/**
* RevokeSecurityGroupEgress action
*
* Removes one or more egress rules from a security group for EC2-VPC.
* The values that you specify in the revoke request (for example, ports)
* must match the existing rule's values for the rule to be revoked.
*
* Each rule consists of the protocol and the CIDR range or destination security group.
* For the TCP and UDP protocols, you must also specify the destination port or range of ports.
* For the ICMP protocol, you must also specify the ICMP type and code.
*
* Rule changes are propagated to instances within the security group as quickly as possible.
* However, a small delay might occur.
*
* @param IpPermissionList $ipPermissions Ip permission list object
* @param string $groupId optional The ID of the security group to modify.
* @return bool Returns true on success
* @throws ClientException
* @throws Ec2Exception
*/
public function revokeSecurityGroupEgress(IpPermissionList $ipPermissions, $groupId)
{
$result = false;
$options = $ipPermissions->getQueryArrayBare('IpPermissions');
$options['GroupId'] = (string) $groupId;
$action = ucfirst(__FUNCTION__);
$response = $this->client->call($action, $options);
if ($response->getError() === false) {
$sxml = simplexml_load_string($response->getRawContent());
if ((string) $sxml->return != 'true') {
throw new Ec2Exception(sprintf('Amazon Ec2 could not %s GroupId:"%s". It returned "%s"', $action, $options['GroupId'], $sxml->return));
}
$result = true;
}
return $result;
}
/**
* @test
* @depends testFunctionalEc2
*/
public function testFunctionalVpc()
{
$this->skipIfEc2PlatformDisabled();
$aws = $this->getContainer()->aws(AwsTestCase::REGION);
$aws->ec2->enableEntityManager();
$nameTag = new ResourceTagSetData(self::TAG_NAME_KEY, self::getTestName(self::NAME_TAG_VALUE));
$ret = $aws->ec2->describeAccountAttributes(array('supported-platforms', 'default-vpc'));
$this->assertInstanceOf($this->getEc2ClassName('DataType\\AccountAttributeSetList'), $ret);
unset($ret);
//Removes previously created route tables if they exist.
$rtList = $aws->ec2->routeTable->describe(null, array(array('name' => RouteTableFilterNameType::tagName(), 'value' => self::getTestName(self::NAME_TAG_VALUE))));
$this->assertInstanceOf($this->getEc2ClassName('DataType\\RouteTableList'), $rtList);
foreach ($rtList as $rt) {
/* @var $rt RouteTableData */
foreach ($rt->routeSet as $route) {
/* @var $route RouteData */
try {
$route->delete();
} catch (ClientException $e) {
}
}
foreach ($rt->associationSet as $rtassoc) {
try {
$rtassoc->disassociate();
} catch (ClientException $e) {
}
}
$rt->delete();
}
unset($rtList);
//Removes previously created Network Interfaces if they have not been removed during past test executions.
$eniList = $aws->ec2->networkInterface->describe(null, array(array('name' => NetworkInterfaceFilterNameType::tag(self::TAG_NAME_KEY), 'value' => self::getTestName(self::NAME_TAG_VALUE))));
$this->assertInstanceOf($this->getEc2ClassName('DataType\\NetworkInterfaceList'), $eniList);
foreach ($eniList as $v) {
$v->delete();
}
unset($eniList);
$subnetList = $aws->ec2->subnet->describe(null, array(array('name' => SubnetFilterNameType::tag(self::TAG_NAME_KEY), 'value' => self::getTestName(self::NAME_TAG_VALUE))));
$this->assertInstanceOf($this->getEc2ClassName('DataType\\SubnetList'), $subnetList);
foreach ($subnetList as $subnet) {
/* @var $subnet SubnetData */
$subnet->delete();
}
unset($subnetList);
//Removes previously created Internet Gateways which has not been removed during previous test run.
