@Override protected String getPropertyValue(Instance instance) { List<String> result = Lists.newArrayList(); for (GroupIdentifier group : instance.getSecurityGroups()) { result.add(String.format("%s(%s)", group.getGroupName(), group.getGroupId())); } return Joiner.on(", ").join(result); }
/** * Adds the security groups to an EC2 instance. * * @param ec2InstanceId the ec2 instance id. * @param securityGroups security groups to be added. * @param awsParams awsParamsDto object * * @return updated security groups. */ @Override public List<String> addSecurityGroupsToEc2Instance(String ec2InstanceId, List<String> securityGroups, AwsParamsDto awsParams) { Set<String> updatedSecurityGroups = new HashSet<>(); for (String securityGroup : securityGroups) { updatedSecurityGroups.add(securityGroup); } // Get existing security groups DescribeInstanceAttributeRequest describeInstanceAttributeRequest = new DescribeInstanceAttributeRequest().withInstanceId(ec2InstanceId).withAttribute(InstanceAttributeName.GroupSet); DescribeInstanceAttributeResult describeInstanceAttributeResult = ec2Operations.describeInstanceAttribute(getEc2Client(awsParams), describeInstanceAttributeRequest); List<GroupIdentifier> groups = describeInstanceAttributeResult.getInstanceAttribute().getGroups(); for (GroupIdentifier groupIdentifier : groups) { updatedSecurityGroups.add(groupIdentifier.getGroupId()); } // Add security group on master EC2 instance ModifyInstanceAttributeRequest modifyInstanceAttributeRequest = new ModifyInstanceAttributeRequest().withInstanceId(ec2InstanceId).withGroups(updatedSecurityGroups); ec2Operations.modifyInstanceAttribute(getEc2Client(awsParams), modifyInstanceAttributeRequest); return new ArrayList<>(updatedSecurityGroups); }
@Override public DescribeInstanceAttributeResult describeInstanceAttribute(AmazonEC2Client ec2Client, DescribeInstanceAttributeRequest describeInstanceAttributeRequest) { InstanceAttribute instanceAttribute = new InstanceAttribute(); instanceAttribute.withGroups(new GroupIdentifier().withGroupId("A_TEST_SECURITY_GROUP")); return new DescribeInstanceAttributeResult().withInstanceAttribute(instanceAttribute); }
private void visitSubnetForInstancesAndSecGroups(VPCDiagramBuilder vpcDiagramBuilder, Subnet subnet) throws CfnAssistException { String subnetId = subnet.getSubnetId(); logger.debug("visit subnet (for sec groups) " + subnetId); for(Instance instance : facade.getInstancesFor(subnetId)) { for(GroupIdentifier groupId : instance.getSecurityGroups()) { logger.debug("visit securitygroup " + groupId.getGroupId() + " for instance " + instance.getInstanceId()); SecurityGroup group = facade.getSecurityGroupDetailsById(groupId.getGroupId()); vpcDiagramBuilder.addSecurityGroup(group, subnetId); vpcDiagramBuilder.associateInstanceWithSecGroup(instance.getInstanceId(), group); visitInboundSecGroupPerms(vpcDiagramBuilder, group, subnetId); visitOutboundSecGroupPerms(vpcDiagramBuilder, group, subnetId); } } }
private NetworkInterfaceState createNICStateAndDescription( AWSComputeStateCreationContext context, InstanceNetworkInterface awsNic, String existingEndpointLink, Set<String> endpointLinks) { final NetworkInterfaceState nicState; { nicState = new NetworkInterfaceState(); nicState.id = awsNic.getNetworkInterfaceId(); nicState.name = nicState.id; nicState.address = awsNic.getPrivateIpAddress(); if (context.request.enumeratedNetworks != null && context.request.enumeratedNetworks.subnets != null) { nicState.subnetLink = context.request.enumeratedNetworks.subnets .get(awsNic.getSubnetId()); } nicState.tenantLinks = context.request.tenantLinks; // retain the existing link, if it is not null nicState.endpointLink = existingEndpointLink; if (nicState.endpointLink == null ) { nicState.endpointLink = context.request.endpointLink; } if (nicState.endpointLinks == null) { nicState.endpointLinks = new