Class: ClusterChef::Cloud::SecurityGroup

Inherits:

DslObject

• Object
• DslObject
• ClusterChef::Cloud::SecurityGroup

Defined in:

lib/cluster_chef/security_group.rb

Constant Summary

@@all =

nil

Instance Attribute Summary

• #group_authorizations ⇒ Object readonly

  Returns the value of attribute group_authorizations.

• #range_authorizations ⇒ Object readonly

  Returns the value of attribute range_authorizations.

Class Method Summary

• .all ⇒ Object
• .get_all ⇒ Object
• .get_or_create(group_name, description) ⇒ Object
• .step(group_name, desc, *style) ⇒ Object

Instance Method Summary

• #all ⇒ Object
• #authorize_group(group_name, owner_id = nil) ⇒ Object
• #authorize_port_range(range, cidr_ip = '0.0.0.0/0', ip_protocol = 'tcp') ⇒ Object
• #authorized_by_group(other_name) ⇒ Object
• #get ⇒ Object
• #group_permission_already_set?(fog_group, other_name, authed_owner) ⇒ Boolean
• #initialize(cloud, group_name, group_description = nil, group_owner_id = nil) ⇒ SecurityGroup constructor

  A new instance of SecurityGroup.

• #range_permission_already_set?(fog_group, range, cidr_ip, ip_protocol) ⇒ Boolean
• #run ⇒ Object

  FIXME: so if you’re saying to yourself, “self, this is some soupy gooey code right here” then you and your self are correct.

• #step(desc, *style) ⇒ Object

Methods inherited from DslObject

#configure, #die, #dump, has_keys, #reverse_merge!, #safely, #set, #to_hash, #to_mash, #to_s, #ui, ui

Constructor Details

#initialize(cloud, group_name, group_description = nil, group_owner_id = nil) ⇒ SecurityGroup

Returns a new instance of SecurityGroup.

# File 'lib/cluster_chef/security_group.rb', line 9

def initialize cloud, group_name, group_description=nil, group_owner_id=nil
  super()
  set :name, group_name.to_s
  description group_description || "cluster_chef generated group #{group_name}"
  @cloud         = cloud
  @group_authorizations = []
  @group_authorized_by  = []
  @range_authorizations = []
  owner_id(group_owner_id || Chef::Config[:knife][:aws_account_id])
end

Instance Attribute Details

#group_authorizations ⇒ Object (readonly)

Returns the value of attribute group_authorizations.

# File 'lib/cluster_chef/security_group.rb', line 6

def group_authorizations
  @group_authorizations
end

#range_authorizations ⇒ Object (readonly)

Returns the value of attribute range_authorizations.

# File 'lib/cluster_chef/security_group.rb', line 7

def range_authorizations
  @range_authorizations
end

Class Method Details

.all ⇒ Object

# File 'lib/cluster_chef/security_group.rb', line 24

def self.all
  return @@all if @@all
  get_all
end

.get_all ⇒ Object

# File 'lib/cluster_chef/security_group.rb', line 28

def self.get_all
  groups_list = ClusterChef.fog_connection.security_groups.all
  @@all = groups_list.inject(Mash.new) do |hsh, fog_group|
    hsh[fog_group.name] = fog_group ; hsh
  end
end

.get_or_create(group_name, description) ⇒ Object

# File 'lib/cluster_chef/security_group.rb', line 39

def self.get_or_create(group_name, description)
  # FIXME: the '|| ClusterChef.fog' part is probably unnecessary
  fog_group = all[group_name] || ClusterChef.fog_connection.security_groups.get(group_name)
  unless fog_group
    self.step(group_name, "creating (#{description})", :green)
    fog_group = all[group_name] = ClusterChef.fog_connection.security_groups.new(:name => group_name, :description => description, :connection => ClusterChef.fog_connection)
    fog_group.save
  end
  fog_group
end

.step(group_name, desc, *style) ⇒ Object

# File 'lib/cluster_chef/security_group.rb', line 110

def self.step(group_name, desc, *style)
  ui.info("  group #{"%-15s" % (group_name+":")}\t#{ui.color(desc.to_s, *style)}")
end

