reyes 0.0.1 → 0.0.2

checksums.yaml

@@ -1,15 +1,15 @@
 ---
 !binary "U0hBMQ==":
   metadata.gz: !binary |-
-    NzY1ODgzMDM4Yjg5ODIwZjMxNjAwNmY0OTQ5MTQ5NDM1YjExYjEyNw==
+    N2YwMTQ0NDA3OWVjMjQ3MTRkZWI4MTA3YTBlNWU3MTlhMDU5NzA2NA==
   data.tar.gz: !binary |-
-    ODFmZTNiYTg5ZTU1YjI4NTk2NmE0MmQwN2U2ZTMxMWJlNjM3NDZjNQ==
+    MTM4NmQwZmVhY2EwOWJkZGQwODYzM2FkMDJiZGJkNDYyOTQ4NDFkZg==
 SHA512:
   metadata.gz: !binary |-
-    NmEzNmNiZmM5ZWZiOTA1YzgxN2I5ZjIwNDkxYTExZWZkYzVmNTQzMWM2OGE5
-    YjkxYWFlZTkyY2JmYWY3ZmViZWQxOWMxMzY0NjI1ZWZkOTg3OGQwNzkxMDIz
-    OTMyZDIwZDAwYjg2NGQwMmJiZTkxMTc1YzdiOGQ2MjdhMWY3YjA=
+    NzNlN2IwMmMxNmUyNjkxMGYzYjljMTgyMTUwMDU5MjIwOTlmYTdiZmVhODBi
+    OWVhYzJiM2FiNjMzM2U5N2Q0NzIwYmEyNzAwYjQyOWNjMGQ2ZWYwZDE0MDFm
+    NzgyZTcwNzlkMzY3NDhjMTYxMWY1YTViMTU1MzVhZjc2NzBmZTc=
   data.tar.gz: !binary |-
-    YTM4YWVhYzhkOGUyNTcyNDgzZDQ5ZjdhZmViMzU2OGU0YzExY2RhZTI4M2Iz
-    ZTBmYjg4ZDEzMDczOGQ5ODA1ZDI3NWVkMDg5ZWZjN2VhOGFlMjk0Nzk3OWU0
-    OTM3YzIxYTZjNDEwYjhjNDkzY2Y5MzNjMWZmYjNmOTk2ODc3ODc=
+    YjY5MTg0Y2RlYjBhMzlkZjA5Yjc1ZDkyZDgwMzdmMDVjYWNlNjEzNmE2MDVj
+    MDMwMzBiZDg4Nzc5NWM1ZjUzNDkzNzQ3YzQwMWY1NGMxMmU4MzJjMTcyYWY5
+    ODY5YzIwYmVkYWNmYWI4NjZiZWZjNDM1ZmZkZjFiOGExYjNhZmY=

data/.gitignore

@@ -0,0 +1,2 @@
+/pkg/
+Gemfile.lock

data/.rubocop-disables.yml

@@ -0,0 +1,11 @@
+Style/Documentation:
+  Enabled: false
+
+Style/BracesAroundHashParameters:
+  Enabled: false
+
+Style/EmptyLines:
+  Enabled: false
+
+Style/EmptyLinesAroundClassBody:
+  Enabled: false

data/.rubocop.yml

@@ -0,0 +1,17 @@
+inherit_from:
+  - .rubocop-disables.yml
+
+Style/SpaceAroundEqualsInParameterDefault:
+  EnforcedStyle: no_space
+
+Style/TrailingComma:
+  EnforcedStyleForMultiline: comma
+
+Style/SignalException:
+  EnforcedStyle: only_raise
+
+AllCops:
+  Include:
+    - '**/Rakefile'
+  Exclude:
+    - Gemfile

data/README.md

@@ -1,7 +1,17 @@
 Reyes
 =====
 
-![Pt. Reyes Lighthouse](http://upload.wikimedia.org/wikipedia/commons/5/56/Point_Reyes_Lighthouse_%28April_2012%29.jpg)
+![Pt. Reyes Lighthouse](http://upload.wikimedia.org/wikipedia/commons/thumb/5/56/Point_Reyes_Lighthouse_%28April_2012%29.jpg/1266px-Point_Reyes_Lighthouse_%28April_2012%29.jpg)
 
 Reyes populates IPTables firewall rules based on EC2 security group rules.
+Named after the Pt. Reyes Lighthouse, which shines light through the fog,
+preventing your ships from crashing on the rocks as they make their way to
+port.
 
