reyes 0.0.6 → 0.1.1

checksums.yaml

@@ -1,15 +1,15 @@
 ---
 !binary "U0hBMQ==":
   metadata.gz: !binary |-
-    YjM4MDllMmJmMGJiZjZjZGZiMDIwYTAzMDc4YjViYzJmODA2YWVmZQ==
+    NGE0MzE5OTBmNzQ2YWI0YmMxYmJlZGMxMDgxMGEwNDJiOTgzNTg0Mg==
   data.tar.gz: !binary |-
-    MDZjZTU2MjIxZTZhY2FmMTc1ODU4YjkyNzEyYWNmOTIwYzU5Yjk0NA==
+    ZTY4MWFiMmNmMzg5MzEwNDBlYTc4MWUwZGVmYWZhMWYyOGMyZjI3YQ==
 SHA512:
   metadata.gz: !binary |-
-    NTNlNDgyMjg3Mzg0NzdiYjRmY2QxYTRlNGZkMDhmNzA3NDQyZTg2MWMzN2Ez
-    YmJkNmQ4NmZlNGY5NWJjOGQ5MjYxNzkzMGJhZTk1MjQzOTUzYjQyN2YwYjM2
-    ZWVkMmRlNmY0MWY3NTc4OWRjZjBiNzI0NTQ1OGJiY2RjNDdmMWY=
+    ZTczYjRhNGIzZjZjMDViZjRlZDg4ODc2ZTNhYTQ5YjA4MjBiMDFmMjY5NWIw
+    NDE5M2ZmYzZkNDgzMDlmNjVlZTcwYjIyMGI2ODdiNzQ0MDg0ZWJmN2M3Y2Qy
+    MWJhYzljYTM5YzljNDYyMDI2MmQyYTZjODExZDUwZWM1YTFjNjg=
   data.tar.gz: !binary |-
-    NTZlNTU4MGRmZDExNWUwNWEwZDQ2NmE3MDNjMWJjOGU2N2U5MzdkZDhiNjBj
-    YjBlNzlhNDJiZjUzMDAwZWJiNzIxMmY2NjFjZTkxYjcyNWQ3NmYxNjE5MjQ4
-    YTMwODEyMjY5YjYyMWRiMmE2NTk3MWZjMGY2Y2E4N2RmYjljMGE=
+    OWRhNjJjMWI4YTFjN2UwYmNkNWQxZjllZTRkMDM5ZGM5MWM0YzA0MzQyMDVm
+    ZDMzZDE2ZTc0ZjE2NzEyOWM1NzhmZjYyNzlmNmYwZWZkMzYzZWMyMjE4OWM5
+    M2MzM2FiYTRiMDZmZjUwZmQyYjk4MjQyOGFkOThjZGVmYjYwZTk=

data/bin/reyes

@@ -2,47 +2,64 @@
 require 'optparse'
 require_relative '../lib/reyes'
 
-def command_install(options)
-  instance_id = options.fetch(:instance_id)
+def command_dump(output_file, options)
+  aws = Reyes::AwsManager.new(options[:config])
+  aws.dump_fake_data(output_file)
+end
+
+def command_install(json_file, instance_id, options)
   region = options.fetch(:region)
 
   if options[:splay]
     Reyes::Utils.sleep_random(options[:splay])
   end
 
-  AWS.memoize do
-    aws = Reyes::AwsManager.new(options[:config])
-    g = Reyes::GroupManager.new(aws, region, instance_id, options[:config])
-    r = Reyes::RunManager.new(g)
+  fake = Reyes::FakeAws.new(File.open(json_file, 'r'))
+  g = Reyes::GroupManager.new(fake, region, instance_id)
+  r = Reyes::RunManager.new(g)
 
-    options[:run_options][:log_accept] = true # TODO
+  data = r.generate_data!(options.fetch(:gen_options))
+  r.apply_data!(data, options.fetch(:apply_options))
 
