isSecurityGroupNameAllowed() public static method

Checks if security group is allowed
public static isSecurityGroupNameAllowed ( string $sgName, Array $patterns ) : boolean
$sgName string Security group name
$patterns Array List of patterns
return boolean Returns true if the security group name matches at least one pattern
コード例 #1
ファイル: Aws.php プロジェクト: scalr/scalr
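 /**
  * Checks the supplied security groups against the environment's EC2 security group
  * governance policy for the given service.
  *
  * The check runs in three stages, each returning an error message on failure:
  *  1. every supplied group must have an id (i.e. it exists in the current VPC),
  *  2. every group required by the policy must be present, by exact (lower-cased)
  *     name or by the policy's regular expression,
  *  3. unless the policy allows arbitrary additional groups, every supplied group
  *     must match a required or an explicitly allowed additional pattern.
  *
  * Matching is done on lower-cased group NAMES; the id is only used to decide whether
  * a group exists.
  * NOTE(review): the name/id pairs are taken as supplied in $vpcSecurityGroups - confirm
  * that the caller resolves them against the cloud API rather than trusting request data.
  *
  * @param Scalr\UI\Request\JsonData   $vpcSecurityGroups List of groups, each with 'id' and 'name'
  * @param string  $serviceName Service name (rds, elb ...)
  * @return bool|string Returns error message if access to some data restricted. True otherwise.
  * @throws Scalr_Exception_Core Not thrown directly here; presumably raised by the governance helpers - TODO confirm
  */
 public function checkSecurityGroupsPolicy($vpcSecurityGroups, $serviceName = false)
 {
     $governance = new Scalr_Governance($this->getEnvironmentId());
     $value = $governance->getValue(
         SERVER_PLATFORMS::EC2,
         Scalr_Governance::getEc2SecurityGroupPolicyNameForService($serviceName),
         ''
     );

     // No policy configured for this service: nothing to enforce.
     if (empty($value)) {
         return true;
     }

     // Initialised explicitly so later checks never read an undefined variable.
     $notFoundGroups = [];
     $vpcSecurityGroupNames = [];

     if (!empty($vpcSecurityGroups)) {
         foreach ($vpcSecurityGroups as $vpcSecurityGroup) {
             $lowerName = strtolower($vpcSecurityGroup['name']);

             // A group without an id could not be resolved in the current VPC.
             if (empty($vpcSecurityGroup['id'])) {
                 $notFoundGroups[] = $lowerName;
             }

             $vpcSecurityGroupNames[$lowerName] = $vpcSecurityGroup['id'];
         }
     }

     // NOTE(review): with an active policy but no groups supplied, the request passes
     // without any check. Confirm callers never reach this point with an empty list when
     // the policy has required groups (the provider's default group would bypass it).
     if (empty($vpcSecurityGroupNames)) {
         return true;
     }

     if (!empty($value['value']) && !empty($notFoundGroups)) {
         $plural = count($notFoundGroups) > 1;

         // Fixed: the singular form previously rendered as "it doe not exist".
         return sprintf(
             "A Security Group Policy is active in this Environment, and requires that you attach the following Security Group%s to your instance: %s, but %s do%s not exist in current VPC.",
             $plural ? 's' : '',
             implode(', ', $notFoundGroups),
             $plural ? 'they' : 'it',
             $plural ? '' : 'es'
         );
     }

     // empty() instead of a bare read: the key may be absent from the stored policy,
     // and the later branch already treats it that way.
     $allowAdditional = !empty($value['allow_additional_sec_groups']);

     $sgRequiredPatterns = \Scalr_Governance::prepareSecurityGroupsPatterns($value['value']);
     $sgOptionalPatterns = $allowAdditional
         ? \Scalr_Governance::prepareSecurityGroupsPatterns($value['additional_sec_groups_list'])
         : [];

     // Stage 2: every required pattern must be satisfied by at least one supplied group.
     $missingGroups = [];
     foreach ($sgRequiredPatterns as $patternName => $sgRequiredPattern) {
         $sgGroupExists = isset($vpcSecurityGroupNames[$patternName]);

         if (!$sgGroupExists && isset($sgRequiredPattern['regexp'])) {
             foreach ($vpcSecurityGroupNames as $sgGroupName => $sgGroupId) {
                 // PHP turns numeric-looking array keys into ints; match on the string form.
                 // Only an explicit match (1) counts: a preg_match() error (false) is
                 // treated as "no match", so a broken pattern fails closed.
                 if (preg_match($sgRequiredPattern['regexp'], (string) $sgGroupName) === 1) {
                     $sgGroupExists = true;
                     break;
                 }
             }
         }

         if (!$sgGroupExists) {
             $missingGroups[] = $sgRequiredPattern['value'];
         }
     }

     if (!empty($missingGroups)) {
         return sprintf(
             "A Security Group Policy is active in this Environment, and requires that you attach the following Security Groups to your instance: %s",
             implode(', ', $missingGroups)
         );
     }

     // Stage 3: additional groups are unrestricted only when the policy allows them
     // AND gives no explicit list; in every other case each group must match a pattern.
     if (!$allowAdditional || !empty($sgOptionalPatterns)) {
         foreach ($vpcSecurityGroupNames as $sgGroupName => $sgGroupId) {
             $sgGroupName = (string) $sgGroupName;

             $isAllowed = !empty($sgRequiredPatterns)
                 && \Scalr_Governance::isSecurityGroupNameAllowed($sgGroupName, $sgRequiredPatterns);

             if (!$isAllowed && !empty($sgOptionalPatterns)) {
                 $isAllowed = \Scalr_Governance::isSecurityGroupNameAllowed($sgGroupName, $sgOptionalPatterns);
             }

             // Report the first offending group only.
             if (!$isAllowed) {
                 return sprintf(
                     "A Security Group Policy is active in this Environment, and you can't apply additional security groups to your instance (%s).",
                     $sgGroupName
                 );
             }
         }
     }

     return true;
 }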