+Use Case
+--------
+
+Reyes is designed to apply security group rules to IPsec VPN traffic that would
+otherwise be injected past security group protection. This is useful for
+enforcing firewalls on VPNs between EC2 instances and security groups in other
+VPCs, even in other regions.

data/bin/reyes

@@ -0,0 +1,95 @@
+#!/usr/bin/env ruby
+require 'optparse'
+require_relative '../lib/reyes'
+
+def command_dump(options)
+  instance_id = options.fetch(:instance_id)
+  region = options.fetch(:region)
+  g = Reyes::GroupManager.new(region, instance_id, options[:config])
+
+  AWS.memoize do
+    puts g.do_stuff.to_yaml
+  end
+end
+
+def command_install(options)
+  instance_id = options.fetch(:instance_id)
+  region = options.fetch(:region)
+  AWS.memoize do
+    g = Reyes::GroupManager.new(region, instance_id, options[:config])
+
+    options[:run_options][:interactive] = true # TODO
+    options[:run_options][:log_accept] = true # TODO
+
+    g.run!(options.fetch(:run_options))
+
+    if options[:prune]
+      g.prune_ipsets
+      # g.prune_iptables_rules
+    end
+  end
+
+end
+
+
+def parse_args
+  options = {
+    :region => 'us-west-1',
+    :run_options => {},
+  }
+
+  optparse = OptionParser.new do |opts|
+    opts.banner = <<-EOM
+usage: #{File.basename($0)} [options]
+
+Manipulate IPTables rules based on EC2 security groups.
+
+For example:
+
+  #{File.basename($0)} --prune --install $(facter -p ec2_instance_id)
+
+Options:
+    EOM
+
+    opts.on('-c', '--config CONFIG', 'YAML config file') do |config|
+      options[:config] = config
+    end
+
+    opts.on('--region REGION', 'Set EC2 region') do |region|
+      options[:region] = region
+    end
+
+    opts.on('--prune', 'Prune old generations after creating rules') do
+      options[:prune] = true
+    end
+
+    opts.on('--install INSTANCE_ID', 'Configure this instance as INSTANCE_ID') do |id|
+      options[:command] = :install
+      options[:instance_id] = id
+    end
+
+    opts.on('--empty', 'Generate empty (default DROP) rules') do
+      options[:run_options][:empty] = true
+    end
+
+    opts.on('-h', '--help', 'Display this help message') do
+      STDERR.puts opts
+      exit 0
+    end
+  end
+
+  optparse.parse!
+
+  case options[:command]
+  when :dump
+    command_dump(options)
+  when :install
+    command_install(options)
+  else
+    STDERR.puts optparse
+    STDERR.puts "\nError: Must provide a command"
+    exit 1
+  end
+end
+
+parse_args

data/config.yaml.example

@@ -0,0 +1,13 @@
+---
+aws:
+  credentials:
+    :access_key_id: AKIAAAAAAAAAAAAAAAAA
+    :secret_access_key: zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
+
+  regions:
+    - us-west-1
+    - us-west-2
+
+  vpcs:
+    - [us-west-2, vpc-abcdef12]
+

data/lib/reyes.rb

@@ -1,4 +1,19 @@
+require 'set'
+require 'yaml'
+
+require 'chalk-log'
+require 'subprocess'
+
 module Reyes
 end
 
 require_relative './reyes/version'
+require_relative './reyes/errors'
+
+require_relative './reyes/aws_manager'
+require_relative './reyes/config'
+require_relative './reyes/group_manager'
+require_relative './reyes/group_tools'
+require_relative './reyes/ipset'
+require_relative './reyes/iptables'
+require_relative './reyes/run_generation'

data/lib/reyes/aws_manager.rb

@@ -0,0 +1,116 @@
+require 'aws-sdk'
+
+module Reyes
+  class AwsManager
+    class Error < Reyes::Error; end
+
+    include Chalk::Log
+
+    def self.with_retries(retries=5, delay=2)
+      raise ArgumentError.new('Block is required') unless block_given?
+      begin
+        yield
+      rescue AWS::EC2::Errors::RequestLimitExceeded => err
+        log.warn(err.inspect)
+        if retries > 0
+          retries -= 1
+          sleep delay
+          retry
+        else
+          raise
+        end
+      end
+    end
+
+    def initialize(config_path=nil)
+      @config ||= Reyes::Config.new(config_path)
+    end
+
+    def ec2(region)
+      connections.fetch(:ec2).fetch(region)
+    end
+
+    def connections
+      @connections ||= connect!
+    end
+
+    def regions
+      aws_config.fetch('regions')
+    end
+
+    def vpcs
+      return @vpcs if @vpcs
+
+      @vpcs = aws_config.fetch('vpcs').map do |row|
+        unless row.length == 2
+          raise Error.new("Invalid VPC row: #{row.inspect}")
+        end
+
+        region, vpc_id = row
+        vpc = ec2(region).vpcs[vpc_id]
+
+        # warm cidr_block cache & ensure VPC exists
+        vpc.cidr_block
+
+        vpc
+      end
+    end
+
+    def security_groups(region)
+      ec2(region).security_groups.to_a
+    end
+
+    # Look up foreign VPC security groups by name.
+    #
+    # Does not use native AWS API filtering to promote better cache behavior.
+    #
+    # @param name [String]
+    # @return [Array<AWS::EC2::SecurityGroup>]
+    #
+    def vpc_security_groups_by_name(name)
+      unless name.is_a?(String)
+        raise ArgumentError.new("#{name.inspect} must be a String")
+      end
+
+      vpcs.map { |vpc|
+        vpc.security_groups.find_all {|sg| sg.name == name }
+      }.flatten
+    end
+
+    def warm_sg_cache
+      connections.fetch(:ec2).each_pair do |region, ec2|
+        log.debug("Warming security group cache for #{region}")
+        ec2.security_groups.to_a
+      end
+    end
+
+    private
+
+    def aws_config
+      @config.aws_config
+    end
+
+    def connect!
+      conns = {
+        ec2: {},
+      }
+
+      regions.each do |region|
+        conns[:ec2][region] = connect_class(AWS::EC2, region)
+      end
+
+      conns
+    end
+
+    def connect_class(klass, region)
+      opts = {
+        region: region,
+        access_key_id: @config.aws_credentials.fetch(:access_key_id),
+        secret_access_key: @config.aws_credentials.fetch(:secret_access_key),
+        logger: Chalk::Log::Logger.new("#{klass.name}<#{region}>"),
+      }
+
+      klass.new(opts)
+    end
+  end
+end