HashSet<String>(); } nicState.endpointLinks.addAll(endpointLinks); nicState.regionId = context.request.regionId; nicState.computeHostLink = context.request.parentComputeLink; Set<String> internalTagLinks = context.internalTagLinksMap .get(ec2_net_interface.toString()); // append internal tagLinks to any existing ones if (internalTagLinks != null && !internalTagLinks.isEmpty()) { if (nicState.tagLinks != null && !nicState.tagLinks.isEmpty()) { nicState.tagLinks.addAll(internalTagLinks); } else { nicState.tagLinks = new HashSet<>(); nicState.tagLinks.addAll(internalTagLinks); } } if (context.request.enumeratedSecurityGroups != null) { for (GroupIdentifier awsSG : awsNic.getGroups()) { // we should have updated the list of SG Ids before this step and // should have ensured that all the SGs exist locally String securityGroupLink = context.request.enumeratedSecurityGroups.securityGroupStates .get(awsSG.getGroupId()); if (securityGroupLink == null || securityGroupLink.isEmpty()) { continue; } if (nicState.securityGroupLinks == null) { nicState.securityGroupLinks = new ArrayList<>(); } nicState.securityGroupLinks.add(securityGroupLink); } } nicState.deviceIndex = awsNic.getAttachment().getDeviceIndex(); // Link is set, because it's referenced by CS before post nicState.documentSelfLink = UUID.randomUUID().toString(); Operation postNetworkInterfaceState = createPostOperation(this, nicState, NetworkInterfaceService.FACTORY_LINK); context.enumerationOperations .add(postNetworkInterfaceState); } return nicState; }
/** * For each NetworkInterfaceState, obtain the corresponding AWS NIC, and generate POST operation * to update its private address */ private NetworkInterfaceState updateNICState(AWSComputeStateCreationContext context, Instance instance, NetworkInterfaceState existingNicState) { InstanceNetworkInterface awsNic = instance .getNetworkInterfaces() .stream() .filter(currentAwsNic -> currentAwsNic.getAttachment() .getDeviceIndex() == existingNicState.deviceIndex) .findFirst().orElse(null); // create a new NetworkInterfaceState for updating the address NetworkInterfaceState updateNicState = new NetworkInterfaceState(); if (StringUtils.isEmpty(updateNicState.endpointLink)) { updateNicState.endpointLink = context.request.endpointLink; } // Use the endpointLinks from the existing state if present else initialize the collection and add the // endpoint link. if (existingNicState.endpointLinks == null) { updateNicState.endpointLinks = new HashSet<>(); } else { updateNicState.endpointLinks = existingNicState.endpointLinks; } updateNicState.endpointLinks.add(context.request.endpointLink); updateNicState.address = awsNic.getPrivateIpAddress(); if (context.request.enumeratedSecurityGroups != null) { for (GroupIdentifier awsSG : awsNic.getGroups()) { // we should have updated the list of SG Ids before this step and should have // ensured that all the SGs exist locally String securityGroupLink = context.request.enumeratedSecurityGroups.securityGroupStates .get(awsSG.getGroupId()); if (securityGroupLink == null || securityGroupLink.isEmpty()) { continue; } if (updateNicState.securityGroupLinks == null) { updateNicState.securityGroupLinks = new ArrayList<>(); } updateNicState.securityGroupLinks.add(securityGroupLink); } } // create update operation and add it for batch execution on the next stage Operation updateNicOperation = createPatchOperation(this, updateNicState, existingNicState.documentSelfLink); context.enumerationOperations.add(updateNicOperation); // If existing network state does not have an internal tag then create dedicated // patch to update the internal tag link. String networkInterfaceInternalTagLink = context.internalTagLinksMap .get(ec2_net_interface.toString()).iterator().next(); if (existingNicState.tagLinks == null || (existingNicState.tagLinks != null && !existingNicState.tagLinks.contains(networkInterfaceInternalTagLink))) { Map<String, Collection<Object>> collectionsToAddMap = Collections.singletonMap( NetworkInterfaceState.FIELD_NAME_TAG_LINKS, Collections.singletonList(networkInterfaceInternalTagLink)); Map<String, Collection<Object>> collectionsToRemoveMap = Collections .singletonMap(NetworkInterfaceState.FIELD_NAME_TAG_LINKS, Collections.emptyList()); ServiceStateCollectionUpdateRequest updateTagLinksRequest = ServiceStateCollectionUpdateRequest .create(collectionsToAddMap, collectionsToRemoveMap); context.enumerationOperations.add(Operation.createPatch(this.getHost(), existingNicState.documentSelfLink) .setReferer(this.getUri()) .setBody(updateTagLinksRequest)); } return updateNicState; }
private void assertAndSetVMSecurityGroupsToBeDeleted(Instance instance, ComputeState vm) { // This assert is only suitable for real (non-mocking env). if (this.isMock) { return; } this.host.log(Level.INFO, "%s: Assert security groups configuration for [%s] VM", this.currentTestName.getMethodName(), this.vmState.name); // Get the SecurityGroupStates that were provided in the request ComputeState Collector<SecurityGroupService.SecurityGroupState, ?, Map<String, SecurityGroupService.SecurityGroupState>> convertToMap = Collectors.<SecurityGroupService.SecurityGroupState, String, SecurityGroupService.SecurityGroupState>toMap( sg -> sg.name, sg -> sg); Map<String, SecurityGroupService.SecurityGroupState> currentSGNamesToStates = vm.networkInterfaceLinks .stream() // collect all NIC states in a List .map(nicLink -> this.host.getServiceState(null, NetworkInterfaceService.NetworkInterfaceState.class, UriUtils.buildUri(this.host, nicLink))) //collect all SecurityGroup States from all NIC states .<SecurityGroupService.SecurityGroupState>flatMap( nicState -> nicState.securityGroupLinks.stream() // obtain SecurityGroupState from each SG link .map(sgLink -> { SecurityGroupService.SecurityGroupState sgState = this.host .getServiceState(null, SecurityGroupService.SecurityGroupState.class, UriUtils.buildUri(this.host, sgLink)); return sgState; })) // collect security group states in a map with key = SG name .collect(convertToMap); // Compare ComputeState after provisioning to the ComputeState in the request assertNotNull("Instance should have security groups attached.", instance.getSecurityGroups()); // Provisioned Instance should have the same number of SecurityGroups as requested assertEquals(instance.getSecurityGroups().size(), currentSGNamesToStates.size()); for (SecurityGroupService.SecurityGroupState currentSGState : currentSGNamesToStates .values()) { // Get corresponding requested state GroupIdentifier provisionedGroupIdentifier = null; for (GroupIdentifier awsGroupIdentifier : instance.getSecurityGroups()) { if (awsGroupIdentifier.getGroupId().equals(currentSGState.id)) { provisionedGroupIdentifier = awsGroupIdentifier; break; } } // Ensure that the requested SecurityGroup was actually provisioned assertNotNull(provisionedGroupIdentifier); if (currentSGState.name.contains(TestAWSSetupUtils.AWS_NEW_GROUP_PREFIX)) { this.sgToCleanUp = currentSGState.id; SecurityGroup awsSecurityGroup = getSecurityGroupsIdUsingEC2Client(this.client, provisionedGroupIdentifier.getGroupId()); assertNotNull(awsSecurityGroup); // Validate rules are correctly created as requested IpPermission awsIngressRule = awsSecurityGroup.getIpPermissions().get(0); IpPermission awsEgressRule = awsSecurityGroup.getIpPermissionsEgress().get(1); assertNotNull(awsIngressRule); assertNotNull(awsEgressRule); assertEquals("Error in created ingress rule", awsIngressRule.getIpProtocol(), currentSGState.ingress.get(0).protocol); assertEquals("Error in created ingress rule", awsIngressRule.getIpv4Ranges().get(0).getCidrIp(), currentSGState.ingress.get(0).ipRangeCidr); assertEquals("Error in created egress rule", awsEgressRule.getIpProtocol(), currentSGState.egress.get(0).protocol); assertEquals("Error in created egress rule", awsEgressRule.getIpv4Ranges().get(0).getCidrIp(), currentSGState.egress.get(0).ipRangeCidr); } } }