$igwList = $aws->ec2->internetGateway->describe(null, array(array('name' => InternetGatewayFilterNameType::tag(self::TAG_NAME_KEY), 'value' => self::getTestName(self::NAME_TAG_VALUE))));
$this->assertInstanceOf($this->getEc2ClassName('DataType\\InternetGatewayList'), $igwList);
foreach ($igwList as $igw) {
/* @var $igw InternetGatewayData */
if (count($igw->attachmentSet)) {
//Detaches previously attachet VPC
$igw->attachmentSet->get(0)->detach();
for ($t = time(); time() - $t < 100 && !empty($igw->attachmentSet[0]) && $igw->attachmentSet[0]->state == InternetGatewayAttachmentData::STATE_DETACHING; sleep(3)) {
$igw = $igw->refresh();
}
}
//Deletes previously created internet gateways
$igw->delete();
}
unset($igwList);
//We should be assured that group which is used for the test does not exists
$list = $aws->ec2->securityGroup->describe(null, null, new SecurityGroupFilterData(SecurityGroupFilterNameType::groupName(), self::getTestName(self::NAME_SECURITY_GROUP_VPC)));
if (count($list) > 0) {
foreach ($list as $v) {
$v->delete();
}
}
unset($list);
//Describes VPC
$vpcList = $aws->ec2->vpc->describe(null, array(array('name' => VpcFilterNameType::tag(self::TAG_NAME_KEY), 'value' => self::getTestName(self::NAME_TAG_VALUE))));
$this->assertInstanceOf($this->getEc2ClassName('DataType\\VpcList'), $vpcList);
//We should remove VPC which has not been removed by some reason.
foreach ($vpcList as $vpc) {
$vpc->delete();
unset($vpc);
}
unset($vpcList);
//Creates VPC
$vpc = $aws->ec2->vpc->create('10.0.0.0/16');
$this->assertInstanceOf($this->getEc2ClassName('DataType\\VpcData'), $vpc);
for ($t = time(); time() - $t < 600 && $vpc->state !== VpcData::STATE_AVAILABLE;) {
sleep(5);
$vpc = $vpc->refresh();
}
$this->assertTrue($vpc->state == VpcData::STATE_AVAILABLE);
$ret = $vpc->createTags($nameTag);
$this->assertTrue($ret);
//Creates an VPC Security group
$securityGroupId = $aws->ec2->securityGroup->create(self::getTestName(self::NAME_SECURITY_GROUP_VPC), self::getTestName(self::NAME_SECURITY_GROUP_VPC) . ' description', $vpc->vpcId);
$this->assertNotEmpty($securityGroupId);
sleep(2);
$sg = $aws->ec2->securityGroup->describe(null, $securityGroupId)->get(0);
$this->assertInstanceOf($this->getEc2ClassName('DataType\\SecurityGroupData'), $sg);
//Authorizes security group Egress
//Example, how to construct the list with arrays
$ipperm3array = array(array('ipProtocol' => 'tcp', 'fromPort' => 80, 'toPort' => 80, 'ipRanges' => array(array('cidrIp' => '192.0.2.0/24'), array('cidrIp' => '198.51.100.0/24'))));
$ipperm3 = new IpPermissionList($ipperm3array);
$this->assertInstanceOf($this->getEc2ClassName('DataType\\IpPermissionData'), $ipperm3->get(0));
$this->assertInstanceOf($this->getEc2ClassName('DataType\\IpRangeList'), $ipperm3->get(0)->ipRanges);
$this->assertEquals(2, $ipperm3->get(0)->ipRanges->count());
$this->assertEquals('192.0.2.0/24', $ipperm3->get(0)->ipRanges->get(0)->cidrIp);
$this->assertEquals('198.51.100.0/24', $ipperm3->get(0)->ipRanges->get(1)->cidrIp);
//The same can be produced in the another way
$ipperm4 = new IpPermissionList(new IpPermissionData('tcp', 80, 80, array(new IpRangeData('192.0.2.0/24'), new IpRangeData('198.51.100.0/24'))));
//Checks the equality
$this->assertEquals($ipperm3->toArray(), $ipperm4->toArray());
//Authorizes IP Permission Egress
$ret = $sg->authorizeEgress($ipperm3);
$this->assertTrue($ret);
sleep(1);
//Checks if specified IP Permission is successfully set
$sg->refresh();
$this->assertContains('192.0.2.0/24', $sg->ipPermissionsEgress->getQueryArrayBare());
//Revokes IP Permission Egress
//You may pass an array directly to the method
$ret = $sg->revokeEgress($ipperm3array);
$this->assertTrue($ret);
sleep(3);
$sg->refresh();
//Checks if IP Permission is successfully revoked.
