def edit(group_id, ec2=None, rds=None):
security_groups = ec2.get_all_security_groups(group_ids=[group_id])
if len(security_groups) == 0:
return "Missing security groups"
security_group = security_groups[0]
for rule in security_group.rules:
grants_with_cidrs = []
for grant in rule.grants:
if grant.cidr_ip:
ttl = rds.get(GRANT_KEY_FORMULA.format(security_group_id=group_id, protocol=rule.ip_protocol, from_port=rule.from_port, to_port=rule.to_port, cidr=grant.cidr_ip))
if ttl is None or ttl == 0:
grant.time_left = ttl
else:
grant.time_left = int(float(ttl) - time.time())
grants_with_cidrs.append(grant)
rule.grants = grants_with_cidrs
if 'X-Forwarded-For' in request.headers:
ip = request.headers['X-Forwarded-For']
else:
ip = request.remote_addr
return render_template('edit.html', ip=ip, security_group=security_group)
def authorize(ec2=None, rds=None):
security_group_id, protocol, cidr, from_port, to_port, duration = request.form['security_group_id'], request.form['protocol'], request.form['cidr'], int(request.form['from_port']), int(request.form['to_port']), int(request.form['duration'])
cidr_fixed = fix_cidr(cidr)
security_groups = ec2.get_all_security_groups(group_ids=[security_group_id])
if len(security_groups) == 0:
return "Security group not found"
security_group = security_groups[0]
if security_group.authorize(ip_protocol=protocol, from_port=from_port, to_port=to_port, cidr_ip=cidr_fixed):
grant_key = GRANT_KEY_FORMULA.format(security_group_id=security_group_id, protocol=protocol, from_port=from_port, to_port=to_port, cidr=cidr_fixed)
rds.set(grant_key, str(time.time() + duration))
return redirect("/edit/" + security_group_id)
else:
return "An error occurred"
def persist(ec2=None, rds=None):
security_group_id, protocol, cidr, from_port, to_port = request.args.get('security_group_id'), request.args.get('protocol'), request.args.get('cidr'), int(request.args.get('from_port')), int(request.args.get('to_port'))
grant_key = GRANT_KEY_FORMULA.format(security_group_id=security_group_id, protocol=protocol, from_port=from_port, to_port=to_port, cidr=cidr)
rds.delete(grant_key)
return redirect("/edit/" + security_group_id)
parser.add_argument('--dry', dest='dry', action='store_true', help='Dry run: don\'t actually remove security group rules that have expired')
args = parser.parse_args()
if __name__ == "__main__":
logger = logging.getLogger()
logger.setLevel(logging.INFO)
logger.addHandler(logging.StreamHandler())
security_groups = ec2.get_all_security_groups()
for security_group in security_groups:
for rule in security_group.rules:
grants_with_cidrs = []
for grant in rule.grants:
if grant.cidr_ip:
ttl = rds.get(GRANT_KEY_FORMULA.format(security_group_id=security_group.id, protocol=rule.ip_protocol, from_port=rule.from_port, to_port=rule.to_port, cidr=grant.cidr_ip))
if ttl is None or ttl == 0:
grant.time_left = ttl
else:
grant.time_left = int(float(ttl) - time.time())
if grant.time_left < 0 and ttl > 0:
logging.getLogger("grantaccess").info("Revoking %s: %s %s-%s to %s", security_group.id, rule.ip_protocol, rule.from_port, rule.to_port, grant.cidr_ip)
if args.dry is None or args.dry is not True:
_revoke(rds, security_group, rule.ip_protocol, rule.from_port, rule.to_port, grant.cidr_ip)
else:
logging.getLogger("grantaccess").info("No need to revoke %s: %s %s-%s to %s", security_group.id, rule.ip_protocol, rule.from_port, rule.to_port, grant.cidr_ip)
grants_with_cidrs.append(grant)
