com.amazonaws.services.ec2.model.IpPermission Java Examples

The following examples show how to use com.amazonaws.services.ec2.model.IpPermission. The originating project and source file are named above each example.
Example #1
Source File: SecurityGroupsTableProviderTest.java    From aws-athena-query-federation with Apache License 2.0 6 votes vote down vote up
/**
 * Builds a test fixture: one security group carrying a single ingress rule in
 * which every IpPermission sub-field (IPv4/IPv6 ranges, prefix list and
 * referenced group) is populated, so that row mapping can be exercised end to end.
 *
 * @param id the group id to assign
 * @return the populated group
 */
private SecurityGroup makeSecurityGroup(String id)
{
    final IpRange v4Range = new IpRange().withCidrIp("cidr").withDescription("description");
    final Ipv6Range v6Range = new Ipv6Range().withCidrIpv6("cidr").withDescription("description");
    final PrefixListId prefixList = new PrefixListId().withPrefixListId("prefix").withDescription("description");
    final UserIdGroupPair referencedGroup = new UserIdGroupPair().withGroupId("group_id").withUserId("user_id");

    // The placeholder protocol/CIDR strings are deliberately not valid EC2 values;
    // the fixture only has to round-trip them.
    final IpPermission rule = new IpPermission()
            .withIpProtocol("protocol")
            .withFromPort(100)
            .withToPort(100)
            .withIpv4Ranges(v4Range)
            .withIpv6Ranges(v6Range)
            .withPrefixListIds(prefixList)
            .withUserIdGroupPairs(referencedGroup);

    return new SecurityGroup()
            .withGroupId(id)
            .withGroupName("name")
            .withDescription("description")
            .withIpPermissions(rule);
}
 
Example #2
Source File: AmazonIpRuleManager.java    From usergrid with Apache License 2.0 6 votes vote down vote up
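/**
 * Authorizes an ingress rule on the named security group for the given CIDR
 * blocks, protocol and port range.
 *
 * <p>Failures of the EC2 call are logged and not propagated, so the caller
 * cannot tell from this method whether the rule was actually applied; use
 * {@link #getRules} afterwards when that matters.
 *
 * @param name     security group name
 * @param ipRanges CIDR blocks the rule applies to
 * @param protocol IP protocol name (e.g. tcp, udp) or protocol number
 * @param fromPort first port of the range
 * @param toPort   last port of the range
 */
@Override
public void addRules( final String name, final Collection<String> ipRanges, final String protocol,
                      final int fromPort, final int toPort ) {

    final IpPermission ipPermission = new IpPermission()
            .withIpRanges( ipRanges )
            .withIpProtocol( protocol )
            .withFromPort( fromPort )
            .withToPort( toPort );

    try {
        final AuthorizeSecurityGroupIngressRequest request = new AuthorizeSecurityGroupIngressRequest()
                .withGroupName( name )
                .withIpPermissions( ipPermission );
        client.authorizeSecurityGroupIngress( request );
    }
    catch ( Exception e ) {
        // Deliberately best-effort: the interface offers no way to report failure,
        // so the exception (with stack trace) is only logged.
        LOG.error( "Error while adding rule to security group: {}", name, e );
    }
}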
 
Example #3
Source File: AmazonIpRuleManager.java    From usergrid with Apache License 2.0 6 votes vote down vote up
/**
 * Lists the rules of the named security group.
 *
 * @param name    security group name
 * @param inbound {@code true} for ingress rules, {@code false} for egress rules
 * @return the rules converted via {@link #toIpRule}, or {@code null} when the
 *         describe call did not return exactly one group
 */
@Override
public Collection<IpRule> getRules( final String name, final boolean inbound ) {
    final DescribeSecurityGroupsRequest request = new DescribeSecurityGroupsRequest().withGroupNames( name );
    final DescribeSecurityGroupsResult result = client.describeSecurityGroups( request );

    // Missing or ambiguous group: callers have to treat null as "unknown".
    if( result.getSecurityGroups().size() != 1 ) {
        return null;
    }

    final List<IpPermission> permissions = inbound
            ? result.getSecurityGroups().get( 0 ).getIpPermissions()
            : result.getSecurityGroups().get( 0 ).getIpPermissionsEgress();

    final Collection<IpRule> ipRules = new ArrayList<IpRule>();
    for( IpPermission permission : permissions ) {
        ipRules.add( toIpRule( permission ) );
    }
    return ipRules;
}
 
Example #4
Source File: AWSSdkClient.java    From incubator-gobblin with Apache License 2.0 6 votes vote down vote up
/***
 * Open firewall for a security group, i.e. authorize one ingress rule.
 *
 * <p>Errors from the EC2 call propagate to the caller; the success line is
 * logged only after the call returned, so it doubles as an audit record of a
 * rule that was actually applied.
 *
 * @param groupName Open firewall for this security group
 * @param ipRanges Open firewall for this IP range (CIDR block)
 * @param ipProtocol Open firewall for this protocol type (eg. tcp, udp)
 * @param fromPort Open firewall for port range starting at this port
 * @param toPort Open firewall for port range ending at this port
 */
public void addPermissionsToSecurityGroup(String groupName,
    String ipRanges,
    String ipProtocol,
    Integer fromPort,
    Integer toPort) {

  final IpPermission ipPermission = new IpPermission()
      .withIpProtocol(ipProtocol)
      .withFromPort(fromPort)
      .withToPort(toPort)
      .withIpRanges(ipRanges);

  final AmazonEC2 amazonEC2 = getEc2Client();
  amazonEC2.authorizeSecurityGroupIngress(
      new AuthorizeSecurityGroupIngressRequest()
          .withGroupName(groupName)
          .withIpPermissions(ipPermission));

  LOGGER.info("Added permissions: " + ipPermission + " to security group: " + groupName);
}
 
Example #5
Source File: SecurityGroupsCheckerImplTest.java    From fullstop with Apache License 2.0 6 votes vote down vote up
/**
 * Wires a {@code SecurityGroupsCheckerImpl} to a mocked EC2 client whose
 * describeSecurityGroups() always answers with one group ("sg-12345678") that
 * has a single wide-open ingress rule: tcp 0-65535 from 0.0.0.0/0 and ::/0,
 * plus a reference to another account's group.
 */
@SuppressWarnings("unchecked")
@Before
public void setUp() throws Exception {
    final ClientProvider mockClientProvider = mock(ClientProvider.class);
    final AmazonEC2Client mockEC2 = mock(AmazonEC2Client.class);
    mockPredicate = (Predicate<IpPermission>) mock(Predicate.class);
    when(mockClientProvider.getClient(any(), any(), any())).thenReturn(mockEC2);
    securityGroupsChecker = new SecurityGroupsCheckerImpl(mockClientProvider, mockPredicate);

    final IpPermission openToTheWorld = new IpPermission()
            .withIpProtocol("tcp")
            .withFromPort(0)
            .withToPort(65535)
            .withIpv4Ranges(new IpRange().withCidrIp("0.0.0.0/0"))
            .withIpv6Ranges(new Ipv6Range().withCidrIpv6("::/0"))
            .withUserIdGroupPairs(new UserIdGroupPair()
                    .withUserId("111222333444")
                    .withGroupId("sg-11223344"));
    final SecurityGroup group = new SecurityGroup()
            .withGroupId("sg-12345678")
            .withGroupName("my-sec-group")
            .withIpPermissions(openToTheWorld);
    final DescribeSecurityGroupsResult securityGroups =
            new DescribeSecurityGroupsResult().withSecurityGroups(group);

    when(mockEC2.describeSecurityGroups(any())).thenReturn(securityGroups);
}
 
Example #6
Source File: PredicatesTest.java    From fullstop with Apache License 2.0 6 votes vote down vote up
/**
 * ICMP (by name and by protocol number 1) open to all of IPv6 must not be
 * matched: presumably the predicate treats ICMP as port-less and so never
 * flags it as opening a port.
 */
@Test
public void testAllICMPIPv4FromEverywhereIPv6() throws Exception {
    final IpPermission icmpByName = new IpPermission()
            .withIpProtocol("icmp")
            .withFromPort(-1)
            .withToPort(-1)
            .withIpv6Ranges(new Ipv6Range().withCidrIpv6("::/0"));
    assertThat(pred).rejects(icmpByName);

    final IpPermission icmpByNumber = new IpPermission()
            .withIpProtocol("1")
            .withFromPort(-1)
            .withToPort(-1)
            .withIpv6Ranges(new Ipv6Range().withCidrIpv6("::/0"));
    assertThat(pred).rejects(icmpByNumber);
}
 
Example #7
Source File: PredicatesTest.java    From fullstop with Apache License 2.0 6 votes vote down vote up
/**
 * ICMP (by name and by protocol number 1) open to all of IPv4 must not be
 * matched; the name and the number are expected to behave identically.
 */
@Test
public void testAllICMPIPv4FromEverywhereIPv4() throws Exception {
    final IpPermission icmpByName = new IpPermission()
            .withIpProtocol("icmp")
            .withFromPort(-1)
            .withToPort(-1)
            .withIpv4Ranges(new IpRange().withCidrIp("0.0.0.0/0"));
    assertThat(pred).rejects(icmpByName);

    final IpPermission icmpByNumber = new IpPermission()
            .withIpProtocol("1")
            .withFromPort(-1)
            .withToPort(-1)
            .withIpv4Ranges(new IpRange().withCidrIp("0.0.0.0/0"));
    assertThat(pred).rejects(icmpByNumber);
}
 
Example #8
Source File: PredicatesTest.java    From fullstop with Apache License 2.0 6 votes vote down vote up
/**
 * ICMPv6 (by name and by protocol number 58) open to all of IPv6 must not be
 * matched; the name and the number are expected to behave identically.
 */
@Test
public void testAllICMPIPv6FromEverywhereIPv6() throws Exception {
    final IpPermission icmpv6ByName = new IpPermission()
            .withIpProtocol("icmpv6")
            .withFromPort(-1)
            .withToPort(-1)
            .withIpv6Ranges(new Ipv6Range().withCidrIpv6("::/0"));
    assertThat(pred).rejects(icmpv6ByName);

    final IpPermission icmpv6ByNumber = new IpPermission()
            .withIpProtocol("58")
            .withFromPort(-1)
            .withToPort(-1)
            .withIpv6Ranges(new Ipv6Range().withCidrIpv6("::/0"));
    assertThat(pred).rejects(icmpv6ByNumber);
}
 
Example #9
Source File: PredicatesTest.java    From fullstop with Apache License 2.0 6 votes vote down vote up
/**
 * ICMPv6 (by name and by protocol number 58) open to all of IPv4 must not be
 * matched; the name and the number are expected to behave identically.
 */
@Test
public void testAllICMPIPv6FromEverywhereIPv4() throws Exception {
    final IpPermission icmpv6ByName = new IpPermission()
            .withIpProtocol("icmpv6")
            .withFromPort(-1)
            .withToPort(-1)
            .withIpv4Ranges(new IpRange().withCidrIp("0.0.0.0/0"));
    assertThat(pred).rejects(icmpv6ByName);

    final IpPermission icmpv6ByNumber = new IpPermission()
            .withIpProtocol("58")
            .withFromPort(-1)
            .withToPort(-1)
            .withIpv4Ranges(new IpRange().withCidrIp("0.0.0.0/0"));
    assertThat(pred).rejects(icmpv6ByNumber);
}
 
Example #10
Source File: PredicatesTest.java    From fullstop with Apache License 2.0 6 votes vote down vote up
/**
 * UDP (by name and by protocol number 17) on the full port range from all of
 * IPv6 must be matched, i.e. flagged as a wide-open rule.
 */
@Test
public void testAllUDPFromEverywhereIPv6() throws Exception {
    final IpPermission udpByName = new IpPermission()
            .withIpProtocol("udp")
            .withFromPort(0)
            .withToPort(65535)
            .withIpv6Ranges(new Ipv6Range().withCidrIpv6("::/0"));
    assertThat(pred).accepts(udpByName);

    final IpPermission udpByNumber = new IpPermission()
            .withIpProtocol("17")
            .withFromPort(0)
            .withToPort(65535)
            .withIpv6Ranges(new Ipv6Range().withCidrIpv6("::/0"));
    assertThat(pred).accepts(udpByNumber);
}
 
Example #11
Source File: PredicatesTest.java    From fullstop with Apache License 2.0 6 votes vote down vote up
/**
 * UDP (by name and by protocol number 17) on the full port range from all of
 * IPv4 must be matched, i.e. flagged as a wide-open rule.
 */
@Test
public void testAllUDPFromEverywhereIPv4() throws Exception {
    final IpPermission udpByName = new IpPermission()
            .withIpProtocol("udp")
            .withFromPort(0)
            .withToPort(65535)
            .withIpv4Ranges(new IpRange().withCidrIp("0.0.0.0/0"));
    assertThat(pred).accepts(udpByName);

    final IpPermission udpByNumber = new IpPermission()
            .withIpProtocol("17")
            .withFromPort(0)
            .withToPort(65535)
            .withIpv4Ranges(new IpRange().withCidrIp("0.0.0.0/0"));
    assertThat(pred).accepts(udpByNumber);
}
 
Example #12
Source File: PredicatesTest.java    From fullstop with Apache License 2.0 6 votes vote down vote up
/**
 * TCP (by name and by protocol number 6) on the full port range from all of
 * IPv6 must be matched, i.e. flagged as a wide-open rule.
 */
@Test
public void testAllTcpFromEverywhereIPv6() throws Exception {
    final IpPermission tcpByName = new IpPermission()
            .withIpProtocol("tcp")
            .withFromPort(0)
            .withToPort(65535)
            .withIpv6Ranges(new Ipv6Range().withCidrIpv6("::/0"));
    assertThat(pred).accepts(tcpByName);

    final IpPermission tcpByNumber = new IpPermission()
            .withIpProtocol("6")
            .withFromPort(0)
            .withToPort(65535)
            .withIpv6Ranges(new Ipv6Range().withCidrIpv6("::/0"));
    assertThat(pred).accepts(tcpByNumber);
}
 
Example #13
Source File: PredicatesTest.java    From fullstop with Apache License 2.0 6 votes vote down vote up
/**
 * TCP (by name and by protocol number 6) on the full port range from all of
 * IPv4 must be matched, i.e. flagged as a wide-open rule.
 */
@Test
public void testAllTcpFromEverywhereIPv4() throws Exception {
    final IpPermission tcpByName = new IpPermission()
            .withIpProtocol("tcp")
            .withFromPort(0)
            .withToPort(65535)
            .withIpv4Ranges(new IpRange().withCidrIp("0.0.0.0/0"));
    assertThat(pred).accepts(tcpByName);

    final IpPermission tcpByNumber = new IpPermission()
            .withIpProtocol("6")
            .withFromPort(0)
            .withToPort(65535)
            .withIpv4Ranges(new IpRange().withCidrIp("0.0.0.0/0"));
    assertThat(pred).accepts(tcpByNumber);
}
 
Example #14
Source File: CommonTestUtils.java    From pacbot with Apache License 2.0 6 votes vote down vote up
/**
 * Builds a minimal {@code SecurityGroup} fixture: one ingress rule on port 80
 * whose source is another security group ("123") rather than a CIDR block.
 *
 * @param groupId id assigned to the returned group
 * @return the populated group
 */
public static SecurityGroup getSecurityGroup(String groupId){
	final UserIdGroupPair groupPair = new UserIdGroupPair();
	groupPair.setGroupId("123");
	final List<UserIdGroupPair> userIdGroupPairs = new ArrayList<UserIdGroupPair>();
	userIdGroupPairs.add(groupPair);

	// Only fromPort is set; toPort and protocol stay null in this fixture.
	final IpPermission ipPermission = new IpPermission();
	ipPermission.setUserIdGroupPairs(userIdGroupPairs);
	ipPermission.setFromPort(80);
	final List<IpPermission> ipPermissions = new ArrayList<IpPermission>();
	ipPermissions.add(ipPermission);

	final SecurityGroup securityGroup = new SecurityGroup();
	securityGroup.setIpPermissions(ipPermissions);
	securityGroup.setGroupId(groupId);
	return securityGroup;
}
 
Example #15
Source File: PredicatesTest.java    From fullstop with Apache License 2.0 5 votes vote down vote up
/**
 * "All traffic" rules from all of IPv4 must be matched, both when the
 * protocol is "-1" and when it is absent (null); neither carries a port range.
 */
@Test
public void testAllTrafficFromEverywhereIPv4() throws Exception {
    final IpPermission allProtocols = new IpPermission()
            .withIpProtocol("-1")
            .withIpv4Ranges(new IpRange().withCidrIp("0.0.0.0/0"));
    assertThat(pred).accepts(allProtocols);

    final IpPermission noProtocol = new IpPermission()
            .withIpProtocol(null)
            .withIpv4Ranges(new IpRange().withCidrIp("0.0.0.0/0"));
    assertThat(pred).accepts(noProtocol);
}
 
Example #16
Source File: AmazonIpRuleManager.java    From usergrid with Apache License 2.0 5 votes vote down vote up
/**
 * Converts a domain {@code IpRule} into the EC2 SDK's {@code IpPermission}.
 * Only protocol, port range and IPv4 CIDR ranges are carried over.
 *
 * @param rule the rule to convert
 * @return a new permission with the rule's protocol, ports and IP ranges
 */
protected static IpPermission toIpPermission( IpRule rule ) {
    final IpPermission permission = new IpPermission();
    permission.setIpRanges( rule.getIpRanges() );
    permission.setFromPort( rule.getFromPort() );
    permission.setToPort( rule.getToPort() );
    permission.setIpProtocol( rule.getIpProtocol() );
    return permission;
}
 
Example #17
Source File: AmazonIpRuleManager.java    From usergrid with Apache License 2.0 5 votes vote down vote up
/**
 * Converts an EC2 SDK {@code IpPermission} into a domain {@code IpRule}.
 * Only protocol, port range and IPv4 CIDR ranges are carried over; IPv6
 * ranges, prefix lists and referenced groups are dropped.
 *
 * @param permission the permission to convert
 * @return a new {@code BasicIpRule} mirroring the permission
 */
protected static IpRule toIpRule( IpPermission permission ) {
    final BasicIpRule rule = new BasicIpRule();
    rule.setIpRanges( permission.getIpRanges() );
    rule.setIpProtocol( permission.getIpProtocol() );
    rule.setToPort( permission.getToPort() );
    rule.setFromPort( permission.getFromPort() );
    return rule;
}
 
Example #18
Source File: SecurityGroupsTableProvider.java    From aws-athena-query-federation with Apache License 2.0 5 votes vote down vote up
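/**
 * Maps one SecurityGroup rule (aka IpPermission) to a row in the response.
 *
 * @param securityGroup The SecurityGroup that owns the permission entry.
 * @param permission The permission entry (aka rule) to map.
 * @param direction The direction (EGRESS or INGRESS) of the rule.
 * @param spiller The BlockSpiller to use when we want to write a matching row to the response.
 * @note The current implementation is rather naive in how it maps fields. It leverages a static
 * list of fields that we'd like to provide and then explicitly filters and converts each field.
 */
private void instanceToRow(SecurityGroup securityGroup,
        IpPermission permission,
        String direction,
        BlockSpiller spiller)
{
    spiller.writeRows((Block block, int row) -> {
        boolean matched = true;

        matched &= block.offerValue("id", row, securityGroup.getGroupId());
        matched &= block.offerValue("name", row, securityGroup.getGroupName());
        matched &= block.offerValue("description", row, securityGroup.getDescription());
        matched &= block.offerValue("from_port", row, permission.getFromPort());
        // to_port must come from getToPort(): reporting getFromPort() here collapsed every
        // port range to its first port, so queries for wide ranges (e.g. 0-65535) missed them.
        matched &= block.offerValue("to_port", row, permission.getToPort());
        matched &= block.offerValue("protocol", row, permission.getIpProtocol());
        // direction is the caller-supplied INGRESS/EGRESS value, not the protocol.
        matched &= block.offerValue("direction", row, direction);

        // Each list column is rendered as "value:description" strings.
        List<String> ipv4Ranges = permission.getIpv4Ranges().stream()
                .map(next -> next.getCidrIp() + ":" + next.getDescription()).collect(Collectors.toList());
        matched &= block.offerComplexValue("ipv4_ranges", row, FieldResolver.DEFAULT, ipv4Ranges);

        List<String> ipv6Ranges = permission.getIpv6Ranges().stream()
                .map(next -> next.getCidrIpv6() + ":" + next.getDescription()).collect(Collectors.toList());
        matched &= block.offerComplexValue("ipv6_ranges", row, FieldResolver.DEFAULT, ipv6Ranges);

        List<String> prefixLists = permission.getPrefixListIds().stream()
                .map(next -> next.getPrefixListId() + ":" + next.getDescription()).collect(Collectors.toList());
        matched &= block.offerComplexValue("prefix_lists", row, FieldResolver.DEFAULT, prefixLists);

        List<String> userIdGroups = permission.getUserIdGroupPairs().stream()
                .map(next -> next.getUserId() + ":" + next.getGroupId())
                .collect(Collectors.toList());
        matched &= block.offerComplexValue("user_id_groups", row, FieldResolver.DEFAULT, userIdGroups);

        // 1 row written when every field was accepted by the block's filters, else 0.
        return matched ? 1 : 0;
    });
}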
 
Example #19
Source File: AmazonIpRuleManager.java    From usergrid with Apache License 2.0 5 votes vote down vote up
/**
 * Revokes the ingress rule matching the given CIDR blocks, protocol and single
 * port from the named security group. Errors from the EC2 call propagate.
 *
 * @param name     security group name
 * @param ipRanges CIDR blocks of the rule to revoke
 * @param protocol IP protocol name or number of the rule to revoke
 * @param port     the single port the rule covers (used as both from and to port)
 */
@Override
public void deleteRules( final String name, final Collection<String> ipRanges, final String protocol,
                         final int port ) {
    final IpPermission permission = new IpPermission()
            .withIpRanges( ipRanges )
            .withToPort( port )
            .withFromPort( port )
            .withIpProtocol( protocol );

    final RevokeSecurityGroupIngressRequest request = new RevokeSecurityGroupIngressRequest()
            .withIpPermissions( permission )
            .withGroupName( name );
    client.revokeSecurityGroupIngress( request );
}
 
Example #20
Source File: AmazonIpRuleManager.java    From usergrid with Apache License 2.0 5 votes vote down vote up
/**
 * Revokes every given rule from the named security group in one EC2 call.
 * A {@code null} or empty collection is a no-op. Errors from the EC2 call propagate.
 *
 * @param name    security group name
 * @param ipRules rules to revoke, converted via {@link #toIpPermission}
 */
@Override
public void deleteRules( final String name, final Collection<IpRule> ipRules ) {
    if( ipRules == null || ipRules.isEmpty() ) {
        return;
    }

    final Collection<IpPermission> permissions = new ArrayList<IpPermission>( ipRules.size() );
    for( IpRule rule : ipRules ) {
        permissions.add( toIpPermission( rule ) );
    }

    final RevokeSecurityGroupIngressRequest request = new RevokeSecurityGroupIngressRequest()
            .withIpPermissions( permissions )
            .withGroupName( name );
    client.revokeSecurityGroupIngress( request );
}
 
Example #21
Source File: IpPermissionConverter.java    From primecloud-controller with GNU General Public License v2.0 5 votes vote down vote up
/**
 * Converts a typica {@code GroupDescription.IpPermission} into the AWS SDK's
 * {@code IpPermission}. Protocol, port range, referenced groups (via
 * {@code UserIdGroupPairConverter}) and IPv4 ranges are copied.
 *
 * @param from the typica permission to convert
 * @return a new SDK permission carrying the same data
 */
@Override
protected IpPermission convertObject(com.xerox.amazonws.ec2.GroupDescription.IpPermission from) {
    final IpPermission to = new IpPermission();

    to.setIpRanges(from.getIpRanges());
    to.setFromPort(from.getFromPort());
    to.setToPort(from.getToPort());
    to.setIpProtocol(from.getProtocol());
    to.setUserIdGroupPairs(new UserIdGroupPairConverter().convert(from.getUidGroupPairs()));

    return to;
}
 
Example #22
Source File: PredicatesTest.java    From fullstop with Apache License 2.0 5 votes vote down vote up
/**
 * TCP 443 from all of IPv6 must not be matched: 443 is presumably one of the
 * ports the predicate under test is configured to allow.
 */
@Test
public void testAllowedPortFromEverywhereIPv6() throws Exception {
    final IpPermission httpsFromAnywhere = new IpPermission()
            .withIpProtocol("tcp")
            .withFromPort(443)
            .withToPort(443)
            .withIpv6Ranges(new Ipv6Range().withCidrIpv6("::/0"));
    assertThat(pred).rejects(httpsFromAnywhere);
}
 
Example #23
Source File: PredicatesTest.java    From fullstop with Apache License 2.0 5 votes vote down vote up
/**
 * TCP 443 from all of IPv4 must not be matched: 443 is presumably one of the
 * ports the predicate under test is configured to allow.
 */
@Test
public void testAllowedPortFromEverywhereIPv4() throws Exception {
    final IpPermission httpsFromAnywhere = new IpPermission()
            .withIpProtocol("tcp")
            .withFromPort(443)
            .withToPort(443)
            .withIpv4Ranges(new IpRange().withCidrIp("0.0.0.0/0"));
    assertThat(pred).rejects(httpsFromAnywhere);
}
 
Example #24
Source File: PredicatesTest.java    From fullstop with Apache License 2.0 5 votes vote down vote up
/**
 * TCP 9100 from all of IPv4 must be matched: presumably 9100 is not in the
 * predicate's allowed-port set, so exposing it to the internet is flagged.
 */
@Test
public void testUnallowedPortFromEverywhereIPv4() throws Exception {
    final IpPermission port9100FromAnywhere = new IpPermission()
            .withIpProtocol("tcp")
            .withFromPort(9100)
            .withToPort(9100)
            .withIpv4Ranges(new IpRange().withCidrIp("0.0.0.0/0"));
    assertThat(pred).accepts(port9100FromAnywhere);
}
 
Example #25
Source File: PredicatesTest.java    From fullstop with Apache License 2.0 5 votes vote down vote up
/**
 * "All traffic" rules from all of IPv6 must be matched, both when the
 * protocol is "-1" and when it is absent (null); neither carries a port range.
 */
@Test
public void testAllTrafficFromEverywhereIPv6() throws Exception {
    final IpPermission allProtocols = new IpPermission()
            .withIpProtocol("-1")
            .withIpv6Ranges(new Ipv6Range().withCidrIpv6("::/0"));
    assertThat(pred).accepts(allProtocols);

    final IpPermission noProtocol = new IpPermission()
            .withIpProtocol(null)
            .withIpv6Ranges(new Ipv6Range().withCidrIpv6("::/0"));
    assertThat(pred).accepts(noProtocol);
}
 
Example #26
Source File: PredicatesTest.java    From fullstop with Apache License 2.0 5 votes vote down vote up
/**
 * 192.168.0.0/15 straddles the private 192.168.0.0/16 block and public space,
 * so an all-traffic rule from it must still be matched as an external source.
 */
@Test
public void testAllTrafficFromPartiallyPrivateNetwork() throws Exception {
    final IpRange straddlingRange = new IpRange().withCidrIp("192.168.0.0/15");
    final IpPermission allTraffic = new IpPermission()
            .withIpProtocol("-1")
            .withIpv4Ranges(straddlingRange);

    assertThat(pred).accepts(allTraffic);
}
 
Example #27
Source File: PredicatesTest.java    From fullstop with Apache License 2.0 5 votes vote down vote up
/**
 * An all-traffic rule whose sources are entirely RFC 1918 IPv4 blocks and the
 * fc00::/7 IPv6 unique-local block must not be matched: nothing is reachable
 * from outside.
 */
@Test
public void testAllTrafficFromPrivateNetworks() throws Exception {
    final IpPermission privateOnly = new IpPermission()
            .withIpProtocol("-1")
            .withIpv4Ranges(
                    new IpRange().withCidrIp("10.0.0.0/8"),
                    new IpRange().withCidrIp("172.31.0.0/16"),
                    new IpRange().withCidrIp("172.16.0.0/12"),
                    new IpRange().withCidrIp("192.168.0.0/16"))
            .withIpv6Ranges(
                    new Ipv6Range().withCidrIpv6("fc00::/7"));

    assertThat(pred).rejects(privateOnly);
}
 
Example #28
Source File: PredicatesTest.java    From fullstop with Apache License 2.0 5 votes vote down vote up
/**
 * An all-traffic rule whose only source is another security group (no CIDR
 * ranges at all) must not be matched: it has no external source.
 */
@Test
public void testAllTrafficFromSecurityGroups() throws Exception {
    final UserIdGroupPair referencedGroup = new UserIdGroupPair()
            .withUserId("111222333444")
            .withGroupId("sg-11223344");
    final IpPermission fromGroupOnly = new IpPermission()
            .withIpProtocol("-1")
            .withUserIdGroupPairs(referencedGroup);

    assertThat(pred).rejects(fromGroupOnly);
}
 
Example #29
Source File: Predicates.java    From fullstop with Apache License 2.0 5 votes vote down vote up
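/**
 * Tells whether a rule grants access to at least one port outside {@code allowedPorts}.
 *
 * <p>The protocol decides how the port range is interpreted:
 * <ul>
 *   <li>tcp/6 and udp/17: the from/to range is inspected port by port;</li>
 *   <li>icmp/1 and icmpv6/58: ICMP has no ports, so the rule never counts as opening one;</li>
 *   <li>anything else (e.g. "-1"): EC2 ignores the port range and allows all ports.</li>
 * </ul>
 * A {@code null} protocol falls through to the port check, where a missing from or to
 * port is also treated as "all traffic".
 *
 * @param rule         the rule to inspect
 * @param allowedPorts ports that may be exposed without being flagged
 * @return {@code true} if the rule opens at least one port not in {@code allowedPorts}
 */
@SuppressWarnings({"SimplifiableIfStatement"})
private static boolean opensUnallowedPorts(final IpPermission rule, final Set<Integer> allowedPorts) {
    final String protocol = rule.getIpProtocol();
    if (protocol != null) {
        // Match logical names as well as protocol numbers. Locale.ROOT keeps the
        // comparison independent of the JVM default locale (e.g. "ICMP" does not
        // lower-case to "icmp" under a Turkish locale), so a rule cannot slip into
        // the "all ports" default branch just because of the host's locale.
        switch (protocol.toLowerCase(java.util.Locale.ROOT)) {
            case "tcp":
            case "6":
            case "udp":
            case "17":
                // check port ranges
                break;

            case "icmp":
            case "1":
            case "icmpv6":
            case "58":
                return false;

            default:
                // From http://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_IpPermission.html
                // [...] specifying -1 or a protocol number other than tcp, udp, icmp, or 58 (ICMPv6)
                // allows traffic on all ports, regardless of any port range you specify. [...]
                return true;
        }
    }

    final Integer fromPort = rule.getFromPort();
    final Integer toPort = rule.getToPort();

    // No port range means: All traffic
    if (fromPort == null || toPort == null) {
        return true;
    }

    // Is there at least one non-allowed port? (An inverted range yields an empty
    // stream and therefore false.)
    return IntStream.rangeClosed(fromPort, toPort).anyMatch(port -> !allowedPorts.contains(port));
}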
 
Example #30
Source File: Predicates.java    From fullstop with Apache License 2.0 5 votes vote down vote up
/**
 * Tells whether at least one CIDR source of the rule is not fully contained in
 * a private range ({@code PRIVATE_IPV4_RANGES} / {@code PRIVATE_IPV6_RANGE}).
 * A block that merely overlaps private space (e.g. 192.168.0.0/15) counts as
 * external. Referenced security groups and prefix lists are not considered.
 *
 * @param rule the rule whose IPv4 and IPv6 ranges are inspected
 * @return {@code true} if any IPv4 or IPv6 range reaches outside private space
 */
private static boolean hasExternalSource(final IpPermission rule) {
    // NOTE(review): parseCidr presumably throws on a malformed CIDR string — verify.
    final boolean externalIpv4 = rule.getIpv4Ranges().stream()
            .map(IpRange::getCidrIp)
            .map(Ipv4Range::parseCidr)
            .anyMatch(cidr -> PRIVATE_IPV4_RANGES.stream().noneMatch(privateBlock -> privateBlock.contains(cidr)));

    // The SDK's Ipv6Range is fully qualified because the simple name refers to the
    // CIDR parsing type used just below.
    final boolean externalIpv6 = rule.getIpv6Ranges().stream()
            .map(com.amazonaws.services.ec2.model.Ipv6Range::getCidrIpv6)
            .map(Ipv6Range::parseCidr)
            .anyMatch(cidr -> !PRIVATE_IPV6_RANGE.contains(cidr));

    return externalIpv4 || externalIpv6;
}