class Cumulus::SecurityGroups::RuleConfig

Public: An object representing configuration for a security group rule

Attributes

from[R]
protocol[R]
security_groups[R]
subnets[R]
to[R]

Public Class Methods

allow_all()

Public: Static method that produces a RuleConfig allowing every protocol and every port from any IPv4 source (0.0.0.0/0). This is the most permissive rule the model can express; use it deliberately.

Returns the RuleConfig

# File lib/security/models/RuleConfig.rb, line 39
def RuleConfig.allow_all
  # Wide-open rule: "all" becomes ip_protocol -1 in to_aws and 0.0.0.0/0 is
  # every IPv4 address. No ports are given, so nothing narrows it. Only an IPv4
  # range is listed here; ::/0 is not part of this rule.
  wide_open = {
    "protocol" => "all",
    "subnets" => ["0.0.0.0/0"],
  }
  RuleConfig.new(wide_open)
end
expand_ports(json)

Public: Static method that will produce multiple RuleConfigs, one for each port range.

json - a hash containing the JSON configuration for the rule

Returns an array of RuleConfigs (one per entry of json["ports"]) when the hash has a "ports" key; otherwise returns a single RuleConfig built from json as-is.

# File lib/security/models/RuleConfig.rb, line 52
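def RuleConfig.expand_ports(json)
  # Public: Produce one RuleConfig per entry of json["ports"].
  #
  # Each port entry is either an Integer (a single port) or a String of the
  # form "from-to" or "port". Any other string, or a range whose bounds are
  # not plain base-10 integers, raises ArgumentError: a typo in a security
  # group config must not silently turn into port 0 (which is what
  # String#to_i used to produce).
  #
  # json - a hash containing the JSON configuration for the rule
  #
  # Returns an array of RuleConfigs when "ports" is present, otherwise a
  # single RuleConfig built from json unchanged (callers rely on this shape).
  #
  # Raises ArgumentError for a malformed port string or a range with from > to.
  ports = json["ports"]
  return RuleConfig.new(json) if ports.nil?

  ports.map do |port|
    rule_hash = json.clone

    from, to =
      if port.is_a?(String)
        # split with -1 keeps a trailing empty field, so "80-" is rejected by
        # Integer() below instead of being read as "80".
        bounds = port.split("-", -1).map(&:strip)
        unless (1..2).cover?(bounds.size)
          raise ArgumentError, "port range #{port.inspect} must be \"port\" or \"from-to\""
        end
        low = Integer(bounds.first, 10)
        high = bounds.size == 2 ? Integer(bounds.last, 10) : low
        raise ArgumentError, "port range #{port.inspect} has from > to" if low > high
        [low, high]
      else
        [port, port]
      end

    rule_hash["from-port"] = from
    rule_hash["to-port"] = to
    RuleConfig.new(rule_hash)
  end
end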
from_aws(aws)

Public: Static method that will produce a RuleConfig from an AWS rule resource.

aws - the aws resource to use

Returns a RuleConfig containing the data in the AWS rule

# File lib/security/models/RuleConfig.rb, line 20
def RuleConfig.from_aws(aws)
  # Public: Build a RuleConfig from an AWS rule resource (ip_protocol,
  # from_port/to_port, user_id_group_pairs, ip_ranges).
  #
  # aws - the aws resource to use
  #
  # Returns a RuleConfig. AWS encodes "all protocols" as ip_protocol "-1" and
  # "all ports/types" as -1; those are mapped back to the "all" strings the
  # JSON config uses. For ICMP the port fields carry type and code instead.
  #
  # NOTE(review): group ids are resolved through
  # SecurityGroups::id_security_groups; a group id missing from that lookup
  # (e.g. a group from another VPC or account) would presumably yield nil and
  # fail on .group_name. Confirm against the loader before relying on this.
  icmp = aws.ip_protocol == "icmp"
  from = aws.from_port
  to = aws.to_port

  group_names = aws.user_id_group_pairs.map do |pair|
    SecurityGroups::id_security_groups[pair.group_id].group_name
  end

  attrs = {
    "security-groups" => group_names,
    "protocol" => aws.ip_protocol == "-1" ? "all" : aws.ip_protocol,
  }
  if icmp
    attrs["icmp-type"] = from == -1 ? "all" : from
    attrs["icmp-code"] = to == -1 ? "all" : to
  else
    attrs["from-port"] = from unless from == -1
    attrs["to-port"] = to unless to == -1
  end
  attrs["subnets"] = aws.ip_ranges.map(&:cidr_ip)

  # Unset fields (nil ports, -1 on a non-ICMP rule) are dropped entirely.
  RuleConfig.new(attrs.reject { |_, v| v.nil? })
end
new(json)

Public: Constructor

json - a hash containing the JSON configuration for the rule

# File lib/security/models/RuleConfig.rb, line 78
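def initialize(json)
  # Public: Constructor
  #
  # json - a hash containing the JSON configuration for the rule. Recognised
  #        keys: "protocol" (required), "from-port"/"to-port" or, for ICMP,
  #        "icmp-type"/"icmp-code", "security-groups", "subnets".
  #
  # Raises ArgumentError when "protocol" is absent.
  @protocol = json["protocol"]
  # A rule without a protocol cannot be sent to AWS; fail with a clear message
  # instead of a NoMethodError from #downcase on nil.
  raise ArgumentError, "security group rule is missing \"protocol\"" if @protocol.nil?

  # ICMP rules carry type/code in place of a port range; @from/@to hold
  # whichever pair applies.
  if @protocol.downcase == "icmp"
    @from = json["icmp-type"]
    @to = json["icmp-code"]
  else
    @from = json["from-port"]
    @to = json["to-port"]
  end

  @security_groups = json["security-groups"] || []

  # Only a literal IPv4 CIDR is passed through unchanged; any other string is
  # taken as the name of a subnet group and expanded via Loader. The pattern
  # is anchored and the dots escaped so that a malformed value (stray
  # whitespace, letters where the dots should be) is not handed to AWS as a
  # CIDR but goes through the named lookup, which will reject it.
  cidr = /\A\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\/\d+\z/
  @subnets = (json["subnets"] || []).flat_map do |subnet|
    if subnet =~ cidr
      subnet
    else
      Loader.subnet_group(subnet)
    end
  end.sort
end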

Public Instance Methods

hash()

Public: Get the configuration as a hash

Returns the hash

# File lib/security/models/RuleConfig.rb, line 106
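def hash
  # Public: Get the configuration as a list of single-peer hashes: one entry
  # per security group (with an empty "subnets" list) followed by one entry
  # per subnet (with an empty "security-groups" list).
  #
  # The protocol check is case-insensitive to agree with the constructor,
  # which stores icmp-type/icmp-code for "ICMP" as well as "icmp"; otherwise
  # an upper-case ICMP rule would be emitted with from-port/to-port keys.
  #
  # Note: this shadows Object#hash and returns an Array, so instances of this
  # class are not usable as Hash keys.
  #
  # Returns an Array of Hashes.
  icmp = @protocol.to_s.downcase == "icmp"

  build = lambda do |groups, subnets|
    entry = { "security-groups" => groups, "protocol" => @protocol }
    entry.merge!("from-port" => @from, "to-port" => @to) unless icmp
    entry["subnets"] = subnets
    entry.merge!("icmp-type" => @from, "icmp-code" => @to) if icmp
    # An unset bound (nil) is omitted rather than emitted as null.
    entry.reject { |_, v| v.nil? }
  end

  security_hashes = @security_groups.map { |group| build.call([group], []) }
  subnet_hashes = @subnets.map { |subnet| build.call([], [subnet]) }

  security_hashes + subnet_hashes
end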
to_aws(vpc_id)

Public: Converts the RuleConfig into the format needed by AWS to authorize/deauthorize rules

vpc_id - the id of the vpc that security group ids should be derived from

# File lib/security/models/RuleConfig.rb, line 137
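def to_aws(vpc_id)
  # Public: Converts the RuleConfig into the format needed by AWS to
  # authorize/deauthorize rules.
  #
  # vpc_id - the id of the vpc that security group ids should be derived from
  #
  # Returns a Hash with :ip_protocol, :from_port, :to_port,
  # :user_id_group_pairs (nil when no security groups) and :ip_ranges (nil
  # when no subnets).
  #
  # Raises ArgumentError when vpc_id has no known security groups or when a
  # configured group name cannot be resolved to an id. Without this check a
  # nil group_id would be sent to AWS, which is never what a rule intends.
  #
  # "all" (any case, to match the constructor's case-insensitive "icmp"
  # check) is AWS's "-1" sentinel for protocol and ports.
  to_aws_value = lambda { |value| value.to_s.downcase == "all" ? "-1" : value }

  group_pairs = nil
  unless @security_groups.empty?
    # Looked up lazily: only rules that name a group need the id table.
    id_names = SecurityGroups::vpc_security_group_id_names[vpc_id]
    raise ArgumentError, "no security groups known for vpc #{vpc_id}" if id_names.nil?
    group_pairs = @security_groups.map do |name|
      group_id = id_names.key(name)
      raise ArgumentError, "unknown security group #{name.inspect} in vpc #{vpc_id}" if group_id.nil?
      { group_id: group_id }
    end
  end

  ip_ranges = @subnets.map { |cidr| { cidr_ip: cidr } } unless @subnets.empty?

  {
    ip_protocol: to_aws_value.call(@protocol),
    from_port: to_aws_value.call(@from),
    to_port: to_aws_value.call(@to),
    user_id_group_pairs: group_pairs,
    ip_ranges: ip_ranges,
  }
end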