-    r.run!(options.fetch(:run_options))
-
-    if options[:prune]
-      r.prune_ipsets
-      # Pruning IPTables rules doesn't make any sense, they are atomically replaced
-    end
+  if options[:prune]
+    r.prune_ipsets
   end
-
 end
 
-
 def parse_args
   options = {
-    :region => 'us-west-1',
-    :run_options => {},
+    :region => 'us-west-1', # TODO: make required
+    :gen_options => {},
+    :apply_options => {
+      :log_accept => true, # TODO remove this default
+    },
   }
 
   optparse = OptionParser.new do |opts|
     opts.banner = <<-EOM
-usage: #{File.basename($0)} [options]
+usage: #{File.basename($0)} [options] COMMAND ARGS...
 
 Manipulate IPTables rules based on EC2 security groups.
 
+Commands:
+
+  install: load AWS data from JSON_FILE and install rules for INSTANCE_ID
+
+    #{File.basename($0)} [options] install JSON_FILE INSTANCE_ID
+
+  dump: generate JSON from AWS and serialize data to JSON_FILE
+
+    #{File.basename($0)} [options] dump JSON_FILE
+
+
+Defaults:
+  region: #{options.fetch(:region)}
+
+
 For example:
 
-  #{File.basename($0)} --prune --install $(facter -p ec2_instance_id)
+  #{File.basename($0)} --prune install data.json $(facter -p ec2_instance_id)
+
 
 Options:
     EOM
@@ -55,32 +72,39 @@ Options:
       options[:region] = region
     end
 
-    opts.on('--prune', 'Prune old generations after creating rules') do
-      options[:prune] = true
+    opts.on('--env ENV', 'Set SRFC4 env for dump') do |env|
+      options[:tag_filters] = {'env' => env}
     end
 
-    opts.on('--install INSTANCE_ID', 'Configure this instance as INSTANCE_ID') do |id|
-      options[:command] = :install
-      options[:instance_id] = id
+    opts.on('--prune', 'Prune old generations after creating rules') do
+      options[:prune] = true
     end
 
     # TODO: known bug: --dry-run does not prevent run generation increment
     opts.on('-n', '--dry-run', 'Print diff without making changes') do
-      options[:run_options][:dry_run] = true
+      options[:apply_options][:dry_run] = true
     end
 
     opts.on('-i', '--interactive', 'Interactively confirm changes') do
-      options[:run_options][:interactive] = true
+      options[:apply_options][:interactive] = true
     end
 
     opts.on('--empty', 'Generate empty (default DROP) rules') do
-      options[:run_options][:empty] = true
+      options[:gen_options][:empty] = true
     end
 
     opts.on('--splay SECS', 'Delay up to SECS before execution') do |arg|
       options[:splay] = Integer(arg)
     end
 
+    opts.on('--[no-]log-accept', 'Log packets in ACCEPT') do |arg|
+      options[:apply_options][:log_accept] = arg
+    end
+
+    opts.on('--[no-]log-drop', 'Log packets in DROP') do |arg|
+      options[:apply_options][:log_drop] = arg
+    end
+
     opts.on('-h', '--help', 'Display this help message') do
       STDERR.puts opts
       exit 0
@@ -89,9 +113,20 @@ Options:
 
   optparse.parse!
 
-  case options[:command]
-  when :install
-    command_install(options)
+  command = ARGV.shift
+  case command
+  when 'dump'
+    unless ARGV.length == 1
+      STDERR.puts optparse
+      exit 2
+    end
+    command_dump(ARGV.fetch(0), options)
+  when 'install'
+    unless ARGV.length == 2
+      STDERR.puts optparse
+      exit 2
+    end
+    command_install(ARGV.fetch(0), ARGV.fetch(1), options)
   else
     STDERR.puts optparse
     STDERR.puts "\nError: Must provide a command"

data/lib/reyes/aws_manager.rb

@@ -1,4 +1,6 @@
 require 'aws-sdk'
+require 'json'
+require 'socket'
 
 module Reyes
   class AwsManager
@@ -105,8 +107,141 @@ module Reyes
       end
     end
 