Instance Method Details

#all ⇒ Object

# File 'lib/cluster_chef/security_group.rb', line 21

def all
  self.class.all
end

#authorize_group(group_name, owner_id = nil) ⇒ Object

# File 'lib/cluster_chef/security_group.rb', line 50

def authorize_group(group_name, owner_id=nil)
  @group_authorizations << [group_name.to_s, owner_id]
end

#authorize_port_range(range, cidr_ip = '0.0.0.0/0', ip_protocol = 'tcp') ⇒ Object

# File 'lib/cluster_chef/security_group.rb', line 58

def authorize_port_range(range, cidr_ip = '0.0.0.0/0', ip_protocol = 'tcp')
  range = (range .. range) if range.is_a?(Integer)
  @range_authorizations << [range, cidr_ip, ip_protocol]
end

#authorized_by_group(other_name) ⇒ Object

# File 'lib/cluster_chef/security_group.rb', line 54

def authorized_by_group(other_name)
  @group_authorized_by << other_name.to_s
end

#get ⇒ Object

# File 'lib/cluster_chef/security_group.rb', line 35

def get
  all[name] || ClusterChef.fog_connection.security_groups.get(name)
end

#group_permission_already_set?(fog_group, other_name, authed_owner) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/cluster_chef/security_group.rb', line 63

def group_permission_already_set?(fog_group, other_name, authed_owner)
  return false if fog_group.ip_permissions.nil?
  fog_group.ip_permissions.any? do |existing_permission|
    existing_permission["groups"].include?({"userId" => authed_owner, "groupName" => other_name}) &&
      existing_permission["fromPort"] == 1 &&
      existing_permission["toPort"]   == 65535
  end
end

#range_permission_already_set?(fog_group, range, cidr_ip, ip_protocol) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/cluster_chef/security_group.rb', line 72

def range_permission_already_set?(fog_group, range, cidr_ip, ip_protocol)
  return false if fog_group.ip_permissions.nil?
  fog_group.ip_permissions.include?(
    { "groups"=>[], "ipRanges"=>[{"cidrIp"=>cidr_ip}],
      "ipProtocol"=>ip_protocol, "fromPort"=>range.first, "toPort"=>range.last})
end

#run ⇒ Object

FIXME: so if you’re saying to yourself, “self, this is some soupy gooey code right here” then you and your self are correct. Much of this is to work around old limitations in the EC2 api. You can now treat range and group permissions the same, and we should.

# File 'lib/cluster_chef/security_group.rb', line 84

def run
  fog_group = self.class.get_or_create(name, description)
  @group_authorizations.uniq.each do |other_name, authed_owner|
    authed_owner ||= self.owner_id
    next if group_permission_already_set?(fog_group, other_name, authed_owner)
    step("authorizing access from all machines in #{other_name} to #{name}", :blue)
    self.class.get_or_create(other_name, "Authorized to access #{name}")
    begin  fog_group.authorize_group_and_owner(other_name, authed_owner)
    rescue StandardError => e ; ui.warn e ; end
  end
  @group_authorized_by.uniq.each do |other_name|
    authed_owner = self.owner_id
    other_group = self.class.get_or_create(other_name, "Authorized for access by #{self.name}")
    next if group_permission_already_set?(other_group, self.name, authed_owner)
    step("authorizing access to all machines in #{other_name} from #{name}", :blue)
    begin  other_group.authorize_group_and_owner(self.name, authed_owner)
    rescue StandardError => e ; ui.warn e ; end
  end
  @range_authorizations.uniq.each do |range, cidr_ip, ip_protocol|
    next if range_permission_already_set?(fog_group, range, cidr_ip, ip_protocol)
    step("opening #{ip_protocol} ports #{range} to #{cidr_ip}", :blue)
    begin  fog_group.authorize_port_range(range, { :cidr_ip => cidr_ip, :ip_protocol => ip_protocol })
    rescue StandardError => e ; ui.warn e ; end
  end
end

#step(desc, *style) ⇒ Object

# File 'lib/cluster_chef/security_group.rb', line 113

def step(desc, *style)
  self.class.step(self.name, desc, *style)
end