/**
 * Makes sure the EC2 security group {@code securityGroup} exists in the spec's region, creating
 * it with the configured ingress rules when it is missing.
 *
 * <p>Does nothing unless {@code isEC2} is set. When the spec carries no location id the region
 * falls back to {@code us-east-1}. Each entry of {@code portRangeMap} becomes one {@code TCP}
 * ingress rule sourced from {@code CIDR_RANGE}; that constant is defined outside this method,
 * so check its value before assuming a freshly created group is narrowly scoped.
 *
 * @param spec          template spec whose location id selects the region
 * @param securityGroup name of the security group (also used as its description)
 */
private void initSecurityGroup(TemplateBuilderSpec spec, String securityGroup) {
    if (!isEC2) {
        return;
    }
    // only AWS gets a group created on the fly; other providers leave this to the operator
    AWSEC2Api awsApi = compute.getContext().unwrapApi(AWSEC2Api.class);
    SecurityGroupApi groupApi = awsApi.getSecurityGroupApi().get();
    String region = spec.getLocationId();
    if (region == null) {
        region = "us-east-1";
    }
    Set<SecurityGroup> existing = groupApi.describeSecurityGroupsInRegion(region, securityGroup);
    if (!existing.isEmpty()) {
        LOGGER.info("Security group: '" + securityGroup + "' is found in region '" + region + '\'');
        return;
    }
    LOGGER.info("Security group: '" + securityGroup + "' is not found in region '" + region + "', creating it on the fly");
    groupApi.createSecurityGroupInRegion(region, securityGroup, securityGroup);
    // one ingress rule per configured port range, every one sourced from CIDR_RANGE
    for (Map.Entry<Integer, Integer> range : portRangeMap.entrySet()) {
        groupApi.authorizeSecurityGroupIngressInRegion(region, securityGroup, TCP, range.getKey(), range.getValue(), CIDR_RANGE);
    }
}
/**
 * Deletes the security group encoded in {@code id} (a {@code region/name} handle) when it
 * exists, and evicts it from the {@code groupCreator} cache either way.
 *
 * @param id region-qualified handle as understood by {@link AWSUtils#parseHandle}
 * @return {@code true} only if a group with that name was found and deleted
 * @throws NullPointerException if {@code id} is null
 */
@Override
public boolean removeSecurityGroup(String id) {
    checkNotNull(id, "id");
    String[] handle = AWSUtils.parseHandle(id);
    String region = handle[0];
    String name = handle[1];
    boolean existed = !client.getSecurityGroupApi().get().describeSecurityGroupsInRegion(region, name).isEmpty();
    if (existed) {
        client.getSecurityGroupApi().get().deleteSecurityGroupInRegion(region, name);
    }
    // evict unconditionally so a stale cache entry never outlives a group that is already gone
    groupCreator.invalidate(new RegionNameAndIngressRules(region, name, null, false, null));
    return existed;
}
/**
 * Deletes every security group in {@code region} whose name equals the shared name derived from
 * {@code group}, evicting each from {@code securityGroupMap}.
 *
 * <p>The lookup is a {@code group-name} filter, so more than one group can match (for example
 * one per VPC); all of them are deleted after a warning is logged.
 *
 * @param region EC2 region, must be non-empty
 * @param group  logical group name; the shared name is derived through {@code namingConvention}
 * @throws IllegalStateException If the security group was in use
 * @throws NullPointerException if either argument is null or empty
 */
@VisibleForTesting
void deleteSecurityGroup(String region, String group) {
    checkNotNull(emptyToNull(region), "region must be defined");
    checkNotNull(emptyToNull(group), "group must be defined");
    String sharedName = namingConvention.create().sharedNameForGroup(group);
    Multimap<String, String> byName = ImmutableMultimap.of("group-name", sharedName);
    Set<SecurityGroup> matches = client.getSecurityGroupApi().get().describeSecurityGroupsInRegionWithFilter(region, byName);
    if (matches.size() > 1) {
        logger.warn("When trying to delete security group %s found more than one matching the name. Will delete all - %s.", group, matches);
    }
    for (SecurityGroup match : matches) {
        logger.debug(">> deleting securityGroup(%s)", sharedName);
        client.getSecurityGroupApi().get().deleteSecurityGroupInRegionById(region, match.getId());
        securityGroupMap.invalidate(new RegionNameAndIngressRules(region, sharedName, null, false, null));
        logger.debug("<< deleted securityGroup(%s)", sharedName);
    }
}
/**
 * Adds an ingress rule that lets members of security group {@code name} reach each other.
 *
 * <p>The account id is read from the first group the describe call returns, so the group must
 * already exist: an empty result fails with {@code IndexOutOfBoundsException}.
 *
 * @param region EC2 region
 * @param name   security group name
 */
protected void authorizeGroupToItself(String region, String name) {
    logger.debug(">> authorizing securityGroup region(%s) name(%s) permission to itself", region, name);
    String ownerId = Iterables.get(securityClient.describeSecurityGroupsInRegion(region, name), 0).getOwnerId();
    UserIdGroupPair self = new UserIdGroupPair(ownerId, name);
    securityClient.authorizeSecurityGroupIngressInRegion(region, name, self);
    logger.debug("<< authorized securityGroup(%s)", name);
}
/**
 * Creates a group, grants TCP/80 from {@code 0.0.0.0/0}, waits for the rule to be visible,
 * revokes it and waits for the group to be empty again; the group is deleted in {@code finally}.
 *
 * <p>The body appears to mirror {@code testAuthorizeSecurityGroupIngressCidr}: despite its name
 * this test does not exercise a source-port rule.
 */
@Test
void testAuthorizeSecurityGroupIngressSourcePort() {
    String name = PREFIX + "ingress";
    cleanupAndSleep(name);
    try {
        client.createSecurityGroupInRegion(null, name, name);
        client.authorizeSecurityGroupIngressInRegion(null, name, IpProtocol.TCP, 80, 80, "0.0.0.0/0");
        assertEventually(new GroupHasPermission(client, name, new TCPPort80AllIPs()));
        client.revokeSecurityGroupIngressInRegion(null, name, IpProtocol.TCP, 80, 80, "0.0.0.0/0");
        assertEventually(new GroupHasNoPermissions(client, name));
    } finally {
        // runs even when an assertion above failed, so the group does not linger in the account
        client.deleteSecurityGroupInRegion(null, name);
    }
}
/**
 * Disabled: creates {@code securityGroupName} and opens TCP 80, 443 and 22 from
 * {@code 0.0.0.0/0}. The initial delete is best effort (any failure is ignored) so the run starts
 * from a clean slate; nothing removes the group afterwards.
 */
@Test(enabled = false)
void testCreateSecurityGroupIngressCidr() throws InterruptedException, ExecutionException, TimeoutException {
    securityGroupName = instancePrefix + "ingress";
    try {
        client.getSecurityGroupApi().get().deleteSecurityGroupInRegion(null, securityGroupName);
    } catch (Exception ignored) {
        // the group usually does not exist yet; a failed delete is not an error here
    }
    client.getSecurityGroupApi().get().createSecurityGroupInRegion(null, securityGroupName, securityGroupName);
    int[] openPorts = {80, 443, 22};
    for (int port : openPorts) {
        client.getSecurityGroupApi().get().authorizeSecurityGroupIngressInRegion(null, securityGroupName, IpProtocol.TCP, port, port, "0.0.0.0/0");
    }
}
/**
 * Lists every security group visible in region {@code from}.
 *
 * @param from EC2 region id
 * @return whatever the describe call returns for that region
 */
@Override
public Set<? extends org.jclouds.ec2.domain.SecurityGroup> apply(String from) {
    Set<? extends org.jclouds.ec2.domain.SecurityGroup> groups =
            client.getSecurityGroupApi().get().describeSecurityGroupsInRegion(from);
    return groups;
}
/**
 * Authorizes inbound TCP on a single {@code port} for security group {@code name}.
 *
 * <p>The source is hard-wired to {@code 0.0.0.0/0}: the port becomes reachable from every IPv4
 * address and this method offers no way to narrow that.
 *
 * @param region EC2 region
 * @param name   security group name
 * @param port   TCP port, used as both start and end of the range
 */
protected void createIngressRuleForTCPPort(String region, String name, int port) {
    logger.debug(">> authorizing securityGroup region(%s) name(%s) port(%s)", region, name, port);
    int fromPort = port;
    int toPort = port;
    securityClient.authorizeSecurityGroupIngressInRegion(region, name, IpProtocol.TCP, fromPort, toPort, "0.0.0.0/0");
    logger.debug("<< authorized securityGroup(%s)", name);
}
for (String sg : config.getSecurityGroups()) { try { client.getSecurityGroupApi().get().createSecurityGroupInRegion(config.getRegion(), sg, sg); client.getSecurityGroupApi().get().authorizeSecurityGroupIngressInRegion(config.getRegion(), sg, IpProtocol.TCP, config.getInboundPorts()[0], config.getInboundPorts()[config.getInboundPorts().length - 1], "0.0.0.0/0"); client.getSecurityGroupApi().get().authorizeSecurityGroupIngressInRegion(config.getRegion(), sg, IpProtocol.TCP, 22, 22, "0.0.0.0/0"); } catch (IllegalStateException e) {
/**
 * Creates a group with a distinct description and verifies both are reported back. The group is
 * deleted before creation (after {@code cleanupAndSleep}) and again in {@code finally}.
 */
@Test
void testCreateSecurityGroup() {
    String name = PREFIX + "1";
    String description = PREFIX + "1 description";
    cleanupAndSleep(name);
    try {
        client.deleteSecurityGroupInRegion(null, name);
        client.createSecurityGroupInRegion(null, name, description);
        verifySecurityGroup(name, description);
    } finally {
        client.deleteSecurityGroupInRegion(null, name);
    }
}
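/**
 * Removes all rules.
 *
 * <p>Revokes every CIDR-sourced ingress rule of the node's {@code jclouds#<group>#<region>}
 * security group, then re-authorizes TCP/22 from {@code 0.0.0.0/0} so SSH stays reachable.
 * Rules whose source is another security group are left in place: only
 * {@code getCidrBlocks()} is iterated.
 *
 * @param service compute service whose context exposes the {@link EC2Api}
 * @param node    node whose id (region) and group select the security group
 */
@Override
public void flush(ComputeService service, NodeMetadata node) {
    String region = AWSUtils.parseHandle(node.getId())[0];
    EC2Api ec2Api = service.getContext().unwrapApi(EC2Api.class);
    String groupName = "jclouds#" + node.getGroup() + "#" + region;
    Set<SecurityGroup> matchedSecurityGroups = ec2Api.getSecurityGroupApi().get().describeSecurityGroupsInRegion(region, groupName);
    for (SecurityGroup securityGroup : matchedSecurityGroups) {
        for (IpPermission ipPermission : securityGroup) {
            for (String cidr : ipPermission.getCidrBlocks()) {
                // revoke with the rule's own protocol: passing TCP unconditionally would leave
                // UDP/ICMP rules in the group, contradicting "removes all rules"
                ec2Api.getSecurityGroupApi().get().revokeSecurityGroupIngressInRegion(region, groupName,
                        ipPermission.getIpProtocol(), ipPermission.getFromPort(), ipPermission.getToPort(), cidr);
            }
        }
    }
    //We want at least ssh access from everywhere.
    authorize(service, node, "0.0.0.0/0", 22);
}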
/**
 * Creates security group {@code name} in {@code region}, waits until it is visible, opens each of
 * {@code ports} for TCP through {@code createIngressRuleForTCPPort} and, when at least one port
 * was given, lets the group reach itself.
 *
 * <p>Any {@link IllegalStateException} thrown inside the try block is treated as "the group is
 * already there" and logged as reused; in that case none of the ingress rules are applied. Note
 * that this also covers an {@code IllegalStateException} raised by the authorize calls.
 *
 * @param region EC2 region, non-null
 * @param name   group name, also used as its description, non-null
 * @param ports  TCP ports to open; may be empty
 * @throws RuntimeException if the group is still not visible after
 *                          {@code securityGroupEventualConsistencyDelay} gives up
 */
private void createSecurityGroupInRegion(String region, String name, int... ports) {
    checkNotNull(region, "region");
    checkNotNull(name, "name");
    logger.debug(">> creating securityGroup region(%s) name(%s)", region, name);
    try {
        securityClient.createSecurityGroupInRegion(region, name, name);
        RegionAndName key = new RegionAndName(region, name);
        if (!securityGroupEventualConsistencyDelay.apply(key)) {
            throw new RuntimeException(String.format("security group %s/%s is not available after creating", region, name));
        }
        logger.debug("<< created securityGroup(%s)", name);
        for (int port : ports) {
            createIngressRuleForTCPPort(region, name, port);
        }
        if (ports.length != 0) {
            authorizeGroupToItself(region, name);
        }
    } catch (IllegalStateException alreadyExists) {
        logger.debug("<< reused securityGroup(%s)", name);
    }
}
/**
 * Revokes ingress on {@code group} for the given protocol and port range: one revoke per CIDR in
 * {@code ipRanges}, then one per (tenant id, group name) pair. {@code groupIds} is accepted but
 * not used by this implementation.
 *
 * @param protocol               protocol of the rules to revoke
 * @param startPort              first port of the range
 * @param endPort                last port of the range
 * @param tenantIdGroupNamePairs source security groups keyed by owner id
 * @param ipRanges               source CIDR blocks
 * @param groupIds               ignored here
 * @param group                  group whose rules are revoked; its location supplies the region
 * @return the group re-read from the API after the revocations
 */
@Override
public SecurityGroup removeIpPermission(IpProtocol protocol, int startPort, int endPort, Multimap<String, String> tenantIdGroupNamePairs, Iterable<String> ipRanges, Iterable<String> groupIds, SecurityGroup group) {
    String region = AWSUtils.getRegionFromLocationOrNull(group.getLocation());
    String groupName = group.getName();
    if (!Iterables.isEmpty(ipRanges)) {
        for (String cidr : ipRanges) {
            client.getSecurityGroupApi().get().revokeSecurityGroupIngressInRegion(region, groupName, protocol, startPort, endPort, cidr);
        }
    }
    if (!tenantIdGroupNamePairs.isEmpty()) {
        for (String ownerId : tenantIdGroupNamePairs.keySet()) {
            for (String sourceGroup : tenantIdGroupNamePairs.get(ownerId)) {
                UserIdGroupPair pair = new UserIdGroupPair(ownerId, sourceGroup);
                client.getSecurityGroupApi().get().revokeSecurityGroupIngressInRegion(region, groupName, pair);
            }
        }
    }
    String handle = new RegionAndName(region, groupName).slashEncode();
    return getSecurityGroupById(handle);
}
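/**
 * Expects {@link AWSResponseException}: describing groups with an unknown filter key
 * ({@code invalid-filter}) must be rejected by the API rather than silently ignored.
 *
 * <p>Walks every configured region and only issues the filtered call where at least one group
 * exists, using the name of the last group as the filter value. The previous version also built
 * a set of same-named groups that was never read; that dead code is gone.
 */
@Test(expectedExceptions = AWSResponseException.class)
void testFilterInvalid() {
    for (String region : ec2Api.getConfiguredRegions()) {
        Set<SecurityGroup> allResults = client.describeSecurityGroupsInRegion(region);
        assertNotNull(allResults);
        if (!allResults.isEmpty()) {
            SecurityGroup group = getLast(allResults);
            // the return value is irrelevant: the call itself is expected to throw
            client.describeSecurityGroupsInRegionWithFilter(region,
                    ImmutableMultimap.<String, String>builder().put("invalid-filter", group.getName()).build());
        }
    }
}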
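/**
 * Best-effort removal of {@code groupName} followed by a 2 s pause so the delete has propagated
 * before the caller recreates the group.
 *
 * <p>Failures of the delete (typically: the group does not exist yet) are ignored on purpose and
 * skip the pause. An interrupt during the pause is not propagated either, but the thread's
 * interrupt flag is restored so the caller can still observe it.
 *
 * @param groupName security group to remove
 */
protected void cleanupAndSleep(String groupName) {
    try {
        client.deleteSecurityGroupInRegion(null, groupName);
        Thread.sleep(2000);
    } catch (InterruptedException e) {
        // keep the best-effort contract, but do not lose the interrupt
        Thread.currentThread().interrupt();
    } catch (Exception ignored) {
        // nothing to clean up when the delete fails
    }
}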
/**
 * Resolves a {@code region/name} handle to the id of the single security group carrying that
 * name in the region.
 *
 * @param input handle as understood by {@link AWSUtils#parseHandle}, non-null
 * @return the matching group's id
 * @throws NoSuchElementException   if no group in the region has that name
 * @throws IllegalArgumentException if more than one does (e.g. one per VPC)
 */
@Override
public String apply(String input) {
    checkNotNull(input, "input");
    String[] handle = AWSUtils.parseHandle(input);
    String region = handle[0];
    String groupName = handle[1];
    return Iterables.getOnlyElement(
            api.getSecurityGroupApi().get().describeSecurityGroupsInRegionWithFilter(region, of("group-name", groupName)))
            .getId();
}
}
/**
 * Deleting a group by id must not fail when the API answers 404: the canned request/response
 * pairs are replayed and the call is expected to return normally.
 */
public void testDeleteSecurityGroupByIdWhen404() {
    HttpResponse notFound = HttpResponse.builder().statusCode(404).build();
    EC2Api api = requestsSendResponses(describeRegionsRequest, describeRegionsResponse, deleteById, notFound);
    api.getSecurityGroupApi().get().deleteSecurityGroupInRegionById("us-east-1", "sg-3c6ef654");
}
/**
 * Round-trips a CIDR ingress rule: create the group, allow TCP/80 from {@code 0.0.0.0/0}, wait
 * until the rule is reported, revoke it, wait until the group reports no permissions. The group
 * is removed in {@code finally}.
 */
@Test
void testAuthorizeSecurityGroupIngressCidr() {
    String group = PREFIX + "ingress";
    cleanupAndSleep(group);
    try {
        client.createSecurityGroupInRegion(null, group, group);
        client.authorizeSecurityGroupIngressInRegion(null, group, IpProtocol.TCP, 80, 80, "0.0.0.0/0");
        assertEventually(new GroupHasPermission(client, group, new TCPPort80AllIPs()));
        client.revokeSecurityGroupIngressInRegion(null, group, IpProtocol.TCP, 80, 80, "0.0.0.0/0");
        assertEventually(new GroupHasNoPermissions(client, group));
    } finally {
        // cleanup runs regardless of assertion outcome
        client.deleteSecurityGroupInRegion(null, group);
    }
}
/**
 * Disabled: creates {@code securityGroupName} and opens TCP 80, 443 and 22 from
 * {@code 0.0.0.0/0}, in that order. The initial delete is best effort (any failure is ignored);
 * nothing removes the group afterwards.
 */
@Test(enabled = false)
void testCreateSecurityGroupIngressCidr() throws InterruptedException, ExecutionException, TimeoutException {
    securityGroupName = INSTANCE_PREFIX + "ingress";
    try {
        client.getSecurityGroupApi().get().deleteSecurityGroupInRegion(null, securityGroupName);
    } catch (Exception ignored) {
        // the group usually does not exist yet; a failed delete is not an error here
    }
    client.getSecurityGroupApi().get().createSecurityGroupInRegion(null, securityGroupName, securityGroupName);
    for (int port : new int[] {80, 443, 22}) {
        client.getSecurityGroupApi().get().authorizeSecurityGroupIngressInRegion(null, securityGroupName, IpProtocol.TCP, port, port, "0.0.0.0/0");
    }
}
/**
 * Describes all security groups of region {@code from}.
 *
 * @param from EC2 region id
 * @return the describe call's result, unmodified
 */
@Override
public Set<? extends org.jclouds.ec2.domain.SecurityGroup> apply(String from) {
    String region = from;
    Set<? extends org.jclouds.ec2.domain.SecurityGroup> described =
            client.getSecurityGroupApi().get().describeSecurityGroupsInRegion(region);
    return described;
}