+    def generate_fake_data
+      log.info('Generating AWS data for serialization')
+      start = Time.now.utc
+      data = {
+        'metadata' => {
+          'generated' => start,
+          'generated_stamp' => start.to_i,
+          'hostname' => Socket.gethostname,
+          'pid' => Process.pid,
+        },
+        'vpcs' => vpcs.map(&:id),
+        'security_groups_by_name' => {},
+        'regions' => {},
+      }
+
+      regions.each do |region|
+        data['regions'][region] = fake_data_for_region(region)
+      end
+
+      # populate security_groups_by_name
+      data['regions'].each_pair do |region, rdata|
+        rdata.fetch('security_groups').each_pair do |sg_id, sg_data|
+          data['security_groups_by_name'][sg_data.fetch('name')] ||= []
+          data['security_groups_by_name'][sg_data.fetch('name')] << {
+            'region' => region,
+            'group_id' => sg_id,
+            'vpc' => sg_data.fetch('vpc_id'),
+          }
+        end
+      end
+
+      data['metadata']['generated_in'] = Time.now - start
+
+      log.info("Generated AWS data in #{(Time.now - start).round(1)}s")
+
+      data
+    end
+
+    def dump_fake_data(filename)
+      log.info("Dumping AWS data to #{filename.inspect}")
+      data = generate_fake_data
+
+      File.open(filename, File::WRONLY | File::CREAT | File::EXCL) do |fh|
+        fh.write(JSON.pretty_generate(data))
+      end
+
+      log.info('Wrote data to file')
+    end
+
     private
 
+    def fake_data_for_region(region)
+      log.info("Generating data for #{region}")
+
+      data = {
+        'instances' => {},
+        'security_groups' => {},
+      }
+
+      AWS.memoize do
+        conn = ec2(region)
+
+        sg_members = {}
+
+        conn.instances.sort_by(&:instance_id).each do |i|
+          groups = i.security_groups.to_a.sort_by(&:name)
+
+          data['instances'][i.instance_id] = {
+            'tags' => i.tags.to_h.to_h,
+            'region' => region,
+            'availability_zone' => i.availability_zone,
+            'private_ip_address' => i.private_ip_address,
+            'public_ip_address' => i.public_ip_address,
+            'security_groups' => groups.map(&:group_id),
+            'security_group_names' => groups.map(&:name),
+          }
+
+          groups.map(&:id).each do |sg_id|
+            sg_members[sg_id] ||= []
+            sg_members[sg_id] << i.instance_id
+          end
+        end
+
+        conn.security_groups.sort_by(&:group_id).each do |g|
+          data['security_groups'][g.group_id] = {
+            'name' => g.name,
+            'description' => g.description,
+            'vpc_id' => g.vpc_id,
+            'region' => region,
+            'ipset_suffix' => ipset_suffix_for_group(region, g),
+            'ingress_ip_permissions' => g.ingress_ip_permissions.map {|perm|
+
+              if perm.port_range
+                port_start = perm.port_range.first
+                port_end = perm.port_range.last
+              else
+                port_start = nil
+                port_end = nil
+                if perm.protocol != :any
+                  log.error("Invalid looking IpPermission object")
+                  log.error(GroupTools.pretty_perm(perm))
+                  raise Error.new("Missing port_range for perm")
+                end
+              end
+
+              {
+                'protocol' => perm.protocol,
+                'port_start' => port_start,
+                'port_end' => port_end,
+                'ip_ranges' => perm.ip_ranges.sort,
+                'group_names' => perm.groups.map(&:name),
+              }
+            },
+            # avoid g.instances to prevent O(n) behavior
+            'instances' => sg_members.fetch(g.group_id, []).sort,
+          }
+        end
+      end
+
+      data
+    end
+
+
+    # @param group [AWS::EC2::SecurityGroup]
+    #
+    # @return [String] A string title, at most 31 characters long
+    #
+    def ipset_suffix_for_group(region, group)
+      [
+        Reyes::GroupManager::RegionShortNames.fetch(region),
+        group.group_id,
+        group.name,
+      ].join(':')[0...31]
+    end
+
     def aws_config
       @config.aws_config
     end

