Class: ClusterChef::Cloud::SecurityGroup

Inherits:
DslObject
  • Object
Defined in:
lib/cluster_chef/security_group.rb

Constant Summary

@@all =
nil

Instance Attribute Summary

Class Method Summary

Instance Method Summary

Methods inherited from DslObject

#configure, #die, #dump, has_keys, #reverse_merge!, #safely, #set, #to_hash, #to_mash, #to_s, #ui, ui

Constructor Details

#initialize(cloud, group_name, group_description = nil, group_owner_id = nil) ⇒ SecurityGroup

Returns a new instance of SecurityGroup.



# File 'lib/cluster_chef/security_group.rb', line 9

# Builds a security-group declaration bound to a cloud connection.
#
# Nothing is sent to the provider here; the three authorization lists are
# only filled in by #authorize_group, #authorized_by_group and
# #authorize_port_range and applied later by #run.
#
# @param cloud [Object] the owning cloud object (kept in @cloud)
# @param group_name [#to_s] name of the security group; stored as a String
# @param group_description [String, nil] description used when the group is
#   created; defaults to a generated "cluster_chef generated group ..." text
# @param group_owner_id [String, nil] AWS account id that owns the group;
#   defaults to Chef::Config[:knife][:aws_account_id]
def initialize(cloud, group_name, group_description = nil, group_owner_id = nil)
  super()
  @cloud                = cloud
  @group_authorizations = []
  @group_authorized_by  = []
  @range_authorizations = []
  set :name, group_name.to_s
  description(group_description || "cluster_chef generated group #{group_name}")
  # Falls back to the knife-configured account id when no owner is given.
  owner_id(group_owner_id || Chef::Config[:knife][:aws_account_id])
end

Instance Attribute Details

#group_authorizationsObject (readonly)

Returns the value of attribute group_authorizations.



# File 'lib/cluster_chef/security_group.rb', line 6

# Groups allowed to reach this group, as declared by #authorize_group.
#
# @return [Array<Array(String, String|nil)>] [group_name, owner_id] pairs;
#   the live array is returned, so callers can mutate the declaration
def group_authorizations
  instance_variable_get(:@group_authorizations)
end

#range_authorizationsObject (readonly)

Returns the value of attribute range_authorizations.



# File 'lib/cluster_chef/security_group.rb', line 7

# Port ranges opened on this group, as declared by #authorize_port_range.
#
# @return [Array<Array(Range, String, String)>] [range, cidr_ip, ip_protocol]
#   triples; the live array is returned, so callers can mutate the declaration
def range_authorizations
  instance_variable_get(:@range_authorizations)
end

Class Method Details

.allObject



# File 'lib/cluster_chef/security_group.rb', line 24

# All security groups known to the provider, keyed by name.
#
# The list is fetched once per process (see .get_all) and then served from
# @@all; groups created by another process after that point are not visible
# here, which is why .get_or_create also tries a direct lookup.
#
# @return [Mash] group name => fog security group
def self.all
  @@all || get_all
end

.get_allObject



# File 'lib/cluster_chef/security_group.rb', line 28

# Fetches every security group from the provider and (re)builds the @@all
# cache from it.
#
# @return [Mash] group name => fog security group
def self.get_all
  fog_groups = ClusterChef.fog_connection.security_groups.all
  @@all = fog_groups.each_with_object(Mash.new) do |fog_group, by_name|
    by_name[fog_group.name] = fog_group
  end
end

.get_or_create(group_name, description) ⇒ Object



# File 'lib/cluster_chef/security_group.rb', line 39

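# Looks up the named security group, creating it when absent.
#
# The cached list (.all) is consulted first; a miss falls through to a direct
# provider lookup so groups created outside this process are still found.
# A newly created group is only added to the cache after #save has returned:
# caching it before the save meant a failed save left an unsaved group object
# in @@all, and every later call in the process handed that object back
# instead of retrying the creation.
#
# @param group_name [String] name of the security group
# @param description [String] description used only when the group is created
# @return [Object] the fog security group object
def self.get_or_create(group_name, description)
  # FIXME: the '|| ClusterChef.fog' part is probably unnecessary
  fog_group = all[group_name] || ClusterChef.fog_connection.security_groups.get(group_name)
  unless fog_group
    self.step(group_name, "creating (#{description})", :green)
    fog_group = ClusterChef.fog_connection.security_groups.new(
      :name => group_name, :description => description, :connection => ClusterChef.fog_connection)
    fog_group.save
    # Cache only once the provider has accepted the group.
    all[group_name] = fog_group
  end
  fog_group
end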

.step(group_name, desc, *style) ⇒ Object



# File 'lib/cluster_chef/security_group.rb', line 110

# Prints one progress line for a security group, e.g.
# "  group web:           <desc>" with desc rendered in the given color.
#
# @param group_name [String] the group the message is about
# @param desc [#to_s] what is being done
# @param style [Array<Symbol>] color/style arguments passed to ui.color
# @return whatever ui.info returns
def self.step(group_name, desc, *style)
  label = format("%-15s", group_name + ":")
  ui.info("  group #{label}\t#{ui.color(desc.to_s, *style)}")
end

Instance Method Details

#allObject



# File 'lib/cluster_chef/security_group.rb', line 21

# Instance-side shortcut for .all (the cached name => group Mash).
#
# @return [Mash] group name => fog security group
def all
  klass = self.class
  klass.all
end

#authorize_group(group_name, owner_id = nil) ⇒ Object



# File 'lib/cluster_chef/security_group.rb', line 50

# Declares that every machine in +group_name+ may reach this group. Nothing
# is applied until #run.
#
# @param group_name [#to_s] the source group; stored as a String
# @param owner_id [String, nil] account owning the source group; nil means
#   "this group's owner_id", resolved in #run
# @return [Array] the updated @group_authorizations list
def authorize_group(group_name, owner_id = nil)
  @group_authorizations.push([group_name.to_s, owner_id])
end

#authorize_port_range(range, cidr_ip = '0.0.0.0/0', ip_protocol = 'tcp') ⇒ Object



# File 'lib/cluster_chef/security_group.rb', line 58

# Declares a port range to open on this group. Nothing is applied until #run.
#
# Note the default +cidr_ip+ of '0.0.0.0/0': a call that gives only a port
# opens it to every source address, so pass an explicit CIDR when the service
# is not meant to be reachable from anywhere.
#
# @param range [Integer, Range] a single port (widened to port..port) or a range
# @param cidr_ip [String] source CIDR block, default '0.0.0.0/0' (any source)
# @param ip_protocol [String] 'tcp' by default
# @return [Array] the updated @range_authorizations list
def authorize_port_range(range, cidr_ip = '0.0.0.0/0', ip_protocol = 'tcp')
  port_range = range.is_a?(Integer) ? (range..range) : range
  @range_authorizations.push([port_range, cidr_ip, ip_protocol])
end

#authorized_by_group(other_name) ⇒ Object



# File 'lib/cluster_chef/security_group.rb', line 54

# Declares that this group may reach every machine in +other_name+ (the
# grant is written onto the other group in #run).
#
# @param other_name [#to_s] the destination group; stored as a String
# @return [Array] the updated @group_authorized_by list
def authorized_by_group(other_name)
  @group_authorized_by.push(other_name.to_s)
end

#getObject



# File 'lib/cluster_chef/security_group.rb', line 35

# The provider-side object for this group: the cached entry when present,
# otherwise a direct lookup by name.
#
# @return [Object, nil] the fog security group, or nil if it does not exist
def get
  cached = all[name]
  return cached if cached
  ClusterChef.fog_connection.security_groups.get(name)
end

#group_permission_already_set?(fog_group, other_name, authed_owner) ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/cluster_chef/security_group.rb', line 63

# Whether +fog_group+ already grants +other_name+ (owned by +authed_owner+)
# access on the full port range 1..65535.
#
# Only that exact full-range form counts: a narrower existing grant for the
# same group is not recognised, and #run will then attempt the broad grant.
#
# @param fog_group [Object] fog security group with #ip_permissions
# @param other_name [String] source group name
# @param authed_owner [String] account id owning the source group
# @return [Boolean]
def group_permission_already_set?(fog_group, other_name, authed_owner)
  permissions = fog_group.ip_permissions
  return false if permissions.nil?
  wanted_grant = { "userId" => authed_owner, "groupName" => other_name }
  permissions.any? do |perm|
    perm["groups"].include?(wanted_grant) && perm["fromPort"] == 1 && perm["toPort"] == 65535
  end
end

#range_permission_already_set?(fog_group, range, cidr_ip, ip_protocol) ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/cluster_chef/security_group.rb', line 72

# Whether +fog_group+ already carries exactly the CIDR rule that #run would
# add for this range/protocol.
#
# The comparison is a whole-hash equality, so a permission entry that carries
# any extra key, or a rule covering a wider port range, does not match and
# the grant will be re-attempted (the provider call in #run is wrapped in a
# warn-and-continue rescue, so that shows up as a warning, not a failure).
#
# @param fog_group [Object] fog security group with #ip_permissions
# @param range [Range] port range
# @param cidr_ip [String] source CIDR block
# @param ip_protocol [String] protocol name
# @return [Boolean]
def range_permission_already_set?(fog_group, range, cidr_ip, ip_protocol)
  permissions = fog_group.ip_permissions
  return false if permissions.nil?
  expected = {
    "groups"     => [],
    "ipRanges"   => [{ "cidrIp" => cidr_ip }],
    "ipProtocol" => ip_protocol,
    "fromPort"   => range.first,
    "toPort"     => range.last
  }
  permissions.include?(expected)
end

#runObject

FIXME: so if you’re saying to yourself, “self, this is some soupy gooey code right here” then you and your self are correct. Much of this is to work around old limitations in the EC2 api. You can now treat range and group permissions the same, and we should.



# File 'lib/cluster_chef/security_group.rb', line 84

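# Applies the declared authorizations to the provider.
#
# Ensures this group exists, then in order: grants each #authorize_group
# source access to this group, writes this group onto each #authorized_by_group
# destination, and opens each #authorize_port_range rule. Each provider call
# is best-effort: a StandardError is reported via ui.warn and processing
# continues with the next declaration, so a failed grant does not abort the
# run and is visible only in the output.
#
# FIXME (from the original): much of this works around old limitations of
# the EC2 api; range and group permissions could now be treated uniformly.
#
# @return [Array] the result of the last applied declaration list
def run
  fog_group = self.class.get_or_create(name, description)
  apply_group_authorizations(fog_group)
  apply_authorized_by_groups
  apply_range_authorizations(fog_group)
end

# Grants ingress to +fog_group+ from every group named via #authorize_group.
def apply_group_authorizations(fog_group)
  @group_authorizations.uniq.each do |other_name, authed_owner|
    # A nil owner means "same account as this group".
    authed_owner ||= self.owner_id
    next if group_permission_already_set?(fog_group, other_name, authed_owner)
    step("authorizing access from all machines in #{other_name} to #{name}", :blue)
    # The source group must exist before it can be referenced in a rule.
    self.class.get_or_create(other_name, "Authorized to access #{name}")
    warn_on_failure { fog_group.authorize_group_and_owner(other_name, authed_owner) }
  end
end

# Writes this group as an allowed source onto every #authorized_by_group destination.
def apply_authorized_by_groups
  @group_authorized_by.uniq.each do |other_name|
    authed_owner = self.owner_id
    other_group = self.class.get_or_create(other_name, "Authorized for access by #{self.name}")
    next if group_permission_already_set?(other_group, self.name, authed_owner)
    step("authorizing access to all machines in #{other_name} from #{name}", :blue)
    warn_on_failure { other_group.authorize_group_and_owner(self.name, authed_owner) }
  end
end

# Opens every #authorize_port_range rule on +fog_group+ that is not already present.
def apply_range_authorizations(fog_group)
  @range_authorizations.uniq.each do |range, cidr_ip, ip_protocol|
    next if range_permission_already_set?(fog_group, range, cidr_ip, ip_protocol)
    step("opening #{ip_protocol} ports #{range} to #{cidr_ip}", :blue)
    warn_on_failure { fog_group.authorize_port_range(range, { :cidr_ip => cidr_ip, :ip_protocol => ip_protocol }) }
  end
end

# Runs the block; a StandardError is reported with ui.warn instead of raised.
def warn_on_failure
  yield
rescue StandardError => e
  ui.warn e
end

private :apply_group_authorizations, :apply_authorized_by_groups, :apply_range_authorizations, :warn_on_failure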

#step(desc, *style) ⇒ Object



# File 'lib/cluster_chef/security_group.rb', line 113

# Prints a progress line for this group (delegates to .step with this
# group's name).
#
# @param desc [#to_s] what is being done
# @param style [Array<Symbol>] color/style arguments passed to ui.color
# @return whatever .step returns
def step(desc, *style)
  klass = self.class
  klass.step(self.name, desc, *style)
end