Returns the security group policy name for a service
public static getEc2SecurityGroupPolicyNameForService ( string $serviceName ) : string
$serviceName | string | Service name (rds, elb ...) |
return | string | Policy name |
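/**
 * Gets the default VPC security group list for the given VPC.
 *
 * The list is derived from the EC2 security-group governance policy selected by
 * $serviceName: every policy entry is resolved against the groups that belong to $vpcId.
 * When no policy exists at all, the VPC's own "default" group is returned if present.
 *
 * @param SecurityGroupList $sgList      Security groups of the environment (only those in $vpcId are considered)
 * @param string            $vpcId       VPC identifier the returned groups must belong to
 * @param string|null       $serviceName Service name (rds, elb ...) used to select the governance policy
 * @return array List of ['securityGroupId' => string|null, 'securityGroupName' => string];
 *               securityGroupId is null when a policy entry has no single matching group in the VPC
 */
private function getDefaultSgRow($sgList, $vpcId, $serviceName = null)
{
    $governance = new Scalr_Governance($this->getEnvironmentId());
    $governanceSecurityGroups = $governance->getValue(
        SERVER_PLATFORMS::EC2,
        Scalr_Governance::getEc2SecurityGroupPolicyNameForService($serviceName),
        null
    );

    // groupName => groupId for the groups that live in the requested VPC
    $vpcSgList = [];
    foreach ($sgList as $sg) {
        if ($sg->vpcId == $vpcId) {
            $vpcSgList[$sg->groupName] = $sg->groupId;
        }
    }

    // Policy entries are a comma separated list; entries containing '*' are wildcard patterns.
    $sgDefaultNames = [];
    $wildCardSgDefaultNames = [];
    if (!empty($governanceSecurityGroups['value'])) {
        foreach (explode(',', $governanceSecurityGroups['value']) as $entry) {
            $entry = trim($entry);
            if ($entry === '') {
                // whitespace-only entries are skipped instead of becoming an empty group name
                continue;
            }
            $sgDefaultNames[] = $entry;
            if (strpos($entry, '*') !== false) {
                $wildCardSgDefaultNames[] = $entry;
            }
        }
    }

    $defaultSecurityGroups = [];

    if (!empty($sgDefaultNames)) {
        $foundVpcSgNames = [];
        foreach ($sgDefaultNames as $groupName) {
            if (isset($vpcSgList[$groupName])) {
                $defaultSecurityGroups[] = ['securityGroupId' => $vpcSgList[$groupName], 'securityGroupName' => $groupName];
                $foundVpcSgNames[] = $groupName;
                continue;
            }
            if (!in_array($groupName, $wildCardSgDefaultNames, true)) {
                // plain name with no such group in this VPC: reported below as missing
                continue;
            }
            // A wildcard entry resolves to a concrete group only when exactly one VPC group matches;
            // zero or several matches leave the id null so the caller can see the ambiguity.
            // NOTE(review): the regexp is built by convertAsteriskPatternToRegexp from the policy
            // value; it is assumed to escape everything except '*' — confirm there.
            $groupNamePattern = \Scalr_Governance::convertAsteriskPatternToRegexp($groupName);
            $wildCardMatchedSgs = [];
            foreach ($vpcSgList as $sgGroupName => $sgGroupId) {
                if (preg_match($groupNamePattern, $sgGroupName) === 1) {
                    $wildCardMatchedSgs[] = $sgGroupName;
                }
            }
            if (count($wildCardMatchedSgs) === 1) {
                $defaultSecurityGroups[] = [
                    'securityGroupId' => $vpcSgList[$wildCardMatchedSgs[0]],
                    'securityGroupName' => $wildCardMatchedSgs[0],
                ];
            } else {
                $defaultSecurityGroups[] = ['securityGroupId' => null, 'securityGroupName' => $groupName];
            }
            $foundVpcSgNames[] = $groupName;
        }

        // Required groups that do not exist in this VPC are still returned, with a null id.
        foreach (array_diff($sgDefaultNames, $foundVpcSgNames) as $missingSg) {
            $defaultSecurityGroups[] = ['securityGroupId' => null, 'securityGroupName' => $missingSg];
        }
    } elseif (isset($vpcSgList['default']) && empty($governanceSecurityGroups)) {
        // No policy at all: fall back to the VPC's own default group
        $defaultSecurityGroups[] = ['securityGroupId' => $vpcSgList['default'], 'securityGroupName' => 'default'];
    }

    return $defaultSecurityGroups;
}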
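/**
 * Applies the environment's security-group governance policy to a security group list.
 *
 * When $options['considerGovernance'] is set, the list is reduced to what the policy allows:
 * groups named by the policy (exact name, compared case-insensitively, or a regexp pattern)
 * are kept and flagged addedByGovernance/ignoreOnSave; any other group survives only when
 * the policy allows additional groups (optionally restricted to a second pattern list).
 * Required entries that no group satisfies are appended as placeholder rows with a null id,
 * unless $options['existingGroupsOnly'] is set.
 *
 * @param array  $list          Security groups as ['id' => ..., 'name' => ..., ...] rows
 * @param string $platform      Platform: EC2, an OpenStack or a CloudStack platform
 * @param string $cloudLocation Cloud location (not used here; kept for the caller's signature)
 * @param array  $options       considerGovernance, serviceName (EC2 only), osFamily, existingGroupsOnly
 * @return array Filtered list keyed by group id (placeholders appended with numeric keys);
 *               $list unchanged when governance is not considered or no policy is set
 */
private function applyGovernanceToSgList($list, $platform, $cloudLocation, $options)
{
    if (empty($options['considerGovernance'])) {
        return $list;
    }

    $governance = new Scalr_Governance($this->getEnvironmentId());
    // Platforms without a security-group policy leave this null, which skips the filtering below.
    $governanceSecurityGroups = null;
    if ($platform == SERVER_PLATFORMS::EC2) {
        $governanceSecurityGroups = $governance->getValue(
            SERVER_PLATFORMS::EC2,
            Scalr_Governance::getEc2SecurityGroupPolicyNameForService($options['serviceName']),
            null
        );
    } elseif (PlatformFactory::isOpenstack($platform)) {
        $governanceSecurityGroups = $governance->getValue($platform, Scalr_Governance::OPENSTACK_SECURITY_GROUPS, null);
    } elseif (PlatformFactory::isCloudstack($platform)) {
        $governanceSecurityGroups = $governance->getValue($platform, Scalr_Governance::CLOUDSTACK_SECURITY_GROUPS, null);
    }

    if (!$governanceSecurityGroups) {
        return $list;
    }

    // Windows instances may have their own required list; otherwise the generic one applies.
    $requiredSource = ($options['osFamily'] == 'windows' && $governanceSecurityGroups['windows'])
        ? $governanceSecurityGroups['windows']
        : $governanceSecurityGroups['value'];
    $sgRequiredPatterns = \Scalr_Governance::prepareSecurityGroupsPatterns($requiredSource);
    $allowAdditional = (bool) $governanceSecurityGroups['allow_additional_sec_groups'];
    $sgOptionalPatterns = $allowAdditional
        ? \Scalr_Governance::prepareSecurityGroupsPatterns($governanceSecurityGroups['additional_sec_groups_list'])
        : [];

    // Patterns are updated by key below instead of through foreach references: the original
    // by-reference loops left $sgRequiredPattern bound to the last entry, so the final by-value
    // foreach overwrote that entry while iterating.
    $filteredSg = [];
    foreach ($list as $sg) {
        $sgNameLowerCase = strtolower($sg['name']);

        // Pass 1: is the group acceptable as an "additional" group?
        $sgAllowed = false;
        if ($allowAdditional) {
            if (empty($sgOptionalPatterns) || isset($sgOptionalPatterns[$sgNameLowerCase])) {
                $sgAllowed = true;
            } else {
                foreach ($sgOptionalPatterns as $sgOptionalPattern) {
                    if (isset($sgOptionalPattern['regexp']) && preg_match($sgOptionalPattern['regexp'], $sg['name']) === 1) {
                        $sgAllowed = true;
                        break;
                    }
                }
            }
        }

        // Pass 2: is the group required by the policy? Exact names are resolved immediately;
        // regexp patterns only collect candidates and are resolved below when unambiguous.
        if (isset($sgRequiredPatterns[$sgNameLowerCase])) {
            $sgAllowed = true;
            $sg['addedByGovernance'] = true;
            $sg['ignoreOnSave'] = true;
            $sgRequiredPatterns[$sgNameLowerCase]['found'] = true;
        } else {
            foreach ($sgRequiredPatterns as $patternName => $sgRequiredPattern) {
                if (isset($sgRequiredPattern['regexp']) && preg_match($sgRequiredPattern['regexp'], $sg['name']) === 1) {
                    $sgRequiredPatterns[$patternName]['matches'][] = $sg;
                    break;
                }
            }
        }

        if ($sgAllowed) {
            $filteredSg[$sg['id']] = $sg;
        }
    }

    // A regexp entry is satisfied only when it matched exactly one group; that group is then kept
    // even if it was not otherwise allowed. Zero or several matches leave the entry unsatisfied.
    foreach ($sgRequiredPatterns as $patternName => $sgRequiredPattern) {
        if (isset($sgRequiredPattern['matches']) && count($sgRequiredPattern['matches']) === 1) {
            $sg = $sgRequiredPattern['matches'][0];
            if (!isset($filteredSg[$sg['id']])) {
                $filteredSg[$sg['id']] = $sg;
            }
            $filteredSg[$sg['id']]['addedByGovernance'] = true;
            $filteredSg[$sg['id']]['ignoreOnSave'] = true;
            $sgRequiredPatterns[$patternName]['found'] = true;
        }
    }

    $list = $filteredSg;

    // Unsatisfied required entries are surfaced as placeholder rows so the caller can show them.
    if (empty($options['existingGroupsOnly'])) {
        foreach ($sgRequiredPatterns as $sgRequiredPattern) {
            if (empty($sgRequiredPattern['found'])) {
                $list[] = [
                    'id' => null,
                    'name' => $sgRequiredPattern['value'],
                    'description' => null,
                    'vpcId' => null,
                    'owner' => null,
                    'addedByGovernance' => true,
                    'ignoreOnSave' => true,
                ];
            }
        }
    }

    return $list;
}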
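/**
 * Lists EC2 security groups of a cloud location, optionally restricted by filters and
 * reduced to what the environment's security-group governance policy allows.
 *
 * @param string $platform      Platform (EC2)
 * @param string $cloudLocation Cloud location to query
 * @param array  $filters       Optional keys: sgIds (group ids to describe), vpcId (present but
 *                              empty means "use the default VPC, else hide VPC groups"),
 *                              considerGovernance, serviceName, osFamily, existingGroupsOnly
 * @return array Rows ['id', 'name', 'description', 'vpcId', 'owner'], plus addedByGovernance
 *               where the policy applies; keyed by group id once governance was applied
 */
private function listGroupsEc2($platform, $cloudLocation, $filters)
{
    if (!is_array($filters)) {
        $filters = [];
    }

    // Describe-filters are only sent when at least one was requested; null means "no filter".
    $describeFilters = [];
    if (!empty($filters['sgIds'])) {
        $describeFilters[] = ['name' => SecurityGroupFilterNameType::groupId(), 'value' => $filters['sgIds']];
    }

    // A present-but-empty vpcId asks for the account's default VPC, when there is one.
    if (array_key_exists('vpcId', $filters) && empty($filters['vpcId'])) {
        $p = PlatformFactory::NewPlatform(SERVER_PLATFORMS::EC2);
        $defaultVpc = $p->getDefaultVpc($this->environment, $cloudLocation);
        if ($defaultVpc) {
            $filters['vpcId'] = $defaultVpc;
        }
    }
    if (!empty($filters['vpcId'])) {
        $describeFilters[] = ['name' => SecurityGroupFilterNameType::vpcId(), 'value' => $filters['vpcId']];
    }
    $sgFilter = !empty($describeFilters) ? $describeFilters : null;

    $sgList = $this->getPlatformService($platform, $cloudLocation)->describe(null, null, $sgFilter);

    // We don't want to see VPC security groups when $filters['vpcId'] == null (no default VPC was
    // found). Loose comparison kept on purpose: '' and null both mean "no VPC".
    $hideVpcGroups = array_key_exists('vpcId', $filters) && $filters['vpcId'] == null;

    $result = [];
    /* @var $sg SecurityGroupData */
    foreach ($sgList as $sg) {
        if ($hideVpcGroups && $sg->vpcId) {
            continue;
        }
        $result[] = [
            'id' => $sg->groupId,
            'name' => $sg->groupName,
            'description' => $sg->groupDescription,
            'vpcId' => $sg->vpcId,
            'owner' => $sg->ownerId,
        ];
    }

    if (empty($filters['considerGovernance'])) {
        return $result;
    }

    // NOTE(review): this mirrors applyGovernanceToSgList() except that rows are not flagged
    // ignoreOnSave and the policy lookup defaults to '' — kept separate to preserve that output.
    $governance = new Scalr_Governance($this->getEnvironmentId());
    $serviceName = isset($filters['serviceName']) ? $filters['serviceName'] : null;
    $governanceSecurityGroups = $governance->getValue(
        SERVER_PLATFORMS::EC2,
        Scalr_Governance::getEc2SecurityGroupPolicyNameForService($serviceName),
        ''
    );
    if (!$governanceSecurityGroups) {
        return $result;
    }

    // Windows instances may have their own required list; otherwise the generic one applies.
    $isWindows = isset($filters['osFamily']) && $filters['osFamily'] == 'windows';
    $requiredSource = ($isWindows && $governanceSecurityGroups['windows'])
        ? $governanceSecurityGroups['windows']
        : $governanceSecurityGroups['value'];
    $sgRequiredPatterns = \Scalr_Governance::prepareSecurityGroupsPatterns($requiredSource);
    $allowAdditional = (bool) $governanceSecurityGroups['allow_additional_sec_groups'];
    $sgOptionalPatterns = $allowAdditional
        ? \Scalr_Governance::prepareSecurityGroupsPatterns($governanceSecurityGroups['additional_sec_groups_list'])
        : [];

    // Patterns are updated by key instead of through foreach references: the original
    // by-reference loops left $sgRequiredPattern bound to the last entry, so the final by-value
    // foreach overwrote that entry while iterating.
    $filteredSg = [];
    foreach ($result as $sg) {
        $sgNameLowerCase = strtolower($sg['name']);

        // Pass 1: is the group acceptable as an "additional" group?
        $sgAllowed = false;
        if ($allowAdditional) {
            if (empty($sgOptionalPatterns) || isset($sgOptionalPatterns[$sgNameLowerCase])) {
                $sgAllowed = true;
            } else {
                foreach ($sgOptionalPatterns as $sgOptionalPattern) {
                    if (isset($sgOptionalPattern['regexp']) && preg_match($sgOptionalPattern['regexp'], $sg['name']) === 1) {
                        $sgAllowed = true;
                        break;
                    }
                }
            }
        }

        // Pass 2: is the group required by the policy? Exact names are resolved immediately;
        // regexp patterns only collect candidates and are resolved below when unambiguous.
        if (isset($sgRequiredPatterns[$sgNameLowerCase])) {
            $sgAllowed = true;
            $sg['addedByGovernance'] = true;
            $sgRequiredPatterns[$sgNameLowerCase]['found'] = true;
        } else {
            foreach ($sgRequiredPatterns as $patternName => $sgRequiredPattern) {
                if (isset($sgRequiredPattern['regexp']) && preg_match($sgRequiredPattern['regexp'], $sg['name']) === 1) {
                    $sgRequiredPatterns[$patternName]['matches'][] = $sg;
                    break;
                }
            }
        }

        if ($sgAllowed) {
            $filteredSg[$sg['id']] = $sg;
        }
    }

    // A regexp entry is satisfied only when it matched exactly one group; that group is then kept
    // even if it was not otherwise allowed. Zero or several matches leave the entry unsatisfied.
    foreach ($sgRequiredPatterns as $patternName => $sgRequiredPattern) {
        if (isset($sgRequiredPattern['matches']) && count($sgRequiredPattern['matches']) === 1) {
            $sg = $sgRequiredPattern['matches'][0];
            if (!isset($filteredSg[$sg['id']])) {
                $filteredSg[$sg['id']] = $sg;
            }
            $filteredSg[$sg['id']]['addedByGovernance'] = true;
            $sgRequiredPatterns[$patternName]['found'] = true;
        }
    }

    $result = $filteredSg;

    // Unsatisfied required entries are surfaced as placeholder rows so the caller can show them.
    if (empty($filters['existingGroupsOnly'])) {
        foreach ($sgRequiredPatterns as $sgRequiredPattern) {
            if (empty($sgRequiredPattern['found'])) {
                $result[] = [
                    'id' => null,
                    'name' => $sgRequiredPattern['value'],
                    'description' => null,
                    'vpcId' => null,
                    'owner' => null,
                    'addedByGovernance' => true,
                ];
            }
        }
    }

    return $result;
}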
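/**
 * Checks a set of VPC security groups against the EC2 security-group governance policy.
 *
 * Group names are compared case-insensitively. Violations are reported in this order:
 * required groups that do not exist in the VPC (rows without an id), required entries
 * (exact name or regexp) that none of the given groups satisfies, and groups that are
 * neither required nor allowed as additional groups.
 *
 * @param Scalr\UI\Request\JsonData $vpcSecurityGroups Rows with 'id' and 'name' keys
 * @param string|bool               $serviceName       Service name (rds, elb ...); passed through
 *                                                     to getEc2SecurityGroupPolicyNameForService
 * @return bool|string Returns error message if access to some data restricted. True otherwise.
 * @throws Scalr_Exception_Core
 */
public function checkSecurityGroupsPolicy($vpcSecurityGroups, $serviceName = false)
{
    $governance = new Scalr_Governance($this->getEnvironmentId());
    $value = $governance->getValue(
        SERVER_PLATFORMS::EC2,
        Scalr_Governance::getEc2SecurityGroupPolicyNameForService($serviceName),
        ''
    );
    if (empty($value)) {
        // no policy configured for this service
        return true;
    }

    // lowercase name => id; rows without an id are groups that do not exist in the VPC
    $vpcSecurityGroupNames = [];
    $notFoundGroups = [];
    if (!empty($vpcSecurityGroups)) {
        foreach ($vpcSecurityGroups as $vpcSecurityGroup) {
            $nameLowerCase = strtolower($vpcSecurityGroup['name']);
            if (empty($vpcSecurityGroup['id'])) {
                $notFoundGroups[] = $nameLowerCase;
            }
            $vpcSecurityGroupNames[$nameLowerCase] = $vpcSecurityGroup['id'];
        }
    }

    if (empty($vpcSecurityGroupNames)) {
        return true;
    }

    if (!empty($value['value']) && !empty($notFoundGroups)) {
        $s = count($notFoundGroups) > 1 ? 's' : '';
        $es = $s ? '' : 'e'; // "do not" vs "does not"
        $they = $s ? 'they' : 'it';
        return sprintf(
            "A Security Group Policy is active in this Environment, and requires that you attach the following Security Group%s to your instance: %s, but %s do%s not exist in current VPC.",
            $s,
            implode(', ', $notFoundGroups),
            $they,
            $es
        );
    }

    $sgRequiredPatterns = \Scalr_Governance::prepareSecurityGroupsPatterns($value['value']);
    $sgOptionalPatterns = !empty($value['allow_additional_sec_groups'])
        ? \Scalr_Governance::prepareSecurityGroupsPatterns($value['additional_sec_groups_list'])
        : [];

    // Every required entry must be satisfied by an exact (lowercase) name or by its regexp.
    $missingGroups = [];
    foreach ($sgRequiredPatterns as $patternName => $sgRequiredPattern) {
        if (isset($vpcSecurityGroupNames[$patternName])) {
            continue;
        }
        $sgGroupExists = false;
        if (isset($sgRequiredPattern['regexp'])) {
            foreach (array_keys($vpcSecurityGroupNames) as $sgGroupName) {
                if (preg_match($sgRequiredPattern['regexp'], $sgGroupName) === 1) {
                    $sgGroupExists = true;
                    break;
                }
            }
        }
        if (!$sgGroupExists) {
            $missingGroups[] = $sgRequiredPattern['value'];
        }
    }
    if (!empty($missingGroups)) {
        return sprintf(
            "A Security Group Policy is active in this Environment, and requires that you attach the following Security Groups to your instance: %s",
            implode(', ', $missingGroups)
        );
    }

    // Additional groups are either forbidden entirely or restricted to the optional pattern list;
    // the first group allowed by neither the required nor the optional patterns is reported.
    if (empty($value['allow_additional_sec_groups']) || !empty($sgOptionalPatterns)) {
        foreach (array_keys($vpcSecurityGroupNames) as $sgGroupName) {
            $allowed = !empty($sgRequiredPatterns)
                && \Scalr_Governance::isSecurityGroupNameAllowed($sgGroupName, $sgRequiredPatterns);
            if (!$allowed && !empty($sgOptionalPatterns)) {
                $allowed = \Scalr_Governance::isSecurityGroupNameAllowed($sgGroupName, $sgOptionalPatterns);
            }
            if (!$allowed) {
                return sprintf(
                    "A Security Group Policy is active in this Environment, and you can't apply additional security groups to your instance (%s).",
                    $sgGroupName
                );
            }
        }
    }

    return true;
}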