data/lib/reyes/config.rb

@@ -0,0 +1,21 @@
+require 'yaml'
+
+module Reyes
+  class Config
+    def initialize(path=nil)
+      @path = path || File.expand_path('../../../config.yaml', __FILE__)
+    end
+
+    def aws_config
+      config.fetch('aws')
+    end
+
+    def aws_credentials
+      aws_config.fetch('credentials')
+    end
+
+    def config
+      @config ||= YAML.load_file(@path)
+    end
+  end
+end

data/lib/reyes/errors.rb

@@ -0,0 +1,3 @@
+module Reyes
+  class Error < StandardError; end
+end

data/lib/reyes/group_manager.rb

@@ -0,0 +1,414 @@
+module Reyes
+
+  # TODO: use a more precise name
+  class GroupManager
+    include Chalk::Log
+
+    # Short names for AWS regions to save space in ipset names
+    RegionShortNames = {
+      'us-east-1' => 'VA',
+      'us-west-2' => 'OR',
+      'us-west-1' => 'CA',
+      'eu-west-1' => 'IE',
+      'eu-central-1' => 'DE',
+      'ap-southeast-1' => 'SG',
+      'ap-southeast-2' => 'AU',
+      'ap-northeast-1' => 'JP',
+      'sa-east-1' => 'BR',
+      'us-gov-west-1' => 'GV',
+      'cn-north-1' => 'CN',
+    }
+
+    ReyesInputChain = 'reyes-ipsec-input'
+
+    attr_reader :aws
+
+    def initialize(region, instance_id, config_file=nil)
+      log.info("Initializing #{self.class.name} for #{region} #{instance_id}")
+
+      @aws = Reyes::AwsManager.new(config_file)
+      @instance_id = instance_id
+      @instance = @aws.ec2(region).instances[instance_id]
+    end
+
+    def our_groups
+      @our_groups ||= Reyes::AwsManager.with_retries {
+        @instance.security_groups
+      }
+    end
+
+    # @param [Hash] options
+    #
+    # @option options :empty [Boolean] (false) Generate an empty (default DROP)
+    #   rule sets without actually looking up security groups
+    # @option options :interactive [Boolean] (false) Whether to prompt for
+    #   confirmation before applying rules
+    # @option options :log_accept [Boolean] (false) Whether to log packets on
+    #   ACCEPT
+    #
+    def run!(options={})
+      options = {
+        empty: false,
+        interactive: false,
+        log_accept: false,
+      }.merge(options)
+
+      log_accept = options.fetch(:log_accept)
+
+      log.info("Starting iptables rule generation run!")
+
+      if options.fetch(:empty)
+        log.warn("Generating empty (default DROP) rule set")
+        data = generate_rules_empty
+      else
+        data = generate_rules
+      end
+
+      new_rules = generate_iptables_script_file(data, log_accept: log_accept)
+      new_ipsets = generate_ipsets(data)
+
+      show_iptables_diff(new_rules)
+      show_ipsets_diff(new_ipsets)
+
+      if options.fetch(:interactive)
+        puts 'Press enter to continue...'
+        STDIN.gets
+      end
+
+      materialize_ipsets(new_ipsets)
+      iptables_restore(new_rules)
+
+      # XXX(richo) Should we be pruning inside run! ?
+      log.info('Finished firewall configuration run')
+    end
+
+    # TODO: actually do some kind of diff or logging here?
+    def show_iptables_diff(new_rules)
+      log.info("Old rules:")
+      Subprocess.check_call(%w{iptables-save})
+
+      log.info("New rules:")
+      puts new_rules
+    end
+
+    def iptables_restore(new_rules)
+      log.info("Restoring #{new_rules.count("\n")} lines of iptables rules")
+
+      log.info('+ iptables-restore')
+      Subprocess.check_call(['iptables-restore'],
+                            stdin: Subprocess::PIPE) do |p|
+        p.communicate(new_rules)
+      end
+      log.info('restored')
+    end
+
+    def generate_rules_empty
+      {:groups => {}, :ipsets => {}}
+    end
+
+    # Given our instance ID and security group rules, generate IPTables rules
+    # needed to emulate security group behavior for foreign VPCs.
+    #
+    # Look up the set of instance IP addresses in any remote VPC security
+    # groups referenced by our rules, and add them to a list of ipsets to
+    # create.
+    #
+    # Also create a list of IPTables rules that will reference these ipsets.
+    #
+    # This method generates the data and returns it as a hash without making
+    # any changes to the system beyond incrementing the run generation (used
