def _load_rule(self, sgroup, rule):
if not rule.has_key('groups') and not rule.has_key('cidr'):
# No groups or cidr, initialize SRule object
srule = SRule(**rule)
# Add it into group
sgroup.add_rule(srule)
else:
# We need to create more separate rules from this single
# definition
if rule.has_key('groups'):
# For each group, create separate rule
# multiple groups are used only to simplify configuration
for rule_group in rule['groups']:
rule_new = rule.copy()
rule_new['groups'] = [rule_group]
# Ignore cidr here, these defines another rules
if rule_new.has_key('cidr'):
rule_new.pop('cidr')
srule = SRule(owner_id=self.owner_id, **rule_new)
sgroup.add_rule(srule)
if rule.has_key('cidr'):
# For each cidr, create separate rule
# multiple cidrs are used only to simplify configuration
for rule_cidr in rule['cidr']:
rule_new = rule.copy()
rule_new['cidr'] = [rule_cidr]
# Ignore groups here, these were managed above
if rule_new.has_key('groups'):
rule_new.pop('groups')
srule = SRule(**rule_new)
sgroup.add_rule(srule)
def load_local_groups(self, config):
"""
Load local groups from config file
Save and return SecurityGroups object
:param config:
:rtype : object
"""
lg.debug("Loading local configuragion")
self.config = config
yaml.add_constructor('!include', self._yaml_include)
try:
with open(config, 'r') as fp:
conf = yaml.load(fp)
except IOError as e:
# Error while loading file
raise InvalidConfiguration("Can't read config file %s: %s" %
(config, e))
except yaml.YAMLError as e:
# Error while parsing YAML
if hasattr(e, 'problem_mark'):
mark = e.problem_mark
raise InvalidConfiguration(
"Can't parse config file %s: error at line %s, column %s" %
(config, mark.line + 1, mark.column + 1))
else:
raise InvalidConfiguration("Can't parse config file %s: %s" %
(config, e))
# Remove include keys
conf = self._fix_include(conf)
lg.debug("Loading local groups")
for name, group in conf.iteritems():
# Initialize SGroup object
sgroup = SGroup(
name, None
if not group.has_key('description') else group['description'])
if group.has_key('rules'):
for rule in group['rules']:
if rule.has_key('groups'):
# For each group, create separate rule
# multiple groups are used only to simplify configuration
for group in rule['groups']:
rule['groups'] = [group]
srule = SRule(owner_id=self.owner_id, **rule)
sgroup.add_rule(srule)
else:
# No groups, initialize SRule object
srule = SRule(**rule)
# Add it into group
sgroup.add_rule(srule)
self.groups[name] = sgroup
return self.groups
def load_remote_groups(self):
"""
Load security groups from EC2
Convert boto.ec2.securitygroup objects into unified structure
:rtype : list
"""
lg.debug("Loading remote groups")
groups = ec2.get_all_security_groups()
for group in groups:
# Initialize SGroup object
sgroup = SGroup(str(group.name),
str(group.description),
sgroup_object=group)
# For each rule in group
for rule in group.rules:
rule_info = {
'protocol': str(rule.ip_protocol),
'srule_object': rule,
}
if rule.from_port != rule.to_port:
# We have port range, use port_from and port_to parameters
rule_info['port_from'] = int(rule.from_port)
rule_info['port_to'] = int(rule.to_port)
else:
# We have single port, use port parameter
rule_info['port'] = int(rule.to_port)
if rule.grants:
for grant in rule.grants:
# For each granted permission, add new SRule
try:
srule = SRule(
groups={
'name':
str(grant.groupName),
'owner':
str(grant.owner_id),
# OpenStack doesn't support group IDs, use None if this attr isn't present
'id':
None
if getattr(grant, 'groupId', None) is None
else str(getattr(grant, 'groupId'))
},
**rule_info)
except AttributeError:
srule = SRule(cidr=[str(grant.cidr_ip)],
**rule_info)
sgroup.add_rule(srule)
self.groups[sgroup.name] = sgroup
return self.groups
def _expand_to_and_load(sgroup, r):
if 'to' in r:
# expand also "to:" section
for proto_port in r['to']:
new_r = r.copy()
new_r.pop('to')
new_r.update(proto_port)
srule = SRule(owner_id=self.owner_id, **new_r)
sgroup.add_rule(srule)
else:
srule = SRule(owner_id=self.owner_id, **r)
sgroup.add_rule(srule)
def _load_remote_rule(self, rule, sgroup, egress=False):
"""
Create SRule objects from single remote rule and add them to sgroup
"""
rule_info = {
'protocol': str(rule.ip_protocol),
'srule_object': rule,
}
if egress:
rule_info['egress'] = egress
if sgroup.vpc_id and not rule.to_port:
# We are VPC rule without port (probably icmp), it's fine..
pass
else:
# Non-VPC rule requires port
if rule.from_port != rule.to_port:
# We have port range, use port_from and port_to parameters
rule_info['port_from'] = int(rule.from_port)
rule_info['port_to'] = int(rule.to_port)
else:
# We have single port, use port parameter
rule_info['port'] = int(rule.to_port)
if rule.grants:
for grant in rule.grants:
# For each granted permission, add new SRule
try:
srule = SRule(
owner_id=self.owner_id,
groups={
'name':
str(grant.groupName),
'owner':
str(grant.owner_id),
# OpenStack doesn't support group IDs, use None if this attr isn't present
'id':
None if getattr(grant, 'groupId', None) is None
else str(getattr(grant, 'groupId'))
},
**rule_info)
except AttributeError:
srule = SRule(cidr=[str(grant.cidr_ip)], **rule_info)
sgroup.add_rule(srule)