Exemple #1
0
    def load_remote_groups(self):
        """
        Load security groups from EC2
        Convert boto.ec2.securitygroup objects into unified structure
        :rtype : list
        """
        lg.debug("Loading remote groups")
        groups = ec2.get_all_security_groups()
        for group in groups:
            # Initialize SGroup object
            sgroup = SGroup(str(group.name),
                            str(group.description),
                            sgroup_object=group)

            # For each rule in group
            for rule in group.rules:
                rule_info = {
                    'protocol': str(rule.ip_protocol),
                    'srule_object': rule,
                }

                if rule.from_port != rule.to_port:
                    # We have port range, use port_from and port_to parameters
                    rule_info['port_from'] = int(rule.from_port)
                    rule_info['port_to'] = int(rule.to_port)
                else:
                    # We have single port, use port parameter
                    rule_info['port'] = int(rule.to_port)

                if rule.grants:
                    for grant in rule.grants:
                        # For each granted permission, add new SRule
                        try:
                            srule = SRule(
                                groups={
                                    'name':
                                    str(grant.groupName),
                                    'owner':
                                    str(grant.owner_id),
                                    # OpenStack doesn't support group IDs, use None if this attr isn't present
                                    'id':
                                    None
                                    if getattr(grant, 'groupId', None) is None
                                    else str(getattr(grant, 'groupId'))
                                },
                                **rule_info)
                        except AttributeError:
                            srule = SRule(cidr=[str(grant.cidr_ip)],
                                          **rule_info)

                        sgroup.add_rule(srule)

            self.groups[sgroup.name] = sgroup

        return self.groups
Exemple #2
0
    def load_local_groups(self, config):
        """
        Load local groups from config file
        Save and return SecurityGroups object

        :param config:
        :rtype : object
        """
        self.config = config
        yaml.add_constructor('!include', self._yaml_include)

        try:
            with open(config, 'r') as fp:
                conf = yaml.load(fp)
        except IOError as e:
            # Error while loading file
            raise InvalidConfiguration("Can't read config file %s: %s" % (config, e))
        except yaml.YAMLError as e:
            # Error while parsing YAML
            if hasattr(e, 'problem_mark'):
                mark = e.problem_mark
                raise InvalidConfiguration("Can't parse config file %s: error at line %s, column %s" % (config, mark.line+1, mark.column+1))
            else:
                raise InvalidConfiguration("Can't parse config file %s: %s" % (config, e))

        lg.debug("Loading local groups")
        for name, group in conf.iteritems():
            # Initialize SGroup object
            sgroup = SGroup(name, None if not group.has_key('description') else group['description'])

            if group.has_key('rules'):
                for rule in group['rules']:
                    if rule.has_key('groups'):
                        # For each group, create separate rule
                        # multiple groups are used only to simplify configuration
                        for group in rule['groups']:
                            rule['groups'] = [ group ]
                            srule = SRule(**rule)
                            sgroup.add_rule(srule)
                    else:
                        # No groups, initialize SRule object
                        srule = SRule(**rule)
                        # Add it into group
                        sgroup.add_rule(srule)

            self.groups[name] = sgroup

        return self.groups
Exemple #3
0
    def load_remote_groups(self):
        """
        Load security groups from EC2
        Convert boto.ec2.securitygroup objects into unified structure
        :rtype : list
        """
        lg.debug("Loading remote groups")
        groups = ec2.get_all_security_groups(self.only_groups)
        for group in groups:
            if not self.vpc and group.vpc_id:
                lg.debug("Skipping VPC group %s" % group.name)
                continue
            elif self.vpc and not group.vpc_id:
                lg.debug("Skipping non-VPC group %s" % group.name)
                continue

            # Initialize SGroup object
            sgroup = SGroup(sgroup_object=group)

            # For each egress rule in group
            for rule in group.rules_egress:
                self._load_remote_rule(rule, sgroup, egress=True)

            # For each ingress rule in group
            for rule in group.rules:
                self._load_remote_rule(rule, sgroup)

            self.groups[sgroup.name] = sgroup

        return self.groups
Exemple #4
0
    def load_remote_groups(self):
        """
        Load security groups from EC2
        Convert boto.ec2.securitygroup objects into unified structure
        :rtype : list
        """
        lg.debug("Loading remote groups")
        groups = ec2.get_all_security_groups()
        for group in groups:
            # Initialize SGroup object
            sgroup = SGroup(str(group.name), str(group.description), sgroup_object=group)