+    # for ipset garbage collection).
+    #
+    def generate_rules
+      run_generation_increment!
+      log.info("Generating rules for generation #{run_generation}")
+
+      data = generate_rules_empty
+
+      needed_groups = {}
+
+      our_groups.each do |group|
+        group_key = "#{group.group_id}:#{group.name}"
+        data[:groups][group_key] = []
+
+        # we only work with ingress permissions
+        group.ingress_ip_permissions.each do |perm|
+          perm_hash = {
+            protocol: perm.protocol,
+            port: perm.port_range,
+            remote_addrs: [],
+            remote_sets: [],
+          }
+
+          case perm.protocol
+          when :icmp
+            log.info("Skipping ICMP rule")
+            next
+          when :tcp, :udp
+
+            # append IP ranges
+            perm_hash[:remote_addrs] += perm.ip_ranges
+
+            # list the security groups we'll need to look up
+            perm.groups.each do |g|
+              foreign = foreign_groups_by_name(g.name)
+              foreign.each do |fg|
+                needed_groups[fg.group_id] = fg
+                perm_hash[:remote_sets] << ipset_name_for_group(fg)
+              end
+            end
+
+          else
+            raise Error.new("Unexpected protocol #{perm.protocol.inspect}")
+          end
+
+          data[:groups][group_key] << perm_hash
+        end
+      end
+
+      data[:ipsets] = {}
+      needed_groups.each_value do |group|
+        data[:ipsets][ipset_name_for_group(group)] = \
+          addresses_for_group(group)
+      end
+
+      data
+    end
+
+    def generate_ipsets(data)
+      data.fetch(:ipsets).map do |name, hosts|
+        log.info "Creating IPSet for #{name.inspect}"
+        builder = IPSetBuilder.new(name)
+        hosts.each do |host|
+          log.info "  - #{host.inspect}"
+          builder << host
+        end
+
+        builder
+      end
+    end
+
+    def show_ipsets_diff(new_ipsets)
+      # TODO(richo)
+    end
+
+    def materialize_ipsets(new_ipsets)
+      new_ipsets.each do |ipset|
+        ipset.build
+      end
+    end
+
+    # TODO: delurk
+    def create_iptables_rules(data)
+      data.fetch(:groups).each do |cluster, items|
+        log.info "Creating rules for #{cluster}"
+        items.each do |item|
+          rules = Reyes::IPTables.generate_rules_from_hash(item)
+          rules.each do |rule|
+            log.info("  #{rule.cmd.join(" ")}")
+            rule.materialize
+          end
+        end
+      end
+    end
+
+    def prune_ipsets
+      log.info('Pruning old IPSets')
+      old_ipsets = []
+      current_ipsets = []
+
+      current_gen = run_generation
+      Reyes::IPSet.load_all.each do |set|
+        s = Reyes::GroupManager.parse_ipset_name(set.name)
+        unless s
+          log.warn("Skipping unparseable ipset name #{set.name.inspect}")
+          next
+        end
+
+        if s[:generation] < current_gen
+          old_ipsets << set
+        elsif s[:generation] == current_gen
+          current_ipsets << set
+        else
+          log.error("IPSet from a future generation detected: #{set.inspect}")
+          log.error("Cowardly refusing to proceed")
+          raise Reyes::Error.new("IPSet from future generation detected")
+        end
+      end
+
+      if current_ipsets.empty?
+        log.error("No IPSets from current generation.")
+        log.error("Cowardly refusing to proceed")
+        raise Reyes::Error.new("Pruning would remove all IPSets")
+      end
+
+      old_ipsets.each do |set|
+        log.info("Pruning IPSet: #{set.name}")
+        set.drop!
+      end
+    end
+
+    # @return [Integer]
+    def run_generation
+      @generation ||= Reyes::RunGeneration.new
+      @generation.value
+    end
+
+    # Increment the run generation and persist it to disk
+    def run_generation_increment!
+      run_generation
+      @generation.increment!
+    end
+
+    # @return [String] A string title, at most 31 characters long
+    def ipset_name_for_group(group)
+      [
+        run_generation.to_s,
+        RegionShortNames.fetch(group.client.instance_variable_get(:@region)),
+        group.group_id,
