reyes 0.3.1 → 1.0.0

checksums.yaml

@@ -1,15 +1,15 @@
 ---
 !binary "U0hBMQ==":
   metadata.gz: !binary |-
-    NzRmNzQ2MDEyZGUzZDZlNDZmNzlkMTM5MDkxN2UwZGYwYWI2MjFmOA==
+    MmU1NmFhNTQzMDg4ZTgzMjJhMjQyNzFmYzlkYmNhN2VjMjM4MzA1Yg==
   data.tar.gz: !binary |-
-    YjFkZTIyM2JhNTM4ODgxMDgwN2JjYjNlZWEyYjM1OWQxN2E3ZmRlOA==
+    MjkyYWNkY2RmMDI4NTgzMDcyYTkwNDg5MjI0YTdlYzExNDJiZmQ5OA==
 SHA512:
   metadata.gz: !binary |-
-    MzYzNGY5ZThkMTJjYTI5NDM0ODgwZThlZGQwNTJlMDFjNzkwZjU3ZDM5Mjkw
-    NjE4ZGJlOTE0MGM4NmI0NjIyNjFkZDE5ZDY3YzBlOWY3Y2RkNGQxMDliMDdi
-    NDk3MDlkYmM1YzYxOWU3NGUxODNiYjc0YWFkNGIzMThiMzAwM2U=
+    Yzg3MjRiMzc2MjZhOTIyZTRmOGRlYTU3OTJjNjk0MjU5ZDU5MzhjMzhhMjll
+    MGNhZTEzMmJiMjRhZTc2MjY5OWY2YzE0NTJmNjA4ZmM0NTU0MzAxNmU3NTEx
+    ZjI5NWYxMDdmYWI2ZDI4NmZmZjE0MTIwYjI3ZGQ3MDFjYjE4MDQ=
   data.tar.gz: !binary |-
-    NDVjZGM1NWFlODI2YzE4OTI2YjgwMDBiNTg1Yjg0MzY4YTc4NmFlOTRhODEy
-    Yjk3MWQyZmQ4YjkyMTk0OGUwZjczZTRhNGYyMjJkNDU0M2MyN2VkZmQxMDZk
-    ZGE3OTY0MjQxNjczYzRiMjkyNDA2YjgzMDUwNjVhMGRjMDc4M2U=
+    ZjRkMDg4NzlmN2ViNDNlOTZiN2IzNzU1M2I0ZmVlM2YzZmJhMzYxY2NiYzA1
+    M2UzMzgzZDkyZDBhYzM4ZWViMzRlOGU1MjQ3ODJlMTc5MGQ2MjQwYTdkOTk5
+    YTZlMDM3ZGQzYjNkYjQ2OTI3ODJiMGE5YjE3OTUyMmNkYjdhNmQ=

data/lib/reyes/aws_manager.rb

@@ -352,7 +352,7 @@ module Reyes
       [
         RegionShortNames.fetch(region),
         group.group_id,
-        group.name,
+        group.name.gsub(/[^a-zA-Z0-9\._\/,@+=-]/, '_'),
       ].join(':')[0...31]
     end
 

data/lib/reyes/diff.rb

@@ -1,12 +1,12 @@
 module Reyes
   class Diff
     def initialize
-      @old = Tempfile.new('old')
-      @new = Tempfile.new('new')
+      @old = Tempfile.new('diff.old.')
+      @new = Tempfile.new('diff.new.')
     end
 
     # Consumes the +Diff+, returning the full unified diff of @old and @new
-    # @return [String]
+    # @return [String, nil] String diff or nil if the files do not differ
     def diff
       raise "Diff has already been created" unless @old && @new
 
@@ -14,8 +14,22 @@ module Reyes
         f.flush
       end
 
-      Subprocess.call(["diff", '-u', @old.path, @new.path], :stdout => Subprocess::PIPE) do |c|
-        return c.communicate
+      output = nil
+      cmd = ["diff", '-u', @old.path, @new.path]
+      status = Subprocess.call(cmd, :stdout => Subprocess::PIPE) do |c|
+        output, _ = c.communicate
+      end
+
+      case status.exitstatus
+      when 0
+        # no diff
+        return nil
+      when 1
+        # files differ
+        return output
+      else
+        # trouble
+        raise Subprocess::NonZeroExit.new(cmd, status)
       end
     ensure
       @old.unlink

data/lib/reyes/fake_aws.rb

@@ -5,15 +5,19 @@ module Reyes
     include Chalk::Log
 
     # @param data [Hash]
-    def initialize(data)
+    # @param assert_version [Boolean]
+    def initialize(data, assert_version=true)
       @data = data
       log.info("Initialized FakeAws with metadata: #{metadata.inspect}")
 