$this->assertNotContains('192.0.2.0/24', $sg->ipPermissionsEgress->getQueryArrayBare());
$this->assertNotContains('198.51.100.0/24', $sg->ipPermissionsEgress->getQueryArrayBare());
//Creates subneet for the networkInterface
$subnet = $aws->ec2->subnet->create($vpc->vpcId, '10.0.0.0/16');
$this->assertInstanceOf($this->getEc2ClassName('DataType\\SubnetData'), $subnet);
for ($t = time(); time() - $t < 600 && $subnet->state !== SubnetData::STATE_AVAILABLE;) {
sleep(5);
$subnet = $subnet->refresh();
}
$this->assertTrue($subnet->state == SubnetData::STATE_AVAILABLE);
$ret = $subnet->createTags($nameTag);
$this->assertTrue($ret);
//Creates network interface
$eni = $aws->ec2->networkInterface->create($subnet->subnetId);
$this->assertInstanceOf($this->getEc2ClassName('DataType\\NetworkInterfaceData'), $eni);
sleep(4);
$ret = $eni->createTags($nameTag);
$this->assertTrue($ret);
//DescribeAttribute test
foreach (NetworkInterfaceAttributeType::getAllowedValues() as $attr) {
$expected = $eni->{$attr};
$v = $eni->describeAttribute($attr);
$this->assertEquals($expected, $v);
if (is_object($v)) {
//It's true only if entityManager is enabled
$this->assertSame($eni->{$attr}, $v);
}
}
//ModifyAttribute test
$ret = $eni->modifyAttribute(NetworkInterfaceAttributeType::sourceDestCheck(), true);
$this->assertTrue($ret);
//ResetAttrubute test
$ret = $eni->resetAttribute(NetworkInterfaceAttributeType::sourceDestCheck());
$this->assertTrue($ret);
//Creates Internet Gateway
$igw = $aws->ec2->internetGateway->create();
$this->assertInstanceOf($this->getEc2ClassName('DataType\\InternetGatewayData'), $igw);
$this->assertNotEmpty($igw->internetGatewayId);
sleep(4);
$igw->createTags($nameTag);
//Attaches Internet Gateway to VPC
$ret = $igw->attach($vpc->vpcId);
$this->assertTrue($ret);
$t = time();
do {
sleep(3);
$igw = $igw->refresh();
//Verifies that external index for attachmentSet is set properly.
$this->assertEquals($igw->internetGatewayId, $igw->attachmentSet[0]->getInternetGatewayId());
} while (time() - $t < 100 && $igw->attachmentSet[0]->state != InternetGatewayAttachmentData::STATE_ATTACHED);
$this->assertTrue($igw->attachmentSet[0]->state == InternetGatewayAttachmentData::STATE_AVAILABLE);
//Detaches Internet Gateway from VPC
$ret = $igw->detach($vpc->vpcId);
$this->assertTrue($ret);
for ($t = time(); time() - $t < 100 && count($igw->attachmentSet) && $igw->attachmentSet[0]->state == InternetGatewayAttachmentData::STATE_DETACHING; sleep(3)) {
$igw = $igw->refresh();
}
$this->assertTrue($igw->attachmentSet[0]->state !== InternetGatewayAttachmentData::STATE_DETACHING);
//Creates RouteTable
$rt = $vpc->createRouteTable();
$this->assertInstanceOf($this->getEc2ClassName('DataType\\RouteTableData'), $rt);
$this->assertNotEmpty($rt->routeTableId);
$this->assertEquals($vpc->vpcId, $rt->vpcId);
sleep(5);
$ret = $rt->createTags($nameTag);
$this->assertTrue($ret);
//Associates route table with the subnet
$associationId = $rt->associate($subnet->subnetId);
$this->assertNotEmpty($associationId);
$rt = $rt->refresh();
$this->assertTrue(count($rt->associationSet) > 0);
$c = array();
foreach ($rt->associationSet as $rtassoc) {
/* @var $rtassoc RouteTableAssociationData */
$c[] = $rtassoc->routeTableAssociationId;
}
$this->assertContains($associationId, $c);
//Adds Route to Route Table
$destinationCidrBlock = '0.0.0.0/0';
$ret = $rt->createRoute($destinationCidrBlock, null, null, $eni->networkInterfaceId);
$this->assertTrue($ret);
$rt = $rt->refresh();
$this->assertTrue(count($rt->routeSet) > 0);
$c = array();
foreach ($rt->routeSet as $route) {
/* @var $route RouteData */
$c[$route->destinationCidrBlock] = $route;
unset($route);
}
$this->assertArrayHasKey($destinationCidrBlock, $c);
$route = $c[$destinationCidrBlock];
//Deletes Route
$ret = $route->delete();
$this->assertTrue($ret);
unset($route);
$rt = $rt->refresh();
//Disassociates route table with the subnet
foreach ($rt->associationSet as $rtassoc) {
if ($rtassoc->routeTableAssociationId == $associationId) {
$ret = $rtassoc->disassociate();
$this->assertTrue($ret);
}
}
//RunInstance test
$request = new RunInstancesRequestData(self::INSTANCE_IMAGE_ID, 1, 1);
$request->instanceType = self::INSTANCE_TYPE;
//Placement groups may not be used with instances of type 'm1.small'.