+        group.name,
+      ].join(':')[0...31]
+    end
+
+    # @return [Hash] the parsed names, or nil in case of error
+    def self.parse_ipset_name(name)
+      parts = name.split(":")
+      return nil unless parts.length == 4
+
+      generation, region, group_id, group_name = parts
+      return {
+        generation: Integer(generation),
+        region: region,
+        group_id: group_id,
+        group_name: group_name
+      }
+    end
+
+    # Look up addresses for given group in remote VPCs.
+    #
+    # @param group [AWS::EC2::SecurityGroup]
+    #
+    # @return [Array<String>] A list of private instance IP addresses
+    #
+    def addresses_for_group(group)
+      groups = foreign_groups_by_name(group.name)
+      groups.map { |g| g.instances.map(&:private_ip_address) }.flatten
+    end
+
+    # Look up remote VPC security groups by name.
+    #
+    # @param name [String]
+    #
+    # @return [Array<AWS::EC2::SecurityGroup>]
+    #
+    def foreign_groups_by_name(name)
+      aws.vpc_security_groups_by_name(name)
+    end
+
+    # @param [Hash] data
+    #
+    # @param [Hash] options
+    #
+    # @option options [Boolean] log_drop (true)
+    # @option options [Boolean] log_accept (false)
+    #
+    def generate_iptables_script_file(data, options={})
+      log.info("Generating script for iptables-restore")
+
+      options = {
+        log_drop: true,
+        log_accept: false,
+      }.merge(options)
+
+      log_drop = options.fetch(:log_drop)
+      log_accept = options.fetch(:log_accept)
+
+      lines = []
+
+      lines << "# Generated by Reyes v#{Reyes::VERSION} at #{Time.now.to_s}"
+
+      # we use the default filter table
+      lines << '*filter'
+
+      lines << ':INPUT ACCEPT'
+      lines << ':FORWARD DROP'
+      lines << ':OUTPUT ACCEPT'
+      lines << ''
+
+      lines << ":#{ReyesInputChain} -"
+      lines << ':reyes-log-drop -'
+      lines << ':reyes-log-accept -'
+      lines << ':reyes-accept -'
+      lines << ':reyes-drop -'
+      lines << ''
+
+      lines << IPTables.log_rule_string('reyes-log-drop', 'REYES BLOCK')
+      lines << IPTables.log_rule_string('reyes-log-accept', 'REYES ACCEPT')
+
+      lines << '-A reyes-drop -j reyes-log-drop' if log_drop
+      lines << '-A reyes-drop -j DROP'
+      lines << '-A reyes-accept -j reyes-log-accept' if log_accept
+      lines << '-A reyes-accept -j ACCEPT'
+
+      # filter all ipsec tunneled traffic through reyes
+      lines << "-A INPUT -m policy --pol ipsec --dir in -j #{ReyesInputChain}"
+
+      # allow normal ICMP traffic
+      IPTables.innocuous_icmp_rules(ReyesInputChain).each do |r|
+        lines << r.join(' ')
+      end
+
+      # allow established connections without logging
+      lines << "-A #{ReyesInputChain} -m conntrack --ctstate " \
+               "RELATED,ESTABLISHED -j ACCEPT"
+
+      # drop invalid connections
+      lines << "-A #{ReyesInputChain} -m conntrack --ctstate " \
+               "INVALID -j reyes-drop"
+
+      # add dynamic rules
+      lines << ''
+      lines << '# dynamic rules from security groups'
+      dynamic_rules_from_data(data).each do |rule|
+        lines << rule
+      end
+
+      # add reyes-drop to very end of reyes-ipsec-input chain
+      lines << ''
+      lines << '# default drop'
+      lines << "-A #{ReyesInputChain} -j reyes-drop"
+
+      # commit the filter table
+      lines << ''
+      lines << 'COMMIT'
+
+      text = lines.join("\n")
+      text << "\n"
+
+      text
+    end
+
+    private
+
+    def dynamic_rules_from_data(data)
+      log.info("Generating dynamic iptables rules")
+
+      rule_list = []
+
+      data.fetch(:groups).each do |cluster, items|
+        log.info "Generating rules for #{cluster}"
+        items.each do |item|
+          rules = Reyes::IPTables.generate_rules_from_hash(item,
+                                                           ReyesInputChain,
+                                                           'reyes-accept')
+          rules.each do |rule|
+            log.debug('  ' + rule.inspect)
+            rule_list << rule.join(' ')
+          end
+        end
+      end
+
+      rule_list
+    end
+  end
+end

