/**
 * Visits one network ACL: adds it to the VPC diagram and, for every subnet the
 * ACL is associated with, records the association plus each ACL entry as an
 * inbound or outbound rule on that subnet.
 *
 * Entries are emitted once per associated subnet, so an ACL without any
 * association contributes a node but no rule edges.
 *
 * @param vpcDiagramBuilder builder that receives the ACL, associations and rules
 * @param acl the network ACL being visited
 * @throws CfnAssistException propagated from {@code addAcl}
 */
private void visitNetworkAcl(VPCDiagramBuilder vpcDiagramBuilder, NetworkAcl acl) throws CfnAssistException {
    vpcDiagramBuilder.addAcl(acl);
    final String aclId = acl.getNetworkAclId();
    logger.debug("visit acl " + aclId);

    for (NetworkAclAssociation association : acl.getAssociations()) {
        final String subnetId = association.getSubnetId();
        vpcDiagramBuilder.associateAclWithSubnet(acl, subnetId);

        for (NetworkAclEntry entry : acl.getEntries()) {
            // NOTE(review): getEgress() is a boxed Boolean; a null value would NPE here
            // exactly as in the original `if (entry.getEgress())` - confirm the SDK always sets it.
            final boolean outbound = entry.getEgress();
            if (!outbound) {
                vpcDiagramBuilder.addACLInbound(aclId, entry, subnetId);
                continue;
            }
            vpcDiagramBuilder.addACLOutbound(aclId, entry, subnetId);
        }
    }
}
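/**
 * Wraps each raw {@link NetworkAcl} returned by the EC2 API in a {@link VpcNetworkAcl}
 * resource. Every wrapper is passed through {@code conf} together with the account,
 * region and collection time before the raw ACL is attached to it.
 *
 * @param networkAcls ACLs returned by the API; {@code null} is treated like an empty list
 *                    (previously a {@code null} list raised a NullPointerException)
 * @param accountId the AWS account the ACLs were read from
 * @param region the region the ACLs were read from
 * @param dt the collection timestamp handed to {@code conf}
 * @return a mutable list of converted resources in input order; never {@code null}
 */
public List<AbstractResource<?>> toVpcNetworkAcls(List<NetworkAcl> networkAcls, String accountId, Region region, DateTime dt) {
    // Presize to the input length; a null input simply yields an empty result.
    final int expected = networkAcls == null ? 0 : networkAcls.size();
    List<AbstractResource<?>> resources = new ArrayList<>(expected);
    if (networkAcls != null) {
        for (NetworkAcl networkAcl : networkAcls) {
            VpcNetworkAcl vpcNetworkAcl = new VpcNetworkAcl();
            conf(vpcNetworkAcl, accountId, region, dt);
            vpcNetworkAcl.setResource(networkAcl);
            resources.add(vpcNetworkAcl);
        }
    }
    log.debug("{} network acls found via api and converted to VpcNetworkAcl", resources.size());
    return resources;
}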
/**
 * Validates the network ACL attached to the configured subnet against the
 * pre-defined network rules.
 *
 * <p>
 * The ACL lookup is best-effort: if the {@code ec2:DescribeNetworkAcls} call fails
 * with an {@link AmazonServiceException} (typically a missing IAM permission) the
 * failure is only logged and the whole check is skipped. In other words this
 * validation fails open - a missing permission does NOT produce a validation error
 * in the accumulator, so callers must not rely on it alone to reject an ACL that
 * would block the cluster.
 * </p>
 *
 * <p>
 * For more information about network ACLs, see <a
 * href="http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_ACLs.html">Network ACLs</a> in the <i>Amazon
 * Virtual Private Cloud User Guide</i>.
 * </p>
 *
 * @param client the EC2 client
 * @param configuration the configuration to be validated
 * @param accumulator the exception condition accumulator
 * @param localizationContext the localization context
 */
private void checkNetworkACL(AmazonEC2Client client, Configured configuration,
    PluginExceptionConditionAccumulator accumulator, LocalizationContext localizationContext) {
  String subnetId = configuration.getConfigurationValue(SUBNET_ID, localizationContext);

  LOG.info(">> Describing network ACL associated with subnet '{}'", subnetId);
  DescribeNetworkAclsRequest request = new DescribeNetworkAclsRequest()
      .withFilters(new Filter().withName("association.subnet-id").withValues(subnetId));

  List<NetworkAcl> aclList;
  try {
    aclList = client.describeNetworkAcls(request).getNetworkAcls();
  } catch (AmazonServiceException e) {
    // Fail-open by design: for backward compatibility the IAM permission
    // ec2:DescribeNetworkAcls cannot be mandated in customers' accounts, so a
    // failed describe call only downgrades this check to a warning and returns.
    // Tracked in https://jira.cloudera.com/browse/CLOUD-5345 to make the
    // validation mandatory later.
    // Only AmazonServiceException is handled here; a client-side
    // AmazonClientException (e.g. network failure) still propagates to the caller.
    LOG.warn("Failed to retrieve the network ACL for subnet: " + subnetId, e);
    LOG.warn("Skipping network ACL validation");
    return;
  }

  // The association.subnet-id filter must yield exactly one ACL: a subnet is
  // always associated with one and only one network ACL. Anything else is a hard error.
  if (aclList.isEmpty()) {
    LOG.error(String.format(EMPTY_NETWORK_ACL, subnetId));
    addError(accumulator, SUBNET_ID, localizationContext, null, EMPTY_NETWORK_ACL, subnetId);
    return;
  }
  if (aclList.size() != 1) {
    Function<NetworkAcl, String> toAclId = new Function<NetworkAcl, String>() {
      @Override
      public String apply(NetworkAcl input) {
        return input.getNetworkAclId();
      }
    };
    List<String> aclIds = FluentIterable.from(aclList).transform(toAclId).toList();
    LOG.error(String.format(MORE_THAN_ONE_NETWORK_ACL, aclIds, subnetId));
    addError(accumulator, SUBNET_ID, localizationContext, null, MORE_THAN_ONE_NETWORK_ACL, aclIds, subnetId);
    return;
  }

  NetworkAcl networkAcl = aclList.get(0);
  // Check the inbound and outbound rule sets separately, each sorted by the
  // project's entry comparator before being handed to the rule checker.
  for (final Direction direction : Direction.values()) {
    Predicate<NetworkAclEntry> inDirection = new Predicate<NetworkAclEntry>() {
      @Override
      public boolean apply(NetworkAclEntry aclEntry) {
        // INBOUND keeps the non-egress entries; every other direction keeps egress entries.
        return aclEntry.isEgress() != (direction == Direction.INBOUND);
      }
    };
    Iterable<NetworkAclEntry> aclEntries = FluentIterable.from(networkAcl.getEntries())
        .filter(inDirection)
        .toSortedList(new NetworkAclEntryComparator());
    checkRulesForNetworkAclEntries(networkAcl.getNetworkAclId(), aclEntries, direction,
        accumulator, localizationContext);
  }
}
/**
 * Returns the network ACLs that belong to the given VPC.
 *
 * Thin pass-through to the cloud repository; nothing is filtered, validated or
 * cached here, so the result is exactly what the repository returns.
 *
 * @param vpcId id of the VPC whose ACLs are wanted
 * @return the ACL list as supplied by the repository for {@code vpcId}
 */
public List<NetworkAcl> getACLs(String vpcId) {
    final List<NetworkAcl> acls = cloudRepository.getALCsForVPC(vpcId);
    return acls;
}
/**
 * Adds a network ACL node to the security diagram.
 *
 * The node is keyed by the ACL id; its label is built from that id and the name
 * resolved from the ACL's tags by {@code AmazonVPCFacade.getNameFromTags}.
 *
 * @param acl the network ACL to draw
 * @throws CfnAssistException propagated from the underlying calls
 */
public void addAcl(NetworkAcl acl) throws CfnAssistException {
    final String aclId = acl.getNetworkAclId();
    final String nameFromTags = AmazonVPCFacade.getNameFromTags(acl.getTags());
    securityDiagram.addACL(aclId, AmazonVPCFacade.createLabelFromNameAndID(aclId, nameFromTags));
}
/**
 * Links an already-added network ACL node to the sub-diagram of one subnet.
 *
 * @param acl the network ACL; only its id is used
 * @param subnetId id of the subnet whose sub-diagram builder is looked up
 */
public void associateAclWithSubnet(NetworkAcl acl, String subnetId) {
    final String aclId = acl.getNetworkAclId();
    // NOTE(review): if subnetId was never registered, get() yields null and is passed
    // straight through - confirm associateWithSubDiagram tolerates a null sub-diagram.
    securityDiagram.associateWithSubDiagram(aclId, subnetId, subnetDiagramBuilders.get(subnetId));
}
/**
 * Walks a fully populated fake VPC with {@link VPCVisitor} and verifies that every
 * resource (subnets, route table and routes, EIP, ELB, RDS instance, network ACL
 * and security groups) is pushed into the diagram builders as expected.
 *
 * Expectations are recorded in the order the original test recorded them. Note
 * that the fixture associates the network ACL and the instance security group
 * with the instance subnet only; the DB subnet gets routes and the ELB only.
 */
@Test
public void shouldWalkVPCAndAddItemsForDiagram() throws CfnAssistException {
    Vpc vpc = vpcBuilder.setFacadeVisitExpections(awsFacade);

    // fixture resources
    String webSubnetId = vpcBuilder.getSubnetId();
    Subnet webSubnet = vpcBuilder.getSubnet();
    String dataSubnetId = vpcBuilder.getDbSubnetId();
    Subnet dataSubnet = vpcBuilder.getDbSubnet();
    Address elasticIp = vpcBuilder.getEip();
    LoadBalancerDescription loadBalancer = vpcBuilder.getElb();
    DBInstance database = vpcBuilder.getDbInstance();
    Instance webInstance = vpcBuilder.getInstance();
    String webInstanceId = webInstance.getInstanceId();
    RouteTable routeTable = vpcBuilder.getRouteTable();
    NetworkAcl networkAcl = vpcBuilder.getAcl();
    NetworkAclEntry aclOutbound = vpcBuilder.getOutboundEntry();
    NetworkAclEntry aclInbound = vpcBuilder.getInboundEntry();
    SecurityGroup webSecGroup = vpcBuilder.getInstanceSecurityGroup();
    IpPermission webPermsInbound = vpcBuilder.getInstanceIpPermsInbound();
    IpPermission webPermsOutbound = vpcBuilder.getInstanceIpPermsOutbound();
    SecurityGroup dbSecGroup = vpcBuilder.getDBSecurityGroup();
    IpPermission dbPermsInbound = vpcBuilder.getDbIpPermsInbound();
    IpPermission dbPermsOutbound = vpcBuilder.getDbIpPermsOutbound();
    SecurityGroup elbSecGroup = vpcBuilder.getElbSecurityGroup();

    // diagram builders handed out by the factory, and subnet registration
    EasyMock.expect(diagramFactory.createVPCDiagramBuilder(vpc)).andReturn(vpcDiagramBuilder);
    EasyMock.expect(diagramFactory.createSubnetDiagramBuilder(vpcDiagramBuilder, webSubnet)).andReturn(subnetDiagramBuilder);
    EasyMock.expect(diagramFactory.createSubnetDiagramBuilder(vpcDiagramBuilder, dataSubnet)).andReturn(dbSubnetDiagramBuilder);
    subnetDiagramBuilder.add(webInstance);
    vpcDiagramBuilder.add(webSubnetId, subnetDiagramBuilder);
    vpcDiagramBuilder.add(dataSubnetId, dbSubnetDiagramBuilder);

    // the same route table (routes A, B, C) is associated with both subnets, web subnet first
    for (String subnetId : new String[] { webSubnetId, dataSubnetId }) {
        vpcDiagramBuilder.addAsssociatedRouteTable(routeTable, subnetId);
        vpcDiagramBuilder.addRoute(routeTable.getRouteTableId(), subnetId, vpcBuilder.getRouteA());
        vpcDiagramBuilder.addRoute(routeTable.getRouteTableId(), subnetId, vpcBuilder.getRouteB());
        vpcDiagramBuilder.addRoute(routeTable.getRouteTableId(), subnetId, vpcBuilder.getRouteC());
    }

    // elastic IP bound to the web instance
    vpcDiagramBuilder.addEIP(elasticIp);
    vpcDiagramBuilder.linkEIPToInstance(elasticIp.getPublicIp(), webInstanceId);

    // load balancer spanning both subnets, fronting the web instance, with its own security group
    vpcDiagramBuilder.addELB(loadBalancer);
    vpcDiagramBuilder.associateELBToInstance(loadBalancer, webInstanceId);
    vpcDiagramBuilder.associateELBToSubnet(loadBalancer, webSubnetId);
    vpcDiagramBuilder.associateELBToSubnet(loadBalancer, dataSubnetId);
    vpcDiagramBuilder.addSecurityGroup(elbSecGroup);
    vpcDiagramBuilder.associateInstanceWithSecGroup(loadBalancer.getDNSName(), elbSecGroup);
    vpcDiagramBuilder.addSecGroupInboundPerms("secElbGroupId", vpcBuilder.getElbIpPermsInbound());
    vpcDiagramBuilder.addSecGroupOutboundPerms("secElbGroupId", vpcBuilder.getElbIpPermsOutbound());

    // RDS instance in the data subnet with its security group
    vpcDiagramBuilder.addDBInstance(database);
    vpcDiagramBuilder.associateDBWithSubnet(database, dataSubnetId);
    vpcDiagramBuilder.addSecurityGroup(dbSecGroup);
    vpcDiagramBuilder.associateInstanceWithSecGroup(database.getDBInstanceIdentifier(), dbSecGroup);
    vpcDiagramBuilder.addSecGroupInboundPerms("secDbGroupId", dbPermsInbound);
    vpcDiagramBuilder.addSecGroupOutboundPerms("secDbGroupId", dbPermsOutbound);

    // network ACL: associated with the web subnet only, one entry per direction
    vpcDiagramBuilder.addAcl(networkAcl);
    vpcDiagramBuilder.associateAclWithSubnet(networkAcl, webSubnetId);
    vpcDiagramBuilder.addACLOutbound("aclId", aclOutbound, webSubnetId);
    vpcDiagramBuilder.addACLInbound("aclId", aclInbound, webSubnetId);

    // instance security group scoped to the web subnet
    vpcDiagramBuilder.addSecurityGroup(webSecGroup, webSubnetId);
    vpcDiagramBuilder.associateInstanceWithSecGroup(webInstanceId, webSecGroup);
    vpcDiagramBuilder.addSecGroupInboundPerms("secGroupId", webPermsInbound, webSubnetId);
    vpcDiagramBuilder.addSecGroupOutboundPerms("secGroupId", webPermsOutbound, webSubnetId);

    diagramBuilder.add(vpcDiagramBuilder);
    replayAll();

    new VPCVisitor(diagramBuilder, awsFacade, diagramFactory).visit(vpc);

    verifyAll();
}