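/**
 * RevokeSecurityGroupEgress action
 *
 * Removes one or more egress rules from a security group for EC2-VPC.
 * The values that you specify in the revoke request (for example, ports)
 * must match the existing rule's values for the rule to be revoked.
 *
 * Each rule consists of the protocol and the CIDR range or destination security group.
 * For the TCP and UDP protocols, you must also specify the destination port or range of ports.
 * For the ICMP protocol, you must also specify the ICMP type and code.
 *
 * Rule changes are propagated to instances within the security group as quickly as possible.
 * However, a small delay might occur.
 *
 * @param IpPermissionList $ipPermissions Ip permission list object
 * @param string           $groupId       The ID of the security group to modify.
 *                                        Required: unlike the ingress variant there is
 *                                        no group-name alternative for this call.
 * @return bool Returns true on success
 * @throws ClientException
 * @throws Ec2Exception when the API answers with a non-error response that does not
 *                      acknowledge the revocation (or with a body that is not XML)
 */
public function revokeSecurityGroupEgress(IpPermissionList $ipPermissions, $groupId)
{
    $result = false;

    $options = $ipPermissions->getQueryArrayBare('IpPermissions');
    $options['GroupId'] = (string) $groupId;

    // The API action name is the method name with a capital first letter.
    $action = ucfirst(__FUNCTION__);

    $response = $this->client->call($action, $options);

    if ($response->getError() === false) {
        $sxml = simplexml_load_string($response->getRawContent());

        if ($sxml === false) {
            // Previously this fell through to the generic "It returned ''" error
            // after a PHP warning; name the real problem instead.
            throw new Ec2Exception(sprintf(
                'Amazon Ec2 could not %s GroupId:"%s". The response body is not valid XML',
                $action, $options['GroupId']
            ));
        }

        // A successful call is acknowledged with <return>true</return>. Compare
        // strictly: a loose comparison of two strings may fall back to numeric
        // comparison rules.
        if ((string) $sxml->return !== 'true') {
            throw new Ec2Exception(sprintf(
                'Amazon Ec2 could not %s GroupId:"%s". It returned "%s"',
                $action, $options['GroupId'], $sxml->return
            ));
        }

        $result = true;
    }

    return $result;
}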
/**
 * Functional test of the EC2-VPC part of the client.
 *
 * Runs against a real AWS account (skipped when the EC2 platform is disabled).
 * It first removes leftovers from earlier runs that carry the test name tag,
 * then creates a VPC, security group, subnet, network interface, internet
 * gateway, route table and route, runs and terminates an instance, and finally
 * deletes everything it created. Most steps sleep and/or poll, because the
 * resources become visible asynchronously on the API side.
 *
 * @test
 * @depends testFunctionalEc2
 */
public function testFunctionalVpc()
{
    $this->skipIfEc2PlatformDisabled();

    $aws = $this->getContainer()->aws(AwsTestCase::REGION);

    // With the entity manager enabled, repeated describe calls return the same
    // object instance for a resource (relied upon by the assertSame() below).
    $aws->ec2->enableEntityManager();

    $nameTag = new ResourceTagSetData(self::TAG_NAME_KEY, self::getTestName(self::NAME_TAG_VALUE));

    $ret = $aws->ec2->describeAccountAttributes(array('supported-platforms', 'default-vpc'));
    $this->assertInstanceOf($this->getEc2ClassName('DataType\\AccountAttributeSetList'), $ret);
    unset($ret);

    //Removes previously created route tables if they exist.
    $rtList = $aws->ec2->routeTable->describe(null, array(array('name' => RouteTableFilterNameType::tagName(), 'value' => self::getTestName(self::NAME_TAG_VALUE))));
    $this->assertInstanceOf($this->getEc2ClassName('DataType\\RouteTableList'), $rtList);
    foreach ($rtList as $rt) {
        /* @var $rt RouteTableData */
        foreach ($rt->routeSet as $route) {
            /* @var $route RouteData */
            // Best-effort cleanup: routes the API refuses to remove are skipped on purpose.
            try {
                $route->delete();
            } catch (ClientException $e) {
            }
        }
        foreach ($rt->associationSet as $rtassoc) {
            // Best-effort cleanup: associations that cannot be removed are skipped on purpose.
            try {
                $rtassoc->disassociate();
            } catch (ClientException $e) {
            }
        }
        $rt->delete();
    }
    unset($rtList);

    //Removes previously created Network Interfaces if they have not been removed during past test executions.
    $eniList = $aws->ec2->networkInterface->describe(null, array(array('name' => NetworkInterfaceFilterNameType::tag(self::TAG_NAME_KEY), 'value' => self::getTestName(self::NAME_TAG_VALUE))));
    $this->assertInstanceOf($this->getEc2ClassName('DataType\\NetworkInterfaceList'), $eniList);
    foreach ($eniList as $v) {
        $v->delete();
    }
    unset($eniList);

    //Removes previously created subnets tagged with the test name.
    $subnetList = $aws->ec2->subnet->describe(null, array(array('name' => SubnetFilterNameType::tag(self::TAG_NAME_KEY), 'value' => self::getTestName(self::NAME_TAG_VALUE))));
    $this->assertInstanceOf($this->getEc2ClassName('DataType\\SubnetList'), $subnetList);
    foreach ($subnetList as $subnet) {
        /* @var $subnet SubnetData */
        $subnet->delete();
    }
    unset($subnetList);

    //Removes previously created Internet Gateways that have not been removed during a previous test run.
    $igwList = $aws->ec2->internetGateway->describe(null, array(array('name' => InternetGatewayFilterNameType::tag(self::TAG_NAME_KEY), 'value' => self::getTestName(self::NAME_TAG_VALUE))));
    $this->assertInstanceOf($this->getEc2ClassName('DataType\\InternetGatewayList'), $igwList);
    foreach ($igwList as $igw) {
        /* @var $igw InternetGatewayData */
        if (count($igw->attachmentSet)) {
            //Detaches the previously attached VPC and waits (up to 100 s) for the detaching state to clear.
            $igw->attachmentSet->get(0)->detach();
            for ($t = time(); time() - $t < 100 && !empty($igw->attachmentSet[0]) && $igw->attachmentSet[0]->state == InternetGatewayAttachmentData::STATE_DETACHING; sleep(3)) {
                $igw = $igw->refresh();
            }
        }
        //Deletes previously created internet gateways
        $igw->delete();
    }
    unset($igwList);

    //Makes sure the security group used by the test does not exist yet.
    $list = $aws->ec2->securityGroup->describe(null, null, new SecurityGroupFilterData(SecurityGroupFilterNameType::groupName(), self::getTestName(self::NAME_SECURITY_GROUP_VPC)));
    if (count($list) > 0) {
        foreach ($list as $v) {
            $v->delete();
        }
    }
    unset($list);

    //Describes VPC
    $vpcList = $aws->ec2->vpc->describe(null, array(array('name' => VpcFilterNameType::tag(self::TAG_NAME_KEY), 'value' => self::getTestName(self::NAME_TAG_VALUE))));
    $this->assertInstanceOf($this->getEc2ClassName('DataType\\VpcList'), $vpcList);
    //Removes VPCs that were left behind for some reason.
    foreach ($vpcList as $vpc) {
        $vpc->delete();
        unset($vpc);
    }
    unset($vpcList);

    //Creates VPC and polls (up to 600 s) until it becomes available.
    $vpc = $aws->ec2->vpc->create('10.0.0.0/16');
    $this->assertInstanceOf($this->getEc2ClassName('DataType\\VpcData'), $vpc);
    for ($t = time(); time() - $t < 600 && $vpc->state !== VpcData::STATE_AVAILABLE;) {
        sleep(5);
        $vpc = $vpc->refresh();
    }
    $this->assertTrue($vpc->state == VpcData::STATE_AVAILABLE);
    $ret = $vpc->createTags($nameTag);
    $this->assertTrue($ret);

    //Creates a VPC Security group
    $securityGroupId = $aws->ec2->securityGroup->create(self::getTestName(self::NAME_SECURITY_GROUP_VPC), self::getTestName(self::NAME_SECURITY_GROUP_VPC) . ' description', $vpc->vpcId);
    $this->assertNotEmpty($securityGroupId);
    sleep(2);
    $sg = $aws->ec2->securityGroup->describe(null, $securityGroupId)->get(0);
    $this->assertInstanceOf($this->getEc2ClassName('DataType\\SecurityGroupData'), $sg);

    //Authorizes security group Egress
    //Example of how to construct the list from plain arrays
    //(the CIDRs are documentation-only ranges, so the rule never reaches a real network).
    $ipperm3array = array(array('ipProtocol' => 'tcp', 'fromPort' => 80, 'toPort' => 80, 'ipRanges' => array(array('cidrIp' => '192.0.2.0/24'), array('cidrIp' => '198.51.100.0/24'))));
    $ipperm3 = new IpPermissionList($ipperm3array);
    $this->assertInstanceOf($this->getEc2ClassName('DataType\\IpPermissionData'), $ipperm3->get(0));
    $this->assertInstanceOf($this->getEc2ClassName('DataType\\IpRangeList'), $ipperm3->get(0)->ipRanges);
    $this->assertEquals(2, $ipperm3->get(0)->ipRanges->count());
    $this->assertEquals('192.0.2.0/24', $ipperm3->get(0)->ipRanges->get(0)->cidrIp);
    $this->assertEquals('198.51.100.0/24', $ipperm3->get(0)->ipRanges->get(1)->cidrIp);
    //The same can be produced in another way, with data objects
    $ipperm4 = new IpPermissionList(new IpPermissionData('tcp', 80, 80, array(new IpRangeData('192.0.2.0/24'), new IpRangeData('198.51.100.0/24'))));
    //Checks that both constructions are equivalent
    $this->assertEquals($ipperm3->toArray(), $ipperm4->toArray());

    //Authorizes IP Permission Egress
    $ret = $sg->authorizeEgress($ipperm3);
    $this->assertTrue($ret);
    sleep(1);
    //Checks if the specified IP Permission is successfully set
    $sg->refresh();
    $this->assertContains('192.0.2.0/24', $sg->ipPermissionsEgress->getQueryArrayBare());

    //Revokes IP Permission Egress
    //You may pass an array directly to the method
    $ret = $sg->revokeEgress($ipperm3array);
    $this->assertTrue($ret);
    sleep(3);
    $sg->refresh();
    //Checks if the IP Permission is successfully revoked.
    $this->assertNotContains('192.0.2.0/24', $sg->ipPermissionsEgress->getQueryArrayBare());
    $this->assertNotContains('198.51.100.0/24', $sg->ipPermissionsEgress->getQueryArrayBare());

    //Creates a subnet for the network interface and polls (up to 600 s) until it is available.
    $subnet = $aws->ec2->subnet->create($vpc->vpcId, '10.0.0.0/16');
    $this->assertInstanceOf($this->getEc2ClassName('DataType\\SubnetData'), $subnet);
    for ($t = time(); time() - $t < 600 && $subnet->state !== SubnetData::STATE_AVAILABLE;) {
        sleep(5);
        $subnet = $subnet->refresh();
    }
    $this->assertTrue($subnet->state == SubnetData::STATE_AVAILABLE);
    $ret = $subnet->createTags($nameTag);
    $this->assertTrue($ret);

    //Creates network interface
    $eni = $aws->ec2->networkInterface->create($subnet->subnetId);
    $this->assertInstanceOf($this->getEc2ClassName('DataType\\NetworkInterfaceData'), $eni);
    sleep(4);
    $ret = $eni->createTags($nameTag);
    $this->assertTrue($ret);

    //DescribeAttribute test: every allowed attribute must match the property of the same name.
    foreach (NetworkInterfaceAttributeType::getAllowedValues() as $attr) {
        $expected = $eni->{$attr};
        $v = $eni->describeAttribute($attr);
        $this->assertEquals($expected, $v);
        if (is_object($v)) {
            //Identity holds only when the entity manager is enabled
            $this->assertSame($eni->{$attr}, $v);
        }
    }

    //ModifyAttribute test
    $ret = $eni->modifyAttribute(NetworkInterfaceAttributeType::sourceDestCheck(), true);
    $this->assertTrue($ret);

    //ResetAttribute test
    $ret = $eni->resetAttribute(NetworkInterfaceAttributeType::sourceDestCheck());
    $this->assertTrue($ret);

    //Creates Internet Gateway
    $igw = $aws->ec2->internetGateway->create();
    $this->assertInstanceOf($this->getEc2ClassName('DataType\\InternetGatewayData'), $igw);
    $this->assertNotEmpty($igw->internetGatewayId);
    sleep(4);
    $igw->createTags($nameTag);

    //Attaches Internet Gateway to VPC and polls (up to 100 s) for the attached state.
    $ret = $igw->attach($vpc->vpcId);
    $this->assertTrue($ret);
    $t = time();
    do {
        sleep(3);
        $igw = $igw->refresh();
        //Verifies that external index for attachmentSet is set properly.
        $this->assertEquals($igw->internetGatewayId, $igw->attachmentSet[0]->getInternetGatewayId());
    } while (time() - $t < 100 && $igw->attachmentSet[0]->state != InternetGatewayAttachmentData::STATE_ATTACHED);
    // NOTE(review): the loop above waits for STATE_ATTACHED but the assertion checks
    // STATE_AVAILABLE — confirm the two constants are intentionally different
    // (the describe call may report an attached gateway as "available"); otherwise
    // the loop condition or the assertion is wrong.
    $this->assertTrue($igw->attachmentSet[0]->state == InternetGatewayAttachmentData::STATE_AVAILABLE);

    //Detaches Internet Gateway from VPC and polls (up to 100 s) while it is still detaching.
    $ret = $igw->detach($vpc->vpcId);
    $this->assertTrue($ret);
    for ($t = time(); time() - $t < 100 && count($igw->attachmentSet) && $igw->attachmentSet[0]->state == InternetGatewayAttachmentData::STATE_DETACHING; sleep(3)) {
        $igw = $igw->refresh();
    }
    $this->assertTrue($igw->attachmentSet[0]->state !== InternetGatewayAttachmentData::STATE_DETACHING);

    //Creates RouteTable
    $rt = $vpc->createRouteTable();
    $this->assertInstanceOf($this->getEc2ClassName('DataType\\RouteTableData'), $rt);
    $this->assertNotEmpty($rt->routeTableId);
    $this->assertEquals($vpc->vpcId, $rt->vpcId);
    sleep(5);
    $ret = $rt->createTags($nameTag);
    $this->assertTrue($ret);

    //Associates route table with the subnet
    $associationId = $rt->associate($subnet->subnetId);
    $this->assertNotEmpty($associationId);
    $rt = $rt->refresh();
    $this->assertTrue(count($rt->associationSet) > 0);
    $c = array();
    foreach ($rt->associationSet as $rtassoc) {
        /* @var $rtassoc RouteTableAssociationData */
        $c[] = $rtassoc->routeTableAssociationId;
    }
    $this->assertContains($associationId, $c);

    //Adds a default route to the Route Table that targets the network interface created above.
    $destinationCidrBlock = '0.0.0.0/0';
    $ret = $rt->createRoute($destinationCidrBlock, null, null, $eni->networkInterfaceId);
    $this->assertTrue($ret);
    $rt = $rt->refresh();
    $this->assertTrue(count($rt->routeSet) > 0);
    $c = array();
    foreach ($rt->routeSet as $route) {
        /* @var $route RouteData */
        $c[$route->destinationCidrBlock] = $route;
        unset($route);
    }
    $this->assertArrayHasKey($destinationCidrBlock, $c);
    $route = $c[$destinationCidrBlock];

    //Deletes Route
    $ret = $route->delete();
    $this->assertTrue($ret);
    unset($route);
    $rt = $rt->refresh();

    //Disassociates the route table from the subnet (only the association created above).
    foreach ($rt->associationSet as $rtassoc) {
        if ($rtassoc->routeTableAssociationId == $associationId) {
            $ret = $rtassoc->disassociate();
            $this->assertTrue($ret);
        }
    }

    //RunInstance test
    $request = new RunInstancesRequestData(self::INSTANCE_IMAGE_ID, 1, 1);
    $request->instanceType = self::INSTANCE_TYPE;
    //Placement groups may not be used with instances of type 'm1.small'.
    $request->setPlacement(new PlacementResponseData($subnet->availabilityZone));
    $request->setMonitoring(true);

    // test Associate Public Ip: one network interface on device index 0 in the test subnet
    $instanceList = new Ec2\DataType\InstanceNetworkInterfaceSetRequestList();
    $instanceData = new Ec2\DataType\InstanceNetworkInterfaceSetRequestData();
    $instanceData->deviceIndex = 0;
    $instanceData->associatePublicIpAddress = true;
    $instanceData->subnetId = $subnet->subnetId;
    $instanceList->append($instanceData);
    $request->setNetworkInterface($instanceList);

    // User data is sent base64-encoded, as the API expects.
    $request->userData = base64_encode("test=26;");
    $rd = $aws->ec2->instance->run($request);
    $this->assertInstanceOf($this->getEc2ClassName('DataType\\ReservationData'), $rd);
    // presumably gives the instance time to leave the pending state before it is terminated
    sleep(60);

    //Terminates the instance and polls (up to 200 s) until it reports the terminated state.
    $ind = $rd->instancesSet[0];
    $st = $ind->terminate();
    $this->assertInstanceOf($this->getEc2ClassName('DataType\\InstanceStateChangeList'), $st);
    $this->assertEquals(1, count($st));
    $this->assertEquals($rd->instancesSet[0]->instanceId, $st[0]->getInstanceId());
    for ($t = time(); time() - $t < 200 && $ind && $ind->instanceState->name != InstanceStateData::NAME_TERMINATED; sleep(5)) {
        $ind = $ind->refresh();
    }
    // refresh() may yield a falsy value once the instance disappears from describe results,
    // which is accepted as "terminated" as well.
    $this->assertTrue(!$ind || $ind->instanceState->name == InstanceStateData::NAME_TERMINATED);
    if (isset($ind)) {
        unset($ind);
    }

    //Removes Route Table
    $ret = $rt->delete();
    $this->assertTrue($ret);

    //Removes Internet Gateway
    $ret = $igw->delete();
    $this->assertTrue($ret);

    //Removes Network Interface
    $ret = $eni->delete();
    $this->assertTrue($ret);

    //Removes Subnet
    $ret = $subnet->delete();
    $this->assertTrue($ret);

    //Removes security group
    $ret = $sg->delete();
    $this->assertTrue($ret);

    //Removes VPC
    $ret = $vpc->delete();
    $this->assertTrue($ret);

    $aws->ec2->getEntityManager()->detachAll();
}
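/**
 * RevokeSecurityGroupIngress action
 *
 * This action applies to both EC2 security groups and VPC security groups.
 * This action removes one or more ingress rules from a security group. The values that you specify in the
 * revoke request (e.g., ports, etc.) must match the existing rule's values for the rule to be removed.
 *
 * Each rule consists of the protocol and the CIDR range or source security group. For the TCP and UDP
 * protocols, you must also specify the destination port or range of ports. For the ICMP protocol, you must
 * also specify the ICMP type and code.
 *
 * Rule changes are propagated to instances within the security group as quickly as possible. However,
 * depending on the number of instances, a small delay might occur
 *
 * @param IpPermissionList $ipPermissions Ip permission list object
 * @param string $groupId   optional The ID of the EC2 or VPC security group to modify.
 *                          The group must belong to your account.
 * @param string $groupName optional The name of the EC2 security group to modify.
 *                          It can be used instead of group ID for EC2 security groups.
 * @return bool Returns true on success
 * @throws ClientException
 * @throws Ec2Exception when the API answers with a non-error response that does not
 *                      acknowledge the revocation (or with a body that is not XML)
 * @throws \InvalidArgumentException unless exactly one of $groupId / $groupName is given
 */
public function revokeSecurityGroupIngress(IpPermissionList $ipPermissions, $groupId = null, $groupName = null)
{
    $result = false;

    $hasGroupId = $groupId !== null;
    $hasGroupName = $groupName !== null;

    // Exactly one selector is allowed: neither, or both, is a caller error.
    if ($hasGroupId === $hasGroupName) {
        throw new \InvalidArgumentException(sprintf('Either groupName or groupId is required for the %s. ' .
            'Also you cannot specify both in the same call.', __METHOD__));
    }

    $options = $ipPermissions->getQueryArrayBare('IpPermissions');

    if ($hasGroupId) {
        $options['GroupId'] = (string) $groupId;
    } else {
        $options['GroupName'] = (string) $groupName;
    }

    // Whichever selector was sent, for use in error messages. Only one of the two
    // keys exists, so it must be tested with isset() rather than read directly.
    $groupRef = isset($options['GroupId']) ? $options['GroupId'] : $options['GroupName'];

    $response = $this->client->call(ucfirst(__FUNCTION__), $options);

    if ($response->getError() === false) {
        $sxml = simplexml_load_string($response->getRawContent());

        if ($sxml === false) {
            throw new Ec2Exception(sprintf('Amazon Ec2 could not revoke ingress rules to a security group "%s". The response body is not valid XML', $groupRef));
        }

        // A successful call is acknowledged with <return>true</return>; compare strictly.
        if ((string) $sxml->return !== 'true') {
            throw new Ec2Exception(sprintf('Amazon Ec2 could not revoke ingress rules to a security group "%s". It returned "%s"', $groupRef, $sxml->return));
        }

        $result = true;
    }

    return $result;
}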
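/**
 * Authorizes or revokes a batch of ingress rules on an EC2 security group.
 *
 * @param string $platform        Cloud platform identifier passed to getCloudInstance()
 * @param string $cloudLocation   Cloud location passed to getCloudInstance()
 * @param string $securityGroupId ID of the security group to modify
 * @param array  $rules           Two optional lists:
 *                                'rules'   — CIDR based, keys ipProtocol, fromPort, toPort, cidrIp;
 *                                'sgRules' — group based, keys ipProtocol, fromPort, toPort and
 *                                            'sg' as "ownerId/groupName".
 * @param string $method          'add' authorizes the rules; any other value revokes them.
 * @throws \InvalidArgumentException when an 'sg' reference is not of the "ownerId/groupName" form
 */
private function updateRules($platform, $cloudLocation, $securityGroupId, $rules, $method)
{
    $cloudInstance = $this->getCloudInstance($platform, $cloudLocation);

    // Either list may be absent from the request; treat that as "no rules of that kind".
    $cidrRules = isset($rules['rules']) ? $rules['rules'] : array();
    $groupRules = isset($rules['sgRules']) ? $rules['sgRules'] : array();

    $ipPermissionList = new IpPermissionList();

    foreach ($cidrRules as $rule) {
        $ipPermissionList->append(new IpPermissionData(
            $rule['ipProtocol'], $rule['fromPort'], $rule['toPort'],
            new IpRangeList(new IpRangeData($rule['cidrIp'])), null
        ));
    }

    foreach ($groupRules as $rule) {
        // Validate the "ownerId/groupName" reference before it is turned into an API
        // call; a value without a separator used to produce an undefined-index notice
        // and a pair with a null group name.
        $chunks = explode("/", $rule['sg']);
        if (count($chunks) < 2 || $chunks[0] === '' || $chunks[1] === '') {
            throw new \InvalidArgumentException(sprintf('Invalid security group reference "%s", expected "ownerId/groupName".', $rule['sg']));
        }
        $userId = $chunks[0];
        $name = $chunks[1];

        $ipPermissionList->append(new IpPermissionData(
            $rule['ipProtocol'], $rule['fromPort'], $rule['toPort'],
            null, new UserIdGroupPairList(new UserIdGroupPairData($userId, null, $name))
        ));
    }

    if ($method === 'add') {
        $cloudInstance->ec2->securityGroup->authorizeIngress($ipPermissionList, $securityGroupId);
    } else {
        $cloudInstance->ec2->securityGroup->revokeIngress($ipPermissionList, $securityGroupId);
    }
}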
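/**
 * Authorizes or revokes a batch of ingress rules on an EC2 security group.
 *
 * @param string $platform        Cloud platform identifier passed to getPlatformService()
 * @param string $cloudLocation   Cloud location passed to getPlatformService()
 * @param string $securityGroupId ID of the security group to modify
 * @param array  $rules           Two optional lists:
 *                                'rules'   — CIDR based, keys ipProtocol, fromPort, toPort, cidrIp;
 *                                'sgRules' — group based, keys ipProtocol, fromPort, toPort and
 *                                            'sg' as "ownerId/groupName" or "ownerId/sg-xxxx".
 * @param string $action          'add' authorizes the rules; any other value revokes them.
 * @throws \InvalidArgumentException when an 'sg' reference is not of the "ownerId/group" form
 */
private function saveGroupRulesEc2($platform, $cloudLocation, $securityGroupId, $rules, $action)
{
    $sgService = $this->getPlatformService($platform, $cloudLocation);

    // Either list may be absent from the request; treat that as "no rules of that kind".
    $cidrRules = isset($rules['rules']) ? $rules['rules'] : array();
    $groupRules = isset($rules['sgRules']) ? $rules['sgRules'] : array();

    $ipPermissionList = new IpPermissionList();

    foreach ($cidrRules as $rule) {
        $ipPermissionList->append(new IpPermissionData(
            $rule['ipProtocol'], $rule['fromPort'], $rule['toPort'],
            new IpRangeList(new IpRangeData($rule['cidrIp'])), null
        ));
    }

    foreach ($groupRules as $rule) {
        // Validate the "ownerId/group" reference before it is turned into an API call;
        // a value without a separator used to produce an undefined-index notice and a
        // pair with neither a group ID nor a group name.
        $chunks = explode("/", $rule['sg']);
        if (count($chunks) < 2 || $chunks[0] === '' || $chunks[1] === '') {
            throw new \InvalidArgumentException(sprintf('Invalid security group reference "%s", expected "ownerId/groupName" or "ownerId/sg-id".', $rule['sg']));
        }
        $userId = $chunks[0];
        $name = $chunks[1];
        $sgId = null;

        // An "sg-" prefixed value is a group ID and must be sent as such, not as a name.
        if (strpos($name, 'sg-') === 0) {
            $sgId = $name;
            $name = null;
        }

        $ipPermissionList->append(new IpPermissionData(
            $rule['ipProtocol'], $rule['fromPort'], $rule['toPort'],
            null, new UserIdGroupPairList(new UserIdGroupPairData($userId, $sgId, $name))
        ));
    }

    if ($action === 'add') {
        $sgService->authorizeIngress($ipPermissionList, $securityGroupId);
    } else {
        $sgService->revokeIngress($ipPermissionList, $securityGroupId);
    }
}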
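/**
 * Authorizes or revokes a batch of rules on an EC2 security group, issuing
 * separate ingress and egress calls (each only when there is something to send).
 *
 * @param string $platform      Cloud platform identifier passed to getPlatformService()
 * @param string $cloudLocation Cloud location passed to getPlatformService()
 * @param array  $groupData     Security group descriptor; only 'id' is used here
 * @param array  $rules         Two optional lists:
 *                              'rules'   — CIDR based, keys ipProtocol, fromPort, toPort, cidrIp, type;
 *                              'sgRules' — group based, keys ipProtocol, fromPort, toPort, type and
 *                                          'sg' as "ownerId/groupName" or "ownerId/sg-xxxx".
 *                              An ipProtocol of 'ANY' is sent as the EC2 wildcard "-1" (all
 *                              protocols); a 'type' equal to self::OUTBOUND_RULE selects egress.
 * @param string $action        'add' authorizes the rules; any other value revokes them.
 * @throws \InvalidArgumentException when an 'sg' reference is not of the "ownerId/group" form
 */
private function saveGroupRulesEc2($platform, $cloudLocation, $groupData, $rules, $action)
{
    $securityGroupId = $groupData['id'];

    $sgService = $this->getPlatformService($platform, $cloudLocation);

    // Either list may be absent from the request; treat that as "no rules of that kind".
    $cidrRules = isset($rules['rules']) ? $rules['rules'] : array();
    $groupRules = isset($rules['sgRules']) ? $rules['sgRules'] : array();

    $ipPermissionListIngress = new IpPermissionList();
    $ipPermissionListEgress = new IpPermissionList();

    foreach ($cidrRules as $rule) {
        $item = new IpPermissionData(
            $rule['ipProtocol'] === 'ANY' ? '-1' : $rule['ipProtocol'],
            $rule['fromPort'], $rule['toPort'],
            new IpRangeList(new IpRangeData($rule['cidrIp'])),
            null
        );
        // Loose comparison kept on purpose: 'type' arrives from the request and may
        // not share the constant's scalar type.
        if ($rule['type'] == self::OUTBOUND_RULE) {
            $ipPermissionListEgress->append($item);
        } else {
            $ipPermissionListIngress->append($item);
        }
    }

    foreach ($groupRules as $rule) {
        // Validate the "ownerId/group" reference before it is turned into an API call;
        // a value without a separator used to produce an undefined-index notice and a
        // pair with neither a group ID nor a group name.
        $chunks = explode("/", $rule['sg']);
        if (count($chunks) < 2 || $chunks[0] === '' || $chunks[1] === '') {
            throw new \InvalidArgumentException(sprintf('Invalid security group reference "%s", expected "ownerId/groupName" or "ownerId/sg-id".', $rule['sg']));
        }
        $userId = $chunks[0];
        $name = $chunks[1];
        $sgId = null;

        // An "sg-" prefixed value is a group ID and must be sent as such, not as a name.
        if (strpos($name, 'sg-') === 0) {
            $sgId = $name;
            $name = null;
        }

        $item = new IpPermissionData(
            $rule['ipProtocol'] === 'ANY' ? '-1' : $rule['ipProtocol'],
            $rule['fromPort'], $rule['toPort'],
            null,
            new UserIdGroupPairList(new UserIdGroupPairData($userId, $sgId, $name))
        );
        if ($rule['type'] == self::OUTBOUND_RULE) {
            $ipPermissionListEgress->append($item);
        } else {
            $ipPermissionListIngress->append($item);
        }
    }

    if ($action === 'add') {
        if (count($ipPermissionListIngress)) {
            $sgService->authorizeIngress($ipPermissionListIngress, $securityGroupId);
        }
        if (count($ipPermissionListEgress)) {
            $sgService->authorizeEgress($ipPermissionListEgress, $securityGroupId);
        }
    } else {
        if (count($ipPermissionListIngress)) {
            $sgService->revokeIngress($ipPermissionListIngress, $securityGroupId);
        }
        if (count($ipPermissionListEgress)) {
            $sgService->revokeEgress($ipPermissionListEgress, $securityGroupId);
        }
    }
}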