
don't allow sg authorization is unknown sgs

* and refactor the authorize_security_group_ingress method a bit
This commit is contained in:
Josh Lane & Michelle Noorali 2015-02-06 09:54:49 -08:00
parent 268a25ffe6
commit 4960acd91b
2 changed files with 80 additions and 65 deletions


@ -87,9 +87,8 @@ module Fog
end end
response = Excon::Response.new response = Excon::Response.new
group = self.data[:security_groups][group_name] group = self.data[:security_groups][group_name] || raise(Fog::Compute::AWS::NotFound.new("The security group '#{group_name}' does not exist"))
if group
verify_permission_options(options, group['vpcId'] != nil) verify_permission_options(options, group['vpcId'] != nil)
normalized_permissions = normalize_permissions(options) normalized_permissions = normalize_permissions(options)
@ -121,9 +120,6 @@ module Fog
'return' => true 'return' => true
} }
response response
else
raise Fog::Compute::AWS::NotFound.new("The security group '#{group_name}' does not exist")
end
end end
private private
@ -160,7 +156,11 @@ module Fog
'ipProtocol' => protocol, 'ipProtocol' => protocol,
'fromPort' => 1, 'fromPort' => 1,
'toPort' => 65535, 'toPort' => 65535,
'groups' => [{'groupName' => options['SourceSecurityGroupName'], 'userId' => options['SourceSecurityGroupOwnerId'] || self.data[:owner_id], 'groupId' => source_group_id }], 'groups' => [{
'groupName' => options['SourceSecurityGroupName'],
'userId' => options['SourceSecurityGroupOwnerId'] || self.data[:owner_id],
'groupId' => source_group_id
}],
'ipRanges' => [] 'ipRanges' => []
} }
end end
@ -168,7 +168,11 @@ module Fog
'ipProtocol' => 'icmp', 'ipProtocol' => 'icmp',
'fromPort' => -1, 'fromPort' => -1,
'toPort' => -1, 'toPort' => -1,
'groups' => [{'groupName' => options['SourceSecurityGroupName'], 'userId' => options['SourceSecurityGroupOwnerId'] || self.data[:owner_id], 'groupId' => source_group_id }], 'groups' => [{
'groupName' => options['SourceSecurityGroupName'],
'userId' => options['SourceSecurityGroupOwnerId'] || self.data[:owner_id],
'groupId' => source_group_id
}],
'ipRanges' => [] 'ipRanges' => []
} }
elsif options['CidrIp'] elsif options['CidrIp']
@ -181,34 +185,35 @@ module Fog
} }
elsif options['IpPermissions'] elsif options['IpPermissions']
options['IpPermissions'].each do |permission| options['IpPermissions'].each do |permission|
groups = (permission['Groups'] || []).map do |authorized_group|
security_group = if group_name = authorized_group['GroupName']
self.data[:security_groups][group_name]
elsif group_id = authorized_group['GroupId']
self.data[:security_groups].values.find { |sg| sg['groupId'] == group_id }
end ||
raise(Fog::Compute::AWS::NotFound.new("The security group '#{group_name || group_id}' does not exist"))
{
'groupName' => authorized_group['GroupName'] || security_group["groupName"],
'userId' => authorized_group['UserId'] || self.data[:owner_id],
'groupId' => authorized_group["GroupId"] || security_group['groupId']
}
end
if ['tcp', 'udp', 'icmp'].include?(permission['IpProtocol']) if ['tcp', 'udp', 'icmp'].include?(permission['IpProtocol'])
normalized_permissions << { normalized_permissions << {
'ipProtocol' => permission['IpProtocol'], 'ipProtocol' => permission['IpProtocol'],
'fromPort' => Integer(permission['FromPort']), 'fromPort' => Integer(permission['FromPort']),
'toPort' => Integer(permission['ToPort']), 'toPort' => Integer(permission['ToPort']),
'groups' => (permission['Groups'] || []).map do |authorized_group| 'groups' => groups,
security_group = if group_name = authorized_group['GroupName']
self.data[:security_groups][group_name] || {}
elsif group_id = authorized_group['GroupId']
self.data[:security_groups].values.find { |sg| sg['groupId'] == group_id } || {}
end
{'groupName' => authorized_group['GroupName'] || security_group["groupName"], 'userId' => authorized_group['UserId'] || self.data[:owner_id], 'groupId' => authorized_group["GroupId"] || security_group['groupId']}
end,
'ipRanges' => (permission['IpRanges'] || []).map {|r| { 'cidrIp' => r['CidrIp'] } } 'ipRanges' => (permission['IpRanges'] || []).map {|r| { 'cidrIp' => r['CidrIp'] } }
} }
else else
normalized_permissions << { normalized_permissions << {
'ipProtocol' => permission['IpProtocol'], 'ipProtocol' => permission['IpProtocol'],
'groups' => (permission['Groups'] || []).map do |authorized_group| 'groups' => groups,
security_group = if group_name = authorized_group['GroupName']
self.data[:security_groups][group_name] || {}
elsif group_id = authorized_group['GroupId']
self.data[:security_groups].values.find { |sg| sg['groupId'] == group_id } || {}
end
{'groupName' => authorized_group['GroupName'] || security_group["groupName"], 'userId' => authorized_group['UserId'] || self.data[:owner_id], 'groupId' => authorized_group["GroupId"] || security_group['groupId']}
end,
'ipRanges' => (permission['IpRanges'] || []).map {|r| { 'cidrIp' => r['CidrIp'] } } 'ipRanges' => (permission['IpRanges'] || []).map {|r| { 'cidrIp' => r['CidrIp'] } }
} }
end end
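Review bot: The owner stored by `'userId' => authorized_group['UserId'] || self.data[:owner_id]` comes straight from the caller and is never compared with the group resolved by the lookup just above it, so a permission naming a foreign UserId whose GroupId happens to match a group in the caller's own table is recorded as a cross-account grant, while the same owner with a non-matching id raises NotFound. Because the lookup only ever consults `self.data[:security_groups]`, a UserId other than `self.data[:owner_id]` can never legitimately resolve in this mock; I would reject it up front with `owner = authorized_group['UserId'] || self.data[:owner_id]` followed by `raise(Fog::Compute::AWS::NotFound.new("The security group '#{group_name || group_id}' does not exist")) unless owner == self.data[:owner_id]`, or compare against the resolved group's own owner field if the mock records one. The same gap exists when both GroupName and GroupId are supplied: only the name is looked up and the caller's GroupId is stored unchecked, so a name/id mismatch goes unnoticed. As far as I recall real EC2 does accept cross-account group references, so a comment stating that this mock only models groups in the caller's account would save the next reader a surprise. Both authorize_security_group_ingress and normalize_permissions start or end outside this hunk.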


@ -39,7 +39,6 @@ Shindo.tests("Fog::Compute[:aws] | security_group", ['aws']) do
"#{@other_group.owner_id}:#{@other_group.group_id}", # deprecated form "#{@other_group.owner_id}:#{@other_group.group_id}", # deprecated form
@other_group.group_id, @other_group.group_id,
{@other_group.owner_id => @other_group.group_id}, {@other_group.owner_id => @other_group.group_id},
{@other_user_id => @other_users_group_id}
] ]
group_forms.each do |group_arg| group_forms.each do |group_arg|
@ -58,6 +57,17 @@ Shindo.tests("Fog::Compute[:aws] | security_group", ['aws']) do
end end
end end
[
{ @other_user_id => @other_users_group_id }
].each do |group_arg|
test("does not authorize port range access by an invalid security group #{group_arg.inspect}") do
raises(Fog::Compute::AWS::NotFound, "The security group '#{@other_users_group_id}' does not exist") {
@other_group.reload
@group.authorize_port_range(5000..6000, {:group => group_arg})
}
end
end
@other_group.destroy @other_group.destroy
@group.destroy @group.destroy
end end
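Review bot: The new `does not authorize port range access by an invalid security group` test only shows that an id absent from the mock's table raises; it passes whether or not `@other_user_id` is examined, so it does not pin the owner-mismatch behaviour its fixture suggests. I would add two more entries to the array above it, the same never-created id paired with `@group.owner_id` and a group name that was never created, so the by-id and by-name lookup paths changed in the other file are each covered independently of the foreign owner. The `@other_group.reload` inside the `raises` block appears to be carried over from the sibling test and is not needed for the failing call. The enclosing Shindo.tests block starts before this hunk.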