private void assertAndSetVMSecurityGroupsToBeDeleted(Instance instance, ComputeState vm) { // This assert is only suitable for real (non-mocking env). if (this.isMock) { return; } this.host.log(Level.INFO, "%s: Assert security groups configuration for [%s] VM", this.currentTestName.getMethodName(), this.vmState.name); // Get the SecurityGroupStates that were provided in the request ComputeState Collector<SecurityGroupState, ?, Map<String, SecurityGroupState>> convertToMap = Collectors.<SecurityGroupState, String, SecurityGroupState> toMap(sg -> sg.name, sg -> sg); Map<String, SecurityGroupState> currentSGNamesToStates = vm.networkInterfaceLinks.stream() // collect all NIC states in a List .map(nicLink -> this.host.getServiceState(null, NetworkInterfaceState.class, UriUtils.buildUri(this.host, nicLink))) //collect all SecurityGroup States from all NIC states .<SecurityGroupState> flatMap(nicState -> nicState.securityGroupLinks.stream() // obtain SecurityGroupState from each SG link .map(sgLink -> { SecurityGroupState sgState = this.host.getServiceState(null, SecurityGroupState.class, UriUtils.buildUri(this.host, sgLink)); return sgState; })) // collect security group states in a map with key = SG name .collect(convertToMap); // Compare ComputeState after provisioning to the ComputeState in the request assertNotNull("Instance should have security groups attached.", instance.getSecurityGroups()); // Provisioned Instance should have the same number of SecurityGroups as requested assertEquals(instance.getSecurityGroups().size(), currentSGNamesToStates.size()); for (SecurityGroupState currentSGState : currentSGNamesToStates.values()) { // Get corresponding requested state GroupIdentifier provisionedGroupIdentifier = null; for (GroupIdentifier awsGroupIdentifier : instance.getSecurityGroups()) { if (awsGroupIdentifier.getGroupId().equals(currentSGState.id)) { provisionedGroupIdentifier = awsGroupIdentifier; break; } } // Ensure that the requested SecurityGroup was actually provisioned assertNotNull(provisionedGroupIdentifier); if (currentSGState.name.contains(TestAWSSetupUtils.AWS_NEW_GROUP_PREFIX)) { this.sgToCleanUp = currentSGState.id; SecurityGroup awsSecurityGroup = getSecurityGroupsIdUsingEC2Client(this.client, provisionedGroupIdentifier.getGroupId()); assertNotNull(awsSecurityGroup); // Validate rules are correctly created as requested IpPermission awsIngressRule = awsSecurityGroup.getIpPermissions().get(0); IpPermission awsEgressRule = awsSecurityGroup.getIpPermissionsEgress().get(1); assertNotNull(awsIngressRule); assertNotNull(awsEgressRule); assertEquals("Error in created ingress rule", awsIngressRule.getIpProtocol(), currentSGState.ingress.get(0).protocol); assertEquals("Error in created ingress rule", awsIngressRule.getIpv4Ranges().get(0).getCidrIp(), currentSGState.ingress.get(0).ipRangeCidr); assertEquals("Error in created egress rule", awsEgressRule.getIpProtocol(), currentSGState.egress.get(0).protocol); assertEquals("Error in created egress rule", awsEgressRule.getIpv4Ranges().get(0).getCidrIp(), currentSGState.egress.get(0).ipRangeCidr); } } }
private void assertVMSercurityGroupsConfiguration(Instance instance, ComputeState vm) { // This assert is only suitable for real (non-mocking env). if (this.isMock) { return; } this.host.log(Level.INFO, "%s: Assert security groups configuration for [%s] VM", this.currentTestName.getMethodName(), this.vmState.name); // Get the SecurityGroupStates that were provided in the request ComputeState Collector<SecurityGroupState, ?, Map<String, SecurityGroupState>> convertToMap = Collectors.