getEc2SecurityGroupPolicyNameForService() public static method

Returns Security group policy name for service
public static getEc2SecurityGroupPolicyNameForService ( string $serviceName ) : string
$serviceName string Service name (rds, elb ...)
return string Policy name
コード例 #1
ファイル: Ec2.php プロジェクト: mheydt/scalr
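 /**
  * Gets default vpc security group list
  *
  * Resolves the names configured in the EC2 security group governance policy
  * of the given service against the groups of $sgList that belong to $vpcId.
  * A plain name is resolved by exact group name. A name containing '*' is
  * resolved only when exactly one group of the VPC matches the pattern; with
  * zero or several matches the row keeps the pattern and a null id. Every
  * configured name that cannot be resolved is still returned, with a null
  * securityGroupId. When the governance lookup returns nothing, the VPC's
  * group named 'default' is returned if it exists.
  *
  * @param SecurityGroupList   $sgList      Security groups to search
  * @param string              $vpcId       Only groups of this VPC are considered
  * @param string              $serviceName optional Service name (rds, elb ...)
  * @return array Rows of ['securityGroupId' => string|null, 'securityGroupName' => string]
  */
 private function getDefaultSgRow($sgList, $vpcId, $serviceName = null)
 {
     $governance = new Scalr_Governance($this->getEnvironmentId());
     $governanceSecurityGroups = $governance->getValue(
         SERVER_PLATFORMS::EC2,
         Scalr_Governance::getEc2SecurityGroupPolicyNameForService($serviceName),
         null
     );

     // Group name => group id, restricted to the requested VPC
     $vpcSgList = [];
     foreach ($sgList as $sg) {
         // NOTE(review): loose comparison, so a null $vpcId also matches groups
         // whose vpcId is empty - confirm that this is intended
         if ($sg->vpcId == $vpcId) {
             $vpcSgList[$sg->groupName] = $sg->groupId;
         }
     }

     $sgDefaultNames = [];
     if (!empty($governanceSecurityGroups['value'])) {
         foreach (explode(',', $governanceSecurityGroups['value']) as $rawName) {
             // Trim before the emptiness test, so that a whitespace-only entry
             // ("a, ,b") is dropped instead of producing a group named ''
             $name = trim($rawName);
             if ($name !== '') {
                 $sgDefaultNames[] = $name;
             }
         }
     }

     if (empty($sgDefaultNames)) {
         // The 'default' group is offered only when the lookup returned nothing at all
         if (isset($vpcSgList['default']) && empty($governanceSecurityGroups)) {
             return [['securityGroupId' => $vpcSgList['default'], 'securityGroupName' => 'default']];
         }

         return [];
     }

     $defaultSecurityGroups = [];
     $unresolvedNames = [];
     foreach ($sgDefaultNames as $groupName) {
         if (isset($vpcSgList[$groupName])) {
             $defaultSecurityGroups[] = ['securityGroupId' => $vpcSgList[$groupName], 'securityGroupName' => $groupName];
             continue;
         }

         if (strpos($groupName, '*') === false) {
             // Plain name without a group in this VPC: reported after the resolved rows
             $unresolvedNames[] = $groupName;
             continue;
         }

         $wildCardMatchedSgs = [];
         $groupNamePattern = \Scalr_Governance::convertAsteriskPatternToRegexp($groupName);
         foreach ($vpcSgList as $sgGroupName => $sgGroupId) {
             if (preg_match($groupNamePattern, $sgGroupName) === 1) {
                 $wildCardMatchedSgs[] = $sgGroupName;
             }
         }

         if (count($wildCardMatchedSgs) == 1) {
             $matchedName = $wildCardMatchedSgs[0];
             $defaultSecurityGroups[] = ['securityGroupId' => $vpcSgList[$matchedName], 'securityGroupName' => $matchedName];
         } else {
             // No match or an ambiguous one: keep the pattern, leave the id unresolved
             $defaultSecurityGroups[] = ['securityGroupId' => null, 'securityGroupName' => $groupName];
         }
     }

     foreach ($unresolvedNames as $missingSg) {
         $defaultSecurityGroups[] = ['securityGroupId' => null, 'securityGroupName' => $missingSg];
     }

     return $defaultSecurityGroups;
 }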
コード例 #2
ファイル: Groups.php プロジェクト: scalr/scalr
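 /**
  * Applies governance to security groups list
  *
  * Does nothing unless $options['considerGovernance'] is set and a security
  * group policy exists for the platform. Otherwise the list is reduced to the
  * groups the policy allows: groups required by the policy (flagged
  * addedByGovernance and ignoreOnSave) plus, when additional groups are
  * allowed, those matching the optional list (or every group when that list
  * is empty). A required pattern counts as found only when exactly one group
  * matches it. Unless $options['existingGroupsOnly'] is set, each required
  * entry that was not found is appended as a placeholder row with a null id.
  *
  * @param array    $list            SG list, rows with at least 'id' and 'name'
  * @param string   $platform        Platform
  * @param string   $cloudLocation   Cloud location (not used by this method)
  * @param array    $options         options: considerGovernance, serviceName, osFamily, existingGroupsOnly
  * @return array
  */
 private function applyGovernanceToSgList($list, $platform, $cloudLocation, $options)
 {
     if (empty($options['considerGovernance'])) {
         return $list;
     }

     $governance = new Scalr_Governance($this->getEnvironmentId());

     // Initialised here, so that a platform matching none of the branches
     // below does not leave the variable undefined
     $governanceSecurityGroups = null;
     if ($platform == SERVER_PLATFORMS::EC2) {
         $governanceSecurityGroups = $governance->getValue(SERVER_PLATFORMS::EC2, Scalr_Governance::getEc2SecurityGroupPolicyNameForService($options['serviceName']), null);
     } elseif (PlatformFactory::isOpenstack($platform)) {
         $governanceSecurityGroups = $governance->getValue($platform, Scalr_Governance::OPENSTACK_SECURITY_GROUPS, null);
     } elseif (PlatformFactory::isCloudstack($platform)) {
         $governanceSecurityGroups = $governance->getValue($platform, Scalr_Governance::CLOUDSTACK_SECURITY_GROUPS, null);
     }

     if (!$governanceSecurityGroups) {
         return $list;
     }

     // A separate windows list, when configured, replaces the generic one
     $useWindowsList = isset($options['osFamily'])
         && $options['osFamily'] == 'windows'
         && !empty($governanceSecurityGroups['windows']);
     $sgRequiredPatterns = \Scalr_Governance::prepareSecurityGroupsPatterns(
         $useWindowsList ? $governanceSecurityGroups['windows'] : $governanceSecurityGroups['value']
     );

     $allowAdditional = !empty($governanceSecurityGroups['allow_additional_sec_groups']);
     $sgOptionalPatterns = $allowAdditional
         ? \Scalr_Governance::prepareSecurityGroupsPatterns($governanceSecurityGroups['additional_sec_groups_list'])
         : [];

     // NOTE(review): exact lookups below use the lower-cased name while the
     // regexps are applied to the name as stored; confirm that the patterns
     // built by prepareSecurityGroupsPatterns() are case-insensitive, otherwise
     // the two paths disagree on mixed-case names
     $filteredSg = [];
     foreach ($list as $sg) {
         $sgNameLowerCase = strtolower($sg['name']);
         $sgAllowed = false;

         if ($allowAdditional) {
             if (empty($sgOptionalPatterns)) {
                 // Additional groups allowed without a list: any group may be attached
                 $sgAllowed = true;
             } elseif (isset($sgOptionalPatterns[$sgNameLowerCase])) {
                 $sgAllowed = true;
             } else {
                 foreach ($sgOptionalPatterns as $sgOptionalPattern) {
                     if (isset($sgOptionalPattern['regexp']) && preg_match($sgOptionalPattern['regexp'], $sg['name']) === 1) {
                         $sgAllowed = true;
                         break;
                     }
                 }
             }
         }

         if (isset($sgRequiredPatterns[$sgNameLowerCase])) {
             $sgAllowed = true;
             $sg['addedByGovernance'] = true;
             $sg['ignoreOnSave'] = true;
             $sgRequiredPatterns[$sgNameLowerCase]['found'] = true;
         } else {
             // Written through the key instead of a foreach reference: a
             // reference left bound to the last element would be overwritten by
             // the by-value loop at the end of this method
             foreach ($sgRequiredPatterns as $patternKey => $sgRequiredPattern) {
                 if (isset($sgRequiredPattern['regexp']) && preg_match($sgRequiredPattern['regexp'], $sg['name']) === 1) {
                     $sgRequiredPatterns[$patternKey]['matches'][] = $sg;
                     break;
                 }
             }
         }

         if ($sgAllowed) {
             $filteredSg[$sg['id']] = $sg;
         }
     }

     // A required pattern is satisfied only by an unambiguous (single) match
     foreach ($sgRequiredPatterns as $patternKey => $sgRequiredPattern) {
         if (isset($sgRequiredPattern['matches']) && count($sgRequiredPattern['matches']) == 1) {
             $sg = $sgRequiredPattern['matches'][0];
             if (!isset($filteredSg[$sg['id']])) {
                 $filteredSg[$sg['id']] = $sg;
             }
             $filteredSg[$sg['id']]['addedByGovernance'] = true;
             $filteredSg[$sg['id']]['ignoreOnSave'] = true;
             $sgRequiredPatterns[$patternKey]['found'] = true;
         }
     }

     $list = $filteredSg;
     if (empty($options['existingGroupsOnly'])) {
         foreach ($sgRequiredPatterns as $sgRequiredPattern) {
             if (empty($sgRequiredPattern['found'])) {
                 // Placeholder for a required group that does not exist yet
                 $list[] = ['id' => null, 'name' => $sgRequiredPattern['value'], 'description' => null, 'vpcId' => null, 'owner' => null, 'addedByGovernance' => true, 'ignoreOnSave' => true];
             }
         }
     }

     return $list;
 }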
コード例 #3
ファイル: Groups.php プロジェクト: mheydt/scalr
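 /**
  * Lists EC2 security groups, optionally reduced by the governance policy
  *
  * Groups are fetched with the sgIds / vpcId filters. When 'vpcId' is present
  * in $filters but empty, the default VPC of the cloud location is used if
  * there is one; otherwise groups that belong to any VPC are left out.
  * With $filters['considerGovernance'] set and a security group policy in
  * place, only groups allowed by the policy are returned: required groups
  * (flagged addedByGovernance) plus, when additional groups are allowed, those
  * matching the optional list (or every group when that list is empty).
  * Unless $filters['existingGroupsOnly'] is set, each required entry that was
  * not found is appended as a placeholder row with a null id.
  *
  * @param string   $platform        Platform
  * @param string   $cloudLocation   Cloud location
  * @param array    $filters         sgIds, vpcId, considerGovernance, serviceName, osFamily, existingGroupsOnly
  * @return array   Rows of ['id', 'name', 'description', 'vpcId', 'owner'] (+ 'addedByGovernance')
  */
 private function listGroupsEc2($platform, $cloudLocation, $filters)
 {
     if (!is_array($filters)) {
         $filters = [];
     }

     // Stays null when no filter applies, which is what describe() receives then
     $sgFilter = null;
     if (!empty($filters['sgIds'])) {
         $sgFilter[] = ['name' => SecurityGroupFilterNameType::groupId(), 'value' => $filters['sgIds']];
     }

     if (array_key_exists('vpcId', $filters) && empty($filters['vpcId'])) {
         $p = PlatformFactory::NewPlatform(SERVER_PLATFORMS::EC2);
         $defaultVpc = $p->getDefaultVpc($this->environment, $cloudLocation);
         if ($defaultVpc) {
             $filters['vpcId'] = $defaultVpc;
         }
     }

     if (!empty($filters['vpcId'])) {
         $sgFilter[] = ['name' => SecurityGroupFilterNameType::vpcId(), 'value' => $filters['vpcId']];
     }

     $sgList = $this->getPlatformService($platform, $cloudLocation)->describe(null, null, $sgFilter);

     // we don't want to see VPC Security groups when $filters['vpcId'] == null
     $hideVpcGroups = array_key_exists('vpcId', $filters) && $filters['vpcId'] == null;

     $result = [];
     /* @var $sg SecurityGroupData */
     foreach ($sgList as $sg) {
         if ($hideVpcGroups && $sg->vpcId) {
             continue;
         }
         $result[] = ['id' => $sg->groupId, 'name' => $sg->groupName, 'description' => $sg->groupDescription, 'vpcId' => $sg->vpcId, 'owner' => $sg->ownerId];
     }

     // empty() instead of a bare read: the key is optional
     if (empty($filters['considerGovernance'])) {
         return $result;
     }

     $governance = new Scalr_Governance($this->getEnvironmentId());
     $governanceSecurityGroups = $governance->getValue(SERVER_PLATFORMS::EC2, Scalr_Governance::getEc2SecurityGroupPolicyNameForService($filters['serviceName']), '');
     if (!$governanceSecurityGroups) {
         return $result;
     }

     // A separate windows list, when configured, replaces the generic one
     $useWindowsList = isset($filters['osFamily'])
         && $filters['osFamily'] == 'windows'
         && !empty($governanceSecurityGroups['windows']);
     $sgRequiredPatterns = \Scalr_Governance::prepareSecurityGroupsPatterns(
         $useWindowsList ? $governanceSecurityGroups['windows'] : $governanceSecurityGroups['value']
     );

     $allowAdditional = !empty($governanceSecurityGroups['allow_additional_sec_groups']);
     $sgOptionalPatterns = $allowAdditional
         ? \Scalr_Governance::prepareSecurityGroupsPatterns($governanceSecurityGroups['additional_sec_groups_list'])
         : [];

     // NOTE(review): exact lookups below use the lower-cased name while the
     // regexps are applied to the name as stored; confirm that the patterns
     // built by prepareSecurityGroupsPatterns() are case-insensitive
     $filteredSg = [];
     foreach ($result as $sg) {
         $sgNameLowerCase = strtolower($sg['name']);
         $sgAllowed = false;

         if ($allowAdditional) {
             if (empty($sgOptionalPatterns)) {
                 // Additional groups allowed without a list: any group may be attached
                 $sgAllowed = true;
             } elseif (isset($sgOptionalPatterns[$sgNameLowerCase])) {
                 $sgAllowed = true;
             } else {
                 foreach ($sgOptionalPatterns as $sgOptionalPattern) {
                     if (isset($sgOptionalPattern['regexp']) && preg_match($sgOptionalPattern['regexp'], $sg['name']) === 1) {
                         $sgAllowed = true;
                         break;
                     }
                 }
             }
         }

         if (isset($sgRequiredPatterns[$sgNameLowerCase])) {
             $sgAllowed = true;
             $sg['addedByGovernance'] = true;
             $sgRequiredPatterns[$sgNameLowerCase]['found'] = true;
         } else {
             // Written through the key instead of a foreach reference: a
             // reference left bound to the last element would be overwritten by
             // the by-value loop at the end of this method
             foreach ($sgRequiredPatterns as $patternKey => $sgRequiredPattern) {
                 if (isset($sgRequiredPattern['regexp']) && preg_match($sgRequiredPattern['regexp'], $sg['name']) === 1) {
                     $sgRequiredPatterns[$patternKey]['matches'][] = $sg;
                     break;
                 }
             }
         }

         if ($sgAllowed) {
             $filteredSg[$sg['id']] = $sg;
         }
     }

     // A required pattern is satisfied only by an unambiguous (single) match
     foreach ($sgRequiredPatterns as $patternKey => $sgRequiredPattern) {
         if (isset($sgRequiredPattern['matches']) && count($sgRequiredPattern['matches']) == 1) {
             $sg = $sgRequiredPattern['matches'][0];
             if (!isset($filteredSg[$sg['id']])) {
                 $filteredSg[$sg['id']] = $sg;
             }
             $filteredSg[$sg['id']]['addedByGovernance'] = true;
             $sgRequiredPatterns[$patternKey]['found'] = true;
         }
     }

     $result = $filteredSg;
     if (empty($filters['existingGroupsOnly'])) {
         foreach ($sgRequiredPatterns as $sgRequiredPattern) {
             if (empty($sgRequiredPattern['found'])) {
                 // Placeholder for a required group that does not exist yet
                 $result[] = ['id' => null, 'name' => $sgRequiredPattern['value'], 'description' => null, 'vpcId' => null, 'owner' => null, 'addedByGovernance' => true];
             }
         }
     }

     return $result;
 }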
コード例 #4
ファイル: Aws.php プロジェクト: scalr/scalr
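 /**
  * Checks security groups governance policy
  *
  * Compares the submitted groups with the EC2 security group policy of the
  * service. An error message is returned when a submitted group has no id
  * (it does not exist in the VPC), when a group required by the policy is not
  * among the submitted ones, or when a submitted group is neither required nor
  * covered by the list of allowed additional groups.
  *
  * @param Scalr\UI\Request\JsonData   $vpcSecurityGroups Submitted groups, rows with 'id' and 'name'
  * @param string|bool  $serviceName optional Service name (rds, elb ...)
  * @return bool|string Returns error message if access to some data restricted. True otherwise.
  * @throws Scalr_Exception_Core
  */
 public function checkSecurityGroupsPolicy($vpcSecurityGroups, $serviceName = false)
 {
     $governance = new Scalr_Governance($this->getEnvironmentId());
     $value = $governance->getValue(SERVER_PLATFORMS::EC2, Scalr_Governance::getEc2SecurityGroupPolicyNameForService($serviceName), '');
     if (empty($value)) {
         // No policy stored: nothing to enforce
         return true;
     }

     // Lower-cased group name => group id, and the names submitted without an id
     $vpcSecurityGroupNames = [];
     $notFoundGroups = [];
     if (!empty($vpcSecurityGroups)) {
         foreach ($vpcSecurityGroups as $vpcSecurityGroup) {
             $lowerCaseName = strtolower($vpcSecurityGroup['name']);
             if (empty($vpcSecurityGroup['id'])) {
                 $notFoundGroups[] = $lowerCaseName;
             }
             $vpcSecurityGroupNames[$lowerCaseName] = $vpcSecurityGroup['id'];
         }
     }

     // NOTE(review): when no group is submitted, none of the checks below run
     // and the call succeeds even if the policy lists required groups - confirm
     // that callers do not rely on this method to reject an empty selection
     if (empty($vpcSecurityGroupNames)) {
         return true;
     }

     // NOTE(review): the messages below embed group names taken from the
     // request; presumably they must be escaped wherever they are rendered
     if (!empty($value['value']) && !empty($notFoundGroups)) {
         $plural = count($notFoundGroups) > 1;
         // Singular needs "does"; the suffix used to be built as "e", which read "doe not exist"
         return sprintf(
             "A Security Group Policy is active in this Environment, and requires that you attach the following Security Group%s to your instance: %s, but %s do%s not exist in current VPC.",
             $plural ? 's' : '',
             implode(', ', $notFoundGroups),
             $plural ? 'they' : 'it',
             $plural ? '' : 'es'
         );
     }

     $sgRequiredPatterns = \Scalr_Governance::prepareSecurityGroupsPatterns($value['value']);
     $sgOptionalPatterns = !empty($value['allow_additional_sec_groups'])
         ? \Scalr_Governance::prepareSecurityGroupsPatterns($value['additional_sec_groups_list'])
         : [];

     // Every required entry must be covered by a submitted group, by exact
     // (lower-cased) name or through the entry's regexp
     $missingGroups = [];
     foreach ($sgRequiredPatterns as $patternName => $sgRequiredPattern) {
         if (isset($vpcSecurityGroupNames[$patternName])) {
             continue;
         }

         $sgGroupExists = false;
         if (isset($sgRequiredPattern['regexp'])) {
             foreach ($vpcSecurityGroupNames as $sgGroupName => $sgGroupId) {
                 if (preg_match($sgRequiredPattern['regexp'], $sgGroupName) === 1) {
                     $sgGroupExists = true;
                     break;
                 }
             }
         }

         if (!$sgGroupExists) {
             $missingGroups[] = $sgRequiredPattern['value'];
         }
     }

     if (!empty($missingGroups)) {
         return sprintf("A Security Group Policy is active in this Environment, and requires that you attach the following Security Groups to your instance: %s", implode(', ', $missingGroups));
     }

     // Additional groups allowed without a list: any extra group is accepted
     if (!empty($value['allow_additional_sec_groups']) && empty($sgOptionalPatterns)) {
         return true;
     }

     // Otherwise each submitted group must be required or explicitly allowed
     foreach ($vpcSecurityGroupNames as $sgGroupName => $sgGroupId) {
         $isAllowed = !empty($sgRequiredPatterns)
             && \Scalr_Governance::isSecurityGroupNameAllowed($sgGroupName, $sgRequiredPatterns);

         if (!$isAllowed && !empty($sgOptionalPatterns)) {
             $isAllowed = \Scalr_Governance::isSecurityGroupNameAllowed($sgGroupName, $sgOptionalPatterns);
         }

         if (!$isAllowed) {
             return sprintf("A Security Group Policy is active in this Environment, and you can't apply additional security groups to your instance (%s).", $sgGroupName);
         }
     }

     return true;
 }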