2010-10-04 17:02:08 -04:00
|
|
|
require 'fog/core/model'
|
2010-03-16 18:46:21 -04:00
|
|
|
|
2009-09-18 11:56:42 -04:00
|
|
|
module Fog
|
2011-06-16 19:28:54 -04:00
|
|
|
module Compute
|
|
|
|
class AWS
|
2009-09-18 11:56:42 -04:00
|
|
|
|
|
|
|
class SecurityGroup < Fog::Model
|
|
|
|
|
2010-09-07 14:30:02 -04:00
|
|
|
identity :name, :aliases => 'groupName'
|
|
|
|
attribute :description, :aliases => 'groupDescription'
|
2011-12-14 16:25:06 -05:00
|
|
|
attribute :group_id, :aliases => 'groupId'
|
2010-09-07 14:30:02 -04:00
|
|
|
attribute :ip_permissions, :aliases => 'ipPermissions'
|
|
|
|
attribute :owner_id, :aliases => 'ownerId'
|
2011-12-23 08:40:47 -05:00
|
|
|
attribute :vpc_id, :aliases => 'vpcId'
|
2009-09-18 11:56:42 -04:00
|
|
|
|
2010-12-27 19:07:39 -05:00
|
|
|
# Authorize access by another security group
|
|
|
|
#
|
|
|
|
# >> g = AWS.security_groups.all(:description => "something").first
|
|
|
|
# >> g.authorize_group_and_owner("some_group_name", "1234567890")
|
|
|
|
#
|
|
|
|
# == Parameters:
|
|
|
|
# group::
|
|
|
|
# The name of the security group you're granting access to.
|
|
|
|
#
|
|
|
|
# owner::
|
|
|
|
# The owner id for security group you're granting access to.
|
|
|
|
#
|
|
|
|
# == Returns:
|
|
|
|
#
|
|
|
|
# An excon response object representing the result
|
|
|
|
#
|
|
|
|
# <Excon::Response:0x101fc2ae0
|
|
|
|
# @status=200,
|
|
|
|
# @body={"requestId"=>"some-id-string",
|
|
|
|
# "return"=>true},
|
|
|
|
# headers{"Transfer-Encoding"=>"chunked",
|
|
|
|
# "Date"=>"Mon, 27 Dec 2010 22:12:57 GMT",
|
|
|
|
# "Content-Type"=>"text/xml;charset=UTF-8",
|
|
|
|
# "Server"=>"AmazonEC2"}
|
|
|
|
#
|
|
|
|
|
2011-08-23 19:19:49 -04:00
|
|
|
def authorize_group_and_owner(group, owner = nil)
|
2012-08-02 10:36:38 -04:00
|
|
|
Fog::Logger.deprecation("authorize_group_and_owner is deprecated, use authorize_port_range with :group option instead")
|
2012-06-15 22:12:59 -04:00
|
|
|
|
2012-03-29 03:52:14 -04:00
|
|
|
requires_one :name, :group_id
|
2009-11-21 16:56:39 -05:00
|
|
|
|
2009-10-24 14:20:05 -04:00
|
|
|
connection.authorize_security_group_ingress(
|
2011-02-21 19:34:43 -05:00
|
|
|
name,
|
2012-03-29 03:52:14 -04:00
|
|
|
'GroupId' => group_id,
|
|
|
|
'SourceSecurityGroupName' => group,
|
|
|
|
'SourceSecurityGroupOwnerId' => owner
|
2009-10-24 14:20:05 -04:00
|
|
|
)
|
|
|
|
end
|
|
|
|
|
2010-12-27 19:07:39 -05:00
|
|
|
# Authorize a new port range for a security group
|
|
|
|
#
|
|
|
|