            # For each rule in group
            for rule in group.rules:
                rule_info = {
                    'protocol'  : str(rule.ip_protocol),
                    'srule_object' : rule,
                }

                if rule.from_port != rule.to_port:
                    # We have port range, use port_from and port_to parameters
                    rule_info['port_from'] = int(rule.from_port)
                    rule_info['port_to'] = int(rule.to_port)
                else:
                    # We have single port, use port parameter
                    rule_info['port'] = int(rule.to_port)

                if rule.grants:
                    for grant in rule.grants:
                        # For each granted permission, add new SRule
                        try:
                            srule = SRule(groups={
                                'name'  : str(grant.groupName),
                                'owner' : str(grant.owner_id),
                                # OpenStack doesn't support group IDs, use None if this attr isn't present
                                'id'    : None if getattr(grant, 'groupId', None) is None else str(getattr(grant, 'groupId'))
                            }, **rule_info)
                        except AttributeError:
                            srule = SRule(cidr=[ str(grant.cidr_ip) ], **rule_info)

                        sgroup.add_rule(srule)

            self.groups[sgroup.name] = sgroup

        return self.groups
Exemple #5
0
    def load_local_groups(self, config):
        """
        Load local groups from config file
        Save and return SecurityGroups object

        :param config:
        :rtype : object
        """
        lg.debug("Loading local configuragion")
        self.config = config
        yaml.add_constructor('!include', self._yaml_include)

        try:
            with open(config, 'r') as fp:
                conf = yaml.load(fp)
        except IOError as e:
            # Error while loading file
            raise InvalidConfiguration("Can't read config file %s: %s" %
                                       (config, e))
        except yaml.YAMLError as e:
            # Error while parsing YAML
            if hasattr(e, 'problem_mark'):
                mark = e.problem_mark
                raise InvalidConfiguration(
                    "Can't parse config file %s: error at line %s, column %s" %
                    (config, mark.line + 1, mark.column + 1))
            else:
                raise InvalidConfiguration("Can't parse config file %s: %s" %
                                           (config, e))

        # Remove include keys
        conf = self._fix_include(conf)

        lg.debug("Loading local groups")
        for name, group in conf.iteritems():
            # Initialize SGroup object
            sgroup = SGroup(
                name, None
                if not group.has_key('description') else group['description'])

            if group.has_key('rules'):
                for rule in group['rules']:
                    if rule.has_key('groups'):
                        # For each group, create separate rule
                        # multiple groups are used only to simplify configuration
                        for group in rule['groups']:
                            rule['groups'] = [group]

                            srule = SRule(owner_id=self.owner_id, **rule)
                            sgroup.add_rule(srule)
                    else:
                        # No groups, initialize SRule object
                        srule = SRule(**rule)
                        # Add it into group
                        sgroup.add_rule(srule)

            self.groups[name] = sgroup

        return self.groups
Exemple #6
0
    def _load_sgroup(self, name, group, check_mode='strict'):
        """
        Return SGroup object with assigned rules
        """
        # Test len of name and description
        if len(name) > 255:
            raise InvalidConfiguration(
                "Name of group '%s' is longer than 255 chars" % (name))
        if group.has_key('description') and len(group['description']) > 255:
            raise InvalidConfiguration(
                "Description of group '%s' is longer than 255 chars" % (name))

        # Test name and description according to spec
        if check_mode == 'strict':
            allowed = '^[a-zA-Z0-9_\- ]+$'
        if check_mode == 'ascii':
            allowed = '^[\x20-\x7E]+$'
        if check_mode == 'vpc':
            allowed = '^[a-zA-Z0-9 ._\-:/()#,@[\]+=&;{}!$*]+$'

        if group.has_key('description') and not re.match(
                allowed, group['description']):
            raise InvalidConfiguration(
                "Description of group '%s' is not valid in %s check_mode" %
                (name, check_mode))

        if not re.match(allowed, name):
            raise InvalidConfiguration(
                "Name of group '%s' is not valid in %s check_mode" %
                (name, check_mode))

        sgroup = SGroup(
            name,
            description=None
            if 'description' not in group.keys() else group['description'],
            vpc_id=None if 'vpc_id' not in group.keys() else group['vpc_id'])

        # Dive into group's rules and create srule objects
        if group.has_key('rules'):
            for rule in group['rules']:
                self._validate(rule, sgroup.name)
                self._load_rule(sgroup, rule)

        return sgroup