Class: Cumulus::SecurityGroups::RuleConfig
Inherits: Object
Defined in: lib/security/models/RuleConfig.rb
Overview
Public: An object representing configuration for a security group rule
Instance Attribute Summary
- #from ⇒ Object (readonly): Returns the value of attribute from.
- #protocol ⇒ Object (readonly): Returns the value of attribute protocol.
- #security_groups ⇒ Object (readonly): Returns the value of attribute security_groups.
- #subnets ⇒ Object (readonly): Returns the value of attribute subnets.
- #to ⇒ Object (readonly): Returns the value of attribute to.
Class Method Summary
- .allow_all ⇒ Object: Public: Static method that will produce a RuleConfig that allows all access.
- .expand_ports(json) ⇒ Object: Public: Static method that will produce multiple RuleConfigs, one for each port range.
- .from_aws(aws) ⇒ Object: Public: Static method that will produce a RuleConfig from an AWS rule resource.
Instance Method Summary
- #hash ⇒ Object: Public: Get the configuration as a hash.
- #initialize(json) ⇒ RuleConfig (constructor): Public: Constructor.
- #to_aws(vpc_id) ⇒ Object: Public: Converts the RuleConfig into the format needed by AWS to authorize/deauthorize rules.
Constructor Details
#initialize(json) ⇒ RuleConfig
Public: Constructor
json - a hash containing the JSON configuration for the rule
# File 'lib/security/models/RuleConfig.rb', line 84

def initialize(json)
  @protocol = json["protocol"]
  # ICMP rules carry a type/code pair instead of a port range
  if @protocol.downcase == "icmp"
    @from = json["icmp-type"]
    @to = json["icmp-code"]
  else
    @from = json["from-port"]
    @to = json["to-port"]
  end

  @security_groups = if !json["security-groups"].nil? then json["security-groups"] else [] end

  @subnets = unless json["subnets"].nil?
    # interpret single strings as a string within an array
    #   subnets: "0.0.0.0/0"
    # is the same as:
    #   subnets: [
    #     "0.0.0.0/0"
    #   ]
    if json["subnets"].is_a?(String)
      [json["subnets"]]
    else
      json["subnets"]
    end.flat_map do |subnet|
      if subnet.downcase == "all"
        "0.0.0.0/0" # all subnets according to aws sdk
      elsif subnet.match(/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\/\d+/).nil?
        # dots are escaped so that only a literal dotted-quad CIDR matches;
        # anything else is treated as the name of a subnet group and resolved
        Loader.subnet_group(subnet)
      else
        subnet
      end
    end.sort
  else
    []
  end
end
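The constructor above decides whether each "subnets" entry is the wildcard "all", a CIDR, or the name of a subnet group by shape alone (a dotted-quad regex), so an entry like "999.0.0.0/8" or "10.0.0.0/33" would pass through to AWS unchecked. The following is an added example, not code from Cumulus: it performs the same normalisation but validates CIDRs with Ruby's IPAddr and rejects unknown group names instead of silently passing them on. SUBNET_GROUPS is a constructed stand-in for Loader.subnet_group, and the group names and ranges in it are made up.

```ruby
require "ipaddr"

# Constructed stand-in for Cumulus's Loader.subnet_group: a named subnet
# group maps to the CIDRs it contains. Names and ranges are made up.
SUBNET_GROUPS = {
  "office" => ["203.0.113.0/24"],
  "vpn"    => ["198.51.100.0/25", "198.51.100.128/25"]
}.freeze

# True only if +value+ is a network in CIDR notation that IPAddr accepts.
# IPAddr rejects octets above 255 and prefixes beyond 32 (IPv4) or 128
# (IPv6), which a shape-only regex would let through.
def cidr?(value)
  return false unless value.include?("/")
  IPAddr.new(value)
  true
rescue IPAddr::Error
  false
end

# Mirrors the "subnets" handling of RuleConfig#initialize:
#   - a bare string is treated as a one-element list
#   - "all" becomes 0.0.0.0/0
#   - a valid CIDR is kept as-is
#   - anything else must be a known subnet group and is expanded
# Unknown names raise instead of reaching the AWS API.
def normalize_subnets(subnets)
  Array(subnets).flat_map do |subnet|
    if subnet.downcase == "all"
      "0.0.0.0/0"
    elsif cidr?(subnet)
      subnet
    elsif SUBNET_GROUPS.key?(subnet)
      SUBNET_GROUPS[subnet]
    else
      raise ArgumentError, "#{subnet.inspect} is neither a valid CIDR nor a known subnet group"
    end
  end.sort
end

if __FILE__ == $0
  puts normalize_subnets(["vpn", "10.0.0.0/8", "ALL"]).inspect
  puts cidr?("999.0.0.0/8").inspect
end
```

Array(nil) is an empty list, so a missing "subnets" key yields [] exactly as the constructor does; a typo in a group name becomes a configuration error at load time rather than an AWS error at apply time.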
Instance Attribute Details
#from ⇒ Object (readonly)
Returns the value of attribute from: the from-port of the rule, or the ICMP type when the protocol is icmp.
# File 'lib/security/models/RuleConfig.rb', line 9

def from
  @from
end

#protocol ⇒ Object (readonly)
Returns the value of attribute protocol (for example "tcp", "udp", "icmp" or "all").
# File 'lib/security/models/RuleConfig.rb', line 10

def protocol
  @protocol
end

#security_groups ⇒ Object (readonly)
Returns the value of attribute security_groups: the names of the security groups this rule refers to.
# File 'lib/security/models/RuleConfig.rb', line 11

def security_groups
  @security_groups
end

#subnets ⇒ Object (readonly)
Returns the value of attribute subnets: the sorted list of CIDR blocks this rule applies to.
# File 'lib/security/models/RuleConfig.rb', line 12

def subnets
  @subnets
end

#to ⇒ Object (readonly)
Returns the value of attribute to: the to-port of the rule, or the ICMP code when the protocol is icmp.
# File 'lib/security/models/RuleConfig.rb', line 13

def to
  @to
end
Class Method Details
.allow_all ⇒ Object
Public: Static method that will produce a RuleConfig that allows all access
Returns the RuleConfig
# File 'lib/security/models/RuleConfig.rb', line 39

def RuleConfig.allow_all
  RuleConfig.new({
    "protocol" => "all",
    "subnets" => ["0.0.0.0/0"]
  })
end
.expand_ports(json) ⇒ Object
Public: Static method that will produce multiple RuleConfigs, one for each port range.
json - a hash containing the JSON configuration for the rule
Returns an array of RuleConfigs
# File 'lib/security/models/RuleConfig.rb', line 52

def RuleConfig.expand_ports(json)
  ports = json["ports"]
  if !ports.nil?
    ports.map do |port|
      rule_hash = json.clone
      if port.is_a? String
        if port.downcase == "all"
          # to include 'all' ports, aws expects both the from-port and the to-port to be nil
          rule_hash["from-port"] = nil
          rule_hash["to-port"] = nil
        else
          # "80-443" is a range; a bare "80" is a single port and is used as both ends
          parts = port.split("-").map(&:strip)
          rule_hash["from-port"] = parts[0].to_i
          rule_hash["to-port"] = (parts[1] || parts[0]).to_i
        end
      else
        # an integer port is a one-port range
        rule_hash["from-port"] = port
        rule_hash["to-port"] = port
      end
      RuleConfig.new(rule_hash)
    end
  else
    # no "ports" key: the rule is returned unexpanded as a single RuleConfig
    RuleConfig.new(json)
  end
end
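expand_ports relies on String#to_i, so a port entry such as "abc", "443-80" or "70000" becomes a silently wrong rule rather than an error. The block below is an added example, not part of Cumulus: it reproduces the expansion of a "ports" list into one rule hash per range (integers, "from-to" strings, single-port strings and "all") and rejects malformed, inverted or out-of-range entries before anything is built. expand_ports and parse_port_range here are top-level helper names chosen for the example, and the rule hashes fed to it are constructed.

```ruby
PORT_RANGE = (0..65535).freeze

# Returns [from, to] for one "ports" entry, or [nil, nil] for "all"
# (the nil/nil pair is what AWS expects for "every port").
# Raises ArgumentError for anything that is not a well-formed port or range.
def parse_port_range(port)
  return [nil, nil] if port.is_a?(String) && port.strip.downcase == "all"

  from, to =
    case port
    when Integer
      [port, port]
    when String
      parts = port.split("-", 2).map(&:strip)
      unless parts.all? { |p| p.match?(/\A\d+\z/) }
        raise ArgumentError, "malformed port entry #{port.inspect}"
      end
      nums = parts.map(&:to_i)
      nums.size == 1 ? [nums[0], nums[0]] : nums
    else
      raise ArgumentError, "unsupported port entry #{port.inspect}"
    end

  unless PORT_RANGE.cover?(from) && PORT_RANGE.cover?(to)
    raise ArgumentError, "port out of range in #{port.inspect}"
  end
  raise ArgumentError, "inverted range #{port.inspect}" if from > to
  [from, to]
end

# Expands a rule hash carrying a "ports" list into one hash per entry,
# each with "from-port"/"to-port" filled in and the "ports" key dropped.
# A rule without "ports" is returned unchanged, wrapped in a one-element array.
def expand_ports(json)
  ports = json["ports"]
  return [json] if ports.nil?
  ports.map do |port|
    from, to = parse_port_range(port)
    json.reject { |k, _| k == "ports" }.merge("from-port" => from, "to-port" => to)
  end
end

if __FILE__ == $0
  # constructed rule: SSH, the HTTP range, a single port given as a string, and everything
  rule = { "protocol" => "tcp", "subnets" => ["10.0.0.0/8"], "ports" => [22, "80-443", "8080", "all"] }
  expand_ports(rule).each { |r| puts r.inspect }
end
```

Validating here means a rule never reaches AuthorizeSecurityGroupIngress with port 0 standing in for a typo; the "all" entry still maps to nil/nil so the downstream to_aws conversion is unchanged.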
.from_aws(aws) ⇒ Object
Public: Static method that will produce a RuleConfig from an AWS rule resource.
aws - the aws resource to use
Returns a RuleConfig containing the data in the AWS rule
# File 'lib/security/models/RuleConfig.rb', line 20

def RuleConfig.from_aws(aws)
  RuleConfig.new({
    "security-groups" => aws.user_id_group_pairs.map { |security| SecurityGroups::id_security_groups[security.group_id].group_name },
    "protocol" => if aws.ip_protocol == "-1" then "all" else aws.ip_protocol end,
    "from-port" => if aws.ip_protocol != "icmp" and aws.from_port != -1 then aws.from_port end,
    "to-port" => if aws.ip_protocol != "icmp" and aws.to_port != -1 then aws.to_port end,
    "icmp-type" => if aws.ip_protocol == "icmp"
      if aws.from_port != -1 then aws.from_port else "all" end
    end,
    "icmp-code" => if aws.ip_protocol == "icmp"
      if aws.to_port != -1 then aws.to_port else "all" end
    end,
    "subnets" => aws.ip_ranges.map { |ip| ip.cidr_ip },
  }.reject { |k, v| v.nil? })
end
Instance Method Details
#hash ⇒ Object
Public: Get the configuration as a hash
Returns the hash
# File 'lib/security/models/RuleConfig.rb', line 124

def hash
  # one hash per referenced security group, with no subnets ...
  security_hashes = @security_groups.map do |security_group|
    {
      "security-groups" => [security_group],
      "protocol" => @protocol,
      "from-port" => if @protocol != "icmp" then @from end,
      "to-port" => if @protocol != "icmp" then @to end,
      "subnets" => [],
      "icmp-type" => if @protocol == "icmp" then @from end,
      "icmp-code" => if @protocol == "icmp" then @to end,
    }.reject { |k, v| v.nil? }
  end

  # ... and one hash per subnet, with no security groups
  subnet_hashes = @subnets.map do |subnet|
    {
      "security-groups" => [],
      "protocol" => @protocol,
      "from-port" => if @protocol != "icmp" then @from end,
      "to-port" => if @protocol != "icmp" then @to end,
      "subnets" => [subnet],
      "icmp-type" => if @protocol == "icmp" then @from end,
      "icmp-code" => if @protocol == "icmp" then @to end,
    }.reject { |k, v| v.nil? }
  end

  security_hashes + subnet_hashes
end
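Because #hash flattens a rule into one entry per security group and one per subnet, its output is a convenient shape for reviewing what a configuration actually opens before it is applied. The audit below is an added example and not part of Cumulus: it walks a list of such hashes and reports rules that expose all protocols, or a few well-known administrative and database ports, to 0.0.0.0/0 or to any network wider than a /8 (a threshold chosen for the example). RULES is a constructed sample in the exact format #hash produces, including the "all ports" rule, which #hash emits with no "from-port"/"to-port" keys because nil values are rejected.

```ruby
# Ports whose exposure to wide networks is worth a finding (example choice).
SENSITIVE_PORTS = { 22 => "ssh", 3389 => "rdp", 3306 => "mysql", 5432 => "postgres" }.freeze
# Networks with a prefix length at or below this count as "wide" (example threshold).
WIDE_PREFIX = 8
ALL_PORTS = (0..65535).freeze

# Port range covered by one flattened rule hash. Missing from/to keys mean
# "all ports": expand_ports encodes that as nil, and #hash drops nil values.
def port_range(rule)
  from = rule["from-port"]
  to = rule["to-port"]
  return ALL_PORTS if from.nil? || to.nil?
  (from..to)
end

def describe_scope(cidr)
  prefix = cidr.split("/").last.to_i
  prefix.zero? ? "the whole internet" : "#{cidr} (a /#{prefix})"
end

# Findings for one flattened rule hash; an empty array means nothing to report.
def audit_rule(rule)
  findings = []
  rule.fetch("subnets", []).each do |cidr|
    next unless cidr.split("/").last.to_i <= WIDE_PREFIX
    scope = describe_scope(cidr)
    case rule["protocol"]
    when "all"
      findings << "all protocols and ports open to #{scope}"
    when "icmp"
      # ICMP carries no ports, so the port check below does not apply
    else
      SENSITIVE_PORTS.each do |port, name|
        findings << "#{name} (#{rule["protocol"]}/#{port}) open to #{scope}" if port_range(rule).cover?(port)
      end
    end
  end
  findings
end

def audit(rules)
  rules.flat_map { |rule| audit_rule(rule) }
end

# Constructed sample in the shape RuleConfig#hash returns.
RULES = [
  { "security-groups" => [], "protocol" => "all", "subnets" => ["0.0.0.0/0"] },
  { "security-groups" => [], "protocol" => "tcp", "from-port" => 22, "to-port" => 22, "subnets" => ["0.0.0.0/0"] },
  { "security-groups" => [], "protocol" => "tcp", "from-port" => 443, "to-port" => 443, "subnets" => ["0.0.0.0/0"] },
  { "security-groups" => [], "protocol" => "tcp", "from-port" => 3306, "to-port" => 3306, "subnets" => ["10.0.0.0/8"] },
  { "security-groups" => ["web-tier"], "protocol" => "tcp", "subnets" => [] },
  { "security-groups" => [], "protocol" => "icmp", "icmp-type" => "all", "icmp-code" => "all", "subnets" => ["0.0.0.0/0"] }
].freeze

if __FILE__ == $0
  audit(RULES).each { |finding| puts finding }
end
```

Rules that reference another security group rather than a CIDR produce no finding here, since their reach is bounded by membership in that group rather than by an address range; HTTPS to the world is deliberately not flagged, and the threshold and port list are the knobs to tune for a given environment.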
#to_aws(vpc_id) ⇒ Object
Public: Converts the RuleConfig into the format needed by AWS to authorize/deauthorize rules
vpc_id - the id of the vpc that security group ids should be derived from
# File 'lib/security/models/RuleConfig.rb', line 155

def to_aws(vpc_id)
  {
    # AWS expresses "all" as -1 for the protocol and for ICMP type/code
    ip_protocol: if @protocol == "all" then "-1" else @protocol end,
    from_port: if @from == "all" then "-1" else @from end,
    to_port: if @to == "all" then "-1" else @to end,
    user_id_group_pairs: if !@security_groups.empty?
      @security_groups.map do |sg|
        { group_id: SecurityGroups::vpc_security_group_id_names[vpc_id].key(sg) }
      end
    end,
    ip_ranges: if !@subnets.empty?
      @subnets.map do |subnet|
        { cidr_ip: subnet }
      end
    end
  }
end