       version = metadata['format_version']
       if version != Reyes::JSON_FORMAT_VERSION
-        log.error("WARNING: JSON format_version #{version.inspect} " \
-                  "differs from our version #{Reyes::JSON_FORMAT_VERSION}")
-        log.error('Proceeding anyway...')
+        msg = "JSON format_version #{version.inspect} " \
+              "differs from our version #{Reyes::JSON_FORMAT_VERSION}"
+        log.error('WARNING: ' + msg)
+        if assert_version
+          raise Error.new(msg)
+        end
       end
     end
 

data/lib/reyes/group_manager.rb

@@ -6,7 +6,7 @@ module Reyes
   class GroupManager
     include Chalk::Log
 
-    ReyesInputChain = 'reyes-ipsec-input'
+    ReyesInputChain = 'reyes-input'
 
     attr_reader :fake_aws, :instance_id
 
@@ -283,27 +283,24 @@ module Reyes
       lines << ''
 
       lines << ":#{ReyesInputChain} -"
-      lines << ':reyes-log-drop -'
-      lines << ':reyes-log-accept -'
       lines << ':reyes-accept -'
       lines << ':reyes-drop -'
-      lines << ''
-
-      lines << IPTables.log_rule_string('reyes-log-drop', 'REYES BLOCK')
-      lines << IPTables.log_rule_string('reyes-log-accept', 'REYES ACCEPT')
-
-      lines << '-A reyes-drop -j reyes-log-drop' if log_drop
-      lines << '-A reyes-drop -j DROP'
-      lines << '-A reyes-accept -j reyes-log-accept' if log_accept
-      lines << '-A reyes-accept -j ACCEPT'
+      lines << ':reyes-log-accept -'
+      lines << ':reyes-log-drop -'
 
       # add rules to direct appropriate traffic into reyes
       lines << ''
-      lines << '# input chain rules'
+      lines << '## input chain rules'
       lines.concat(input_chain_rules)
 
       lines << ''
-      lines << '# static global rules'
+      lines << '-A reyes-accept -j reyes-log-accept' if log_accept
+      lines << '-A reyes-accept -j ACCEPT'
+      lines << '-A reyes-drop -j reyes-log-drop' if log_drop
+      lines << '-A reyes-drop -j DROP'
+
+      lines << ''
+      lines << '## static global rules'
 
       # allow normal ICMP traffic
       IPTables.innocuous_icmp_rules(ReyesInputChain).each do |r|
@@ -320,16 +317,21 @@ module Reyes
 
       # add dynamic rules
       lines << ''
-      lines << '# dynamic rules from security groups'
+      lines << '## dynamic rules from security groups'
       dynamic_rules_from_data(data).each do |rule|
         lines << rule
       end
 
-      # add reyes-drop to very end of reyes-ipsec-input chain
+      # add reyes-drop to very end of reyes-input chain
       lines << ''
-      lines << '# default drop'
+      lines << '## default drop'
       lines << "-A #{ReyesInputChain} -j reyes-drop"
 
+      lines << ''
+      lines << '## log rules'
+      lines << IPTables.log_rule_string('reyes-log-accept', 'REYES ACCEPT')
+      lines << IPTables.log_rule_string('reyes-log-drop', 'REYES BLOCK')
+
       # commit the filter table
       lines << ''
       lines << 'COMMIT'

data/lib/reyes/ipset.rb

@@ -3,6 +3,9 @@ module Reyes
     TYPE = "hash:ip"
     attr_reader :name, :members
 
+    # TODO: add more useful logging
+    include Chalk::Log
+
     # Constructor for ipsets, maintaining the invariant that once constructed,
     # ipsets will not be altered.
     # @param [String] name of the IPSet to create
@@ -21,6 +24,7 @@ module Reyes
     # Builds the ipset, retuning an IPSet
     # @returns [IPSet]
     def build
+      log.info("Building ipset #{@name.inspect}")
       create
       populate
       IPSet.load(@name)

data/lib/reyes/iptables.rb

@@ -42,7 +42,7 @@ module Reyes
 
       if dport_range.first == dport_range.last
         # single port match
-        cmd += ['--dport', dport_range.first.to_s]
+        cmd += ['-m', protocol.to_s, '--dport', dport_range.first.to_s]
       else
         # port range match
         cmd += ['-m', 'multiport', '--dports',

data/lib/reyes/run_manager.rb

@@ -2,6 +2,8 @@ module Reyes
   class RunManager
     include Chalk::Log
 
+    IPSET_NAME_PATTERN = /(\d+)(?<nogen>:(\w+):(sg-[a-f0-9]{8}):(\w+))/
+
     def initialize(group_manager)
       @group_manager = group_manager
     end
@@ -29,7 +31,7 @@ module Reyes
         data = @group_manager.generate_rules
       end
 