data/lib/reyes/group_tools.rb

@@ -0,0 +1,145 @@
+module Reyes
+  # A few methods for manipulating EC2 SecurityGroup and IpPermission objects
+  # that really should be in the aws-sdk. These are taken directly from
+  # space-commander.
+  module GroupTools
+
+    # Print a pretty representation of an AWS::EC2::SecurityGroup::IpPermission
+    # object. May issue API calls to resolve security group names.
+    #
+    # @param [AWS::EC2::SecurityGroup::IpPermission] perm Object to inspect
+    #
+    # @param [Hash] options
+    #
+    # @option options [Integer] :indent Indentation level (default 0)
+    #
+    # @option options [Boolean] :include_group Whether to print the security
+    #   group to which the IpPermission belongs. (default true)
+    #
+    # @option options [SpaceCommander::SecurityGroup::Cache] :cache A cache to
+    #   use for resolving security group names as needed.
+    #
+    def self.pretty_perm(perm, options={})
+      options = {:indent => 0, :include_group => true}.merge(options)
+      indent = options.fetch(:indent)
+      include_group = options.fetch(:include_group)
+
+      # use cache to find groups if one was provided
+      if options[:cache]
+        groups = options[:cache].unsafe_get_many(perm.groups)
+      else
+        groups = perm.groups
+      end
+
+      lines = []
+      group = perm.security_group
+      lines << "security_group: #{group.name} (#{group.id})" if include_group
+      lines.concat([
+        "type:   #{(perm.egress? ? :egress : :ingress)}",
+        "proto:  #{perm.protocol.inspect}",
+        "ports:  #{perm.port_range.inspect}",
+        "cidr:   #{perm.ip_ranges.inspect}",
+        "groups: [#{groups.map{|g| "<#{g.name} #{g.id}>"}.join(", ")}]"
+      ])
+      return lines.map{|line| ' '*indent + line}.join("\n")
+    end
+
+    # Inspect an AWS::EC2::SecurityGroup::IpPermission object. May issue API
+    # calls to resolve security group names.
+    #
+    # @param [AWS::EC2::SecurityGroup::IpPermission] perm Object to inspect
+    #
+    # @param [Hash] options
+    #
+    # @option options [SpaceCommander::SecurityGroup::Cache] :cache A cache to
+    #   use for resolving security group names as needed.
+    #
+    def self.inspect_perm(perm, options={})
+      unless perm.is_a?(AWS::EC2::SecurityGroup::IpPermission)
+        raise ArgumentError.new("Not an IpPermission: #{perm.inspect}")
+      end
+
+      s = "#<IpPermission #{perm.egress? ? :egress : :ingress}"
+
+      s << " @security_group=<#{perm.security_group.id} #{perm.security_group.name}>"
+      s << " @protocol=#{perm.protocol.inspect}"
+      s << " @port_range=#{perm.port_range.inspect}"
+
+      unless perm.ip_ranges.empty?
+        s << " @ip_ranges=#{perm.ip_ranges.inspect}"
+      end
+
+      unless perm.groups.empty?
+        # use cache to find groups if one was provided
+        if options[:cache]
+          groups = options[:cache].unsafe_get_many(perm.groups)
+        else
+          groups = perm.groups
+        end
+
+        s << " @groups=[#{groups.map{|g| "<#{g.name} #{g.id}>"}.join(", ")}]"
+      end
+      s
+    end
+
+    def self.perm_to_hash(perm)
+      h = {}
+
+      h[:protocol] = perm.protocol.to_s
+      h[:label] = ''
+
+      port = perm.port_range
+      if port == all_ports(perm.protocol)
+        h[:port] = 'all'
+      else
+        if port.first == port.last
+          h[:port] = port.first
+        else
+          h[:port] = "#{port.first}-#{port.last}"
+        end
+      end
+
+      # TODO: convert /32s back into hostname from config.yaml if possible
+      if perm.ip_ranges.length > 1
+        h[:cidr] = perm.ip_ranges
+      elsif perm.ip_ranges.length == 1
+        h[:cidr] = perm.ip_ranges.first
+        if h[:cidr] == '0.0.0.0/0'
+          h[:cidr] = 'all'
+        end
+      end
+
+      if perm.groups.length > 0
+        h[:groups] = perm.groups.map(&:name)
+      end
+
+      h
+    end
+
+    def self.group_to_hash(group)
+      h = {
+        :name => group.name,
+        :description => group.description,
+        :inbound => group.ingress_ip_permissions.map {|p| perm_to_hash(p)},
+        :outbound => group.egress_ip_permissions.map {|p| perm_to_hash(p)},
+      }
+
+      h
+    end
+
+    def self.all_ports(protocol)
+      case protocol
+      when :icmp
+        -1..-1
+      when :tcp, :udp
+        0..65535
+      when :any, :'-1', -1
+        nil
+      else
+        msg = "Don't know how to allow 'all' ports for " + protocol.inspect
+        raise NotImplementedError.new(msg)
+      end
+    end
+
+  end
+end

