign/config_spec.rb

@@ -0,0 +1,57 @@
+require 'spec_helper'
+require 'tempfile'
+
+describe Portalign::Config do
+  let(:access_key_id) { "123abc" }
+  let(:secret_access_key) { "abc123" }
+  let(:ports) { [22,80] }
+  let(:security_groups) { ["mygroup"] }
+
+  context "reading from the YAML files" do
+
+    let(:config1) do
+      t = Tempfile.new("config1")
+      t.write("access_key_id: wrong_key\n")
+      t.write("secret_access_key: wrong_key\n")
+      t.write("security_groups: #{security_groups.join(',')}\n")
+      t.close
+      t
+    end
+
+    let(:config2) do
+      t = Tempfile.new("config2")
+      t.write("access_key_id: #{access_key_id}\n")
+      t.write("secret_access_key: #{secret_access_key}\n")
+      t.write("ports:\n")
+      ports.each { |p| t.write("- #{p}\n") }
+      t.close
+      t
+    end
+
+    before do
+      Portalign::Config.stub(:config_file_paths).and_return([config1.path, config2.path])
+    end
+
+    it "should parse the files in order" do
+      Portalign::Config.load_from_file.should == {
+        :access_key_id => access_key_id,
+        :secret_access_key => secret_access_key,
+        :ports => ports,
+        :security_groups => security_groups
+      }
+    end
+
+  end
+
+  context "parsing the CLI options" do
+    let(:args) { "--access-key-id=#{access_key_id} --secret-access-key #{secret_access_key} --ports=#{ports.join(',')} -s #{security_groups.join(',')}".split(/\s/) }
+    it "should extract all the options" do
+      Portalign::Config.parse_opts(args).should == {
+        :access_key_id => access_key_id,
+        :secret_access_key => secret_access_key,
+        :ports => ports,
+        :security_groups => security_groups
+      }
+    end
+  end
+end

data/spec/portalign_spec.rb

@@ -0,0 +1,77 @@
+require 'spec_helper'
+
+describe Portalign do
+
+  let(:portalign_config) do
+    {
+      :access_key_id => "54321",
+      :secret_access_key => "12345",
+      :security_groups => "portalign",
+      :ports => 22,
+      :protocol => "tcp"
+    }
+  end
+
+  let(:current_ip) { "66.56.44.38" }
+
+  let(:checkip_response) do
+    "<html><head><title>Current IP Check</title></head><body>Current IP Address: #{current_ip}</body></html>"
+  end
+
+  let(:ec2_instance) { stub("ec2_instance") }
+
+  before do
+    Portalign.stub(:call_checkip).and_return(checkip_response)
+  end
+
+  context "#resolve_ip" do
+    it "should call checkip" do
+      Portalign.should_receive(:call_checkip).and_return(checkip_response)
+      Portalign.resolve_ip
+    end
+
+    it "should get the correct IP address" do
+      Portalign.resolve_ip.should == current_ip
+    end
+  end
+
+  context "#authorize_ingress" do
+    context "successfully" do
+      it "should update the security group" do
+        ec2_instance.should_receive(:authorize_security_group_IP_ingress).with(
+          portalign_config[:security_groups],
+          portalign_config[:ports],
+          portalign_config[:ports],
+          "tcp",
+          "#{current_ip}/32"
+        )
+
+        Portalign.authorize_ingress(ec2_instance, current_ip, Portalign::NARROW_CIDR, [portalign_config[:security_groups]], [portalign_config[:ports]], portalign_config[:protocol])
+      end
+    end
+  end
+
+  context "#deauthorize_ingress" do
+    context "successfully" do
+      it "should update the security group" do
+        ec2_instance.should_receive(:revoke_security_group_IP_ingress).with(
+          portalign_config[:security_groups],
+          portalign_config[:ports],
+          portalign_config[:ports],
+          "tcp",
+          "#{current_ip}/32"
+        )
+
+        ec2_instance.should_receive(:revoke_security_group_IP_ingress).with(
+          portalign_config[:security_groups],
+          portalign_config[:ports],
+          portalign_config[:ports],
+          "tcp",
+          "0.0.0.0/0"
+        )
+
+        Portalign.deauthorize_ingress(ec2_instance, current_ip, Portalign::NARROW_CIDR, [portalign_config[:security_groups]], [portalign_config[:ports]], portalign_config[:protocol])
+      end
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,9 @@
+require 'rspec'
+
+require File.join(File.dirname(__FILE__), '..', 'lib', 'portalign')
+
+RSpec.configure do |config|
+  config.color_enabled = true
+  config.formatter = 'progress'
+end
+

metadata

@@ -0,0 +1,93 @@
+--- !ruby/object:Gem::Specification
+name: portalign
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+  prerelease: 
+platform: ruby
+authors:
+- Micah Wedemeyer
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2012-05-28 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: aws
+  requirement: &70273097692780 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - =
+      - !ruby/object:Gem::Version
+        version: 2.5.6
+  type: :runtime
+  prerelease: false
+  version_requirements: *70273097692780
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: &70273097692380 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: *70273097692380
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: &70273097691800 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 2.10.0
+  type: :development
+  prerelease: false
+  version_requirements: *70273097691800
+description: Easily set and unset your current IP as an allowed ingress for a given
+  EC2 security group. This allows you to securely close port 22 (or whatever you use
+  for SSH) except for your current exact IP.
+email: micah@agileleague.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- lib/portalign/config.rb
+- lib/portalign/version.rb
+- lib/portalign.rb
+- bin/portalign
+- Rakefile
+- LICENSE.md
+- README.md
+- spec/portalign/config_spec.rb
+- spec/portalign_spec.rb
+- spec/spec_helper.rb
+homepage: http://github.com/agileleague/portalign
+licenses: []
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: 1.3.6
+requirements: []
+rubyforge_project: 
+rubygems_version: 1.8.15
+signing_key: 
+specification_version: 3
+summary: A tool to automatically add and remove your current IP address to Amazon
+  EC2 security groups.
+test_files:
+- spec/portalign/config_spec.rb
+- spec/portalign_spec.rb
+- spec/spec_helper.rb