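def revoke(ec2=None, rds=None):
    """Revoke one ingress grant from a security group and return to its edit page.

    Reads ``security_group_id``, ``protocol``, ``cidr``, ``from_port`` and
    ``to_port`` from the query string, looks the group up through ``ec2`` and
    delegates the actual revocation (EC2 call plus expiry bookkeeping in
    ``rds``) to ``_revoke``.

    Returns a redirect to ``/edit/<group id>`` when ``_revoke`` reports
    success, a plain error body otherwise.  A request missing any of the five
    parameters is rejected with HTTP 400 up front, instead of forwarding
    ``None`` to EC2 / ``_revoke`` and failing somewhere deeper.

    NOTE(review): the parameters are taken from ``request.args`` (the query
    string), so this is a state-changing handler that is trivially reachable
    via GET/cross-site navigation unless the route decorator (not visible
    here) restricts it to POST and applies CSRF protection — confirm.
    """
    required = ("security_group_id", "protocol", "cidr", "from_port", "to_port")
    params = {name: request.args.get(name) for name in required}
    missing = [name for name in required if not params[name]]
    if missing:
        return "Missing parameter(s): " + ", ".join(missing), 400

    security_group_id = params["security_group_id"]
    security_groups = ec2.get_all_security_groups(group_ids=[security_group_id])
    if not security_groups:
        return "Security group not found"
    security_group = security_groups[0]

    revoked = _revoke(
        rds,
        security_group,
        params["protocol"],
        params["from_port"],
        params["to_port"],
        params["cidr"],
    )
    if revoked:
        # Build the redirect from the id EC2 returned for the group rather than
        # the raw query parameter, so only a validated identifier reaches the URL.
        return redirect("/edit/" + security_group.id)
    return "An error occurred"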
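if __name__ == "__main__":
    # Sweeper entry point: walk every security group's ingress rules and revoke
    # each CIDR grant whose expiry timestamp stored in redis has already passed.
    # ``ec2``, ``rds``, ``args`` (parsed CLI options, ``--dry`` expected) and
    # ``GRANT_KEY_FORMULA`` are module-level names defined outside this block.
    logger = logging.getLogger()
    logger.setLevel(logging.INFO)
    logger.addHandler(logging.StreamHandler())
    sweep_log = logging.getLogger("grantaccess")

    # One timestamp for the whole sweep: every grant is judged against the
    # same instant rather than a slightly different clock reading per grant.
    now = time.time()

    security_groups = ec2.get_all_security_groups()
    for security_group in security_groups:
        for rule in security_group.rules:
            grants_with_cidrs = []
            for grant in rule.grants:
                if not grant.cidr_ip:
                    # Group-to-group grants carry no expiry record and, as in
                    # the original, are dropped from rule.grants below.
                    continue

                key = GRANT_KEY_FORMULA.format(
                    security_group_id=security_group.id,
                    protocol=rule.ip_protocol,
                    from_port=rule.from_port,
                    to_port=rule.to_port,
                    cidr=grant.cidr_ip,
                )
                raw_ttl = rds.get(key)
                # redis hands the stored expiry back as str/bytes, so parse it
                # exactly once.  Comparing the raw value against ints (the old
                # ``ttl == 0`` / ``ttl > 0``) was dead on py2 (str > int is
                # always True) and raises TypeError on py3.
                expires_at = None if raw_ttl is None else float(raw_ttl)

                if expires_at is None:
                    # No record for this grant: it is not managed by this tool.
                    grant.time_left = None
                elif expires_at == 0:
                    # Presumably "never expires" — TODO confirm against the
                    # code that writes GRANT_KEY_FORMULA entries.
                    grant.time_left = 0
                else:
                    grant.time_left = int(expires_at - now)

                expired = (
                    expires_at is not None
                    and expires_at > 0
                    and grant.time_left < 0
                )
                if expired:
                    sweep_log.info(
                        "Revoking %s: %s %s-%s to %s",
                        security_group.id, rule.ip_protocol,
                        rule.from_port, rule.to_port, grant.cidr_ip,
                    )
                    # ``--dry`` only logs what would be revoked.
                    if args.dry is not True:
                        _revoke(
                            rds, security_group, rule.ip_protocol,
                            rule.from_port, rule.to_port, grant.cidr_ip,
                        )
                else:
                    sweep_log.info(
                        "No need to revoke %s: %s %s-%s to %s",
                        security_group.id, rule.ip_protocol,
                        rule.from_port, rule.to_port, grant.cidr_ip,
                    )
                grants_with_cidrs.append(grant)
            rule.grants = grants_with_cidrs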