Class: Cumulus::SecurityGroups::RuleConfig

Inherits:

Object

Object
Cumulus::SecurityGroups::RuleConfig

show all

Defined in:: lib/security/models/RuleConfig.rb

Overview

Public: An object representing configuration for a security group rule

Instance Attribute Summary collapse

#from ⇒ Object readonly

Returns the value of attribute from.
#protocol ⇒ Object readonly

Returns the value of attribute protocol.
#security_groups ⇒ Object readonly

Returns the value of attribute security_groups.
#subnets ⇒ Object readonly

Returns the value of attribute subnets.
#to ⇒ Object readonly

Returns the value of attribute to.

Class Method Summary collapse

.allow_all ⇒ Object

Public: Static method that will produce a RuleConfig that allows all access.
.expand_ports(json) ⇒ Object

Public: Static method that will produce multiple RuleConfigs, one for each port range.
.from_aws(aws) ⇒ Object

Public: Static method that will produce a RuleConfig from an AWS rule resource.

Instance Method Summary collapse

#hash ⇒ Object

Public: Get the configuration as a hash.
#initialize(json) ⇒ RuleConfig constructor

Public: Constructor.
#to_aws(vpc_id) ⇒ Object

Public: Converts the RuleConfig into the format needed by AWS to authorize/deauthorize rules.

Constructor Details

#initialize(json) ⇒ `RuleConfig`

Public: Constructor

json - a hash containing the JSON configuration for the rule

# File 'lib/security/models/RuleConfig.rb', line 84

def initialize(json)
  @protocol = json["protocol"]

  if @protocol.downcase == "icmp"
    @from = json["icmp-type"]
    @to = json["icmp-code"]
  else
    @from = json["from-port"]
    @to = json["to-port"]
  end

  @security_groups = if !json["security-groups"].nil? then json["security-groups"] else [] end
  @subnets = unless json["subnets"].nil?
    # interpret single strings as a string within an array
    # subnets: "0.0.0.0/0"
    #   is the same as:
    # subnets: [
    #   "0.0.0.0/0"
    # ]
    if json["subnets"].is_a?(String)
      [json["subnets"]]
    else
      json["subnets"]
    end.flat_map do |subnet|
      if subnet.downcase == "all"
        "0.0.0.0/0" # all subnets according to aws sdk
      elsif subnet.match(/\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}\/\d+/).nil?
        Loader.subnet_group(subnet)
      else
        subnet
      end
    end.sort
  else
    []
  end
end

Instance Attribute Details

#from ⇒ `Object` (readonly)

Returns the value of attribute from.



9
10
11

# File 'lib/security/models/RuleConfig.rb', line 9

def from
  @from
end

#protocol ⇒ `Object` (readonly)

Returns the value of attribute protocol.



10
11
12

# File 'lib/security/models/RuleConfig.rb', line 10

def protocol
  @protocol
end

#security_groups ⇒ `Object` (readonly)

Returns the value of attribute security_groups.



11
12
13

# File 'lib/security/models/RuleConfig.rb', line 11

def security_groups
  @security_groups
end

#subnets ⇒ `Object` (readonly)

Returns the value of attribute subnets.



12
13
14

# File 'lib/security/models/RuleConfig.rb', line 12

def subnets
  @subnets
end

#to ⇒ `Object` (readonly)

Returns the value of attribute to.



13
14
15

# File 'lib/security/models/RuleConfig.rb', line 13

def to
  @to
end

Class Method Details

.allow_all ⇒ `Object`

Public: Static method that will produce a RuleConfig that allows all access

Returns the RuleConfig

# File 'lib/security/models/RuleConfig.rb', line 39

def RuleConfig.allow_all
  RuleConfig.new({
    "protocol" => "all",
    "subnets" => ["0.0.0.0/0"]
  })
end

.expand_ports(json) ⇒ `Object`

Public: Static method that will produce multiple RuleConfigs, one for each port range.

