def test_formats_rule(self):
    """A rule renders as "<dir> <gid> <peer> <proto> <from> <to>".

    The peer column is the peer group id on its own, "<account>/<gid>"
    when a foreign account id is set, or the CIDR when the peer is an
    IP range (in which case the group fields are empty).
    """
    group = self.good_gid
    peer = self.good_gid
    formatter = RuleFormatter()

    # Fields shared by all three expectations below.
    base = {
        'Direction': 'in',
        'GroupId': group,
        'IpProtocol': 'tcp',
        'FromPort': 0,
        'ToPort': 65535,
    }
    plain_fmt = ("{Direction} {GroupId} {OtherGroupId}{OtherCidrIp} "
                 "{IpProtocol} {FromPort} {ToPort}")
    account_fmt = ("{Direction} {GroupId} {OtherUserId}/{OtherGroupId} "
                   "{IpProtocol} {FromPort} {ToPort}")

    def check(expected_fmt, **peer_fields):
        data = dict(base, **peer_fields)
        self.assertEqual(formatter.format_rule(Rule(data)),
                         expected_fmt.format(**data))

    # Same-account peer group: no account prefix, no CIDR.
    check(plain_fmt, OtherGroupId=peer, OtherUserId='', OtherCidrIp='')
    # Cross-account peer group: rendered as account/group.
    check(account_fmt, OtherGroupId=peer, OtherUserId=self.good_account,
          OtherCidrIp='')
    # CIDR peer: group columns empty, the CIDR fills the slot.
    check(plain_fmt, OtherGroupId='', OtherUserId='',
          OtherCidrIp=self.good_cidr)
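def change_rules(args, rules, verb, warn=None):
    """Apply ``verb`` to each rule in ``rules`` via the EC2 IpPermissions API.

    Args:
        args: parsed CLI options. Reads ``args.groups`` (the group ids in
            scope), ``args.noop`` (dry run: log only) and ``args.aws``
            (``account_id`` for formatting and the ``ec2.IpPermissions``
            client whose method named ``verb`` is called).
        rules: iterable of Rule objects; each exposes ``["GroupId"]``,
            ``["Direction"]``, ``other()`` and ``proto_spec()``.
        verb: name of the ``args.aws.ec2.IpPermissions`` method to call;
            also used verbatim in log messages.
        warn: optional collection of AWSCallError ``code`` values that are
            logged as warnings and NOT counted as failures. Pass a list,
            set or tuple — a plain string would match by substring.

    Returns:
        0 if nothing was attempted or every call succeeded (or failed only
        with a code listed in ``warn``), 1 if any other call failed.
        Callers that treat 0 as "every rule applied" must remember that
        ``warn``-listed failures are silently folded into 0.

    Rules whose GroupId is not in ``args.groups`` are skipped; that check
    is the only guard against changing a group outside the requested
    scope, so callers must populate ``args.groups`` accordingly.
    """
    if not rules:
        log.info("Nothing to {}".format(verb))
        return 0

    # The formatter depends only on the account id; build it once instead
    # of once per rule.
    formatter = RuleFormatter(args.aws.account_id)
    error = 0
    for rule in rules:
        if rule["GroupId"] not in args.groups:
            log.debug("Skipping rule for excluded group: {}".format(rule))
            continue
        if args.noop:
            log.info("NOOP: {} {}".format(verb, formatter.format_rule(rule)))
            continue
        # A bad ``verb`` raises AttributeError here; that is not an AWS
        # call failure and is deliberately left to propagate.
        action = getattr(args.aws.ec2.IpPermissions, verb)
        try:
            action(rule["GroupId"], rule.other(), rule.proto_spec(),
                   rule["Direction"])
        except AWSCallError as e:
            if warn and e.code in warn:
                # Tolerated failure: reported, but the return value stays 0.
                log.warning("Warning: {}".format(e))
                log.warning(" {}".format(rule))
            else:
                log.error("Error: {}".format(e))
                error = 1
        else:
            log.info("{} rule: {}".format(verb, formatter.format_rule(rule)))
    return error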
def test_parses_other(self):
    """"<account>/<gid>" splits into OtherUserId and OtherGroupId."""
    formatter = RuleFormatter()
    spec = "{}/{}".format(self.good_account, self.good_gid)
    expected = {
        'OtherUserId': self.good_account,
        'OtherGroupId': self.good_gid,
    }
    self.assertEqual(expected, formatter.parse_other(spec))
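def do_list_rules(args):
    """Print every rule of the security groups named in ``args.groups``.

    Fetches the groups by id from EC2 (``args.aws.ec2.SecurityGroups``),
    flattens their permissions into a RuleSet and writes one formatted
    rule per line to ``args.outfile``.

    Args:
        args: parsed CLI options; uses ``args.groups``, ``args.outfile``
            and ``args.aws`` (client plus ``account_id``).

    Returns:
        0 always; AWS call failures propagate to the caller.
    """
    groups = args.aws.ec2.SecurityGroups.get(
        filters={'group-id': args.groups})
    rule_set = RuleSet()
    rule_set.flatten_groups(groups)
    # The formatter depends only on the account id; build it once rather
    # than once per rule.
    formatter = RuleFormatter(args.aws.account_id)
    for rule in rule_set:
        print(formatter.format_rule(rule), file=args.outfile)
    return 0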
def test_parses_valid_rules(self):
    """Each accepted spelling of a rule line parses to a Rule.

    Covers symbolic and numeric protocols (tcp/udp/17), the -1 wildcard
    for protocol and ports, CIDR and bare-IP peers, and an
    account-qualified peer group. NOTE(review): the parser accepts
    port 65536 here, so it evidently does not range-check ports —
    confirm that is intended.
    """
    logger = logging.getLogger(__name__)
    formatter = RuleFormatter()
    accepted = [
        "in sg-12345abc sg-def98765 tcp 0 65535",
        "in sg-12345abc sg-def98765 udp 0 65536",
        "in sg-12345abc sg-def98765 -1 0 65536",
        "in sg-12345abc sg-def98765 17 0 65536",
        "in sg-12345abc sg-def98765 tcp -1 65535",
        "in sg-12345abc 0.0.0.0/0 tcp -1 65535",
        "in sg-12345abc 1.2.3.4 tcp -1 65535",
        "in sg-12345abc sg-def98765 tcp 0 -1",
        "in sg-12345abc sg-def98765 tcp -1 -1",
        "in sg-12345abc sg-def98765 tcp 22 22",
        "in sg-12345abc 123456/sg-def98765 tcp 22 22",
        "in sg-12345abc sg-def98765 17 -1 -1",
    ]
    for spelling in accepted:
        logger.debug(spelling)
        parsed = formatter.parse_string(spelling)
        self.assertIsInstance(
            parsed, Rule, msg="Failed on {}".format(spelling))
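def test_fails_parse_invalid(self):
    """Malformed rule lines must raise InvalidRule rather than parse.

    Fix: the second entry was missing its trailing comma, so Python
    fused it with the third into one string and neither the
    non-numeric to-port case nor the bad-protocol case was actually
    exercised on its own.
    """
    logger = logging.getLogger(__name__)
    lines = (
        "in sg-12345abc sg-def98765 tcp a 65535",
        "in sg-12345abc sg-def98765 udp 0 a",
        "in sg-12345abc sg-def98765 fail 0 65536",
        "in sg-12345abc sg-def98765 None None None",
        "in sg-12345abc(foo baz) sg-def98765(bar) tcp 0 65535",
        "in sg-12345abc(foo baz) sg-def98765(bar qux) tcp 0 65535",
        "eg sg-12345abc sg-def98765 tcp 0 65535",
    )
    formatter = RuleFormatter()
    for line in lines:
        logger.debug(line)
        self.assertRaises(InvalidRule, formatter.parse_string, line)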
def test_parses_other(self):
    """Parsing "account/group" yields OtherUserId and OtherGroupId."""
    account, gid = self.good_account, self.good_gid
    parsed = RuleFormatter().parse_other("{a}/{g}".format(a=account, g=gid))
    self.assertEqual(parsed, {'OtherGroupId': gid, 'OtherUserId': account})
def test_parses_group(self):
    """A bare group id parses into a single-key GroupId dict."""
    gid = self.good_gid
    parsed = RuleFormatter().parse_group(gid)
    self.assertEqual(parsed, {'GroupId': gid})