From 13fb36d6ac7da723f7162f867a5c8413e8da89d7 Mon Sep 17 00:00:00 2001
From: Kevin Loiseau
Date: Tue, 16 Aug 2016 16:35:39 +0200
Subject: [PATCH] Implements revoke egress rule

---
 lib/fog/aws/compute.rb | 1 +
 lib/fog/aws/models/compute/security_group.rb | 16 +++
 .../compute/revoke_security_group_egress.rb | 98 +++++++++++++++++++
 3 files changed, 115 insertions(+)
 create mode 100644 lib/fog/aws/requests/compute/revoke_security_group_egress.rb

diff --git a/lib/fog/aws/compute.rb b/lib/fog/aws/compute.rb
index c827de352..fbd08a881 100644
--- a/lib/fog/aws/compute.rb
+++ b/lib/fog/aws/compute.rb
@@ -151,6 +151,7 @@ module Fog
       request :register_image
       request :request_spot_instances
       request :reset_network_interface_attribute
+      request :revoke_security_group_egress
       request :revoke_security_group_ingress
       request :run_instances
       request :terminate_instances
diff --git a/lib/fog/aws/models/compute/security_group.rb b/lib/fog/aws/models/compute/security_group.rb
index f6b58ea08..0c657c536 100644
--- a/lib/fog/aws/models/compute/security_group.rb
+++ b/lib/fog/aws/models/compute/security_group.rb
@@ -200,6 +200,14 @@ module Fog
 
         ip_permission = fetch_ip_permission(range, options)
 
+        if options[:direction].nil? || options[:direction] == 'ingress'
+          revoke_port_range_ingress group_id, ip_permission
+        elsif options[:direction] == 'egress'
+          revoke_port_range_egress group_id, ip_permission
+        end
+      end
+
+      def revoke_port_range_ingress(group_id, ip_permission)
         service.revoke_security_group_ingress(
           name,
           'GroupId' => group_id,
@@ -207,6 +215,14 @@ module Fog
         )
       end
 
+      def revoke_port_range_egress(group_id, ip_permission)
+        service.revoke_security_group_egress(
+          name,
+          'GroupId' => group_id,
+          'IpPermissions' => [ ip_permission ]
+        )
+      end
+
       # Reload a security group
       #
       # >> g = AWS.security_groups.get(:name => "some_name")
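Review bot: In the new direction dispatch at the top of the -200,6 +200,14 hunk (the enclosing method, presumably revoke_port_range, starts outside the hunk), an `options[:direction]` value other than nil, 'ingress' or 'egress' matches neither branch, so the method returns nil and revokes nothing — a misspelt or symbol-valued direction such as `:egress` leaves the rule in place while the caller believes it was removed. Add a closing arm so the mistake is loud: `else raise ArgumentError, "unknown direction #{options[:direction].inspect}"`. The same caller-supplied key also reaches fetch_ip_permission on the line above; worth confirming it ignores `:direction`. Both new helpers revoke_port_range_ingress and revoke_port_range_egress become public methods of the model; if they are only dispatch targets, placing them under `private` keeps the public surface to revoke_port_range.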
diff --git a/lib/fog/aws/requests/compute/revoke_security_group_egress.rb b/lib/fog/aws/requests/compute/revoke_security_group_egress.rb
new file mode 100644
index 000000000..d594875d6
--- /dev/null
+++ b/lib/fog/aws/requests/compute/revoke_security_group_egress.rb
@@ -0,0 +1,98 @@
+module Fog
+  module Compute
+    class AWS
+      class Real
+        require 'fog/aws/parsers/compute/basic'
+
+        # Remove permissions from a security group
+        #
+        # ==== Parameters
+        # * group_name<~String> - Name of group, optional (can also be specifed as GroupName in options)
+        # * options<~Hash>:
+        #   * 'GroupName'<~String> - Name of security group to modify
+        #   * 'GroupId'<~String> - Id of security group to modify
+        #   * 'SourceSecurityGroupName'<~String> - Name of security group to authorize
+        #   * 'SourceSecurityGroupOwnerId'<~String> - Name of owner to authorize
+        #   or
+        #   * 'CidrIp'<~String> - CIDR range
+        #   * 'FromPort'<~Integer> - Start of port range (or -1 for ICMP wildcard)
+        #   * 'IpProtocol'<~String> - Ip protocol, must be in ['tcp', 'udp', 'icmp']
+        #   * 'ToPort'<~Integer> - End of port range (or -1 for ICMP wildcard)
+        #   or
+        #   * 'IpPermissions'<~Array>:
+        #     * permission<~Hash>:
+        #       * 'FromPort'<~Integer> - Start of port range (or -1 for ICMP wildcard)
+        #       * 'Groups'<~Array>:
+        #         * group<~Hash>:
+        #           * 'GroupName'<~String> - Name of security group to authorize
+        #           * 'UserId'<~String> - Name of owner to authorize
+        #       * 'IpProtocol'<~String> - Ip protocol, must be in ['tcp', 'udp', 'icmp']
+        #       * 'IpRanges'<~Array>:
+        #         * ip_range<~Hash>:
+        #           * 'CidrIp'<~String> - CIDR range
+        #       * 'ToPort'<~Integer> - End of port range (or -1 for ICMP wildcard)
+        #
+        # === Returns
+        # * response<~Excon::Response>:
+        #   * body<~Hash>:
+        #     * 'requestId'<~String> - Id of request
+        #     * 'return'<~Boolean> - success?
+        #
+        # {Amazon API Reference}[http://docs.amazonwebservices.com/AWSEC2/latest/APIReference/ApiReference-query-RevokeSecurityGroupEgress.html]
+        def revoke_security_group_egress(group_name, options = {})
+          options = Fog::AWS.parse_security_group_options(group_name, options)
+
+          if ip_permissions = options.delete('IpPermissions')
+            options.merge!(indexed_ip_permissions_params(ip_permissions))
+          end
+
+          request({
+            'Action' => 'RevokeSecurityGroupEgress',
+            :idempotent => true,
+            :parser => Fog::Parsers::Compute::AWS::Basic.new
+          }.merge!(options))
+        end
+      end
+
+      class Mock
+        def revoke_security_group_egress(group_name, options = {})
+          options = Fog::AWS.parse_security_group_options(group_name, options)
+          if options.key?('GroupName')
+            group_name = options['GroupName']
+          else
+            group_name = self.data[:security_groups].reject { |k,v| v['groupId'] != options['GroupId'] } .keys.first
+          end
+
+          response = Excon::Response.new
+          group = self.data[:security_groups][group_name]
+
+          if group
+            verify_permission_options(options, group['vpcId'] != nil)
+
+            normalized_permissions = normalize_permissions(options)
+
+            normalized_permissions.each do |permission|
+              if matching_permission = find_matching_permission_egress(group, permission)
+                matching_permission['ipRanges'] -= permission['ipRanges']
+                matching_permission['groups'] -= permission['groups']
+
+                if matching_permission['ipRanges'].empty? && matching_permission['groups'].empty?
+                  group['ipPermissionsEgress'].delete(matching_permission)
+                end
+              end
+            end
+
+            response.status = 200
+            response.body = {
+              'requestId' => Fog::AWS::Mock.request_id,
+              'return' => true
+            }
+            response
+          else
+            raise Fog::Compute::AWS::NotFound.new("The security group '#{group_name}' does not exist")
+          end
+        end
+      end
+    end
+  end
+end
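Review bot: The documentation header of Real#revoke_security_group_egress is copied from the ingress request and misdescribes this call: it documents 'SourceSecurityGroupName'/'SourceSecurityGroupOwnerId' and calls the group entries "to authorize" in a method that revokes, and it advertises 'GroupName' as a selector although the egress API is VPC-only and, as far as I know, keys on GroupId — confirm against the linked reference before documenting it. Suggest opening with `# Remove outbound (egress) rules from a security group` and changing the group entries to `... - Name of security group whose rule is revoked`. The helpers `indexed_ip_permissions_params` (Real) and `verify_permission_options`, `normalize_permissions`, `find_matching_permission_egress` (Mock) are not defined in this patch; if they are not already shared with the authorize-egress request, both methods raise NoMethodError at first use. Minor style in the Mock lookup: the `else` branch has a stray space before `.keys` and an unused block param, and `group['vpcId'] != nil` reads better as `!group['vpcId'].nil?`; e.g. `group_name = self.data[:security_groups].keys.find { |candidate| self.data[:security_groups][candidate]['groupId'] == options['GroupId'] }`.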