Class: Awspec::Generator::Spec::SecurityGroup

Inherits:
Object
Includes:
Helper::Finder
Defined in:
lib/awspec/generator/spec/security_group.rb

Constant Summary

Constants included from Helper::Finder

Helper::Finder::CLIENTS

Instance Method Summary collapse

Methods included from Helper::Finder::Ami

#find_ami

Methods included from Helper::Finder::Directconnect

#find_virtual_interface, #select_virtual_interfaces

Methods included from Helper::Finder::Ses

#find_ses_identity

Methods included from Helper::Finder::Cloudwatch

#find_cloudwatch_alarm, #select_all_cloudwatch_alarms

Methods included from Helper::Finder::Elasticache

#find_cache_cluster, #find_cache_subnet_group

Methods included from Helper::Finder::Iam

#select_all_attached_policies, #select_all_iam_groups, #select_all_iam_users, #select_attached_entities, #select_attached_groups, #select_attached_roles, #select_attached_users, #select_iam_group_by_user_name, #select_iam_policy_by_group_name, #select_iam_policy_by_role_name, #select_iam_policy_by_user_name, #select_inine_policy_by_group_name, #select_inine_policy_by_user_name, #select_policy_evaluation_results

Methods included from Helper::Finder::Lambda

#find_lambda, #select_all_lambda_functions, #select_event_source_by_function_arn

Methods included from Helper::Finder::Elb

#find_elb, #select_elb_by_vpc_id

Methods included from Helper::Finder::Ebs

#find_ebs, #select_all_attached_ebs, #select_ebs_by_instance_id

Methods included from Helper::Finder::Autoscaling

#find_autoscaling_group, #find_launch_configuration

Methods included from Helper::Finder::S3

#find_bucket, #find_bucket_acl, #find_bucket_cors, #find_bucket_policy, #select_all_buckets

Methods included from Helper::Finder::Route53

#find_hosted_zone, #select_record_sets_by_hosted_zone_id

Methods included from Helper::Finder::Rds

#find_rds, #select_rds_by_vpc_id

Methods included from Helper::Finder::SecurityGroup

#find_security_group, #select_security_group_by_vpc_id

Methods included from Helper::Finder::Ec2

#find_ec2, #find_ec2_attribute, #find_ec2_status, #find_nat_gateway, #find_network_interface, #select_ec2_by_vpc_id, #select_eip_by_instance_id, #select_nat_gateway_by_vpc_id, #select_network_interface_by_vpc_id

Methods included from Helper::Finder::Subnet

#find_subnet, #select_subnet_by_vpc_id

Methods included from Helper::Finder::Vpc

#find_network_acl, #find_route_table, #find_vpc, #find_vpc_peering_connection, #select_network_acl_by_vpc_id, #select_route_table_by_vpc_id

Instance Method Details

#generate_by_vpc_id(vpc_id) ⇒ Object



# File 'lib/awspec/generator/spec/security_group.rb', line 5

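# Generate one `describe security_group(...)` spec block for every security
# group that belongs to the given VPC.
#
# Side effects: sets @vpc_id and @vpc_tag_name; the spec template reads them
# (through `binding`) to emit the `belong_to_vpc` expectation.
#
# @param vpc_id [Object] VPC identifier handed to find_vpc
# @return [String] the rendered spec blocks, joined with a newline ("" when
#   the VPC has no security groups)
# @raise [RuntimeError] 'Not Found VPC' when find_vpc returns nil
def generate_by_vpc_id(vpc_id)
  # Attributes emitted as `its(:attr) { should eq '...' }`; read by the template via binding.
  describes = %w(
    group_id group_name
  )
  vpc = find_vpc(vpc_id)
  raise 'Not Found VPC' unless vpc
  @vpc_id = vpc[:vpc_id]
  @vpc_tag_name = vpc.tag_name
  sgs = select_security_group_by_vpc_id(@vpc_id)

  # A permission contributes one rule per CIDR range and one per referenced
  # security group; this is what the generated *_rule_count expectations assert.
  count_rules = lambda do |permissions|
    permissions.reduce(0) do |sum, permission|
      sum + permission.ip_ranges.count + permission.user_id_group_pairs.count
    end
  end

  specs = sgs.map do |sg|
    # These locals look unused but the ERB template reads them through `binding`.
    linespecs = generate_linespecs(sg)
    inbound_rule_count = count_rules.call(sg[:ip_permissions])
    outbound_rule_count = count_rules.call(sg[:ip_permissions_egress])
    # Positional trim-mode argument kept for compatibility with older ERB
    # (newer ERB prefers `trim_mode: '-'`). The gsub drops the empty lines the
    # template's control tags leave behind.
    ERB.new(security_group_spec_template, nil, '-').result(binding).gsub(/^\n/, '')
  end
  specs.join("\n")
end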

#generate_linespecs(sg) ⇒ Object



# File 'lib/awspec/generator/spec/security_group.rb', line 28

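# Build one `its(:inbound|outbound) { ... }` expectation per rule target
# (CIDR range or referenced security group) of a security group.
#
# @param sg [#ip_permissions, #ip_permissions_egress] security group whose
#   rules are rendered
# @return [Array<String>] rendered expectation lines, inbound rules first
def generate_linespecs(sg)
  linespecs = []
  permissions = { 'inbound' => sg.ip_permissions, 'outbound' => sg.ip_permissions_egress }
  permissions.each do |inout, rules|
    rules.each do |permission|
      # Nothing to assert a port on: a negative ip_protocol (AWS's "-1"
      # all-traffic rule) or a rule that carries no port range.
      if permission.ip_protocol.to_i < 0 || permission.from_port.nil?
        linespecs.push("its(:#{inout}) { should be_opened }")
        next
      end

      # A single port is emitted bare; a range becomes a quoted 'from-to' string.
      port = if permission.from_port == permission.to_port
               permission.from_port
             else
               "'#{permission.from_port}-#{permission.to_port}'"
             end
      protocol = permission.ip_protocol

      # One line per CIDR range, then one per referenced group (name, falling
      # back to the id). `inout`, `port`, `protocol` and `target` are read by
      # the line template through `binding`, so their names are part of the contract.
      targets = permission.ip_ranges.map(&:cidr_ip) +
                permission.user_id_group_pairs.map { |group| group.group_name || group.group_id }
      targets.each do |target|
        linespecs.push(ERB.new(security_group_spec_linetemplate, nil, '-').result(binding))
      end
    end
  end
  linespecs
end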

#security_group_spec_linetemplate ⇒ Object



# File 'lib/awspec/generator/spec/security_group.rb', line 59

# ERB source for a single rule expectation. It is rendered with a binding that
# defines `inout`, `port`, `protocol` and `target` (see #generate_linespecs).
#
# NOTE: `protocol` and `target` are placed verbatim inside single-quoted Ruby
# literals of the generated spec. `target` can be a security-group name, i.e.
# account data rather than something this generator controls; a value that
# contains `'` or `\` would break or change the meaning of the generated code.
# Escape such values (for example with String#inspect) if they can occur.
#
# @return [String] the template source, terminated by a newline
def security_group_spec_linetemplate
  <<-'EOF'
its(:<%= inout %>) { should be_opened(<%= port %>).protocol('<%= protocol %>').for('<%= target %>') }
EOF
end

#security_group_spec_template ⇒ Object



# File 'lib/awspec/generator/spec/security_group.rb', line 66

# ERB source for one `describe security_group(...)` block. Rendered with
# trim mode '-' and a binding that defines `sg`, `describes`, `linespecs`,
# `inbound_rule_count` and `outbound_rule_count`, plus the instance variables
# @vpc_tag_name and @vpc_id set by the caller (see #generate_by_vpc_id).
#
# NOTE: `sg.group_name`, `sg[describe]` and `@vpc_tag_name` are placed
# verbatim inside single-quoted Ruby literals of the generated spec. These are
# names and tag values from the account, not values this generator controls;
# one containing `'` or `\` would break or change the meaning of the generated
# code. Escape them (for example with String#inspect) if that can occur.
#
# @return [String] the template source
def security_group_spec_template
  <<-'EOF'
describe security_group('<%= sg.group_name %>') do
  it { should exist }
<% describes.each do |describe| %>
<%- if sg.key?(describe) -%>
  its(:<%= describe %>) { should eq '<%= sg[describe] %>' }
<%- end -%>
<% end %>
<% linespecs.each do |line| %>
  <%= line %>
<% end %>
  its(:inbound_rule_count) { should eq <%= inbound_rule_count %> }
  its(:outbound_rule_count) { should eq <%= outbound_rule_count %> }
  its(:inbound_permissions_count) { should eq <%= sg.ip_permissions.count %> }
  its(:outbound_permissions_count) { should eq <%= sg.ip_permissions_egress.count %> }
<%- if @vpc_tag_name -%>
  it { should belong_to_vpc('<%= @vpc_tag_name %>') }
<%- else -%>
  it { should belong_to_vpc('<%= @vpc_id %>') }
<%- end -%>
end
EOF
end