vcloud-network-configurator 0.1.0

data/.gitignore

@@ -0,0 +1,2 @@
+.bundle/
+Gemfile.lock

data/Gemfile

@@ -0,0 +1,4 @@
+source "https://rubygems.org"
+
+# Specify your gem's dependencies in gds-provisioning.gemspec
+gemspec

data/README.md

@@ -0,0 +1,116 @@
+# Vcloud Network Configurator
+
+This is ruby gem which provides a dsl to configure firewall, nat and
+loadbalancer rules. It is a wrapper around the network components of
+vcloud api.
+
+## Installation
+
+    gem install vcloud-network-configurator
+
+  * Note: It is work in progress, and currently you would have to build
+    them gem locally using the following commands
+
+        git clone git@github.com:alphagov/vcloud-network-configurator.git
+        gem build vcloud-network-configurator.gemspec
+        gem install ./vcloud-network-configurator-0.1.0.gem
+
+## Usage
+
+    Usage: vcloud_configure_edge_gateway [options] API_URL
+        -u, --username=U                         Vcloud Username
+        -p, --password=P                         Vcloud Password
+        -e, --env=E                              Environment: preview | staging | production
+        -U, --organization-edgegateway-uuid=U    UID: This is required to configure edgegateway services. For more info refer to
+                                                  docs/find_organisation_edgegateway_uuid
+        -c, --component=c                        Environment: lb|firewall|nat
+        -o, --organization=o                     Organization: optional. Will default to environment
+        -d, --rule-directory=d                   Rules Directory: From where to read the NAT/Firewal/LB rules
+
+  Note: organization maps to the organization name in vcloud. Whereas,
+        environment maps to your internal environment reference (e.g.
+        preview, qa, staging, production, etc)
+
+### Example
+
+      vcloud_configure_edge_gateway -u username -p password -e preview -U 1yenz127ynz1872eyz12yz817e -c firewall -o development -d . http://vcloud.vendor.com/api
+
+### Rules Directory
+
+A particular rules directory structure could be as follows.
+
+        .
+        ├── Gemfile
+        ├── Gemfile.lock
+        ├── common_firewall.rb
+        ├── common_lb.rb
+        ├── common_nat.rb
+        ├── env1
+        │   ├── firewall.rb
+        │   ├── interfaces.yaml
+        │   ├── lb.rb
+        │   └── nat.rb
+        ├── env2
+            ├── firewall.rb
+            ├── interfaces.yaml
+            ├── lb.rb
+            └── nat.rb
+
+* Here each environment represent a separate organisation with your vcloud
+  vendor (eg qa, staging, production). These could have specific rules for nat,
+  firewall. Also these can have common firewall rules which could be shared
+  across all environments. A common example of such a situation is internal
+  network firewall rules are usually shared across environments, whereas
+  external network firewall rules would be different for all environment.
+
+  * Specific network rules => `env1/firewall.rb`, `env1/nat.rb`, `env1/lb.rb`
+  * Common network rules => `./common_firewall.rb`, `./common_lb.rb`, `./common_lb.rb`
+
+* interfaces.yaml file:
+  To find the urls for network, follow the document at
+  `docs/find_network_url`
+
+        interfaces:
+          Network-1: "https://localhost:4567/api/admin/network/<vdc-network-uuid>"
+          Network-2: "https://localhost:4567/api/admin/network/<vdc-network-uuid>"
+
+### DSL
+
+#### Firewall
+
+    firewall do
+      rule "<description>" do
+         source      :ip => "172.10.0.0/8"
+         destination :ip => "172.10.0.5", :port => 4567
+      end
+    end
+
+#### NAT
+
+    nat do
+        snat :interface => "<key-from-interfaces.rb>", :original => { :ip => "internal-ip" }, :translated => { :ip => "external-ip" }, :desc => "description"
+        dnat :interface => "<key-from-interfaces.rb>", :original => { :ip => "external-ip", :port => 22 }, :translated => { :ip => "internal-ip", :port => 22 },  :desc => "SSH"
+    end
+
+
+#### Load Balancer
+
+    load_balancer do
+      configure "description-1" do
+        pool ["<ip-1>", "<ip-2>"] do
+          http
+          https
+        end
+
+        virtual_server :name => "description-1", :interface => "<key-from-interfaces.rb>", :ip => "<vse-ip>"
+      end
+
+      configure "description-2" do
+        pool ["<ip-1>", "<ip-2>", "<ip-3>"] do
+          http :port => 8080, :health_check_path => "</router/healthcheck>"
+          https
+        end
+
+        virtual_server :name => "description-2", :interface => "<key-from-interfaces.rb>", :ip => "<vse-ip>"
+      end
+    end