# >> g = AWS.security_groups.all(:description => "something").first
|
|
|
|
# >> g.authorize_port_range(20..21)
|
|
|
|
#
|
|
|
|
# == Parameters:
|
|
|
|
# range::
|
|
|
|
# A Range object representing the port range you want to open up. E.g., 20..21
|
|
|
|
#
|
|
|
|
# options::
|
|
|
|
# A hash that can contain any of the following keys:
|
|
|
|
# :cidr_ip (defaults to "0.0.0.0/0")
|
2012-06-15 22:12:59 -04:00
|
|
|
# :group - ("account:group_name" or "account:group_id"), cannot be used with :cidr_ip
|
2010-12-27 19:07:39 -05:00
|
|
|
# :ip_protocol (defaults to "tcp")
|
|
|
|
#
|
|
|
|
# == Returns:
|
|
|
|
#
|
|
|
|
# An excon response object representing the result
|
|
|
|
#
|
|
|
|
# <Excon::Response:0x101fc2ae0
|
|
|
|
# @status=200,
|
|
|
|
# @body={"requestId"=>"some-id-string",
|
|
|
|
# "return"=>true},
|
|
|
|
# headers{"Transfer-Encoding"=>"chunked",
|
|
|
|
# "Date"=>"Mon, 27 Dec 2010 22:12:57 GMT",
|
|
|
|
# "Content-Type"=>"text/xml;charset=UTF-8",
|
|
|
|
# "Server"=>"AmazonEC2"}
|
|
|
|
#
|
|
|
|
|
2009-10-24 14:20:05 -04:00
|
|
|
def authorize_port_range(range, options = {})
|
2012-03-29 03:52:14 -04:00
|
|
|
requires_one :name, :group_id
|
2009-11-21 16:56:39 -05:00
|
|
|
|
2012-06-15 22:12:59 -04:00
|
|
|
ip_permission = {
|
|
|
|
'FromPort' => range.min,
|
|
|
|
'ToPort' => range.max,
|
|
|
|
'IpProtocol' => options[:ip_protocol] || 'tcp'
|
|
|
|
}
|
|
|
|
|
|
|
|
if options[:group].nil?
|
|
|
|
ip_permission['IpRanges'] = [
|
|
|
|
{ 'CidrIp' => options[:cidr_ip] || '0.0.0.0/0' }
|
|
|
|
]
|
|
|
|
else
|
|
|
|
ip_permission['Groups'] = [
|
|
|
|
group_info(options[:group])
|
|
|
|
]
|
|
|
|
end
|
|
|
|
|
2009-10-24 14:20:05 -04:00
|
|
|
connection.authorize_security_group_ingress(
|
2011-02-21 19:34:43 -05:00
|
|
|
name,
|
2012-03-29 03:52:14 -04:00
|
|
|
'GroupId' => group_id,
|
2012-06-15 22:12:59 -04:00
|
|
|
'IpPermissions' => [ ip_permission ]
|
2009-10-24 14:20:05 -04:00
|
|
|
)
|
2009-10-23 17:37:04 -04:00
|
|
|
end
|
|
|
|
|
2010-12-27 19:07:39 -05:00
|
|
|
# Removes an existing security group
|
|
|
|
#
|
|
|
|
# security_group.destroy
|
|
|
|
#
|
|
|
|
# ==== Returns
|
|
|
|
#
|
|
|
|
# True or false depending on the result
|
|
|
|
#
|
|
|
|
|
2009-09-20 12:21:03 -04:00
|
|
|
def destroy
|
2012-03-29 03:52:14 -04:00
|
|
|
requires_one :name, :group_id
|
2009-11-21 16:56:39 -05:00
|
|
|
|
2012-03-20 03:49:49 -04:00
|
|
|
if group_id.nil?
|
|
|
|
connection.delete_security_group(name)
|
|
|
|
else
|
|
|
|
connection.delete_security_group(nil, group_id)