json - a hash containing the JSON configuration for the rule

Returns an array of RuleConfigs

# File 'lib/security/models/RuleConfig.rb', line 52

def RuleConfig.expand_ports(json)
  ports = json["ports"]

  if !ports.nil?
    ports.map do |port|
      rule_hash = json.clone

      if port.is_a? String
        if port.downcase == "all"
          # to include 'all' ports, aws expects both the from-port and the to-port to be nil
          rule_hash["from-port"] = nil
          rule_hash["to-port"] = nil
        else
          parts = port.split("-").map(&:strip)
          rule_hash["from-port"] = parts[0].to_i
          rule_hash["to-port"] = parts[1].to_i
        end
      else
        rule_hash["from-port"] = port
        rule_hash["to-port"] = port
      end

      RuleConfig.new(rule_hash)
    end
  else
    RuleConfig.new(json)
  end
end

.from_aws(aws) ⇒ `Object`

Public: Static method that will produce a RuleConfig from an AWS rule resource.

aws - the aws resource to use

Returns a RuleConfig containing the data in the AWS rule

# File 'lib/security/models/RuleConfig.rb', line 20

def RuleConfig.from_aws(aws)
  RuleConfig.new({
    "security-groups" => aws.user_id_group_pairs.map { |security| SecurityGroups::id_security_groups[security.group_id].group_name },
    "protocol" => if aws.ip_protocol == "-1" then "all" else aws.ip_protocol end,
    "from-port" => if aws.ip_protocol != "icmp" and aws.from_port != -1 then aws.from_port end,
    "to-port" => if aws.ip_protocol != "icmp" and aws.to_port != -1 then aws.to_port end,
    "icmp-type" => if aws.ip_protocol == "icmp"
      if aws.from_port != -1 then aws.from_port else "all" end
    end,
    "icmp-code" => if aws.ip_protocol == "icmp"
      if aws.to_port != -1 then aws.to_port  else "all" end
    end,
    "subnets" => aws.ip_ranges.map { |ip| ip.cidr_ip },
  }.reject { |k, v| v.nil? })
end

Instance Method Details

#hash ⇒ `Object`

Public: Get the configuration as a hash

Returns the hash

# File 'lib/security/models/RuleConfig.rb', line 124

def hash
  security_hashes = @security_groups.map do |security_group|
    {
      "security-groups" => [security_group],
      "protocol" => @protocol,
      "from-port" => if @protocol != "icmp" then @from end,
      "to-port" => if @protocol != "icmp" then @to end,
      "subnets" => [],
      "icmp-type" => if @protocol == "icmp" then @from end,
      "icmp-code" => if @protocol == "icmp" then @to end,
    }.reject { |k, v| v.nil? }
  end
  subnet_hashes = @subnets.map do |subnet|
    {
      "security-groups" => [],
      "protocol" => @protocol,
      "from-port" => if @protocol != "icmp" then @from end,
      "to-port" => if @protocol != "icmp" then @to end,
      "subnets" => [subnet],
      "icmp-type" => if @protocol == "icmp" then @from end,
      "icmp-code" => if @protocol == "icmp" then @to end,
    }.reject { |k, v| v.nil? }
  end

  security_hashes + subnet_hashes
end

#to_aws(vpc_id) ⇒ `Object`

Public: Converts the RuleConfig into the format needed by AWS to authorize/deauthorize rules

vpc_id - the id of the vpc that security group ids should be derived from

# File 'lib/security/models/RuleConfig.rb', line 155

def to_aws(vpc_id)
  {
    ip_protocol: if @protocol == "all" then "-1" else @protocol end,
    from_port: if @from == "all" then "-1" else @from end,
    to_port: if @to == "all" then "-1" else @to end,
    user_id_group_pairs: if !@security_groups.empty?
      @security_groups.map do |sg|
        {
          group_id: SecurityGroups::vpc_security_group_id_names[vpc_id].key(sg)
        }
      end
    end,
    ip_ranges: if !@subnets.empty?
      @subnets.map do |subnet|
        {
          cidr_ip: subnet
        }
      end
    end
  }
end

Class: Cumulus::SecurityGroups::RuleConfig

Overview

Instance Attribute Summary collapse

Class Method Summary collapse

Instance Method Summary collapse

Constructor Details

#initialize(json) ⇒ RuleConfig

Instance Attribute Details

#from ⇒ Object (readonly)

#protocol ⇒ Object (readonly)

#security_groups ⇒ Object (readonly)

#subnets ⇒ Object (readonly)

#to ⇒ Object (readonly)