data/lib/reyes/fake_aws.rb

@@ -0,0 +1,71 @@
+require 'json'
+require 'set'
+
+module Reyes
+  class FakeAws
+    include Chalk::Log
+
+    # @param json_source
+    def initialize(json_source)
+      log.info('Loading JSON data')
+      @data = JSON.load(json_source)
+      log.info("Loaded JSON with metadata: #{metadata.inspect}")
+    end
+
+    def region_data(region)
+      @data.fetch('regions').fetch(region)
+    end
+
+    def instance(region, instance_id)
+      region_data(region).fetch('instances').fetch(instance_id)
+    end
+
+    def security_group(region, security_group_id)
+      region_data(region).fetch('security_groups').fetch(security_group_id)
+    end
+
+    def security_group_ids_for_instance(region, instance_id)
+      instance(region, instance_id).fetch('security_groups')
+    end
+
+    def security_groups_for_instance(region, instance_id)
+      data = {}
+
+      security_group_ids_for_instance(region, instance_id).each do |sg_id|
+        data[sg_id] = security_group(region, sg_id)
+      end
+
+      data
+    end
+
+    def addresses_for_security_group(region, security_group_id)
+      security_group_members(region, security_group_id).map do |instance_id|
+        instance(region, instance_id).fetch('private_ip_address')
+      end
+    end
+
+    def security_group_members(region, security_group_id)
+      security_group(region, security_group_id).fetch('instances')
+    end
+
+    def foreign_groups_by_name(group_name)
+      vpc_set = vpc_ids.to_set
+      groups = {}
+      @data.fetch('security_groups_by_name').fetch(group_name).each do |g|
+        next unless vpc_set.include?(g.fetch('vpc'))
+        groups[g.fetch('group_id')] = security_group(g.fetch('region'),
+                                                     g.fetch('group_id'))
+      end
+
+      groups
+    end
+
+    def vpc_ids
+      @data.fetch('vpcs')
+    end
+
+    def metadata
+      @data.fetch('metadata')
+    end
+  end
+end

data/lib/reyes/group_manager.rb

@@ -21,26 +21,31 @@ module Reyes
 
     ReyesInputChain = 'reyes-ipsec-input'
 
-    attr_reader :aws
+    attr_reader :fake_aws, :instance_id
 
-    def initialize(aws, region, instance_id, config_file=nil, generation=nil)
+    # @param fake_aws [Reyes::FakeAws]
+    # @param region [String]
+    # @param instance_id [String] A String instance ID of the target instance.
+    #
+    def initialize(fake_aws, region, instance_id, generation=nil)
       log.info("Initializing #{self.class.name} for #{region} #{instance_id}")
-      log.info("This is reyes #{Reyes::VERSION}")
 
-      @aws = aws
+      @fake_aws = fake_aws
       @generation = generation || RunGeneration.new
+      @region = region
       @instance_id = instance_id
-      @instance = @aws.ec2(region).instances[instance_id]
     end
 
+    # @return [Hash]
     def our_groups
-      @our_groups ||= Reyes::AwsManager.with_retries {
-        @instance.security_groups
-      }
+      fake_aws.security_groups_for_instance(@region, @instance_id)
     end
 
     def generate_rules_empty
-      {:groups => {}, :ipsets => {}}
+      {
+        :groups => {},
+        :ipsets => {},
+      }
     end
 
     # Given our instance ID and security group rules, generate IPTables rules
@@ -53,52 +58,48 @@ module Reyes
     # Also create a list of IPTables rules that will reference these ipsets.
     #
     # This method generates the data and returns it as a hash without making
-    # any changes to the system beyond incrementing the run generation (used
-    # for ipset garbage collection).
+    # any changes to the system.
     #
-    def generate_rules!
-      run_generation_increment!
+    def generate_rules
       log.info("Generating rules for generation #{run_generation}")
 