<SecurityGroupState, String, SecurityGroupState> toMap(sg -> sg.name, sg -> sg); Map<String, SecurityGroupState> currentSGNamesToStates = vm.networkInterfaceLinks.stream() // collect all NIC states in a List .map(nicLink -> this.host.getServiceState(null, NetworkInterfaceState.class, UriUtils.buildUri(this.host, nicLink))) //collect all SecurityGroup States from all NIC states .<SecurityGroupState> flatMap(nicState -> nicState.securityGroupLinks.stream() // obtain SecurityGroupState from each SG link .map(sgLink -> { SecurityGroupState sgState = this.host.getServiceState(null, SecurityGroupState.class, UriUtils.buildUri(this.host, sgLink)); return sgState; })) // collect security group states in a map with key = SG name .collect(convertToMap); // Compare ComputeState after provisioning to the ComputeState in the request assertNotNull("Instance should have security groups attached.", instance.getSecurityGroups()); // Provisioned Instance should have the same number of SecurityGroups as requested assertEquals(instance.getSecurityGroups().size(), currentSGNamesToStates.size()); for (SecurityGroupState currentSGState : currentSGNamesToStates.values()) { // Get corresponding requested state GroupIdentifier provisionedGroupIdentifier = null; for (GroupIdentifier awsGroupIdentifier : instance.getSecurityGroups()) { if (awsGroupIdentifier.getGroupId().equals(currentSGState.id)) { provisionedGroupIdentifier = awsGroupIdentifier; break; } } // Ensure that the requested SecurityGroup was actually provisioned assertNotNull(provisionedGroupIdentifier); if (currentSGState.name.contains(TestAWSSetupUtils.AWS_NEW_GROUP_PREFIX)) { this.sgToCleanUp = currentSGState.id; SecurityGroup awsSecurityGroup = getSecurityGroupsIdUsingEC2Client(this.client, provisionedGroupIdentifier.getGroupId()); assertNotNull(awsSecurityGroup); // Validate rules are correctly created as requested IpPermission awsIngressRule = awsSecurityGroup.getIpPermissions().get(0); IpPermission awsEgressRule = awsSecurityGroup.getIpPermissionsEgress().get(1); assertNotNull(awsIngressRule); assertNotNull(awsEgressRule); assertEquals("Error in created ingress rule", awsIngressRule.getIpProtocol(), currentSGState.ingress.get(0).protocol); assertEquals("Error in created ingress rule", awsIngressRule.getIpv4Ranges().get(0).getCidrIp(), currentSGState.ingress.get(0).ipRangeCidr); assertEquals("Error in created egress rule", awsEgressRule.getIpProtocol(), currentSGState.egress.get(0).protocol); assertEquals("Error in created egress rule", awsEgressRule.getIpv4Ranges().get(0).getCidrIp(), currentSGState.egress.get(0).ipRangeCidr); } } }
private void processInstance(String account, String region, Instance instance) { final Map<String, Object> metaData = newHashMap(); metaData.putAll(amiDetailsProvider.getAmiDetails(account, getRegion(fromName(region)), instance.getImageId())); final List<String> errorMessages = newArrayList(); final String instancePublicIpAddress = instance.getPublicIpAddress(); if (violationService.violationExists(account, region, EVENT_ID, instance.getInstanceId(), UNSECURED_PUBLIC_ENDPOINT)) { return; } final Map<String, SecurityGroupCheckDetails> unsecureGroups = securityGroupsChecker.check( instance.getSecurityGroups().stream().map(GroupIdentifier::getGroupId).collect(toList()), account, getRegion(fromName(region))); if (!unsecureGroups.isEmpty()) { metaData.put("unsecuredSecurityGroups", unsecureGroups); errorMessages.add("Unsecured security group! Only ports 80 and 443 are allowed"); } if (errorMessages.size() > 0) { metaData.put("errorMessages", errorMessages); writeViolation(account, region, metaData, instance.getInstanceId()); // skip http response check, as we are already having a violation here return; } // skip check for publicly available apps if (awsApplications.isPubliclyAccessible(account, region, newArrayList(instance.getInstanceId())).orElse(false)) { return; } for (final Integer allowedPort : jobsProperties.getEc2AllowedPorts()) { if (allowedPort == 22) { continue; } final HttpGetRootCall httpCall = new HttpGetRootCall(httpClient, instancePublicIpAddress, allowedPort); final ListenableFuture<HttpCallResult> listenableFuture = threadPoolTaskExecutor.submitListenable( httpCall); listenableFuture.addCallback( httpCallResult -> { log.debug("address: {} and port: {}", instancePublicIpAddress, allowedPort); if (httpCallResult.isOpen()) { final Map<String, Object> md = ImmutableMap.