|
|
|
|
end
|
2009-09-18 11:56:42 -04:00
|
|
|
true
|
|
|
|
end
|
|
|
|
|
2010-12-27 19:07:39 -05:00
|
|
|
# Revoke access by another security group
|
|
|
|
#
|
|
|
|
# >> g = AWS.security_groups.all(:description => "something").first
|
|
|
|
# >> g.revoke_group_and_owner("some_group_name", "1234567890")
|
|
|
|
#
|
|
|
|
# == Parameters:
|
|
|
|
# group::
|
|
|
|
# The name of the security group you're revoking access to.
|
|
|
|
#
|
|
|
|
# owner::
|
|
|
|
# The owner id for security group you're revoking access access to.
|
|
|
|
#
|
|
|
|
# == Returns:
|
|
|
|
#
|
|
|
|
# An excon response object representing the result
|
|
|
|
#
|
|
|
|
# <Excon::Response:0x101fc2ae0
|
|
|
|
# @status=200,
|
|
|
|
# @body={"requestId"=>"some-id-string",
|
|
|
|
# "return"=>true},
|
|
|
|
# headers{"Transfer-Encoding"=>"chunked",
|
|
|
|
# "Date"=>"Mon, 27 Dec 2010 22:12:57 GMT",
|
|
|
|
# "Content-Type"=>"text/xml;charset=UTF-8",
|
|
|
|
# "Server"=>"AmazonEC2"}
|
|
|
|
#
|
|
|
|
|
2011-08-23 19:19:49 -04:00
|
|
|
def revoke_group_and_owner(group, owner = nil)
|
2012-06-15 22:12:59 -04:00
|
|
|
Fog::Logger.deprecation("revoke_group_and_owner is deprecated, use revoke_port_range with :group option instead")
|
|
|
|
|
2012-03-29 03:52:14 -04:00
|
|
|
requires_one :name, :group_id
|
2010-09-15 20:31:45 -04:00
|
|
|
|
|
|
|
connection.revoke_security_group_ingress(
|
2011-02-21 19:34:43 -05:00
|
|
|
name,
|
2012-03-29 03:52:14 -04:00
|
|
|
'GroupId' => group_id,
|
|
|
|
'SourceSecurityGroupName' => group,
|
|
|
|
'SourceSecurityGroupOwnerId' => owner
|
2010-09-15 20:31:45 -04:00
|
|
|
)
|
|
|
|
end
|
|
|
|
|
2010-12-27 19:07:39 -05:00
|
|
|
# Revoke an existing port range for a security group
|
|
|
|
#
|
|
|
|
# >> g = AWS.security_groups.all(:description => "something").first
|
|
|
|
# >> g.revoke_port_range(20..21)
|
|
|
|
#
|
|
|
|
# == Parameters:
|
|
|
|
# range::
|
|
|
|
# A Range object representing the port range you want to open up. E.g., 20..21
|
|
|
|
#
|
|
|
|
# options::
|
|
|
|
# A hash that can contain any of the following keys:
|
|
|
|
# :cidr_ip (defaults to "0.0.0.0/0")
|
2012-06-15 22:12:59 -04:00
|
|
|
# :group - ("account:group_name" or "account:group_id"), cannot be used with :cidr_ip
|
2010-12-27 19:07:39 -05:00
|
|
|
# :ip_protocol (defaults to "tcp")
|
|
|
|
#
|
|
|
|
# == Returns:
|
|
|
|
#
|
|
|
|
# An excon response object representing the result
|
|
|
|
#
|
|
|
|
# <Excon::Response:0x101fc2ae0
|
|
|
|
# @status=200,
|
|
|
|
# @body={"requestId"=>"some-id-string",
|
|
|
|
# "return"=>true},
|
|
|
|
# headers{"Transfer-Encoding"=>"chunked",
|
|
|
|
# "Date"=>"Mon, 27 Dec 2010 22:12:57 GMT",
|
|
|
|
# "Content-Type"=>"text/xml;charset=UTF-8",
|
|
|
|
# "Server"=>"AmazonEC2"}
|
|
|
|
#
|
|
|
|
|
2010-09-15 20:31:45 -04:00
|
|
|
def revoke_port_range(range, options = {})
|
2012-03-29 03:52:14 -04:00
|
|
|
requires_one :name, :group_id
|
2010-09-15 20:31:45 -04:00
|
|
|
|
2012-06-15 22:12:59 -04:00
|
|
|
ip_permission = {
|
|
|
|
'FromPort' => range.min,
|
|
|
|
'ToPort' => range.max,
|
|
|
|
'IpProtocol' => options[:ip_protocol] || 'tcp'
|
|
|
|
}
|
|
|
|
|
|
|
|
if options[:group].nil?
