def do_add_rules(args):
log.info("Operation: add")
rules, errors = read_rules(args.files)
if errors:
map(log.error, errors)
return 1
return change_rules(args, rules, "add", ("InvalidPermission.Duplicate", ))
def do_update_rules(args):
log.info("Operation: update")
rules, errors = read_rules(args.files)
if errors:
map(log.error, errors)
return 1
log.debug("Collecting active rules")
group_args = (args.profile, args.region, args.vpc)
remote_groups = groups_for(*group_args)
if args.obliterate:
log.warning("Obliterate: Updating all groups in {} {} {}".format(*group_args))
else:
affected_groups = list(set(args.groups).intersection(set(g['GroupId'] for g in rules)))
if not affected_groups:
log.warning("No affected groups")
return 0
log.debug("Affected groups: {}".format(", ".join(affected_groups)))
remote_groups = [g for g in remote_groups if g['GroupId'] in affected_groups]
remote_rules = RuleSet().flatten_groups(remote_groups)
add_set = rules - remote_rules
remove_set = remote_rules - rules
if args.add_before_remove:
error = change_rules(args, add_set, "add")
if error != 0:
return error
return change_rules(args, remove_set, "remove")
else:
error = change_rules(args, remove_set, "remove")
if error != 0:
return error
return change_rules(args, add_set, "add")
def do_remove_rules(args):
log.info("Operation: remove")
rules, errors = read_rules(args.files)
if errors:
map(log.error, errors)
return 1
return change_rules(args, rules, "remove", ("InvalidPermission.NotFound",))
def do_add_rules(args):
log.info("Operation: add")
rules, errors = read_rules(args.files)
if errors:
map(log.error, errors)
return 1
return change_rules(args, rules, "add", ("InvalidPermission.Duplicate",))
def do_remove_rules(args):
log.info("Operation: remove")
rules, errors = read_rules(args.files)
if errors:
map(log.error, errors)
return 1
return change_rules(args, rules, "remove",
("InvalidPermission.NotFound", ))
def reverse_rules(args):
"""Given a variables file and raw rules, try to build a symbolic ruleset"""
log = logging.getLogger(__name__)
if args.vars_files:
try:
parser = Parser(args.vars_files, args.account)
except IOError as e:
log.error(e)
return 1
vrev = parser.vars_reverse
vfwd = parser.variables
else:
vrev = {}
vfwd = {}
account = str(vfwd.get(args.account))
if not account:
log.error('Account {} is not defined'.format(args.account))
return 1
try:
rules, errors = read_rules(args.input_files)
except IOError as e:
log.error(e)
return 1
if errors:
map(log.error, errors)
return 1
for rule in rules:
owner = vrev.get(rule['GroupId'])
if not owner:
log.warning("Could not resolve owner: {}".format(rule['GroupId']))
owner = "unknown({})".format(rule['GroupId'])
other_raw = rule.get('OtherCidrIp')
if not other_raw:
other_raw = rule.other()
if '/' in other_raw:
if other_raw.split('/', 1)[0] == account:
other_raw = other_raw.split('/', 1)[1]
other = vrev.get(other_raw)
if not other:
log.warning("Could not resolve other: {}".format(other_raw))
other = "unknown({})".format(other_raw)
proto_raw = "{} {} {}".format(rule['IpProtocol'], rule['FromPort'],
rule['ToPort'])
proto = vrev.get(proto_raw)
if not proto:
log.warning("Could not resolve protocol: {}".format(proto_raw))
proto = "unknown({}/{}/{})".format(rule['IpProtocol'],
rule['FromPort'],
rule['ToPort'])
print('rule {} {} {} {}'.format(rule['Direction'], owner, other,
proto))
def reverse_rules(args):
"""Given a variables file and raw rules, try to build a symbolic ruleset"""
log = logging.getLogger(__name__)
if args.vars_files:
try:
parser = Parser(args.vars_files, args.account)
except IOError as e:
log.error(e)
return 1
vrev = parser.vars_reverse
vfwd = parser.variables
else:
vrev = {}
vfwd = {}
account = str(vfwd.get(args.account))
if not account:
log.error('Account {} is not defined'.format(args.account))
return 1
try:
rules, errors = read_rules(args.input_files)
except IOError as e:
log.error(e)
return 1
if errors:
map(log.error, errors)
return 1
for rule in rules:
owner = vrev.get(rule['GroupId'])
if not owner:
log.warning("Could not resolve owner: {}".format(rule['GroupId']))
owner = "unknown({})".format(rule['GroupId'])
other_raw = rule.get('OtherCidrIp')
if not other_raw:
other_raw = rule.other()
if '/' in other_raw:
if other_raw.split('/', 1)[0] == account:
other_raw = other_raw.split('/', 1)[1]
other = vrev.get(other_raw)
if not other:
log.warning("Could not resolve other: {}".format(other_raw))
other = "unknown({})".format(other_raw)
proto_raw = "{} {} {}".format(rule['IpProtocol'], rule['FromPort'], rule['ToPort'])
proto = vrev.get(proto_raw)
if not proto:
log.warning("Could not resolve protocol: {}".format(proto_raw))
proto = "unknown({}/{}/{})".format(rule['IpProtocol'],
rule['FromPort'],
rule['ToPort'])
print('rule {} {} {} {}'.format(rule['Direction'], owner, other, proto))
def do_update_rules(args):
log.info("Operation: update")
rules, errors = read_rules(args.files)
if errors:
map(log.error, errors)
return 1
log.debug("Collecting active rules")
group_args = (args.profile, args.region, args.vpc)
remote_groups = groups_for(*group_args)
if args.obliterate:
log.warning(
"Obliterate: Updating all groups in {} {} {}".format(*group_args))
else:
affected_groups = list(
set(args.groups).intersection(set(g['GroupId'] for g in rules)))
if not affected_groups:
log.warning("No affected groups")
return 0
log.debug("Affected groups: {}".format(", ".join(affected_groups)))
remote_groups = [
g for g in remote_groups if g['GroupId'] in affected_groups
]
remote_rules = RuleSet().flatten_groups(remote_groups)
add_set = rules - remote_rules
remove_set = remote_rules - rules
if args.add_before_remove:
error = change_rules(args, add_set, "add")
if error != 0:
return error
return change_rules(args, remove_set, "remove")
else:
error = change_rules(args, remove_set, "remove")
if error != 0:
return error
return change_rules(args, add_set, "add")