-      @aws.warm_sg_cache
-
       data = generate_rules_empty
 
       needed_groups = {}
 
-      our_groups.each do |group|
-        group_key = "#{group.group_id}:#{group.name}"
+      our_groups.each_pair do |group_id, group|
+        group_key = "#{group_id}:#{group.fetch('name')}"
         data[:groups][group_key] = []
 
         # we only work with ingress permissions
-        group.ingress_ip_permissions.each do |perm|
+        group.fetch('ingress_ip_permissions').each do |perm|
           perm_hash = {
-            protocol: perm.protocol,
-            port: perm.port_range,
+            protocol: perm.fetch('protocol'),
+            port: [perm.fetch('port_start'), perm.fetch('port_end')],
             remote_addrs: [],
             remote_sets: [],
           }
 
-          case perm.protocol
-          when :icmp
+          case perm.fetch('protocol').to_s
+          when 'icmp'
             log.info("Skipping ICMP rule")
             next
-          when :tcp, :udp
+          when 'tcp', 'udp'
 
             # append IP ranges
-            perm_hash[:remote_addrs] += perm.ip_ranges
+            perm_hash[:remote_addrs] += perm.fetch('ip_ranges')
 
             # list the security groups we'll need to look up
-            perm.groups.each do |g|
-              foreign = foreign_groups_by_name(g.name)
-              foreign.each do |fg|
-                needed_groups[fg.group_id] = fg
-                perm_hash[:remote_sets] << ipset_name_for_group(fg)
+            perm.fetch('group_names').each do |g_name|
+              foreign_groups_by_name(g_name).each_pair do |fg_id, fg_data|
+                needed_groups[fg_id] = fg_data
+                perm_hash[:remote_sets] << ipset_name_for_group_hash(fg_data)
               end
             end
 
           else
-            raise Error.new("Unexpected protocol #{perm.protocol.inspect}")
+            raise NotImplementedError.new(
+              "Unexpected protocol #{perm['protocol'].inspect} in #{group_id}")
           end
 
           data[:groups][group_key] << perm_hash
@@ -106,9 +107,9 @@ module Reyes
       end
 
       data[:ipsets] = {}
-      needed_groups.each_value do |group|
-        data[:ipsets][ipset_name_for_group(group)] = \
-          addresses_for_group(group)
+      needed_groups.each_pair do |group_id, group_data|
+        data[:ipsets][ipset_name_for_group_hash(group_data)] = \
+          addresses_for_group(group_data.fetch('region'), group_id)
       end
 
       data
@@ -151,7 +152,11 @@ module Reyes
       @generation.increment!
     end
 
+    # TODO: delurk
+    # @param group [AWS::EC2::SecurityGroup]
+    #
     # @return [String] A string title, at most 31 characters long
+    #
     def ipset_name_for_group(group)
       [
         run_generation.to_s,
@@ -161,6 +166,17 @@ module Reyes
       ].join(':')[0...31]
     end
 
+    # @param group_hash [Hash]
+    #
+    # @return [String] A string title, at most 31 characters long
+    #
+    def ipset_name_for_group_hash(group_hash)
+      [
+        run_generation.to_s,
+        group_hash.fetch('ipset_suffix'),
+      ].join(':')[0...31]
+    end
+
     # @return [Hash] the parsed names, or nil in case of error
     def self.parse_ipset_name(name)
       parts = name.split(":")
@@ -177,25 +193,23 @@ module Reyes
 
     # Look up addresses for given group in remote VPCs.
     #
-    # @param group [AWS::EC2::SecurityGroup]
+    # @param region [String]
+    # @param group_id [String]
     #
     # @return [Array<String>] A list of private instance IP addresses
     #
-    def addresses_for_group(group)
-      groups = foreign_groups_by_name(group.name)
-      groups.map { |g|
-        @aws.instances_in_security_group(g).map(&:private_ip_address)
-      }.flatten
+    def addresses_for_group(region, group_id)
+      fake_aws.addresses_for_security_group(region, group_id)
     end
 
