Added a security_groups container to dsl/compute, and changed providers to respect both cloud defined and compute defined security groups.
Chris Howe committed Jan 16, 2014
1 parent 610cf62 commit c72a466
Showing 9 changed files with 134 additions and 129 deletions.
1 change: 1 addition & 0 deletions lib/ironfan/dsl/compute.rb
Expand Up @@ -22,6 +22,7 @@ class Compute < Ironfan::Dsl
collection :run_list_items, RunListItem, :resolver => :merge_resolve, :key_method => :name
collection :clouds, Ironfan::Dsl::Cloud, :resolver => :merge_resolve, :key_method => :name
collection :volumes, Ironfan::Dsl::Volume, :resolver => :merge_resolve, :key_method => :name
collection :security_groups, Ironfan::Dsl::SecurityGroup, :resolver => :merge_resolve, :key_method => :name

# Resolve these normally (overriding on each layer)
magic :environment, Symbol, :default => :_default
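Review bot: The new `security_groups` collection on L21 is a separate container from the cloud-level `security_groups` collection, and the providers in this commit simply union the two by name, so a group defined under the same name in both places ends up with the union of its authorizations rather than one definition overriding the other. That is worth stating on the declaration so DSL authors do not assume a precedence order: `# Server-level groups; providers union these with the cloud's security_groups by name (authorizations are additive, never overridden).` Merge resolution across compute layers presumably means a facet can add authorizations to a cluster-defined group but not remove any — confirm against merge_resolve before documenting it that way.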
27 changes: 1 addition & 26 deletions lib/ironfan/dsl/ec2.rb
Expand Up @@ -30,7 +30,7 @@ class Ec2 < Cloud
magic :auto_elastic_ip, String
magic :allocation_id, String
magic :region, String, :default => ->{ default_region }
collection :security_groups, Ironfan::Dsl::Ec2::SecurityGroup, :key_method => :name
collection :security_groups, Ironfan::Dsl::SecurityGroup, :key_method => :name
magic :ssh_user, String, :default => ->{ image_info[:ssh_user] }
magic :ssh_identity_dir, String, :default => ->{ Chef::Config.ec2_key_dir }
magic :subnet, String
Expand Down Expand Up @@ -126,31 +126,6 @@ def receive_provider(obj)
end
end

class SecurityGroup < Ironfan::Dsl
field :name, String
field :group_authorized, Array, :default => []
field :group_authorized_by, Array, :default => []
field :range_authorizations, Array, :default => []

def authorize_port_range(range, cidr_ip = '0.0.0.0/0', ip_protocol = 'tcp')
range = (range .. range) if range.is_a?(Integer)
range_authorizations << [range, cidr_ip, ip_protocol]
range_authorizations.compact!
range_authorizations.uniq!
end

def authorized_by_group(other_name)
group_authorized_by << other_name.to_s
group_authorized_by.compact!
group_authorized_by.uniq!
end

def authorize_group(other_name)
group_authorized << other_name.to_s
group_authorized.compact!
group_authorized.uniq!
end
end

class ElasticLoadBalancer

28 changes: 1 addition & 27 deletions lib/ironfan/dsl/openstack.rb
Expand Up @@ -30,7 +30,7 @@ class OpenStack < Cloud
magic :auto_elastic_ip, String
magic :allocation_id, String
magic :region, String, :default => ->{ default_region }
collection :security_groups, Ironfan::Dsl::OpenStack::SecurityGroup, :key_method => :name
collection :security_groups, Ironfan::Dsl::SecurityGroup, :key_method => :name
magic :ssh_user, String, :default => ->{ image_info[:ssh_user] }
magic :ssh_identity_dir, String, :default => ->{ Chef::Config.openstack_key_dir }
magic :subnet, String
Expand Down Expand Up @@ -125,32 +125,6 @@ def receive_provider(obj)
super(obj)
end
end

class SecurityGroup < Ironfan::Dsl
field :name, String
field :group_authorized, Array, :default => []
field :group_authorized_by, Array, :default => []
field :range_authorizations, Array, :default => []

def authorize_port_range(range, cidr_ip = '0.0.0.0/0', ip_protocol = 'tcp')
range = (range .. range) if range.is_a?(Integer)
range_authorizations << [range, cidr_ip, ip_protocol]
range_authorizations.compact!
range_authorizations.uniq!
end

def authorized_by_group(other_name)
group_authorized_by << other_name.to_s
group_authorized_by.compact!
group_authorized_by.uniq!
end

def authorize_group(other_name)
group_authorized << other_name.to_s
group_authorized.compact!
group_authorized.uniq!
end
end
end
end
end
29 changes: 29 additions & 0 deletions lib/ironfan/dsl/security_group.rb
@@ -0,0 +1,29 @@
module Ironfan
class Dsl
class SecurityGroup < Ironfan::Dsl
field :name, String
field :group_authorized, Array, :default => []
field :group_authorized_by, Array, :default => []
field :range_authorizations, Array, :default => []

def authorize_port_range(range, cidr_ip = '0.0.0.0/0', ip_protocol = 'tcp')
range = (range .. range) if range.is_a?(Integer)
range_authorizations << [range, cidr_ip, ip_protocol]
range_authorizations.compact!
range_authorizations.uniq!
end

def authorized_by_group(other_name)
group_authorized_by << other_name.to_s
group_authorized_by.compact!
group_authorized_by.uniq!
end

def authorize_group(other_name)
group_authorized << other_name.to_s
group_authorized.compact!
group_authorized.uniq!
end
end
end
end
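Review bot: `authorize_port_range` on L126 defaults `cidr_ip` to `'0.0.0.0/0'`, so a DSL call that omits the CIDR silently opens the port range to the whole Internet; now that this class is shared by every provider that default deserves a loud comment rather than being discoverable only from the signature. Suggested header for the method: `# Authorize ingress on +range+ (Integer or Range of ports) from +cidr_ip+. NOTE: the default CIDR is 0.0.0.0/0 — pass an explicit CIDR unless the port really is meant to be world-reachable.` The method also pushes any non-Integer `range` through untouched, so a String such as '22-80' is only rejected (or misread) at the provider; a guard after the coercion on L127, `raise ArgumentError, 'range must be an Integer or Range' unless range.is_a?(Range)`, would catch it in the DSL. If `field ... :default => []` does not dup the default per instance, the in-place `<<` on L128, L134 and L140 would share one array across every SecurityGroup — worth confirming in the field implementation.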
8 changes: 6 additions & 2 deletions lib/ironfan/provider/ec2/machine.rb
Expand Up @@ -256,9 +256,13 @@ def self.launch_description(computer)
}

# VPC security_groups can only be addressed by id (not name)
description[:security_group_ids] = cloud.security_groups.keys.map do |g|
SecurityGroup.recall( SecurityGroup.group_name_with_vpc(g,cloud.vpc) ).group_id
sec_group_ids = []
[computer.server.security_groups, cloud.security_groups].each do |container|
sec_group_ids += container.security_groups.keys.map do |g|
SecurityGroup.recall( SecurityGroup.group_name_with_vpc(g,cloud.vpc) ).group_id
end
end
description[:security_group_ids] = sec_group_ids.uniq

description[:iam_server_certificates] = cloud.iam_server_certificates.values.map do |cert|
IamServerCertificate.recall(IamServerCertificate.full_name(computer, cert))
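Review bot: `container.security_groups.keys` on L157 looks wrong: the two objects iterated on L156 are already the `security_groups` collections, and the sibling EC2 security-group provider in this same commit reads `container.keys` directly, so the line should be `sec_group_ids += container.keys.map do |g|` unless the collection class itself exposes a `security_groups` accessor. As written the launch would fail with NoMethodError before any instance is created, so the defect is loud rather than a silent loss of groups, but it still blocks the feature. While here, `SecurityGroup.recall(...)` returning nil for a group that was never prepared surfaces as an unhelpful NoMethodError on `.group_id`; raising an error that names the missing group would be kinder. `launch_description` starts outside the hunk.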
87 changes: 49 additions & 38 deletions lib/ironfan/provider/ec2/security_group.rb
Expand Up @@ -22,6 +22,15 @@ def self.expected_ids(computer)
return unless computer.server
ec2 = computer.server.cloud(:ec2)
ec2.security_groups.keys.map { |name| group_name_with_vpc(name,ec2.vpc) }.uniq
server_groups = computer.server.security_groups
cloud_groups = ec2.security_groups

result = []
[server_groups, cloud_groups].each do |container|
container.keys.each { |name| result.push( group_name_with_vpc(name,ec2.vpc) )}
end
return result.uniq

end

def name()
Expand Down Expand Up @@ -83,44 +92,46 @@ def self.prepare!(computers)

# Iterate over all of the security group information, keeping track of
# any groups that must exist and any authorizations that must be ensured
cloud.security_groups.values.each do |dsl_group|

groups_to_create << dsl_group.name

groups_to_create << dsl_group.group_authorized.map do |other_group|
most_appropriate_group_name(other_group, cloud.vpc)
end

groups_to_create << dsl_group.group_authorized_by.map do |other_group|
most_appropriate_group_name(other_group, cloud.vpc)
end

authorizations_to_ensure << dsl_group.group_authorized.map do |other_group|
{
:grantor => most_appropriate_group_name(dsl_group.name, cloud.vpc),
:grantee => most_appropriate_group_name(other_group, cloud.vpc),
:grantee_type => :group,
:range => WIDE_OPEN,
}
end

authorizations_to_ensure << dsl_group.group_authorized_by.map do |other_group|
{
:grantor => most_appropriate_group_name(other_group, cloud.vpc),
:grantee => most_appropriate_group_name(dsl_group.name, cloud.vpc),
:grantee_type => :group,
:range => WIDE_OPEN,
}
end

authorizations_to_ensure << dsl_group.range_authorizations.map do |range_auth|
range, cidr, protocol = range_auth
{
:grantor => group_name_with_vpc(dsl_group.name, cloud.vpc),
:grantee => { :cidr_ip => cidr, :ip_protocol => protocol },
:grantee_type => :cidr,
:range => range,
}
[computer.server.security_groups, cloud.security_groups].each do |container|
container.values.each do |dsl_group|

groups_to_create << dsl_group.name

groups_to_create << dsl_group.group_authorized.map do |other_group|
most_appropriate_group_name(other_group, cloud.vpc)
end

groups_to_create << dsl_group.group_authorized_by.map do |other_group|
most_appropriate_group_name(other_group, cloud.vpc)
end

authorizations_to_ensure << dsl_group.group_authorized.map do |other_group|
{
:grantor => most_appropriate_group_name(dsl_group.name, cloud.vpc),
:grantee => most_appropriate_group_name(other_group, cloud.vpc),
:grantee_type => :group,
:range => WIDE_OPEN,
}
end

authorizations_to_ensure << dsl_group.group_authorized_by.map do |other_group|
{
:grantor => most_appropriate_group_name(other_group, cloud.vpc),
:grantee => most_appropriate_group_name(dsl_group.name, cloud.vpc),
:grantee_type => :group,
:range => WIDE_OPEN,
}
end

authorizations_to_ensure << dsl_group.range_authorizations.map do |range_auth|
range, cidr, protocol = range_auth
{
:grantor => group_name_with_vpc(dsl_group.name, cloud.vpc),
:grantee => { :cidr_ip => cidr, :ip_protocol => protocol },
:grantee_type => :cidr,
:range => range,
}
end
end
end
end
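Review bot: Inside `prepare!` the new loop on L226 dereferences `computer.server.security_groups` without the `return unless computer.server` guard that `expected_ids` applies on L169; assuming `computer` is the per-computer loop variable (the surrounding code is outside the hunk), a computer with no server would raise here, so a `next unless computer.server` ahead of the loop seems warranted. Security-wise, iterating both containers makes authorizations purely additive: a group named in both the server and the cloud collection gets the union of both rule sets, and `group_authorized`/`group_authorized_by` entries still grant `WIDE_OPEN` (L244, L253), so an accidental duplicate definition can only ever widen a group. A one-line comment above L226 would make that explicit: `# Server- and cloud-level groups are unioned by name; authorizations are only ever added, never narrowed.` `prepare!` begins before the hunk.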
2 changes: 1 addition & 1 deletion lib/ironfan/provider/openstack/machine.rb
Expand Up @@ -296,7 +296,7 @@ def self.launch_description(computer)
:name => computer.name,
}

description[:security_groups] = cloud.security_groups.keys
description[:security_groups] = (computer.server.security_groups.keys + cloud.security_groups.keys).uniq

#description[:iam_server_certificates] = cloud.iam_server_certificates.values.map do |cert|
# IamServerCertificate.recall(IamServerCertificate.full_name(computer, cert))
80 changes: 45 additions & 35 deletions lib/ironfan/provider/openstack/security_group.rb
Expand Up @@ -24,7 +24,14 @@ def self.resource_type() :security_group; end
def self.expected_ids(computer)
return unless computer.server
openstack = computer.server.cloud(:openstack)
openstack.security_groups.to_a.map {|g| g.name }
server_groups = computer.server.security_groups
cloud_groups = openstack.security_groups

result = []
[server_groups, cloud_groups].each do |container|
container.each { |g| result.push(g.name) }
end
return result.uniq
end

def ip_permissions
Expand Down Expand Up @@ -87,40 +94,43 @@ def self.prepare!(computers)

# Iterate over all of the security group information, keeping track of
# any groups that must exist and any authorizations that must be ensured
cloud.security_groups.values.each do |dsl_group|

groups_to_create << dsl_group.name

groups_to_create << dsl_group.group_authorized

groups_to_create << dsl_group.group_authorized_by

authorizations_to_ensure << dsl_group.group_authorized.map do |other_group|
{
:grantor => dsl_group.name,
:grantee => other_group,
:grantee_type => :group,
:range => WIDE_OPEN,
}
end

authorizations_to_ensure << dsl_group.group_authorized_by.map do |other_group|
{
:grantor => other_group,
:grantee => dsl_group.name,
:grantee_type => :group,
:range => WIDE_OPEN,
}
end

authorizations_to_ensure << dsl_group.range_authorizations.map do |range_auth|
range, cidr, protocol = range_auth
{
:grantor => dsl_group.name,
:grantee => { :cidr_ip => cidr, :ip_protocol => protocol },
:grantee_type => :cidr,
:range => range,
}
[computer.server.security_groups, cloud.security_groups].each do |container|

container.values.each do |dsl_group|

groups_to_create << dsl_group.name

groups_to_create << dsl_group.group_authorized

groups_to_create << dsl_group.group_authorized_by

authorizations_to_ensure << dsl_group.group_authorized.map do |other_group|
{
:grantor => dsl_group.name,
:grantee => other_group,
:grantee_type => :group,
:range => WIDE_OPEN,
}
end

authorizations_to_ensure << dsl_group.group_authorized_by.map do |other_group|
{
:grantor => other_group,
:grantee => dsl_group.name,
:grantee_type => :group,
:range => WIDE_OPEN,
}
end

authorizations_to_ensure << dsl_group.range_authorizations.map do |range_auth|
range, cidr, protocol = range_auth
{
:grantor => dsl_group.name,
:grantee => { :cidr_ip => cidr, :ip_protocol => protocol },
:grantee_type => :cidr,
:range => range,
}
end
end
end
end
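Review bot: `expected_ids` on L293-L294 walks each collection with `container.each { |g| result.push(g.name) }`, whereas the line it replaces (L288) went through `to_a` first and the EC2 counterpart in this commit uses `container.keys`; if the collection's `each` yields key/value pairs rather than group objects, `g.name` raises. Since both collections are keyed by name, `result.concat(container.keys)` is both safe and consistent with the EC2 provider. The same additive-union caveat applies to the `prepare!` hunk below it: a group defined in both the server and cloud containers receives the union of the two rule sets, and `group_authorized`/`group_authorized_by` still grant `WIDE_OPEN` between groups (L353, L362), so duplicate definitions can only widen access. `expected_ids` is fully visible; `prepare!` begins before its hunk.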
1 change: 1 addition & 0 deletions lib/ironfan/requirements.rb
Expand Up @@ -15,6 +15,7 @@
require 'ironfan/builder'

require 'ironfan/dsl/component'
require 'ironfan/dsl/security_group'
require 'ironfan/dsl/compute'
require 'ironfan/dsl/server'
require 'ironfan/dsl/facet'