$request->setPlacement(new PlacementResponseData($subnet->availabilityZone));
$request->setMonitoring(true);
// test Assosiate Public Ip
$instanceList = new Ec2\DataType\InstanceNetworkInterfaceSetRequestList();
$instanceData = new Ec2\DataType\InstanceNetworkInterfaceSetRequestData();
$instanceData->deviceIndex = 0;
$instanceData->associatePublicIpAddress = true;
$instanceData->subnetId = $subnet->subnetId;
$instanceList->append($instanceData);
$request->setNetworkInterface($instanceList);
$request->userData = base64_encode("test=26;");
$rd = $aws->ec2->instance->run($request);
$this->assertInstanceOf($this->getEc2ClassName('DataType\\ReservationData'), $rd);
sleep(60);
//Terminates the instance
$ind = $rd->instancesSet[0];
$st = $ind->terminate();
$this->assertInstanceOf($this->getEc2ClassName('DataType\\InstanceStateChangeList'), $st);
$this->assertEquals(1, count($st));
$this->assertEquals($rd->instancesSet[0]->instanceId, $st[0]->getInstanceId());
for ($t = time(); time() - $t < 200 && $ind && $ind->instanceState->name != InstanceStateData::NAME_TERMINATED; sleep(5)) {
$ind = $ind->refresh();
}
$this->assertTrue(!$ind || $ind->instanceState->name == InstanceStateData::NAME_TERMINATED);
if (isset($ind)) {
unset($ind);
}
//Removes Route Table
$ret = $rt->delete();
$this->assertTrue($ret);
//Removes Internet Gateway
$ret = $igw->delete();
$this->assertTrue($ret);
//Removes Network Interface
$ret = $eni->delete();
$this->assertTrue($ret);
//Removes Subnet
$ret = $subnet->delete();
$this->assertTrue($ret);
//Removes securigy group
$ret = $sg->delete();
$this->assertTrue($ret);
//Removes VPC
$ret = $vpc->delete();
$this->assertTrue($ret);
$aws->ec2->getEntityManager()->detachAll();
}
/**
* RevokeSecurityGroupIngress action
*
* This action applies to both EC2 security groups and VPC security groups.
* This action removes one or more ingress rules from a security group. The values that you specify in the
* revoke request (e.g., ports, etc.) must match the existing rule's values for the rule to be removed.
*
* Each rule consists of the protocol and the CIDR range or source security group. For the TCP and UDP
* protocols, you must also specify the destination port or range of ports. For the ICMP protocol, you must
* also specify the ICMP type and code.
*
* Rule changes are propagated to instances within the security group as quickly as possible. However,
* depending on the number of instances, a small delay might occur
*
* @param IpPermissionList $ipPermissions Ip permission list object
* @param string $groupId optional The ID of the EC2 or VPC security group to modify.
* The group must belong to your account.
* @param string $groupName optional The name of the EC2 security group to modify.
* It can be used instead of group ID for EC2 security groups.