data/Rakefile

@@ -0,0 +1,25 @@
+require "bundler/gem_tasks"
+require 'rake/testtask'
+require 'rspec/core/rake_task'
+require "gem_publisher"
+
+RSpec::Core::RakeTask.new(:spec) do |task|
+  task.pattern = FileList.new('spec/**/*_spec.rb') do |file|
+    file.exclude(/integration/)
+  end
+  task.rspec_opts = ['--color']
+end
+
+RSpec::Core::RakeTask.new(:integration) do |task|
+  task.pattern = FileList['spec/integration/*_spec.rb']
+  task.rspec_opts = ['--color']
+end
+
+task :default => [:spec]
+
+desc "Publish gem to RubyGems.org"
+task :publish_gem do |t|
+  gem = GemPublisher.publish_if_updated("vcloud-network-configurator.gemspec", :rubygems)
+  puts "Published #{gem}" if gem
+end
+

data/bin/vcloud_configure_edge_gateway

@@ -0,0 +1,5 @@
+#!/usr/bin/env ruby
+$:.unshift File.dirname(__FILE__) + '/../lib'
+require 'vcloud_network_configurator'
+
+VcloudNetworkConfigurator.new(ARGV).execute

data/docs/find_network_url.md

@@ -0,0 +1,56 @@
+# How to find Network UUID for interfaces.yaml
+
+## Steps
+
+   * vcloud authorization
+
+        curl -v -X POST -d '' -H "Accept: application/*+xml;version=5.1"
+          -u "{username}@vcloud-org-name:**********"
+          https://vendor-api-url.net/sessions
+
+
+    The above returns the following information in response
+    `x-cloud-authorization` and
+    `<Link rel="down" type="application/vnd.vmware.vcloud.orgList+xml" href="https://vendor-api-url.net/org/"/>`
+
+
+   * List organisations
+
+        curl -v --insecure
+          -H "x-vcloud-authorization: {x-vcloud-auth-code}"
+          -H "Accept: application/*+xml;version=5.1"
+          "https://vendor-api-url.net/org/"
+
+
+      This gives the list of organizations you have access to, and you can choose the one you need by using the name attribute `<Org type="application/vnd.vmware.vcloud.org+xml" name="ORG-NAME" href="https://vendor-api-url.net/org/{org-code}"/>`
+
+   * Get details of the organisation
+
+        curl -v --insecure -H "x-vcloud-authorization: {x-vcloud-auth-code}"
+          -H "Accept: application/*+xml;version=5.1"
+          "https://vendor-api-url.net/org/{org-code}"
+
+      * This also gives details about various vdc. We would need the one for management vdc:
+
+            <Link rel="down" type="application/vnd.vmware.vcloud.vdc+xml"
+              name="Management - GDS Development (SL1)"
+              href="https://vendor-api-url.net/vdc/{vdc-uuid}"/>
+
+    * Get vdc details
+
+        curl -v --insecure -H "x-vcloud-authorization: {x-vcloud-auth-code}"
+          -H "Accept: application/*+xml;version=5.1"
+          "https://vendor-api-url.net/vdc/{vdc-uuid}
+
+      * This would provide you with available networks. From which you
+        can use the name and href attributes for adding to your
+        interfaces.yaml
+
+            <AvailableNetworks>
+              <Network type="application/vnd.vmware.vcloud.network+xml" name="NetworkTest2"
+                  href="https:///vendor-api-url.net/network/{network-uuid-2}"/>
+              <Network type="application/vnd.vmware.vcloud.network+xml" name="NetworkTest"
+                  href="https:///vendor-api-url.net/network/{network-uuid-1}"/>
+            </AvailableNetworks>
+
+

