def load_remote_groups(self):
"""
Load security groups from EC2
Convert boto.ec2.securitygroup objects into unified structure
:rtype : list
"""
lg.debug("Loading remote groups")
groups = ec2.get_all_security_groups()
for group in groups:
# Initialize SGroup object
sgroup = SGroup(str(group.name),
str(group.description),
sgroup_object=group)
# For each rule in group
for rule in group.rules:
rule_info = {
'protocol': str(rule.ip_protocol),
'srule_object': rule,
}
if rule.from_port != rule.to_port:
# We have port range, use port_from and port_to parameters
rule_info['port_from'] = int(rule.from_port)
rule_info['port_to'] = int(rule.to_port)
else:
# We have single port, use port parameter
rule_info['port'] = int(rule.to_port)
if rule.grants:
for grant in rule.grants:
# For each granted permission, add new SRule
try:
srule = SRule(
groups={
'name':
str(grant.groupName),
'owner':
str(grant.owner_id),
# OpenStack doesn't support group IDs, use None if this attr isn't present
'id':
None
if getattr(grant, 'groupId', None) is None
else str(getattr(grant, 'groupId'))
},
**rule_info)
except AttributeError:
srule = SRule(cidr=[str(grant.cidr_ip)],
**rule_info)
sgroup.add_rule(srule)
self.groups[sgroup.name] = sgroup
return self.groups
def load_local_groups(self, config):
"""
Load local groups from config file
Save and return SecurityGroups object
:param config:
:rtype : object
"""
self.config = config
yaml.add_constructor('!include', self._yaml_include)
try:
with open(config, 'r') as fp:
conf = yaml.load(fp)
except IOError as e:
# Error while loading file
raise InvalidConfiguration("Can't read config file %s: %s" % (config, e))
except yaml.YAMLError as e:
# Error while parsing YAML
if hasattr(e, 'problem_mark'):
mark = e.problem_mark
raise InvalidConfiguration("Can't parse config file %s: error at line %s, column %s" % (config, mark.line+1, mark.column+1))
else:
raise InvalidConfiguration("Can't parse config file %s: %s" % (config, e))
lg.debug("Loading local groups")
for name, group in conf.iteritems():
# Initialize SGroup object
sgroup = SGroup(name, None if not group.has_key('description') else group['description'])
if group.has_key('rules'):
for rule in group['rules']:
if rule.has_key('groups'):
# For each group, create separate rule
# multiple groups are used only to simplify configuration
for group in rule['groups']:
rule['groups'] = [ group ]
srule = SRule(**rule)
sgroup.add_rule(srule)
else:
# No groups, initialize SRule object
srule = SRule(**rule)
# Add it into group
sgroup.add_rule(srule)
self.groups[name] = sgroup
return self.groups
def load_remote_groups(self):
"""
Load security groups from EC2
Convert boto.ec2.securitygroup objects into unified structure
:rtype : list
"""
lg.debug("Loading remote groups")
groups = ec2.get_all_security_groups(self.only_groups)
for group in groups:
if not self.vpc and group.vpc_id:
lg.debug("Skipping VPC group %s" % group.name)
continue
elif self.vpc and not group.vpc_id:
lg.debug("Skipping non-VPC group %s" % group.name)
continue
# Initialize SGroup object
sgroup = SGroup(sgroup_object=group)
# For each egress rule in group
for rule in group.rules_egress:
self._load_remote_rule(rule, sgroup, egress=True)
# For each ingress rule in group
for rule in group.rules:
self._load_remote_rule(rule, sgroup)
self.groups[sgroup.name] = sgroup
return self.groups
def load_remote_groups(self):
"""
Load security groups from EC2
Convert boto.ec2.securitygroup objects into unified structure
:rtype : list
"""
lg.debug("Loading remote groups")
groups = ec2.get_all_security_groups()
for group in groups:
# Initialize SGroup object
sgroup = SGroup(str(group.name), str(group.description), sgroup_object=group)