|
|
|
|
ip_permission['IpRanges'] = [
|
|
|
|
{ 'CidrIp' => options[:cidr_ip] || '0.0.0.0/0' }
|
|
|
|
]
|
|
|
|
else
|
|
|
|
ip_permission['Groups'] = [
|
|
|
|
group_info(options[:group])
|
|
|
|
]
|
|
|
|
end
|
|
|
|
|
2010-09-15 20:31:45 -04:00
|
|
|
connection.revoke_security_group_ingress(
|
2011-02-21 19:34:43 -05:00
|
|
|
name,
|
2012-03-29 03:52:14 -04:00
|
|
|
'GroupId' => group_id,
|
2012-06-15 22:12:59 -04:00
|
|
|
'IpPermissions' => [ ip_permission ]
|
2010-09-15 20:31:45 -04:00
|
|
|
)
|
|
|
|
end
|
|
|
|
|
2010-12-27 19:07:39 -05:00
|
|
|
# Create a security group
|
|
|
|
#
|
|
|
|
# >> g = AWS.security_groups.new(:name => "some_name", :description => "something")
|
|
|
|
# >> g.save
|
|
|
|
#
|
|
|
|
# == Returns:
|
|
|
|
#
|
|
|
|
# True or an exception depending on the result. Keep in mind that this *creates* a new security group.
|
|
|
|
# As such, it yields an InvalidGroup.Duplicate exception if you attempt to save an existing group.
|
|
|
|
#
|
|
|
|
|
2009-09-18 11:56:42 -04:00
|
|
|
def save
|
2010-01-21 22:23:46 -05:00
|
|
|
requires :description, :name
|
2011-12-23 09:37:13 -05:00
|
|
|
data = connection.create_security_group(name, description, vpc_id).body
|
2012-03-20 03:49:49 -04:00
|
|
|
new_attributes = data.reject {|key,value| key == 'requestId'}
|
|
|
|
merge_attributes(new_attributes)
|
2009-09-18 11:56:42 -04:00
|
|
|
true
|
|
|
|
end
|
|
|
|
|
2012-06-15 22:12:59 -04:00
|
|
|
private
|
|
|
|
|
2012-08-02 11:38:05 -04:00
|
|
|
#
|
|
|
|
# +group_arg+ may be a string or a hash with one key & value.
|
|
|
|
#
|
|
|
|
# If group_arg is a string, it is assumed to be the group name,
|
|
|
|
# and the UserId is assumed to be self.owner_id.
|
|
|
|
#
|
|
|
|
# The "account:group" form is deprecated.
|
|
|
|
#
|
|
|
|
# If group_arg is a hash, the key is the UserId and value is the group.
|
|
|
|
def group_info(group_arg)
|
|
|
|
if Hash === group_arg
|
|
|
|
account = group_arg.keys.first
|
|
|
|
group = group_arg.values.first
|
|
|
|
elsif group_arg.match(/:/)
|
|
|
|
account, group = group_arg.split(':')
|
|
|
|
Fog::Logger.deprecation("'account:group' argument is deprecated. Use {account => group} or just group instead")
|
|
|
|
else
|
|
|
|
requires :owner_id
|
|
|
|
account = owner_id
|
|
|
|
group = group_arg
|
2012-06-15 22:12:59 -04:00
|
|
|
end
|
|
|
|
|
|
|
|
info = { 'UserId' => account }
|
|
|
|
|
|
|
|
if group.start_with?("sg-")
|
|
|
|
# we're dealing with a security group id
|
|
|
|
info['GroupId'] = group
|
|
|
|
else
|
|
|
|
# this has to be a security group name
|
|
|
|
info['GroupName'] = group
|
|
|
|
end
|
|
|
|
|
|
|
|
info
|
|
|
|
end
|
|
|
|
|
2009-09-18 11:56:42 -04:00
|
|
|
end
|
|
|
|
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|