data/docs/find_organisation_edgegateway_uuid.md

@@ -0,0 +1,58 @@
+# How to find Organisation Edgegateway UUID
+
+##Steps:
+
+   * vcloud authorization
+
+        curl -v -X POST -d '' -H "Accept: application/*+xml;version=5.1"
+          -u "{username}@vcloud-org-name:**********"
+          https://vendor-api-url.net/sessions
+
+
+    The above returns the following information in response
+    `x-cloud-authorization` and
+    `<Link rel="down" type="application/vnd.vmware.vcloud.orgList+xml" href="https://vendor-api-url.net/org/"/>`
+
+
+   * List organisations
+
+        curl -v --insecure
+          -H "x-vcloud-authorization: {x-vcloud-auth-code}"
+          -H "Accept: application/*+xml;version=5.1"
+          "https://vendor-api-url.net/org/"
+
+
+      This gives the list of organizations you have access to, and you can choose the one you need by using the name attribute `<Org type="application/vnd.vmware.vcloud.org+xml" name="ORG-NAME" href="https://vendor-api-url.net/org/{org-code}"/>`
+
+   * Get details of the organisation
+
+        curl -v --insecure -H "x-vcloud-authorization: {x-vcloud-auth-code}"
+          -H "Accept: application/*+xml;version=5.1"
+          "https://vendor-api-url.net/org/{org-code}"
+
+      * This also gives details about various vdc. We would need the one for management vdc:
+
+            <Link rel="down" type="application/vnd.vmware.vcloud.vdc+xml"
+              name="Management - GDS Development (SL1)"
+              href="https://vendor-api-url.net/vdc/{org-code}"/>
+
+   * Retrieve edgegateway record
+
+        curl -v --insecure -H "x-vcloud-authorization: {x-vcloud-auth-code}="
+          -H "Accept: application/*+xml;version=5.1"
+          "https://vendor-api-url.net/admin/vdc/{management-edgegateway-uuid}/edgeGateways"
+
+      * Response of the above is (from which you would need the id in the href attribute):
+
+            <EdgeGatewayRecord vdc="https://vendor-api-url.net/vdc/{management-edgegateway-uuid}"
+              numberOfOrgNetworks="8" numberOfExtNetworks="1"
+              name="GDS Development Gateway" isBusy="false" haStatus="UP" gatewayStatus="READY"
+              href="https://vendor-api-url.net/admin/edgeGateway/{id}"
+              isSyslogServerSettingInSync="true" taskStatus="success"
+              taskOperation="networkConfigureEdgeGatewayServices"
+              task="https://vendor-api-url.net/task/***" taskDetails=" "/>
+
+         *e.g. https://vendor-api-url.net/admin/edgeGateway/{id}*
+
+
+

data/jenkins.sh

@@ -0,0 +1,6 @@
+#!/bin/bash -x
+set -e
+bundle install --path "${HOME}/bundles/${JOB_NAME}"
+bundle exec rake spec
+bundle exec rake integration
+bundle exec rake publish_gem --trace