data/lib/reyes/ipset.rb

@@ -0,0 +1,118 @@
+module Reyes
+  class IPSetBuilder
+    TYPE = "hash:ip"
+    attr_reader :name
+
+    # Constructor for ipsets, maintaining the invariant that once constructed,
+    # ipsets will not be altered.
+    # @param [String] name of the IPSet to create
+    def initialize(name)
+      @name = name
+      @members = []
+    end
+
+    # Add a new member to this set. `member` should be something an ipset can
+    # understand, eg an ip address or cidr range
+    # @param [String] entity to add to the set
+    def <<(entity)
+      @members << entity
+    end
+
+    # Builds the ipset, retuning an IPSet
+    # @returns [IPSet]
+    def build
+      create
+      populate
+      IPSet.load(@name)
+    end
+
+  private
+
+    def create
+      begin
+        Subprocess.check_call(["ipset", "create", @name, TYPE])
+      rescue Subprocess::NonZeroExit
+        raise Error.new("Couldn't create ipset #@name")
+      end
+    end
+
+    def populate
+      @members.each do |e|
+        begin
+          Subprocess.check_call(["ipset", "add", @name, e])
+        rescue Subprocess::NonZeroExit
+          raise Error.new("Couldn't add #{e} to ipset #@name")
+        end
+      end
+    end
+
+    class Error < StandardError
+    end
+  end
+
+  class IPSet < Struct.new(:name, :type, :header, :size, :references, :members)
+    # An immutable view into an existing IPSet
+
+    # @param [Name] name of the set to load
+    # @returns IPSet
+    def self.load(name)
+      new(*load_by_name(name))
+    end
+
+    # Loads all IPSets from the local system
+    # @returns [Array<IPSet>]
+    def self.load_all
+      cmd = ['ipset', 'list']
+      output = Subprocess.check_output(cmd)
+      return output.split("\n\n").map { |x| new(*parse(x)) }
+    end
+
+    # Drops the currect IPSet, destroying it on the underlying system
+    def drop!
+      begin
+        Subprocess.check_call(["ipset", "destroy", name])
+      rescue Subprocess::NonZeroExit
+        raise Error.new("Couldn't destroy #{name}")
+      end
+    end
+
+  private
+
+    def self.load_by_name(name)
+      cmd = ['ipset', 'list', name]
+      output = Subprocess.check_output(cmd)
+      entries = output.split("\n\n")
+      unless entries.length == 1
+        raise IPSetError.new("`ipset list #{name}` returned too many entries")
+      end
+
+      return parse(entries.first)
+    end
+
+    KEYS = ["Name", "Header", "Size in memory", "References", "Members", "Type"]
+    def self.parse(entry)
+      out = {:members => []}
+      entry.split(?\n).each do |line|
+        k, v = line.split(":", 2)
+        if KEYS.include?(k)
+          out[k] = v.strip
+        else
+          raise Error.new("Invalid data: #{entry.inspect}") unless out.include?("Members")
+          out[:members] << line.strip
+        end
+      end
+
+      return [
+        out["Name"],
+        out["Type"],
+        out["Header"],
+        Integer(out["Size in memory"]),
+        Integer(out["References"]),
+        out[:members],
+      ]
+    end
+
+    class Error < StandardError
+    end
+  end
+end

data/lib/reyes/iptables.rb

@@ -0,0 +1,87 @@
+module Reyes
+  # A collection of functionality related to generating IPTables rule sets.
+  module IPTables
+
+    # Generate IPTables rule arguments based on a specification and yield a
+    # series of arguments appropriate for passing to IPTables.
+    #
+    # @param [Symbol] protocol
+    # @param [Range] dport_range
+    # @param [Array<String>] remote_addrs
+    # @param [Array<String>] remote_sets
+    # @param [String] input_chain
+    # @param [String] accept_chain
+    #
+    # @yield [Array<String>] IPTables rules argument array
+    #
+    def self.generate_rules(protocol, dport_range, remote_addrs, remote_sets,
+                            input_chain, accept_chain)
+      raise 'Unsupported protocol' unless [:tcp, :udp].include?(protocol)
+
+      unless block_given?
+        return enum_for(__method__, protocol, dport_range, remote_addrs,
+                        remote_sets, input_chain, accept_chain)
+      end
+
+      cmd = ['-A', input_chain, '-p', protocol.to_s]
+
+      if dport_range.first == dport_range.last
+        # single port match
+        cmd += ['--dport', dport_range.first.to_s]
+      else
+        # port range match
+        cmd += ['-m', 'multiport', '--dports',
+                "#{dport_range.first}:#{dport_range.last}"]
+      end
+
+      jump_args = ['-j', accept_chain]
+
+      remote_addrs.each do |addr|
+        yield cmd + ['-s', addr] + jump_args
+      end
+
+      remote_sets.each do |set|
+        yield cmd + ['-m', 'set', '--match-set', set, 'src,dst'] + jump_args
+      end
+
+      nil
+    end
+
+    # Generate IPTables rules from a hash. This is a thin wrapper around
+    # {.generate_rules}.
+    #
+    # @param [Hash] hash
+    # @param [String] input_chain
+    # @param [String] accept_chain
+    #
+    def self.generate_rules_from_hash(hash, input_chain, accept_chain)
+      generate_rules(hash.fetch(:protocol), hash.fetch(:port),
+                     hash.fetch(:remote_addrs), hash.fetch(:remote_sets),
+                     input_chain, accept_chain)
+    end
+
+    class Rule
+      IPTABLES = "iptables"
+      attr_reader :cmd
+      def initialize(cmd)
+        @cmd = cmd
+      end
+
+      def materialize
+        cmd = [IPTABLES] + @cmd
+        Subprocess.check_call(cmd)
+      end
+    end
+
+    def self.log_rule_string(chain, message, limit='3/min', limit_burst=10)
+      "-A #{chain} -m limit --limit #{limit} --limit-burst #{limit_burst}" \
+        " -j LOG --log-prefix \"[#{message}] \""
+    end
+
+    def self.innocuous_icmp_rules(chain)
+      [3, 4, 11, 12, 8].map do |type|
+        %W{-A #{chain} -p icmp -m icmp --icmp-type #{type} -j ACCEPT}
+      end
+    end
+  end
+end

