Checks whether a security group name is allowed
public static isSecurityGroupNameAllowed ( string $sgName, Array $patterns ) : boolean | ||
$sgName | string | Security group name |
$patterns | Array | List of patterns |
return | boolean | Returns true if the security group name matches at least one pattern |
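/**
 * Checks the security groups governance policy for an EC2 request.
 *
 * The policy value is read from Scalr_Governance for the EC2 platform, under
 * the policy name derived from $serviceName. When a policy value is present
 * and security groups were submitted, the following is verified in order and
 * the first failure is returned as a message:
 *   1. every submitted group has an id (i.e. was resolved in the current VPC);
 *   2. every required pattern is matched by some submitted group, by exact
 *      lower-cased name or by the pattern's regexp when one is given;
 *   3. unless additional groups are allowed without a list, every submitted
 *      group name is allowed by the required or the additional-groups patterns.
 *
 * NOTE(review): when $vpcSecurityGroups is empty none of the checks above run
 * and true is returned — confirm that callers enforce the policy for the
 * "no groups submitted" case.
 *
 * @param Scalr\UI\Request\JsonData $vpcSecurityGroups Submitted groups, each exposing 'id' and 'name'
 * @param string|false $serviceName Service name (rds, elb ...)
 * @return bool|string Returns error message if access to some data restricted. True otherwise.
 * @throws Scalr_Exception_Core
 */
public function checkSecurityGroupsPolicy($vpcSecurityGroups, $serviceName = false)
{
    $governance = new Scalr_Governance($this->getEnvironmentId());
    $value = $governance->getValue(
        SERVER_PLATFORMS::EC2,
        Scalr_Governance::getEc2SecurityGroupPolicyNameForService($serviceName),
        ''
    );

    // No policy configured for this environment: nothing to enforce.
    if (empty($value)) {
        return true;
    }

    // Submitted groups keyed by lower-cased name (last one wins on duplicates).
    // Groups without an id were not resolved in the current VPC; they are
    // collected separately but still take part in the name map.
    $vpcSecurityGroupNames = [];
    $notFoundGroups = [];
    if (!empty($vpcSecurityGroups)) {
        foreach ($vpcSecurityGroups as $vpcSecurityGroup) {
            $name = strtolower($vpcSecurityGroup['name'] ?? '');
            if (empty($vpcSecurityGroup['id'])) {
                $notFoundGroups[] = $name;
            }
            $vpcSecurityGroupNames[$name] = $vpcSecurityGroup['id'] ?? null;
        }
    }

    // Nothing submitted: no further checks apply (see the NOTE in the docblock).
    if (empty($vpcSecurityGroupNames)) {
        return true;
    }

    // 1. Groups that could not be resolved in the current VPC.
    if (!empty($value['value']) && !empty($notFoundGroups)) {
        $s = count($notFoundGroups) > 1 ? 's' : '';
        $es = $s ? '' : 'e';
        $they = $s ? "they" : 'it';
        return sprintf("A Security Group Policy is active in this Environment, and requires that you attach the following Security Group%s to your instance: %s, but %s do%s not exist in current VPC.", $s, implode(', ', $notFoundGroups), $they, $es);
    }

    $sgRequiredPatterns = \Scalr_Governance::prepareSecurityGroupsPatterns($value['value']);
    // Read through !empty() so a missing key is treated as "not allowed"
    // instead of raising an undefined-key warning.
    $allowAdditional = !empty($value['allow_additional_sec_groups']);
    $sgOptionalPatterns = $allowAdditional
        ? \Scalr_Governance::prepareSecurityGroupsPatterns($value['additional_sec_groups_list'] ?? null)
        : [];

    // 2. Every required pattern must be satisfied by at least one submitted
    //    group: by exact lower-cased name, or by its regexp when one is given.
    $missingGroups = [];
    foreach ($sgRequiredPatterns as $patternName => $sgRequiredPattern) {
        if (isset($vpcSecurityGroupNames[$patternName])) {
            continue;
        }
        $matched = false;
        if (isset($sgRequiredPattern['regexp'])) {
            foreach (array_keys($vpcSecurityGroupNames) as $sgGroupName) {
                // preg_match() returns false on a bad pattern; only 1 counts as a match.
                if (preg_match($sgRequiredPattern['regexp'], $sgGroupName) === 1) {
                    $matched = true;
                    break;
                }
            }
        }
        if (!$matched) {
            $missingGroups[] = $sgRequiredPattern['value'];
        }
    }
    if (!empty($missingGroups)) {
        return sprintf("A Security Group Policy is active in this Environment, and requires that you attach the following Security Groups to your instance: %s", implode(', ', $missingGroups));
    }

    // 3. Additional groups: when the policy forbids them, or allows only a
    //    listed set, every submitted group must match a required pattern or an
    //    additional-groups pattern. Allowing additional groups with an empty
    //    list skips this check entirely.
    if (!$allowAdditional || !empty($sgOptionalPatterns)) {
        foreach (array_keys($vpcSecurityGroupNames) as $sgGroupName) {
            $allowed = !empty($sgRequiredPatterns)
                && \Scalr_Governance::isSecurityGroupNameAllowed($sgGroupName, $sgRequiredPatterns);
            if (!$allowed && !empty($sgOptionalPatterns)) {
                $allowed = \Scalr_Governance::isSecurityGroupNameAllowed($sgGroupName, $sgOptionalPatterns);
            }
            if (!$allowed) {
                return sprintf("A Security Group Policy is active in this Environment, and you can't apply additional security groups to your instance (%s).", $sgGroupName);
            }
        }
    }

    return true;
}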