-      log.info("Finished loading/generating data")
+      log.info("Finished RunManager.generate_data!")
 
       data
     end
@@ -83,13 +85,15 @@ module Reyes
       iptables_restore(new_rules)
 
       # XXX(richo) Should we be pruning inside run! ?
-      log.info('Finished applying data')
+      log.info('Finished RunManager.apply_data!')
     end
 
     def materialize_ipsets(new_ipsets)
+      log.info('Materializing ipsets')
       new_ipsets.each do |ipset|
         ipset.build
       end
+      log.info('Done building ipsets')
     end
 
     # Call iptables-restore to atomically restore a set of iptables rules.
@@ -151,20 +155,27 @@ module Reyes
     # @param new_rules [String]
     #
     def show_iptables_diff(new_rules)
+      log.debug('show_iptables_diff')
+
+      log.debug('+ iptables-save -t filter')
+      current = Subprocess.check_output(%w{iptables-save -t filter})
+
       diff = Diff.new
-      diff.old.puts(Subprocess.check_output(%w{iptables-save}))
-      diff.new.puts(new_rules)
+      diff.old.puts(filter_iptables_output(current))
+      diff.new.puts(filter_iptables_output(new_rules))
 
-      log.info "Proposed IPTables diff:"
-      puts diff.diff
+      log.info 'Proposed IPTables diff:'
+      log.info(diff.diff || '<unchanged>')
     end
 
     def show_ipsets_diff(new_ipsets)
+      log.debug('show_ipsets_diff')
+
       diff = Diff.new
 
       dump = lambda do |f, ipset|
         ipset.sort_by(&:name).each do |ip|
-          f.puts(ip.name)
+          f.puts(gsub_ipset_generation(ip.name))
           ip.members.sort.each do |m|
             f.puts("\t#{m}")
           end
@@ -174,8 +185,26 @@ module Reyes
       dump.call(diff.old, Reyes::IPSet.load_all)
       dump.call(diff.new, new_ipsets)
 
-      log.info "Proposed IPSets diff:"
-      puts diff.diff
+      log.info 'Proposed IPSets diff:'
+      log.info(diff.diff || '<unchanged>')
+    end
+
+    private
+
+    # Use `IPSET_NAME_PATTERN` to remove generation numbers from any matching
+    # ipset names in the input.
+    #
+    # @param input [String]
+    # @return [String]
+    #
+    def gsub_ipset_generation(input)
+      input.gsub(IPSET_NAME_PATTERN) { '##' + Regexp.last_match['nogen'] }
+    end
+
+    def filter_iptables_output(input)
+      gsub_ipset_generation(input).each_line.reject { |line|
+        line.strip.empty? || line.start_with?('##')
+      }.join
     end
   end
 end

data/lib/reyes/version.rb

@@ -1,6 +1,6 @@
 module Reyes
   # The Reyes version number
-  VERSION = '0.3.1' unless defined?(self::VERSION)
+  VERSION = '1.0.0' unless defined?(self::VERSION)
 
   # Number defining the JSON serialization format
   JSON_FORMAT_VERSION = 2 unless defined?(self::JSON_FORMAT_VERSION)

data/reyes.gemspec

@@ -24,6 +24,7 @@ Gem::Specification.new do |gem|
 
     TO DO
   EOM
+  # TODO ^
   gem.homepage = "https://github.com/stripe/reyes/"
 
   gem.files         = list_files
@@ -35,8 +36,8 @@ Gem::Specification.new do |gem|
   gem.version = Reyes::VERSION
 
   gem.add_dependency 'aws-sdk', '~> 1.60'
-  gem.add_dependency 'chalk-log'
-  gem.add_dependency 'subprocess'
+  gem.add_dependency 'chalk-log', '~> 0.1'
+  gem.add_dependency 'subprocess', '~> 1.2'
 
   gem.add_development_dependency 'pry'
   gem.add_development_dependency 'rake'

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: reyes
 version: !ruby/object:Gem::Version
-  version: 0.3.1
+  version: 1.0.0
 platform: ruby
 authors:
 - Andy Brody
@@ -29,30 +29,30 @@ dependencies:
   name: chalk-log
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ! '>='
+    - - ~>
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '0.1'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ! '>='
+    - - ~>
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '0.1'
 - !ruby/object:Gem::Dependency
   name: subprocess
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ! '>='
+    - - ~>
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '1.2'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ! '>='
+    - - ~>
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '1.2'
 - !ruby/object:Gem::Dependency
   name: pry
   requirement: !ruby/object:Gem::Requirement