data/lib/component/firewall.rb

@@ -0,0 +1,82 @@
+require 'rubygems'
+require 'nokogiri'
+
+module Component
+  class Firewall
+    attr_reader :rules
+
+    def initialize
+      @rules = []
+      @count = 0
+    end
+
+    def rule(description, options = {}, &block)
+      defaults = { :enabled => true, :protocols => [:tcp], :id => @count+=1, :description => description}
+      @current_rule = defaults.merge(options)
+      rules << @current_rule
+      yield
+    ensure
+      @current_rule = nil
+    end
+
+    def source(options)
+      @current_rule[:source] = { :port => options[:port] || "Any", :ip => options[:ip] }
+    end
+
+    def destination(options)
+      @current_rule[:destination] = { :port => options[:port], :ip => options[:ip] }
+    end
+
+    def self.reset
+      @firewall = nil
+    end
+
+    def self.instance
+      @firewall ||= Firewall.new
+    end
+
+    def self.generate_xml interfaces
+      Nokogiri::XML::Builder.new(:encoding => 'UTF-8') do |xml|
+        xml.EdgeGatewayServiceConfiguration('xmlns' => "http://www.vmware.com/vcloud/v1.5", 'xmlns:xsi' => "http://www.w3.org/2001/XMLSchema-instance", 'xsi:schemaLocation' => "http://www.vmware.com/vcloud/v1.5 http://vendor-api-url.net/v1.5/schema/master.xsd") {
+          xml.FirewallService {
+            xml.IsEnabled "true"
+            xml.DefaultAction "drop"
+            xml.LogDefaultAction "false"
+
+            Firewall.instance.rules.each do |rule|
+              xml.FirewallRule {
+                xml.Id rule[:id]
+                xml.IsEnabled rule[:enabled]
+                xml.MatchOnTranslate "false"
+                xml.Description rule[:description]
+                xml.Policy "allow"
+
+                xml.Protocols {
+                  rule[:protocols].each do |protocol|
+                    xml.send(protocol.to_s.capitalize, true)
+                  end
+                }
+
+                if rule[:protocols].first == :icmp
+                  xml.IcmpSubType "any"
+                end
+
+                xml.Port rule[:destination][:port] == "Any" ? "-1" : rule[:destination][:port]
+                xml.DestinationPortRange rule[:destination][:port]
+                xml.DestinationIp rule[:destination][:ip]
+                xml.SourcePort rule[:source][:port] == "Any" ? "-1" : rule[:source][:port]
+                xml.SourcePortRange rule[:source][:port]
+                xml.SourceIp rule[:source][:ip]
+                xml.EnableLogging "false"
+              }
+            end
+          }
+        }
+      end
+    end
+  end
+end
+
+def firewall (&block)
+  Component::Firewall.instance.instance_eval(&block)
+end