     # Look up remote VPC security groups by name.
     #
     # @param name [String]
     #
-    # @return [Array<AWS::EC2::SecurityGroup>]
+    # @return [Hash]
     #
     def foreign_groups_by_name(name)
-      aws.vpc_security_groups_by_name(name)
+      fake_aws.foreign_groups_by_name(name)
     end
 
     # @param [Hash] data

data/lib/reyes/iptables.rb

@@ -6,7 +6,7 @@ module Reyes
     # series of arguments appropriate for passing to IPTables.
     #
     # @param [Symbol] protocol
-    # @param [Range] dport_range
+    # @param [Range, Array(Integer, Integer)] dport_range
     # @param [Array<String>] remote_addrs
     # @param [Array<String>] remote_sets
     # @param [String] input_chain
@@ -16,7 +16,10 @@ module Reyes
     #
     def self.generate_rules(protocol, dport_range, remote_addrs, remote_sets,
                             input_chain, accept_chain)
-      raise 'Unsupported protocol' unless [:tcp, :udp].include?(protocol)
+
+      unless ['tcp', 'udp'].include?(protocol.to_s)
+        raise ArgumentError.new("Unsupported protocol #{protocol.inspect}")
+      end
 
       unless block_given?
         return enum_for(__method__, protocol, dport_range, remote_addrs,
@@ -25,6 +28,18 @@ module Reyes
 
       cmd = ['-A', input_chain, '-p', protocol.to_s]
 
+      # dport_range may be a Range or two element Array
+      case dport_range
+      when Range
+        # OK
+      when Array
+        if dport_range.length != 2
+          raise ArgumentError.new("bad dport_range: #{dport_range.inspect}")
+        end
+      else
+        raise ArgumentError.new("invalid dport_range: #{dport_range.inspect}")
+      end
+
       if dport_range.first == dport_range.last
         # single port match
         cmd += ['--dport', dport_range.first.to_s]

data/lib/reyes/run_generation.rb

@@ -31,6 +31,20 @@ module Reyes
       @value
     end
 
+    # Set the generation value and save it to disk.
+    #
+    # @param value [Integer]
+    #
+    def set!(value)
+      unless value.is_a?(Integer)
+        raise ArgumentError.new("Not an integer: #{value.inspect}")
+      end
+      @value = value
+      log.debug("Setting generation to #{@value}")
+      save(true)
+      @value
+    end
+
     private
 
     def reload
@@ -66,8 +80,9 @@ module Reyes
       end
     end
 
-    def save
+    def save(truncate=false)
       @fh.rewind
+      @fh.truncate(0) if truncate
       @fh.puts(@value.to_s)
       @fh.flush
     end

data/lib/reyes/run_manager.rb

@@ -8,34 +8,62 @@ module Reyes
 
     # @param [Hash] options
     #
-    # @option options :dry_run [Boolean] (false) Don't actually apply changes
     # @option options :empty [Boolean] (false) Generate an empty (default DROP)
     #   rule sets without actually looking up security groups
-    # @option options :interactive [Boolean] (false) Whether to prompt for
-    #   confirmation before applying rules
-    # @option options :log_accept [Boolean] (false) Whether to log packets on
-    #   ACCEPT
     #
-    def run!(options={})
+    def generate_data!(options={})
       options = {
-        dry_run: false,
         empty: false,
-        interactive: false,
-        log_accept: false,
+        increment_generation: true,
       }.merge(options)
 
-      log_accept = options.fetch(:log_accept)
-
-      log.info("Starting iptables rule generation run!")
+      log.info("RunManager.generate_data!")
 
       if options.fetch(:empty)
         log.warn("Generating empty (default DROP) rule set")
         data = @group_manager.generate_rules_empty
       else
-        data = @group_manager.generate_rules!
+        if options.fetch(:increment_generation)
+          @group_manager.run_generation_increment!
+        end
+        data = @group_manager.generate_rules
       end
 