data/lib/reyes/run_generation.rb

@@ -0,0 +1,75 @@
+module Reyes
+  # An abstraction over tmpfile based generation number storage.
+  class RunGeneration
+    class LoadError < Reyes::Error; end
+
+    include Chalk::Log
+
+    DefaultGenerationPath = "/tmp/reyes.u#{Process.euid}.generation"
+
+    attr_reader :value
+
+    # @param path [String] Path to generation file
+    #
+    # If the file at `path` does not exist, it will be created. Attempting to
+    # open a symbolic link will raise Errno::ELOOP to avoid security
+    # vulnerabilities.
+    #
+    def initialize(path=DefaultGenerationPath)
+      @path = path
+      reload
+    end
+
+    # Increment the generation value and save it to disk.
+    #
+    # @return [Integer] new generation value
+    #
+    def increment!
+      @value += 1
+      log.debug("Incrementing generation to #{@value}")
+      save
+      @value
+    end
+
+    private
+
+    def reload
+      log.debug("Opening generation file at #{@path.inspect}")
+      @fh = open(@path)
+      if @fh.size == 0
+        @value = 0
+      else
+        @value = load_value
+      end
+      log.debug("Loaded generation value #{@value.inspect}")
+    end
+
+    # Open `path` read-write, creating it if it doesn't exist, refusing to
+    # follow symbolic links in the final path component.
+    #
+    # @param [String] path
+    #
+    # @raise [SystemCallError] in various circumstances involving failure to
+    #   open or create the file.
+    #
+    def open(path)
+      File.open(path, File::RDWR | File::CREAT | File::NOFOLLOW)
+    end
+
+    def load_value
+      @fh.rewind
+      content = @fh.read
+      if content.empty?
+        0
+      else
+        Integer(content)
+      end
+    end
+
+    def save
+      @fh.rewind
+      @fh.puts(@value.to_s)
+      @fh.flush
+    end
+  end
+end

data/lib/reyes/version.rb

@@ -1,3 +1,3 @@
 module Reyes
-  VERSION = '0.0.1' unless defined?(self::VERSION)
+  VERSION = '0.0.2' unless defined?(self::VERSION)
 end

data/reyes.gemspec

@@ -35,7 +35,10 @@ Gem::Specification.new do |gem|
   gem.version = Reyes::VERSION
 
   gem.add_dependency 'aws-sdk', '~> 1.60'
+  gem.add_dependency 'chalk-log'
+  gem.add_dependency 'subprocess'
 
   gem.add_development_dependency 'pry'
   gem.add_development_dependency 'rake'
+  gem.add_development_dependency 'rubocop'
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: reyes
 version: !ruby/object:Gem::Version
-  version: 0.0.1
+  version: 0.0.2
 platform: ruby
 authors:
 - Andy Brody
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-01-29 00:00:00.000000000 Z
+date: 2015-02-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk
@@ -25,6 +25,34 @@ dependencies:
     - - ~>
       - !ruby/object:Gem::Version
         version: '1.60'
+- !ruby/object:Gem::Dependency
+  name: chalk-log
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: subprocess
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: pry
   requirement: !ruby/object:Gem::Requirement
@@ -53,18 +81,46 @@ dependencies:
     - - ! '>='
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
 description: ! "    Reyes is a gem...\n\n    TO DO\n"
 email:
 - security@stripe.com
-executables: []
+executables:
+- reyes
 extensions: []
 extra_rdoc_files: []
 files:
+- .gitignore
+- .rubocop-disables.yml
+- .rubocop.yml
 - .ruby-version
 - Gemfile
 - README.md
 - Rakefile
+- bin/reyes
+- config.yaml.example
 - lib/reyes.rb
+- lib/reyes/aws_manager.rb
+- lib/reyes/config.rb
+- lib/reyes/errors.rb
+- lib/reyes/group_manager.rb
+- lib/reyes/group_tools.rb
+- lib/reyes/ipset.rb
+- lib/reyes/iptables.rb
+- lib/reyes/run_generation.rb
 - lib/reyes/version.rb
 - reyes.gemspec
 homepage: ''