Module: Grouper

Defined in:
lib/grouper.rb

Defined Under Namespace

Classes: Rule


Instance Method Details

#add_rule(group, rule) ⇒ Object

add a rule to a security group



# File 'lib/grouper.rb', line 58

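# Authorise +rule+ on the security group +group+.
#
# +rule.direction+ selects the side: +:in+ authorises ingress only, +:out+
# egress only, and any other value (the Rule class's +:both+, presumably)
# authorises both. Because the fallback is the widest grant, a mistyped or
# nil direction silently opens both sides — NOTE(review): validate direction
# before calling this.
#
# AWS rejects a permission it already holds with
# AWS::EC2::Errors::InvalidPermission::Duplicate; since "already present" is
# the desired end state, that error is deliberately ignored so repeated
# applies stay idempotent. With +:both+, a Duplicate on ingress means the
# egress call is skipped, exactly as in the original control flow.
#
# @param group [Object] responds to #authorize_ingress and #authorize_egress
# @param rule [Grouper::Rule] responds to #direction, #protocol, #ports, #sources
# @return [Object] the last authorize_* result, or nil when a Duplicate was swallowed
def add_rule(group, rule)
  direction = rule.direction
  unless direction == :out
    group.authorize_ingress(rule.protocol, rule.ports, *rule.sources)
  end
  unless direction == :in
    group.authorize_egress(*rule.sources, :protocol => rule.protocol, :ports => rule.ports)
  end
rescue AWS::EC2::Errors::InvalidPermission::Duplicate
  # Permission already exists on the group: nothing left to do.
  nil
end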

#apply_rules(group, rules) ⇒ Object

Takes an array of rules and applies them to a security group; if the security group has rules that are not part of the rules array being applied, these are revoked



# File 'lib/grouper.rb', line 16

# Make +group+'s permissions equal to +rules+.
#
# Stale permissions are revoked first (#remove_old_rules) and only then is
# each rule authorised (#add_rule). That order means there is never a moment
# where old and new permissions coexist; the trade-off is a brief window
# during apply where a rule that is kept has not yet been re-added if it was
# judged stale by #is_rule?.
#
# @param group [Object] an EC2 security group
# @param rules [Array<Grouper::Rule>] the desired complete rule set
# @return [Array<Grouper::Rule>] +rules+ (the value of the each)
def apply_rules(group, rules)
  remove_old_rules(group, rules)
  rules.each { |rule| add_rule(group, rule) }
end

#find_or_create(ec2, group_name) ⇒ Object

find a security group, create it if it does not exist



# File 'lib/grouper.rb', line 5

# Return the security group called +group_name+, creating it when no group
# with that name is listed.
#
# Two calls are made against +ec2.security_groups+: one enumeration to
# collect every name, then a 'group-name' filter whose first hit is returned.
# The lookup is by name alone, so NOTE(review): if the account can hold
# same-named groups in different VPCs, confirm which one +first+ yields.
#
# @param ec2 [Object] whose #security_groups responds to #map, #filter, #create
# @param group_name [String]
# @return [Object] the existing or freshly created security group
def find_or_create(ec2, group_name)
  known_names = ec2.security_groups.map(&:name)
  return ec2.security_groups.create(group_name) unless known_names.include?(group_name)

  ec2.security_groups.filter('group-name', group_name).first
end

#is_rule?(permission, rules) ⇒ Boolean

checks to see if an EC2 IP permission is in an array of rules

Returns:

  • (Boolean)


# File 'lib/grouper.rb', line 36

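# True when +permission+ is described by at least one rule in +rules+
# (see #match?). Used by #remove_old_rules to decide what survives an apply,
# so a permission that matches nothing here gets revoked.
#
# @param permission [Object] an EC2 IP permission
# @param rules [Enumerable<Grouper::Rule>]
# @return [Boolean] false for an empty +rules+
def is_rule?(permission, rules)
  rules.any? { |rule| match?(permission, rule) }
end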

#match?(permission, rule) ⇒ Boolean

checks to see if an EC2 IP permission matches a rule. AWS doesn't do clever recombination of rules in the background, so we do simple comparisons to keep things simple

Returns:

  • (Boolean)


# File 'lib/grouper.rb', line 46

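# Does the EC2 IP permission +permission+ describe exactly +rule+?
#
# Port range, sources and protocol are compared with plain ==, so the order
# of +rule.sources+ matters: a permission whose ip_ranges hold the same
# entries in a different order does not match and will be revoked and
# re-added on the next #apply_rules. NOTE(review): normalise (e.g. sort)
# both sides if AWS ever returns them reordered.
#
# The rule's direction then has to agree with the permission's egress flag:
# +:in+ needs a non-egress permission, +:out+ an egress one, and any other
# direction (+:both+) accepts either side.
#
# @param permission [Object] responds to #port_range, #ip_ranges, #protocol, #egress
# @param rule [Grouper::Rule] responds to #ports, #sources, #protocol, #direction
# @return [Boolean] always a true/false value, even when #egress is a raw truthy object
def match?(permission, rule)
  same_shape = permission.port_range == rule.ports &&
               permission.ip_ranges == rule.sources &&
               permission.protocol == rule.protocol
  return false unless same_shape

  case rule.direction
  when :in then !permission.egress
  when :out then !!permission.egress # coerce so the predicate returns a Boolean
  else true # :both — direction is irrelevant
  end
end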

#remove_old_rules(group, rules) ⇒ Object

revoke old rules that are not part of the rules array



# File 'lib/grouper.rb', line 25

# Revoke every permission on +group+ that no rule in +rules+ describes
# (as judged by #is_rule?). Ingress permissions are walked and revoked
# first, then egress. An empty +rules+ therefore strips the group bare —
# fail-closed, which is the safe direction for a security group.
#
# @param group [Object] responds to #ingress_ip_permissions and #egress_ip_permissions
# @param rules [Array<Grouper::Rule>] the permissions that are allowed to stay
# @return [Object] the egress permission collection (value of the last each)
def remove_old_rules(group, rules)
  stale = ->(permission) { !is_rule?(permission, rules) }
  group.ingress_ip_permissions.each { |permission| permission.revoke if stale.call(permission) }
  group.egress_ip_permissions.each { |permission| permission.revoke if stale.call(permission) }
end

#revoke_rule(group, rule) ⇒ Object

remove a rule from a security group



# File 'lib/grouper.rb', line 76

# Revoke +rule+ from the security group +group+ — the inverse of #add_rule.
#
# +:in+ revokes ingress only, +:out+ egress only; any other direction
# (+:both+) revokes ingress and then egress. Nothing is rescued here, so
# revoking a permission the group does not hold surfaces whatever the
# revoke_* call raises.
#
# @param group [Object] responds to #revoke_ingress and #revoke_egress
# @param rule [Grouper::Rule] responds to #direction, #protocol, #ports, #sources
# @return [Object] the result of the last revoke_* call
def revoke_rule(group, rule)
  direction = rule.direction
  unless direction == :out
    group.revoke_ingress(rule.protocol, rule.ports, *rule.sources)
  end
  unless direction == :in
    group.revoke_egress(*rule.sources, :protocol => rule.protocol, :ports => rule.ports)
  end
end