-      new_rules = @group_manager.generate_iptables_script(data, log_accept: log_accept)
+      log.info("Finished loading/generating data")
+
+      data
+    end
+
+    # @param [Hash] options
+    #
+    # @option options :dry_run [Boolean] (false) Don't actually apply changes
+    # @option options :interactive [Boolean] (false) Whether to prompt for
+    #   confirmation before applying rules
+    # @option options :log_accept [Boolean] Whether to log packets on
+    #   ACCEPT
+    # @option options :log_drop [Boolean] Whether to log packets on
+    #   DROP
+    #
+    # @see {GroupManager#generate_iptables_script}
+    # @see {GroupManager#generate_ipsets}
+    #
+    def apply_data!(data, options={})
+      options = {
+        dry_run: false,
+        interactive: false,
+      }.merge(options)
+
+      log.info("RunManager.apply_data!")
+
+      gen_options = {}
+      if options.include?(:log_accept)
+        gen_options[:log_accept] = options.fetch(:log_accept)
+      end
+      if options.include?(:log_drop)
+        gen_options[:log_drop] = options.fetch(:log_drop)
+      end
+
+      new_rules = @group_manager.generate_iptables_script(data, gen_options)
       new_ipsets = @group_manager.generate_ipsets(data)
 
       show_iptables_diff(new_rules)
@@ -55,7 +83,7 @@ module Reyes
       iptables_restore(new_rules)
 
       # XXX(richo) Should we be pruning inside run! ?
-      log.info('Finished firewall configuration run')
+      log.info('Finished applying data')
     end
 
     def materialize_ipsets(new_ipsets)
@@ -64,6 +92,10 @@ module Reyes
       end
     end
 
+    # Call iptables-restore to atomically restore a set of iptables rules.
+    #
+    # @param new_rules [String]
+    #
     def iptables_restore(new_rules)
       log.info("Restoring #{new_rules.count("\n")} lines of iptables rules")
 
@@ -75,7 +107,7 @@ module Reyes
       log.info('restored')
     end
 
-
+    # Remove old IPSets from previous run generations.
     def prune_ipsets
       log.info('Pruning old IPSets')
       old_ipsets = []
@@ -114,6 +146,10 @@ module Reyes
       log.info('Done pruning old IPSets')
     end
 
+    # Show a diff between current IPTables rules and new IPTables rules.
+    #
+    # @param new_rules [String]
+    #
     def show_iptables_diff(new_rules)
       diff = Diff.new
       diff.old.puts(Subprocess.check_output(%w{iptables-save}))

data/lib/reyes/version.rb

@@ -1,3 +1,3 @@
 module Reyes
-  VERSION = '0.0.6' unless defined?(self::VERSION)
+  VERSION = '0.1.1' unless defined?(self::VERSION)
 end

data/lib/reyes.rb

@@ -14,10 +14,11 @@ require_relative './reyes/errors'
 require_relative './reyes/aws_manager'
 require_relative './reyes/config'
 require_relative './reyes/diff'
+require_relative './reyes/fake_aws'
 require_relative './reyes/group_manager'
 require_relative './reyes/group_tools'
 require_relative './reyes/ipset'
 require_relative './reyes/iptables'
 require_relative './reyes/run_generation'
-require_relative './reyes/utils'
 require_relative './reyes/run_manager'
+require_relative './reyes/utils'

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: reyes
 version: !ruby/object:Gem::Version
-  version: 0.0.6
+  version: 0.1.1
 platform: ruby
 authors:
 - Andy Brody
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-02-18 00:00:00.000000000 Z
+date: 2015-02-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk
@@ -117,6 +117,7 @@ files:
 - lib/reyes/config.rb
 - lib/reyes/diff.rb
 - lib/reyes/errors.rb
+- lib/reyes/fake_aws.rb
 - lib/reyes/group_manager.rb
 - lib/reyes/group_tools.rb
 - lib/reyes/ipset.rb