Class: AwSec::Core

Inherits:

Object

• Object
• AwSec::Core

Defined in:

lib/aw_sec/core.rb

Class Method Summary

• .secure(group_names, public_ip, options = {}) ⇒ Object

Instance Method Summary

• #conn ⇒ Object
• #get_groups(group_names) ⇒ Object
• #is_authorized?(group, ip) ⇒ Boolean
• #list_ips(group) ⇒ Object
• #port ⇒ Object
• #revoke_access(group, ip) ⇒ Object
• #safe_authorize_port(group, ip) ⇒ Object
• #secure(group_names, public_ip, options = {}) ⇒ Object

Class Method Details

.secure(group_names, public_ip, options = {}) ⇒ Object

# File 'lib/aw_sec/core.rb', line 6

def self.secure(group_names, public_ip, options = {})
  client = AwSec::Core.new
  client.secure(group_names, public_ip, options)
end

Instance Method Details

#conn ⇒ Object

# File 'lib/aw_sec/core.rb', line 110

def conn
  @conn ||= Fog::Compute.new({
    :provider => 'AWS',
  	:region => @region,
  	:aws_access_key_id => @aws_key,
  	:aws_secret_access_key => @aws_secret
  	})
end

#get_groups(group_names) ⇒ Object

# File 'lib/aw_sec/core.rb', line 64

def get_groups(group_names)
  groups = []
			if group_names.is_a? String
to_loop = [group_names] 
			else
to_loop = group_names
			end
  to_loop.each do |group_name|
    groups << conn.security_groups.get(group_name)
  end
  
  groups
end

#is_authorized?(group, ip) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/aw_sec/core.rb', line 97

def is_authorized?(group, ip)
	return group.ip_permissions.detect do |ip_permission|
		ip_permission['ipRanges'].first && ip_permission['ipRanges'].first['cidrIp'] == ip &&
			ip_permission['fromPort'] == port &&
			ip_permission['ipProtocol'] == 'tcp' &&
			ip_permission['toPort'] == port
	end
end

#list_ips(group) ⇒ Object

# File 'lib/aw_sec/core.rb', line 51

def list_ips(group)
  result = []
	group.ip_permissions.detect do |ip_permission|
		result << ip_permission['ipRanges'].collect{ |i| i["cidrIp"] } if ip_permission["toPort"] == port
	end

  result.flatten!
end

#port ⇒ Object

# File 'lib/aw_sec/core.rb', line 106

def port
  @port
end

#revoke_access(group, ip) ⇒ Object

# File 'lib/aw_sec/core.rb', line 60

def revoke_access(group, ip)
  group.revoke_port_range(port..port, :cidr_ip => ip)
end

#safe_authorize_port(group, ip) ⇒ Object

# File 'lib/aw_sec/core.rb', line 78

def safe_authorize_port(group, ip)
	if group.ip_permissions.nil?
		authorized = false
	else
		authorized = is_authorized?(group, ip)
	end
	unless authorized
    begin
      group.authorize_port_range(port..port, :cidr_ip => ip)
    rescue => exc
	if exc.message =~ /InvalidPermission.Duplicate/
		puts "#{ip} already has access" 
	else
		puts "Failed #{exc.message}"
	end
    end
	end
end

#secure(group_names, public_ip, options = {}) ⇒ Object

# File 'lib/aw_sec/core.rb', line 11

def secure(group_names, public_ip, options = {})
  public_ip = public_ip
  @port = options[:port] || 22
  @region = options[:aws_region] 
  @aws_key = options[:aws_key] 
  @aws_secret = options[:aws_secret] 
  revoke_all = options.has_key?(:revoke_all) ? options[:revoke_all] : true
  wtlist = options[:whitelist] || []
  
  whitelist = []
  public_ip = "#{public_ip}/32" unless public_ip =~  /\//
  wtlist.each do |ip|
    whitelist << "#{ip}/32" unless ip =~  /\//
  end
  
  puts "Connecting AWS..."
  groups = get_groups(group_names)
  groups.each do |group|
next if group.nil?
    puts "Configuring #{group.name}"
    granted_ips = list_ips(group) || []
    puts "Existing IPs with access to port #{port}: #{granted_ips.join(',')}"
    allowed_ips = granted_ips.select { |i| whitelist.include? i }
    allowed_ips << public_ip
    if revoke_all
      granted_ips.each do |ip|
        unless allowed_ips.include? ip
          puts "Revoking access to #{ip}"
          revoke_access(group, ip)
        end
      end
    end
    granted_ips.uniq!
    allowed_ips.each do |ip|
      puts "Granting access to port #{port} to #{ip}"
      safe_authorize_port(group, ip)
    end
  end
end