<String, Object>builder() .putAll(metaData) .put("instancePublicIpAddress", instancePublicIpAddress) .put("Port", allowedPort) .put("Error", httpCallResult.getMessage()).build(); writeViolation(account, region, md, instance.getInstanceId()); } }, ex -> log.warn("Could not call " + instancePublicIpAddress, ex)); log.debug("Active threads in pool: {}/{}", threadPoolTaskExecutor.getActiveCount(), threadPoolTaskExecutor.getMaxPoolSize()); } }
public void setGroups(List<GroupIdentifier> groups) { this.groups = groups; }
public List<GroupIdentifier> getGroups() { return groups; }
@Override public List<GroupIdentifier> getGroups() { return (List<GroupIdentifier>) resource.getAttribute("Groups"); }
@Override public List<GroupIdentifier> getSecurityGroups() { return (List<GroupIdentifier>) resource.getAttribute("SecurityGroups"); }
public EC2Instance(Instance instance) { this.id = instance.getInstanceId(); this.type = instance.getInstanceType(); this.lifecycle = instance.getInstanceLifecycle(); this.hypervisor = instance.getHypervisor(); this.az = instance.getPlacement().getAvailabilityZone(); this.group = instance.getPlacement().getGroupName(); this.tenancy = instance.getPlacement().getTenancy(); this.vpc = instance.getVpcId(); this.platform = instance.getPlatform(); this.kernel = instance.getKernelId(); this.key = instance.getKeyName(); this.image = instance.getImageId(); this.privateIP = instance.getPrivateIpAddress(); this.publicIP = instance.getPublicIpAddress(); this.publicHostname = instance.getPublicDnsName(); this.privateHostname = instance.getPrivateDnsName(); this.architecture = instance.getArchitecture(); this.state = instance.getState().getName(); this.ramdisk = instance.getRamdiskId(); this.subnet = instance.getSubnetId(); this.rootDeviceName = instance.getRootDeviceName(); this.rootDeviceType = instance.getRootDeviceType(); this.stateTransitionReason = instance.getStateTransitionReason(); this.spotInstanceRequest = instance.getSpotInstanceRequestId(); this.virtualizationType = instance.getVirtualizationType(); this.sourceDestCheck = instance.getSourceDestCheck(); this.launchTime = new DateTime(instance.getLaunchTime()); if (instance.getIamInstanceProfile() != null) { this.iamInstanceProfile = instance.getIamInstanceProfile().getArn().toString(); } else { this.iamInstanceProfile = null; } final StateReason stateReason = instance.getStateReason(); if (stateReason != null) this.stateReason = stateReason.getMessage(); else this.stateReason = null; this.securityGroups = new ArrayList<>(); for (GroupIdentifier identifier : instance.getSecurityGroups()) { this.securityGroups.add(new SecurityGroup(identifier)); } this.tags = new HashMap<>(); for (Tag tag : instance.getTags()) { this.tags.put(tag.getKey(), tag.getValue()); } }
public SecurityGroup(GroupIdentifier id) { this.id = id.getGroupId(); this.name = id.getGroupName(); }
@Override public int compare(GroupIdentifier gi1, GroupIdentifier gi2) { validateNotEqual(gi1.getGroupId(), gi2.getGroupId()); return new CompareToBuilder().append(gi1.getGroupId(), gi2.getGroupId()).toComparison(); }
/** * Gets the value of the SecurityGroups attribute. If this resource is not * yet loaded, a call to {@code load()} is made to retrieve the value of the * attribute. */ List<GroupIdentifier> getSecurityGroups();
/** * Gets the value of the Groups attribute. If this resource is not yet * loaded, a call to {@code load()} is made to retrieve the value of the * attribute. */ List<GroupIdentifier> getGroups();
