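/**
 * Picks the single CIDR that a rule is evaluated against, based on the rule's protocol.
 *
 * <p>Only the <em>first</em> range of the relevant address family is returned; any further
 * ranges on the same {@link IpPermission} are ignored. A permission listing, say,
 * {@code 10.0.0.0/8} followed by {@code 0.0.0.0/0} therefore surfaces only the narrower
 * CIDR here. Callers that must see every range have to iterate the permission themselves.
 *
 * <p>Comparisons are written constant-first so a {@code null} {@code rule.protocol} falls
 * through to the IPv4 default instead of throwing, and absent range lists are treated as
 * empty (mirroring the null-guarded reads in {@code getIpRangesFromSgPermission}).
 *
 * @param rule         the rule whose {@code protocol} selects the address family
 * @param ipPermission the AWS security-group permission the rule was derived from
 * @return the first CIDR of the matching family, or {@code ANY} when that family has no range
 */
public static String calculateIpRangeCidr(Rule rule, IpPermission ipPermission) {
    final List<IpRange> ipv4Ranges = ipPermission.getIpv4Ranges();
    final List<Ipv6Range> ipv6Ranges = ipPermission.getIpv6Ranges();
    final boolean hasIpv4 = ipv4Ranges != null && !ipv4Ranges.isEmpty();
    final boolean hasIpv6 = ipv6Ranges != null && !ipv6Ranges.isEmpty();

    if (Protocol.ICMPv6.getName().equals(rule.protocol)) {
        return hasIpv6 ? ipv6Ranges.get(0).getCidrIpv6() : ANY;
    }
    if (Protocol.ICMPv4.getName().equals(rule.protocol)) {
        // AWS allows an Ipv6Range on an IPv4 ICMP permission, so fall back to it when
        // no IPv4 CIDR is present rather than reporting ANY.
        if (hasIpv4) {
            return ipv4Ranges.get(0).getCidrIp();
        }
        return hasIpv6 ? ipv6Ranges.get(0).getCidrIpv6() : ANY;
    }
    // Every other protocol (tcp, udp, "-1", ...) is judged on its first IPv4 range only.
    return hasIpv4 ? ipv4Ranges.get(0).getCidrIp() : ANY;
}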
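/**
 * Collects every CIDR a security-group permission applies to, IPv4 and IPv6 alike.
 *
 * <p>Both address families are read. The previous implementation consulted the IPv6 ranges
 * only when no IPv4 range existed, so a dual-stack rule open on {@code 0.0.0.0/0}
 * <em>and</em> {@code ::/0} reported just the IPv4 side and its IPv6 exposure was invisible
 * to whoever evaluates the returned list. Missing or empty range lists contribute nothing.
 *
 * @param permission the security-group permission (one ingress/egress rule)
 * @return the CIDRs in declaration order, IPv4 ranges first; empty when the rule has none
 */
private List<String> getIpRangesFromSgPermission(IpPermission permission) {
    final List<String> cidrs = Lists.newArrayList();

    final List<IpRange> ipv4Ranges = permission.getIpv4Ranges();
    if (ipv4Ranges != null) {
        for (IpRange ipRange : ipv4Ranges) {
            cidrs.add(ipRange.getCidrIp());
        }
    }

    // Always read the IPv6 side too; it is not an alternative to IPv4 but an addition.
    final List<Ipv6Range> ipv6Ranges = permission.getIpv6Ranges();
    if (ipv6Ranges != null) {
        for (Ipv6Range ipv6Range : ipv6Ranges) {
            cidrs.add(ipv6Range.getCidrIpv6());
        }
    }
    return cidrs;
}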
/**
 * A TCP rule spanning every port and reachable from any IPv6 address must be matched by the
 * predicate, whether the protocol is spelled by name or by its IANA number (6).
 * Judging by the sibling port tests, a match appears to mean "flagged as open to the world".
 */
@Test
public void testAllTcpFromEverywhereIPv6() throws Exception {
    final String anywhere = "::/0";

    final IpPermission byName = new IpPermission()
        .withIpProtocol("tcp")
        .withFromPort(0)
        .withToPort(65535)
        .withIpv6Ranges(new Ipv6Range().withCidrIpv6(anywhere));
    assertThat(pred).accepts(byName);

    final IpPermission byNumber = new IpPermission()
        .withIpProtocol("6")
        .withFromPort(0)
        .withToPort(65535)
        .withIpv6Ranges(new Ipv6Range().withCidrIpv6(anywhere));
    assertThat(pred).accepts(byNumber);
}
/**
 * All UDP ports reachable from any IPv6 address: the predicate must match both for the
 * protocol name and for its IANA number (17).
 */
@Test
public void testAllUDPFromEverywhereIPv6() throws Exception {
    final String anywhere = "::/0";
    for (final String protocol : new String[] {"udp", "17"}) {
        final IpPermission allUdpFromAnywhere = new IpPermission()
            .withIpProtocol(protocol)
            .withFromPort(0)
            .withToPort(65535)
            .withIpv6Ranges(new Ipv6Range().withCidrIpv6(anywhere));
        assertThat(pred).accepts(allUdpFromAnywhere);
    }
}
/**
 * ICMPv6 open to every IPv6 address is <em>not</em> matched by the predicate, neither by name
 * nor by protocol number 58. Compared with the TCP/UDP tests, the finding appears to be
 * limited to port-bearing protocols; if that is deliberate policy it is worth stating on the
 * predicate itself.
 */
@Test
public void testAllICMPIPv6FromEverywhereIPv6() throws Exception {
    final Ipv6Range everywhere = new Ipv6Range().withCidrIpv6("::/0");
    // -1/-1 is how AWS expresses "all ICMP types and codes".
    final int allTypesAndCodes = -1;

    final IpPermission icmpv6ByName = new IpPermission()
        .withIpProtocol("icmpv6")
        .withFromPort(allTypesAndCodes)
        .withToPort(allTypesAndCodes)
        .withIpv6Ranges(everywhere);
    assertThat(pred).rejects(icmpv6ByName);

    final IpPermission icmpv6ByNumber = new IpPermission()
        .withIpProtocol("58")
        .withFromPort(allTypesAndCodes)
        .withToPort(allTypesAndCodes)
        .withIpv6Ranges(everywhere);
    assertThat(pred).rejects(icmpv6ByNumber);
}
/**
 * IPv4 ICMP ("icmp" / protocol number 1) carrying only an IPv6 range is not matched by the
 * predicate. The mixed case is legal in AWS (see the fallback in calculateIpRangeCidr) and is
 * covered here so the predicate does not trip over it.
 */
@Test
public void testAllICMPIPv4FromEverywhereIPv6() throws Exception {
    final Ipv6Range everywhere = new Ipv6Range().withCidrIpv6("::/0");

    final IpPermission icmpByName = new IpPermission()
        .withIpProtocol("icmp")
        .withFromPort(-1)
        .withToPort(-1)
        .withIpv6Ranges(everywhere);
    assertThat(pred).rejects(icmpByName);

    final IpPermission icmpByNumber = new IpPermission()
        .withIpProtocol("1")
        .withFromPort(-1)
        .withToPort(-1)
        .withIpv6Ranges(everywhere);
    assertThat(pred).rejects(icmpByNumber);
}
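/**
 * Builds the checker under test against a mocked {@code ClientProvider} whose EC2 client always
 * describes one security group ({@code sg-12345678}).
 *
 * <p>That fixture group is deliberately permissive: every TCP port is open to
 * {@code 0.0.0.0/0} and {@code ::/0}, and it additionally references group
 * {@code sg-11223344} of account {@code 111222333444}. The predicate is a Mockito mock so each
 * test can decide what counts as a finding.
 */
@Before
public void setUp() throws Exception {
    final ClientProvider clientProvider = mock(ClientProvider.class);
    final AmazonEC2Client ec2 = mock(AmazonEC2Client.class);
    when(clientProvider.getClient(any(), any(), any())).thenReturn(ec2);

    // Mockito can only hand back a raw Predicate; confine the unchecked cast to this single
    // declaration instead of suppressing warnings for the whole fixture method.
    @SuppressWarnings("unchecked")
    final Predicate<IpPermission> predicate = (Predicate<IpPermission>) mock(Predicate.class);
    mockPredicate = predicate;

    securityGroupsChecker = new SecurityGroupsCheckerImpl(clientProvider, mockPredicate);

    final IpPermission allTcpFromAnywhere = new IpPermission()
        .withIpProtocol("tcp")
        .withFromPort(0)
        .withToPort(65535)
        .withIpv4Ranges(new IpRange().withCidrIp("0.0.0.0/0"))
        .withIpv6Ranges(new Ipv6Range().withCidrIpv6("::/0"))
        .withUserIdGroupPairs(new UserIdGroupPair()
            .withUserId("111222333444")
            .withGroupId("sg-11223344"));
    final DescribeSecurityGroupsResult described = new DescribeSecurityGroupsResult()
        .withSecurityGroups(new SecurityGroup()
            .withGroupId("sg-12345678")
            .withGroupName("my-sec-group")
            .withIpPermissions(allTcpFromAnywhere));
    when(ec2.describeSecurityGroups(any())).thenReturn(described);
}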
/**
 * All protocols ("-1" is the AWS all-protocols value) allowed only from RFC 1918 and
 * fc00::/7 (IPv6 unique-local) space must not be matched: nothing here is reachable from the
 * public internet. Note that 172.31.0.0/16 already lies inside 172.16.0.0/12; the overlap is
 * harmless for this assertion.
 */
@Test
public void testAllTrafficFromPrivateNetworks() throws Exception {
    final IpRange[] privateIpv4 = {
        new IpRange().withCidrIp("10.0.0.0/8"),
        new IpRange().withCidrIp("172.31.0.0/16"),
        new IpRange().withCidrIp("172.16.0.0/12"),
        new IpRange().withCidrIp("192.168.0.0/16"),
    };
    final Ipv6Range uniqueLocal = new Ipv6Range().withCidrIpv6("fc00::/7");

    final IpPermission anythingFromPrivateSpace = new IpPermission()
        .withIpProtocol("-1")
        .withIpv4Ranges(privateIpv4)
        .withIpv6Ranges(uniqueLocal);

    assertThat(pred).rejects(anythingFromPrivateSpace);
}
/**
 * Every protocol open to any IPv6 address must be matched, both for the explicit AWS
 * all-protocols value "-1" and for an unset (null) protocol.
 */
@Test
public void testAllTrafficFromEverywhereIPv6() throws Exception {
    final String anywhere = "::/0";

    final IpPermission explicitAllProtocols = new IpPermission()
        .withIpProtocol("-1")
        .withIpv6Ranges(new Ipv6Range().withCidrIpv6(anywhere));
    assertThat(pred).accepts(explicitAllProtocols);

    // No protocol at all must be treated the same way as "-1", not as "nothing".
    final IpPermission unsetProtocol = new IpPermission()
        .withIpProtocol(null)
        .withIpv6Ranges(new Ipv6Range().withCidrIpv6(anywhere));
    assertThat(pred).accepts(unsetProtocol);
}
/**
 * A single TCP port that is not on the allow list (9100 here) exposed to any IPv6 address
 * must be matched by the predicate.
 */
@Test
public void testUnallowedPortFromEverywhereIPv6() throws Exception {
    final int unallowedPort = 9100;
    final IpPermission singlePortFromAnywhere = new IpPermission()
        .withIpProtocol("tcp")
        .withFromPort(unallowedPort)
        .withToPort(unallowedPort)
        .withIpv6Ranges(new Ipv6Range().withCidrIpv6("::/0"));

    assertThat(pred).accepts(singlePortFromAnywhere);
}
/**
 * HTTPS (443/tcp) open to any IPv6 address is an accepted exposure and must not be matched
 * by the predicate.
 */
@Test
public void testAllowedPortFromEverywhereIPv6() throws Exception {
    final int httpsPort = 443;
    final IpPermission httpsFromAnywhere = new IpPermission()
        .withIpProtocol("tcp")
        .withFromPort(httpsPort)
        .withToPort(httpsPort)
        .withIpv6Ranges(new Ipv6Range().withCidrIpv6("::/0"));

    assertThat(pred).rejects(httpsFromAnywhere);
}