* @return bool Returns true on success
* @throws ClientException
* @throws Ec2Exception
* @throws \InvalidArgumentException
*/
public function revokeSecurityGroupIngress(IpPermissionList $ipPermissions, $groupId = null, $groupName = null)
{
$result = false;
$options = $ipPermissions->getQueryArrayBare('IpPermissions');
if ($groupName === null && $groupId === null || $groupName !== null && $groupId !== null) {
throw new \InvalidArgumentException(sprintf('Either groupName or groupId is required for the %s. ' . 'Also you cannot specify both in the same call.', __METHOD__));
}
if ($groupId !== null) {
$options['GroupId'] = (string) $groupId;
} else {
if ($groupName !== null) {
$options['GroupName'] = (string) $groupName;
}
}
$response = $this->client->call(ucfirst(__FUNCTION__), $options);
if ($response->getError() === false) {
$sxml = simplexml_load_string($response->getRawContent());
if ((string) $sxml->return != 'true') {
throw new Ec2Exception(sprintf('Amazon Ec2 could not revoke ingress rules to a security group "%s". It returned "%s"', $options['GroupId'] ?: $options['GroupName'], $sxml->return));
}
$result = true;
}
return $result;
}
private function updateRules($platform, $cloudLocation, $securityGroupId, $rules, $method)
{
$cloudInstance = $this->getCloudInstance($platform, $cloudLocation);
$ipPermissionList = new IpPermissionList();
foreach ($rules['rules'] as $rule) {
$ipPermissionList->append(new IpPermissionData($rule['ipProtocol'], $rule['fromPort'], $rule['toPort'], new IpRangeList(new IpRangeData($rule['cidrIp'])), null));
}
foreach ($rules['sgRules'] as $rule) {
$chunks = explode("/", $rule['sg']);
$userId = $chunks[0];
$name = $chunks[1];
$ipPermissionList->append(new IpPermissionData($rule['ipProtocol'], $rule['fromPort'], $rule['toPort'], null, new UserIdGroupPairList(new UserIdGroupPairData($userId, null, $name))));
}
if ($method == 'add') {
$cloudInstance->ec2->securityGroup->authorizeIngress($ipPermissionList, $securityGroupId);
} else {
$cloudInstance->ec2->securityGroup->revokeIngress($ipPermissionList, $securityGroupId);
}
}
private function saveGroupRulesEc2($platform, $cloudLocation, $securityGroupId, $rules, $action)
{
$sgService = $this->getPlatformService($platform, $cloudLocation);
$ipPermissionList = new IpPermissionList();
foreach ($rules['rules'] as $rule) {
$ipPermissionList->append(new IpPermissionData($rule['ipProtocol'], $rule['fromPort'], $rule['toPort'], new IpRangeList(new IpRangeData($rule['cidrIp'])), null));
}
foreach ($rules['sgRules'] as $rule) {
$chunks = explode("/", $rule['sg']);
$userId = $chunks[0];
$name = $chunks[1];
$sgId = null;
if (substr($name, 0, 3) == 'sg-') {
$sgId = $name;
$name = null;
}
$ipPermissionList->append(new IpPermissionData($rule['ipProtocol'], $rule['fromPort'], $rule['toPort'], null, new UserIdGroupPairList(new UserIdGroupPairData($userId, $sgId, $name))));
}
if ($action == 'add') {
$sgService->authorizeIngress($ipPermissionList, $securityGroupId);
} else {
$sgService->revokeIngress($ipPermissionList, $securityGroupId);
}
}
private function saveGroupRulesEc2($platform, $cloudLocation, $groupData, $rules, $action)
{
$securityGroupId = $groupData['id'];
$sgService = $this->getPlatformService($platform, $cloudLocation);
$ipPermissionListIngress = new IpPermissionList();
$ipPermissionListEgress = new IpPermissionList();
foreach ($rules['rules'] as $rule) {
$item = new IpPermissionData($rule['ipProtocol'] == 'ANY' ? '-1' : $rule['ipProtocol'], $rule['fromPort'], $rule['toPort'], new IpRangeList(new IpRangeData($rule['cidrIp'])), null);
if ($rule['type'] == self::OUTBOUND_RULE) {
$ipPermissionListEgress->append($item);
} else {
$ipPermissionListIngress->append($item);
}
}
foreach ($rules['sgRules'] as $rule) {
$chunks = explode("/", $rule['sg']);
$userId = $chunks[0];
$name = $chunks[1];
$sgId = null;
if (substr($name, 0, 3) == 'sg-') {
$sgId = $name;
$name = null;
}
$item = new IpPermissionData($rule['ipProtocol'] == 'ANY' ? '-1' : $rule['ipProtocol'], $rule['fromPort'], $rule['toPort'], null, new UserIdGroupPairList(new UserIdGroupPairData($userId, $sgId, $name)));
if ($rule['type'] == self::OUTBOUND_RULE) {
$ipPermissionListEgress->append($item);
} else {
$ipPermissionListIngress->append($item);
}
}
if ($action == 'add') {
if (count($ipPermissionListIngress)) {
$sgService->authorizeIngress($ipPermissionListIngress, $securityGroupId);
}
if (count($ipPermissionListEgress)) {
$sgService->authorizeEgress($ipPermissionListEgress, $securityGroupId);
}
} else {
if (count($ipPermissionListIngress)) {
$sgService->revokeIngress($ipPermissionListIngress, $securityGroupId);
}
if (count($ipPermissionListEgress)) {
$sgService->revokeEgress($ipPermissionListEgress, $securityGroupId);
}
}
}
