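/**
 * Creates a security group named {@code GROUP_NAME} and authorizes inbound SSH (TCP/22) from
 * any IPv4 address, which is what the success message printed at the end promises.
 *
 * <p>The ingress rule is limited to port 22: an all-ports (0-65535) rule from 0.0.0.0/0 would
 * expose every listener on the cluster hosts, not just ssh.
 *
 * @param GROUP_NAME name of the security group to create
 */
private void createSecurityGroupByClusterName(String GROUP_NAME) {
    System.out.println("Creating security group for cluster " + name);

    CreateSecurityGroupRequest createRequest = new CreateSecurityGroupRequest()
            .withGroupName(GROUP_NAME)
            .withDescription("AWS Cluster toolkit security group");
    // The result only carries the new group id, which this method never needs.
    ec2.createSecurityGroup(createRequest);

    // Source is any IPv4 address; the port range is restricted to SSH.
    IpRange anyIpv4 = new IpRange().withCidrIp("0.0.0.0/0");
    IpPermission sshIngress = new IpPermission()
            .withIpv4Ranges(anyIpv4)
            .withIpProtocol("tcp")
            .withFromPort(22)
            .withToPort(22);

    AuthorizeSecurityGroupIngressRequest authorizeRequest = new AuthorizeSecurityGroupIngressRequest()
            .withGroupName(GROUP_NAME)
            .withIpPermissions(sshIngress);
    ec2.authorizeSecurityGroupIngress(authorizeRequest);

    System.out.println("Created new security group " + GROUP_NAME + " with /usr/bin/ssh enabled.");
}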
/**
 * Selects the CIDR to report for a rule from the permission's IPv4 and IPv6 ranges.
 *
 * <p>ICMPv6 rules use the first IPv6 range; ICMPv4 rules use the first IPv4 range and fall back
 * to the first IPv6 range; every other protocol uses the first IPv4 range. {@code ANY} is
 * returned when no range of the consulted family exists.
 *
 * @param rule the rule whose protocol decides which address family is consulted
 * @param ipPermission the EC2 permission holding the ranges
 * @return the selected CIDR string, or {@code ANY}
 */
public static String calculateIpRangeCidr(Rule rule, IpPermission ipPermission) {
    List<IpRange> v4 = ipPermission.getIpv4Ranges();
    List<Ipv6Range> v6 = ipPermission.getIpv6Ranges();
    String protocol = rule.protocol;

    if (protocol.equals(Protocol.ICMPv6.getName())) {
        return v6.isEmpty() ? ANY : v6.get(0).getCidrIpv6();
    }
    if (protocol.equals(Protocol.ICMPv4.getName())) {
        // An IPv4 ICMP rule may carry only an IPv6 range, so consult both families.
        if (!v4.isEmpty()) {
            return v4.get(0).getCidrIp();
        }
        return v6.isEmpty() ? ANY : v6.get(0).getCidrIpv6();
    }
    return v4.isEmpty() ? ANY : v4.get(0).getCidrIp();
}
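/**
 * Verifies that adding an SSH ingress rule to a freshly created default security group leaves
 * the group with the expected default rules.
 *
 * <p>The group is deleted in a {@code finally} block so a failed assertion or a failing client
 * call does not leave a stray security group behind in the account.
 *
 * @throws Throwable propagated from the client or the validation helper
 */
@Test
public void testAllocateSecurityGroupUpdate() throws Throwable {
    String groupId = this.client.createDefaultSecurityGroup(null);
    try {
        IpRange ipRange = new IpRange().withCidrIp(DEFAULT_ALLOWED_NETWORK);
        List<IpPermission> rules = new ArrayList<>();
        rules.add(new IpPermission()
                .withIpProtocol(DEFAULT_PROTOCOL)
                .withFromPort(22)
                .withToPort(22)
                .withIpv4Ranges(ipRange));
        this.client.addIngressRules(groupId, rules);

        SecurityGroup updatedGroup = this.client.getDefaultSecurityGroup(null);
        validateDefaultRules(updatedGroup.getIpPermissions());
    } finally {
        // Always clean up, even when validation above throws.
        this.client.deleteSecurityGroup(groupId);
    }
}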
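/**
 * Gets the IP ranges defined in the given security group rule.
 *
 * <p>Both address families are reported: every IPv4 CIDR first, then every IPv6 CIDR. A rule
 * that carries ranges of both kinds therefore yields all of them instead of only the IPv4 ones,
 * so no source range is overlooked when the rule is inspected.
 *
 * @param permission the given security group rule
 * @return a list of CIDR strings that the security group rule applies to; empty when the rule
 *     has no IP ranges (for example a rule whose only source is another security group)
 */
private List<String> getIpRangesFromSgPermission(IpPermission permission) {
    List<String> cidrs = Lists.newArrayList();

    List<IpRange> ipRanges = permission.getIpv4Ranges();
    if (ipRanges != null) {
        for (IpRange ipRange : ipRanges) {
            cidrs.add(ipRange.getCidrIp());
        }
    }

    List<Ipv6Range> ipv6Ranges = permission.getIpv6Ranges();
    if (ipv6Ranges != null) {
        for (Ipv6Range ipv6Range : ipv6Ranges) {
            cidrs.add(ipv6Range.getCidrIpv6());
        }
    }
    return cidrs;
}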
/** The predicate accepts an all-TCP-ports rule from 0.0.0.0/0, whether the protocol is "tcp" or "6". */
@Test
public void testAllTcpFromEverywhereIPv4() throws Exception {
    IpRange anywhere = new IpRange().withCidrIp("0.0.0.0/0");

    IpPermission byName = new IpPermission()
            .withIpProtocol("tcp")
            .withFromPort(0)
            .withToPort(65535)
            .withIpv4Ranges(anywhere);
    assertThat(pred).accepts(byName);

    IpPermission byNumber = new IpPermission()
            .withIpProtocol("6")
            .withFromPort(0)
            .withToPort(65535)
            .withIpv4Ranges(anywhere);
    assertThat(pred).accepts(byNumber);
}
/** The predicate accepts an all-UDP-ports rule from 0.0.0.0/0, whether the protocol is "udp" or "17". */
@Test
public void testAllUDPFromEverywhereIPv4() throws Exception {
    IpRange anywhere = new IpRange().withCidrIp("0.0.0.0/0");

    IpPermission byName = new IpPermission()
            .withFromPort(0)
            .withToPort(65535)
            .withIpProtocol("udp")
            .withIpv4Ranges(anywhere);
    assertThat(pred).accepts(byName);

    IpPermission byNumber = new IpPermission()
            .withFromPort(0)
            .withToPort(65535)
            .withIpProtocol("17")
            .withIpv4Ranges(anywhere);
    assertThat(pred).accepts(byNumber);
}
/** The predicate rejects an ICMPv6 rule from 0.0.0.0/0, whether the protocol is "icmpv6" or "58". */
@Test
public void testAllICMPIPv6FromEverywhereIPv4() throws Exception {
    IpRange anywhere = new IpRange().withCidrIp("0.0.0.0/0");

    IpPermission byName = new IpPermission()
            .withFromPort(-1)
            .withToPort(-1)
            .withIpProtocol("icmpv6")
            .withIpv4Ranges(anywhere);
    assertThat(pred).rejects(byName);

    IpPermission byNumber = new IpPermission()
            .withFromPort(-1)
            .withToPort(-1)
            .withIpProtocol("58")
            .withIpv4Ranges(anywhere);
    assertThat(pred).rejects(byNumber);
}
/** The predicate rejects an ICMP rule from 0.0.0.0/0, whether the protocol is "icmp" or "1". */
@Test
public void testAllICMPIPv4FromEverywhereIPv4() throws Exception {
    IpRange anywhere = new IpRange().withCidrIp("0.0.0.0/0");

    IpPermission byName = new IpPermission()
            .withFromPort(-1)
            .withToPort(-1)
            .withIpProtocol("icmp")
            .withIpv4Ranges(anywhere);
    assertThat(pred).rejects(byName);

    IpPermission byNumber = new IpPermission()
            .withFromPort(-1)
            .withToPort(-1)
            .withIpProtocol("1")
            .withIpv4Ranges(anywhere);
    assertThat(pred).rejects(byNumber);
}
/**
 * Wires a {@code SecurityGroupsCheckerImpl} to a mocked EC2 client that returns a single
 * security group with one all-TCP-ports rule sourced from 0.0.0.0/0, ::/0 and another group.
 *
 * @throws Exception never thrown here; declared for the test framework's benefit
 */
@SuppressWarnings("unchecked")
@Before
public void setUp() throws Exception {
    final ClientProvider clientProvider = mock(ClientProvider.class);
    final AmazonEC2Client ec2 = mock(AmazonEC2Client.class);
    // Raw Predicate mock cast to the generic type; the cast is why unchecked is suppressed.
    mockPredicate = (Predicate<IpPermission>) mock(Predicate.class);
    when(clientProvider.getClient(any(), any(), any())).thenReturn(ec2);
    securityGroupsChecker = new SecurityGroupsCheckerImpl(clientProvider, mockPredicate);

    final UserIdGroupPair peerGroup = new UserIdGroupPair()
            .withUserId("111222333444")
            .withGroupId("sg-11223344");
    final IpPermission allTcpFromAnywhere = new IpPermission()
            .withIpProtocol("tcp")
            .withIpv4Ranges(new IpRange().withCidrIp("0.0.0.0/0"))
            .withFromPort(0)
            .withToPort(65535)
            .withIpv6Ranges(new Ipv6Range().withCidrIpv6("::/0"))
            .withUserIdGroupPairs(peerGroup);
    final SecurityGroup group = new SecurityGroup()
            .withGroupId("sg-12345678")
            .withGroupName("my-sec-group")
            .withIpPermissions(allTcpFromAnywhere);
    final DescribeSecurityGroupsResult describeResult = new DescribeSecurityGroupsResult()
            .withSecurityGroups(group);
    when(ec2.describeSecurityGroups(any())).thenReturn(describeResult);
}
/**
 * Creates a security group named {@code <env>:<resourceId>} (placed in the bake subnet's VPC when
 * one is set), opens inbound SSH (TCP/22) from any IPv4 address, and tags it with the standard
 * name/env/resource tags.
 *
 * @param env environment whose name prefixes the group name
 * @return the id of the new security group
 * @throws Exception propagated from the EC2 client
 */
private String createSG(Environment env) throws Exception {
    String groupName = env.name + ":" + resourceId;
    CreateSecurityGroupRequest createRequest = new CreateSecurityGroupRequest(groupName, groupName);
    if (bakeSubnet != null) {
        createRequest.setVpcId(bakeSubnet.getVpcId());
    }
    String groupId = AWS.ec2.createSecurityGroup(createRequest).getGroupId();

    // Inbound SSH only; the source is any IPv4 address (0.0.0.0/0).
    IpPermission sshFromAnywhere = new IpPermission()
            .withIpProtocol("tcp")
            .withFromPort(22)
            .withToPort(22)
            .withIpv4Ranges(new IpRange().withCidrIp("0.0.0.0/0"));
    AWS.ec2.createSGIngressRules(groupId, Lists.newArrayList(sshFromAnywhere));

    AWS.ec2.createTags(new CreateTagsRequest()
            .withResources(groupId)
            .withTags(tagHelper.name(resourceId), tagHelper.env(), tagHelper.resourceId(resourceId)));
    return groupId;
}
/**
 * Builds an IPv4 ingress permission for the given port range, source CIDR and protocol.
 *
 * @param fromPort first port of the range
 * @param toPort last port of the range
 * @param subnet source CIDR the rule applies to
 * @param protocol protocol name; {@code ALL_TRAFFIC} is translated to {@code ALL_PROTOCOLS}
 * @return the populated permission
 */
private IpPermission createRule(int fromPort, int toPort, String subnet, String protocol) {
    // Map the "all traffic" marker onto the wildcard protocol EC2 expects.
    String ipProtocol = protocol.equals(ALL_TRAFFIC) ? ALL_PROTOCOLS : protocol;
    IpRange source = new IpRange().withCidrIp(subnet);

    IpPermission rule = new IpPermission();
    rule.setIpProtocol(ipProtocol);
    rule.setFromPort(fromPort);
    rule.setToPort(toPort);
    return rule.withIpv4Ranges(source);
}
/**
 * Tells whether any source range of the rule lies outside the private address space.
 *
 * <p>An IPv4 range is external when no entry of {@code PRIVATE_IPV4_RANGES} contains it; an
 * IPv6 range is external when {@code PRIVATE_IPV6_RANGE} does not contain it. Both families are
 * evaluated before the result is combined.
 *
 * @param rule the ingress permission to inspect
 * @return {@code true} if at least one IPv4 or IPv6 source range is not private
 */
private static boolean hasExternalSource(final IpPermission rule) {
    final boolean ipv4Outside = rule.getIpv4Ranges().stream()
            .map(ipRange -> Ipv4Range.parseCidr(ipRange.getCidrIp()))
            .anyMatch(range -> PRIVATE_IPV4_RANGES.stream().noneMatch(priv -> priv.contains(range)));
    final boolean ipv6Outside = rule.getIpv6Ranges().stream()
            .map(ipv6Range -> Ipv6Range.parseCidr(ipv6Range.getCidrIpv6()))
            .anyMatch(range -> !PRIVATE_IPV6_RANGE.contains(range));
    return ipv4Outside || ipv6Outside;
}
/** An all-traffic rule whose every source is a private IPv4 or IPv6 range is rejected. */
@Test
public void testAllTrafficFromPrivateNetworks() throws Exception {
    IpRange rfc1918ClassA = new IpRange().withCidrIp("10.0.0.0/8");
    IpRange defaultVpc = new IpRange().withCidrIp("172.31.0.0/16");
    IpRange rfc1918ClassB = new IpRange().withCidrIp("172.16.0.0/12");
    IpRange rfc1918ClassC = new IpRange().withCidrIp("192.168.0.0/16");
    Ipv6Range uniqueLocal = new Ipv6Range().withCidrIpv6("fc00::/7");

    IpPermission privateOnly = new IpPermission()
            .withIpProtocol("-1")
            .withIpv4Ranges(rfc1918ClassA, defaultVpc, rfc1918ClassB, rfc1918ClassC)
            .withIpv6Ranges(uniqueLocal);
    assertThat(pred).rejects(privateOnly);
}
/** A range that extends beyond the private block (192.168.0.0/15) counts as external and is accepted. */
@Test
public void testAllTrafficFromPartiallyPrivateNetwork() throws Exception {
    IpRange spillsOutOfPrivate = new IpRange().withCidrIp("192.168.0.0/15");
    IpPermission rule = new IpPermission()
            .withIpProtocol("-1")
            .withIpv4Ranges(spillsOutOfPrivate);
    assertThat(pred).accepts(rule);
}
/** An all-traffic rule from 0.0.0.0/0 is accepted with protocol "-1" and with no protocol at all. */
@Test
public void testAllTrafficFromEverywhereIPv4() throws Exception {
    IpRange anywhere = new IpRange().withCidrIp("0.0.0.0/0");

    IpPermission wildcardProtocol = new IpPermission()
            .withIpv4Ranges(anywhere)
            .withIpProtocol("-1");
    assertThat(pred).accepts(wildcardProtocol);

    IpPermission missingProtocol = new IpPermission()
            .withIpv4Ranges(anywhere)
            .withIpProtocol(null);
    assertThat(pred).accepts(missingProtocol);
}
/** TCP/9100 from 0.0.0.0/0 is not on the allowed-port list, so the predicate accepts it. */
@Test
public void testUnallowedPortFromEverywhereIPv4() throws Exception {
    IpPermission rule = new IpPermission()
            .withIpProtocol("tcp")
            .withIpv4Ranges(new IpRange().withCidrIp("0.0.0.0/0"))
            .withFromPort(9100)
            .withToPort(9100);
    assertThat(pred).accepts(rule);
}
/** TCP/443 from 0.0.0.0/0 is an allowed port, so the predicate rejects it. */
@Test
public void testAllowedPortFromEverywhereIPv4() throws Exception {
    IpPermission rule = new IpPermission()
            .withIpProtocol("tcp")
            .withIpv4Ranges(new IpRange().withCidrIp("0.0.0.0/0"))
            .withFromPort(443)
            .withToPort(443);
    assertThat(pred).rejects(rule);
}
/**
 * Adds one ingress rule to the security group model, sourced either from another security group
 * (when {@code inputSource.sgId} is set) or from a CIDR (when {@code inputSource.cidr} is set).
 *
 * <p>A source with neither field set is added with both {@code securityGroup} and
 * {@code ipRange} left unset.
 *
 * @param securityGroup the group receiving the rule
 * @param protocol protocol/port key of the rule
 * @param inputSource user-supplied source description
 * @param resources registry used to resolve a referenced security group by id
 */
private void addIngressRule(SecurityGroup securityGroup, Protocol protocol, Source inputSource, Resources resources) {
    SecurityGroup.Source source = new SecurityGroup.Source();
    boolean referencesGroup = inputSource.sgId != null;
    boolean referencesCidr = inputSource.cidr != null;
    if (referencesGroup) {
        // A group reference wins over a CIDR when both are present.
        source.securityGroup = resources.get(SecurityGroup.class, inputSource.sgId);
    } else if (referencesCidr) {
        source.ipRange = new IpRange().withCidrIp(inputSource.cidr);
    }
    securityGroup.addIngressRule(protocol, source);
}
/**
 * Computes the remote ingress rules (or the parts of them) that are absent from the local model
 * and therefore should be revoked.
 *
 * <p>An "all traffic" ({@code -1}) rule is always returned whole, as is any rule whose
 * protocol/port key has no local counterpart. Otherwise only the IPv4 ranges and user/group
 * pairs that are missing locally are returned, under a copy of the rule's protocol and ports.
 * IPv6 ranges of a remote rule are not compared.
 *
 * @return permissions describing what to revoke; empty when local and remote agree
 */
List<IpPermission> findDeletedIngressRules() {
    List<IpPermission> toRevoke = new ArrayList<>();
    for (IpPermission remote : remoteIngressRules) {
        // "all traffic" rules are never kept, regardless of local state
        if ("-1".equals(remote.getIpProtocol())) {
            toRevoke.add(remote);
            continue;
        }
        Protocol key = new Protocol(remote.getIpProtocol(), remote.getFromPort(), remote.getToPort());
        List<SecurityGroup.Source> localSources = localIngressRules.get(key);
        if (localSources == null) {
            toRevoke.add(remote);
            continue;
        }

        List<IpRange> staleRanges = new ArrayList<>();
        for (IpRange ipRange : remote.getIpv4Ranges()) {
            if (!containsIpRange(localSources, ipRange)) {
                staleRanges.add(ipRange);
            }
        }
        List<UserIdGroupPair> stalePairs = new ArrayList<>();
        for (UserIdGroupPair pair : remote.getUserIdGroupPairs()) {
            if (!containsSourceUserGroup(localSources, pair)) {
                // Copy only the identifying fields so the revoke request stays minimal.
                stalePairs.add(new UserIdGroupPair()
                        .withUserId(pair.getUserId())
                        .withGroupId(pair.getGroupId()));
            }
        }
        if (staleRanges.isEmpty() && stalePairs.isEmpty()) {
            continue;
        }
        toRevoke.add(new IpPermission()
                .withIpProtocol(remote.getIpProtocol())
                .withFromPort(remote.getFromPort())
                .withToPort(remote.getToPort())
                .withIpv4Ranges(staleRanges)
                .withUserIdGroupPairs(stalePairs));
    }
    return toRevoke;
}
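/**
 * Builds a display label for a permission: the protocol in brackets, preceded by the IPv4
 * ranges in parentheses when the rule has any. Protocol {@code "-1"} is shown as {@code all}.
 *
 * @param perms the permission to label
 * @return {@code "[proto]"} when there are no IPv4 ranges, else {@code "(ranges)\n[proto]"}
 */
private String createLabel(IpPermission perms) {
    List<IpRange> ipRanges = perms.getIpv4Ranges();
    String ipProtocol = perms.getIpProtocol();
    // Constant-first comparison: a permission may carry no protocol at all (null).
    if ("-1".equals(ipProtocol)) {
        ipProtocol = "all";
    }
    if (ipRanges.isEmpty()) {
        return String.format("[%s]", ipProtocol);
    }
    return String.format("(%s)\n[%s]", ipRangesIntoTextList(ipRanges), ipProtocol);
}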
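/**
 * Renders IPv4 ranges as a comma-and-newline separated list, showing {@code 0.0.0.0/0} as
 * {@code all}.
 *
 * @param ipRanges ranges to render, in order
 * @return the joined text; empty for an empty list
 */
private String ipRangesIntoTextList(List<IpRange> ipRanges) {
    StringBuilder text = new StringBuilder();
    for (IpRange range : ipRanges) {
        if (text.length() != 0) {
            text.append(",\n");
        }
        String cidr = range.getCidrIp();
        // Constant-first comparison so a range without a CIDR does not throw.
        text.append("0.0.0.0/0".equals(cidr) ? "all" : cidr);
    }
    return text.toString();
}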
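/**
 * Example entry point: creates a security group in the given VPC and authorizes inbound HTTP
 * (TCP/80) and SSH (TCP/22) from any IPv4 address.
 *
 * <p>Exits with status 1 when the three required arguments are not supplied.
 *
 * @param args group name, group description and VPC id, in that order
 */
public static void main(String[] args) {
    final String USAGE =
            "To run this example, supply a group name, group description and vpc id\n"
                    + "Ex: CreateSecurityGroup <group-name> <group-description> <vpc-id>\n";

    if (args.length != 3) {
        System.out.println(USAGE);
        System.exit(1);
    }

    String groupName = args[0];
    String groupDesc = args[1];
    String vpcId = args[2];

    final AmazonEC2 ec2 = AmazonEC2ClientBuilder.defaultClient();

    CreateSecurityGroupRequest createRequest = new CreateSecurityGroupRequest()
            .withGroupName(groupName)
            .withDescription(groupDesc)
            .withVpcId(vpcId);
    // The result (group id) is not needed: ingress below is authorized by group name.
    ec2.createSecurityGroup(createRequest);

    System.out.printf("Successfully created security group named %s", groupName);

    // Source for both rules: any IPv4 address.
    IpRange anyIpv4 = new IpRange().withCidrIp("0.0.0.0/0");

    IpPermission httpIngress = new IpPermission()
            .withIpProtocol("tcp")
            .withToPort(80)
            .withFromPort(80)
            .withIpv4Ranges(anyIpv4);

    IpPermission sshIngress = new IpPermission()
            .withIpProtocol("tcp")
            .withToPort(22)
            .withFromPort(22)
            .withIpv4Ranges(anyIpv4);

    AuthorizeSecurityGroupIngressRequest authRequest = new AuthorizeSecurityGroupIngressRequest()
            .withGroupName(groupName)
            .withIpPermissions(httpIngress, sshIngress);
    ec2.authorizeSecurityGroupIngress(authRequest);

    System.out.printf("Successfully added ingress policy to security group %s", groupName);
}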
/**
 * Tells whether one of the local sources is an IP-range source equal to {@code ipRange}.
 *
 * @param sources local rule sources to search
 * @param ipRange the remote IPv4 range to look for
 * @return {@code true} if a source with an equal {@code ipRange} exists
 */
private boolean containsIpRange(Collection<SecurityGroup.Source> sources, final IpRange ipRange) {
    for (SecurityGroup.Source candidate : sources) {
        // Sources backed by another security group have no ipRange and never match.
        if (candidate.ipRange != null && candidate.ipRange.equals(ipRange)) {
            return true;
        }
    }
    return false;
}