data/lib/component/load_balancer.rb

@@ -0,0 +1,181 @@
+require 'rubygems'
+require 'nokogiri'
+
+module Component
+  class LoadBalancer
+    attr_reader :pools, :configurations
+
+    def initialize
+      @pools = []
+      @configurations = []
+    end
+
+    def configure(name, &block)
+      @current_configuration = { :name => name, :virtual_servers => [], :pool => nil }
+      @configurations << @current_configuration
+      yield
+    ensure
+      @current_pool = nil
+    end
+
+    def virtual_server(options = {})
+      raise "Can't add a virtual server without first having defined a pool" if @current_pool.nil?
+      virtual_server = { :name => options[:name], :pool => @current_pool[:name], :ip => options[:ip], :interface => options[:interface] }
+      @current_configuration[:virtual_servers] << virtual_server
+    end
+
+    def pool(nodes, &block)
+      @current_pool = { :name => "#{@current_configuration[:name]} pool", :ports => [], :nodes => nodes }
+      @current_configuration[:pool] = @current_pool
+      @pools << @current_pool
+      yield
+    end
+
+    def http(options = {})
+      defaults = { :enabled => true, :health_check_path => "/", :port => 80, :health_check_mode => "HTTP" }
+      options = defaults.merge(options)
+      @current_pool[:ports] << { :port => options[:port], :health_check_port => options[:health_check_port],
+                                 :health_check_path => options[:health_check_path], :enabled => options[:enabled],
+                                 :type => :http, :health_check_mode=>options[:health_check_mode] }
+    end
+
+    def https(options = {})
+      defaults = { :enabled => true, :health_check_path => "/", :port => 443, :health_check_mode => "SSL" }
+      options = defaults.merge(options)
+      @current_pool[:ports] << { :port => options[:port], :health_check_port => options[:health_check_port],
+                                 :health_check_path => options[:health_check_path], :enabled => options[:enabled],
+                                 :type => :https, :health_check_mode => options[:health_check_mode] }
+    end
+
+    def load_balances(port, options = {})
+      defaults = { :enabled => true, :health_check_path => "/" }
+      options = defaults.merge(options)
+      @current_pool[:ports] << { :port => port, :health_check_port => options[:health_check_port], :health_check_path => options[:health_check_path],
+                                 :enabled => options[:enabled], :type => options[:type] }
+    end
+
+    def self.instance
+      @lb ||= LoadBalancer.new
+    end
+
+    def self.generate_xml interfaces
+      Nokogiri::XML::Builder.new(:encoding => 'UTF-8') do |xml|
+        xml.EdgeGatewayServiceConfiguration('xmlns' => "http://www.vmware.com/vcloud/v1.5", 'xmlns:xsi' => "http://www.w3.org/2001/XMLSchema-instance", 'xsi:schemaLocation' => "http://www.vmware.com/vcloud/v1.5 http://vendor-api-url.net/v1.5/schema/master.xsd") {
+          xml.LoadBalancerService {
+            xml.IsEnabled 'false'
+            LoadBalancer.instance.pools.each do |pool|
+              xml.Pool {
+                xml.Name pool[:name]
+
+                pool[:ports].each do |port|
+                  xml.ServicePort {
+                    xml.IsEnabled port[:enabled]
+                    xml.Protocol port[:port] == 443 ? "HTTPS" : "HTTP"
+                    xml.Algorithm 'ROUND_ROBIN'
+                    xml.Port port[:port]
+
+                    if port[:health_check_port]
+                      xml.HealthCheckPort port[:health_check_port]
+                    else
+                      xml.HealthCheckPort
+                    end
+
+                    xml.HealthCheck {
+                      xml.Mode port[:health_check_mode]
+                      xml.Uri port[:health_check_path]
+                      xml.HealthThreshold "2"
+                      xml.UnhealthThreshold "3"
+                      xml.Interval "5"
+                      xml.Timeout	"15"
+                    }
+                  }
+                end
+
+                xml.ServicePort {
+                  xml.IsEnabled 'false'
+                  xml.Protocol "TCP"
+                  xml.Algorithm 'ROUND_ROBIN'
+                  xml.Port
+                  xml.HealthCheckPort
+                  xml.HealthCheck {
+                    xml.Mode "TCP"
+                    xml.HealthThreshold "2"
+                    xml.UnhealthThreshold "3"
+                    xml.Interval "5"
+                    xml.Timeout	"15"
+                  }
+                }
+
+                pool[:nodes].each do |node|
+                  xml.Member {
+                    xml.IpAddress node
+                    xml.Weight "1"
+
+                    ["HTTP", "HTTPS"].each do |protocol|
+                      xml.ServicePort {
+                        xml.Protocol protocol
+                        xml.Port pool[:ports].find { |port| port[:type] == protocol.downcase.to_sym }[:port]
+                        xml.HealthCheckPort
+                      }
+                    end
+
+                    xml.ServicePort {
+                      xml.Protocol "TCP"
+                      xml.Port
+                      xml.HealthCheckPort
+                    }
+
+                  }
+                end
+                xml.Operational "false"
+              }
+            end
+
+            LoadBalancer.instance.configurations.each do |configuration|
+              configuration[:virtual_servers].each do |virtual_server|
+                xml.VirtualServer {
+                  xml.IsEnabled "true"
+                  xml.Name virtual_server[:name]
+                  xml.Interface('type' => "application/vnd.vmware.vcloud.orgVdcNetwork+xml", :name => virtual_server[:interface], :href => interfaces[virtual_server[:interface]])
+                  xml.IpAddress virtual_server[:ip]
+
+                  configuration[:pool][:ports].each do |port|
+                    xml.ServiceProfile {
+                      xml.IsEnabled port[:enabled]
+                      xml.Protocol port[:type].to_s.upcase
+                      xml.Port port[:port]
+                      xml.Persistence {
+                        if port[:type] == :https
+                          xml.Method
+                        else
+                          xml.Method
+                        end
+                      }
+                    }
+                  end
+
+                  xml.ServiceProfile {
+                    xml.IsEnabled "false"
+                    xml.Protocol "TCP"
+                    xml.Port
+                    xml.Persistence {
+                      xml.Method
+                    }
+                  }
+                  xml.Logging "false"
+                  xml.Pool configuration[:pool][:name]
+
+                }
+              end
+            end
+          }
+        }
+      end
+    end
+
+  end
+end
+
+def load_balancer (&block)
+  Component::LoadBalancer.instance.instance_eval(&block)
+end