# For each rule in group
for rule in group.rules:
rule_info = {
'protocol' : str(rule.ip_protocol),
'srule_object' : rule,
}
if rule.from_port != rule.to_port:
# We have port range, use port_from and port_to parameters
rule_info['port_from'] = int(rule.from_port)
rule_info['port_to'] = int(rule.to_port)
else:
# We have single port, use port parameter
rule_info['port'] = int(rule.to_port)
if rule.grants:
for grant in rule.grants:
# For each granted permission, add new SRule
try:
srule = SRule(groups={
'name' : str(grant.groupName),
'owner' : str(grant.owner_id),
# OpenStack doesn't support group IDs, use None if this attr isn't present
'id' : None if getattr(grant, 'groupId', None) is None else str(getattr(grant, 'groupId'))
}, **rule_info)
except AttributeError:
srule = SRule(cidr=[ str(grant.cidr_ip) ], **rule_info)
sgroup.add_rule(srule)
self.groups[sgroup.name] = sgroup
return self.groups
def load_local_groups(self, config):
"""
Load local groups from config file
Save and return SecurityGroups object
:param config:
:rtype : object
"""
lg.debug("Loading local configuragion")
self.config = config
yaml.add_constructor('!include', self._yaml_include)
try:
with open(config, 'r') as fp:
conf = yaml.load(fp)
except IOError as e:
# Error while loading file
raise InvalidConfiguration("Can't read config file %s: %s" %
(config, e))
except yaml.YAMLError as e:
# Error while parsing YAML
if hasattr(e, 'problem_mark'):
mark = e.problem_mark
raise InvalidConfiguration(
"Can't parse config file %s: error at line %s, column %s" %
(config, mark.line + 1, mark.column + 1))
else:
raise InvalidConfiguration("Can't parse config file %s: %s" %
(config, e))
# Remove include keys
conf = self._fix_include(conf)
lg.debug("Loading local groups")
for name, group in conf.iteritems():
# Initialize SGroup object
sgroup = SGroup(
name, None
if not group.has_key('description') else group['description'])
if group.has_key('rules'):
for rule in group['rules']:
if rule.has_key('groups'):
# For each group, create separate rule
# multiple groups are used only to simplify configuration
for group in rule['groups']:
rule['groups'] = [group]
srule = SRule(owner_id=self.owner_id, **rule)
sgroup.add_rule(srule)
else:
# No groups, initialize SRule object
srule = SRule(**rule)
# Add it into group
sgroup.add_rule(srule)
self.groups[name] = sgroup
return self.groups
def _load_sgroup(self, name, group, check_mode='strict'):
"""
Return SGroup object with assigned rules
"""
# Test len of name and description
if len(name) > 255:
raise InvalidConfiguration(
"Name of group '%s' is longer than 255 chars" % (name))
if group.has_key('description') and len(group['description']) > 255:
raise InvalidConfiguration(
"Description of group '%s' is longer than 255 chars" % (name))
# Test name and description according to spec
if check_mode == 'strict':
allowed = '^[a-zA-Z0-9_\- ]+$'
if check_mode == 'ascii':
allowed = '^[\x20-\x7E]+$'
if check_mode == 'vpc':
allowed = '^[a-zA-Z0-9 ._\-:/()#,@[\]+=&;{}!$*]+$'
if group.has_key('description') and not re.match(
allowed, group['description']):
raise InvalidConfiguration(
"Description of group '%s' is not valid in %s check_mode" %
(name, check_mode))
if not re.match(allowed, name):
raise InvalidConfiguration(
"Name of group '%s' is not valid in %s check_mode" %
(name, check_mode))
sgroup = SGroup(
name,
description=None
if 'description' not in group.keys() else group['description'],
vpc_id=None if 'vpc_id' not in group.keys() else group['vpc_id'])
# Dive into group's rules and create srule objects
if group.has_key('rules'):
for rule in group['rules']:
self._validate(rule, sgroup.name)
self._load_rule(sgroup, rule)
return sgroup
