if (getOwnerId() != null) sb.append("OwnerId: ").append(getOwnerId()).append(","); if (getGroupId() != null) sb.append("GroupId: ").append(getGroupId()).append(","); if (getIpPermissionsEgress() != null) sb.append("IpPermissionsEgress: ").append(getIpPermissionsEgress()).append(",");
/**
 * Hash code over the same eight properties, in the same order, as the original
 * field-by-field computation; intended to agree with this class's {@code equals}.
 *
 * @return the hash code for this security group
 */
@Override
public int hashCode() {
    // Objects.hash applies the identical 31-multiplier / null-as-zero scheme
    // (Arrays.hashCode), so the value is unchanged from the hand-rolled loop.
    return java.util.Objects.hash(
            getDescription(),
            getGroupName(),
            getIpPermissions(),
            getOwnerId(),
            getGroupId(),
            getIpPermissionsEgress(),
            getTags(),
            getVpcId());
}
"vpc id %s " + "and description %s", group.getGroupId(), group.getVpcId(), group.getDescription());
if (other.getOwnerId() != null && other.getOwnerId().equals(this.getOwnerId()) == false) return false; if (other.getGroupId() == null ^ this.getGroupId() == null) return false; if (other.getGroupId() != null && other.getGroupId().equals(this.getGroupId()) == false) return false; if (other.getIpPermissionsEgress() == null ^ this.getIpPermissionsEgress() == null)
/**
 * Resolves the id of the security group whose name is {@code config.getACLGroupName()}
 * within the VPC reported by {@code instanceInfo.getVpcId()}.
 *
 * <p>Only the first matching group is used; any further matches in the describe
 * result are ignored without a warning.
 *
 * @return the matching group id, or {@code ""} when no group matches
 */
protected String getVpcGoupId() {
    AmazonEC2 client = null;
    try {
        client = getEc2Client();
        // Match on both name and VPC so a same-named group in another VPC is not picked up.
        DescribeSecurityGroupsRequest req = new DescribeSecurityGroupsRequest().withFilters(
                new Filter().withName("group-name").withValues(config.getACLGroupName()),
                new Filter().withName("vpc-id").withValues(instanceInfo.getVpcId()));
        DescribeSecurityGroupsResult result = client.describeSecurityGroups(req);
        if (!result.getSecurityGroups().isEmpty()) {
            SecurityGroup group = result.getSecurityGroups().get(0);
            logger.debug(
                    "got group-id:{} for group-name:{},vpc-id:{}",
                    group.getGroupId(),
                    config.getACLGroupName(),
                    instanceInfo.getVpcId());
            return group.getGroupId();
        }
        logger.error(
                "unable to get group-id for group-name={} vpc-id={}",
                config.getACLGroupName(),
                instanceInfo.getVpcId());
        return "";
    } finally {
        // The client is created per call, so it is always released here.
        if (client != null) {
            client.shutdown();
        }
    }
}
/**
 * Hash code over the same eight properties, in the same order, as the original
 * field-by-field computation; consistent with {@link #equals(Object)}.
 *
 * @return the hash code for this security group
 */
@Override
public int hashCode() {
    // Objects.hash applies the identical 31-multiplier / null-as-zero scheme
    // (Arrays.hashCode), so the value is unchanged from the hand-rolled loop.
    return java.util.Objects.hash(
            getOwnerId(),
            getGroupName(),
            getGroupId(),
            getDescription(),
            getIpPermissions(),
            getIpPermissionsEgress(),
            getVpcId(),
            getTags());
}
/**
 * Returns a string representation of this object; useful for testing and
 * debugging. Null properties are omitted; every property except the last
 * ({@code Tags}) is followed by a comma.
 *
 * @return A string representation of this object.
 *
 * @see java.lang.Object#toString()
 */
@Override
public String toString() {
    StringBuilder out = new StringBuilder("{");
    if (getOwnerId() != null) {
        out.append("OwnerId: ").append(getOwnerId()).append(",");
    }
    if (getGroupName() != null) {
        out.append("GroupName: ").append(getGroupName()).append(",");
    }
    if (getGroupId() != null) {
        out.append("GroupId: ").append(getGroupId()).append(",");
    }
    if (getDescription() != null) {
        out.append("Description: ").append(getDescription()).append(",");
    }
    if (getIpPermissions() != null) {
        out.append("IpPermissions: ").append(getIpPermissions()).append(",");
    }
    if (getIpPermissionsEgress() != null) {
        out.append("IpPermissionsEgress: ").append(getIpPermissionsEgress()).append(",");
    }
    if (getVpcId() != null) {
        out.append("VpcId: ").append(getVpcId()).append(",");
    }
    if (getTags() != null) {
        // Last property: no trailing comma, matching the original output.
        out.append("Tags: ").append(getTags());
    }
    return out.append("}").toString();
}
/**
 * Property-wise equality over the same eight properties as {@link #hashCode()}:
 * two groups are equal when every property is either null on both sides or
 * {@code equals} on both sides.
 *
 * @param obj the object to compare with
 * @return {@code true} if {@code obj} is a {@code SecurityGroup} with equal properties
 */
@Override
public boolean equals(Object obj) {
    if (this == obj) {
        return true;
    }
    // A null obj fails instanceof, so the explicit null check is folded in here.
    if (!(obj instanceof SecurityGroup)) {
        return false;
    }
    SecurityGroup other = (SecurityGroup) obj;
    // Objects.equals(a, b) is a == b || (a != null && a.equals(b)): same null-XOR /
    // other.equals(this) semantics as the original per-property checks.
    return java.util.Objects.equals(other.getOwnerId(), this.getOwnerId())
            && java.util.Objects.equals(other.getGroupName(), this.getGroupName())
            && java.util.Objects.equals(other.getGroupId(), this.getGroupId())
            && java.util.Objects.equals(other.getDescription(), this.getDescription())
            && java.util.Objects.equals(other.getIpPermissions(), this.getIpPermissions())
            && java.util.Objects.equals(other.getIpPermissionsEgress(), this.getIpPermissionsEgress())
            && java.util.Objects.equals(other.getVpcId(), this.getVpcId())
            && java.util.Objects.equals(other.getTags(), this.getTags());
}
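/**
 * Returns references to all security groups that should be created for the target.
 *
 * <p>Side effects on every reference: {@code vpcId} is set to the mapped target VPC,
 * and {@code targetId} is set when a group of the target name already exists there.
 * Those updates now happen in an explicit loop rather than inside a stream
 * {@code filter}, where a side-effecting predicate is easy to miss.
 *
 * @param references the collection of potential security groups to select from; implementations can choose to provide
 *                   additional security groups that are *not* members of this set
 * @return a list of security groups that need to be created in order to migrate the target security group
 */
protected Set<MigrateSecurityGroupReference> shouldCreate(Set<MigrateSecurityGroupReference> references) {
    List<NetflixAmazonCredentials> credentials = references.stream()
            .map(AbstractAmazonCredentialsDescription::getCredentials)
            .distinct()
            .collect(Collectors.toList());
    Map<String, String> vpcMappings = getVpcMappings(credentials);
    // The original applied distinct() to the set's stream; a Set already holds
    // distinct elements under equals(), so iterating it directly is equivalent.
    Set<MigrateSecurityGroupReference> toCreate = new java.util.HashSet<>();
    for (MigrateSecurityGroupReference reference : references) {
        String targetVpc = vpcMappings.get(reference.getAccountId());
        reference.setVpcId(targetVpc);
        Optional<SecurityGroupUpdater> targetMatch = targetLookup.getSecurityGroupByName(
                reference.getCredentialAccount(), reference.getTargetName(), targetVpc);
        if (targetMatch.isPresent()) {
            // Already present in the target VPC: record its id, nothing to create.
            reference.setTargetId(targetMatch.get().getSecurityGroup().getGroupId());
        } else {
            toCreate.add(reference);
        }
    }
    return toCreate;
}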
if (getOwnerId() != null) sb.append("OwnerId: ").append(getOwnerId()).append(","); if (getGroupId() != null) sb.append("GroupId: ").append(getGroupId()).append(","); if (getIpPermissionsEgress() != null) sb.append("IpPermissionsEgress: ").append(getIpPermissionsEgress()).append(",");
/**
 * Hash code over the same eight properties, in the same order, as the original
 * field-by-field computation; intended to agree with this class's {@code equals}.
 *
 * @return the hash code for this security group
 */
@Override
public int hashCode() {
    // Objects.hash applies the identical 31-multiplier / null-as-zero scheme
    // (Arrays.hashCode), so the value is unchanged from the hand-rolled loop.
    return java.util.Objects.hash(
            getDescription(),
            getGroupName(),
            getIpPermissions(),
            getOwnerId(),
            getGroupId(),
            getIpPermissionsEgress(),
            getTags(),
            getVpcId());
}
/**
 * Writes three backtick-delimited data files from the given security groups:
 * {@code secgroup-info.data} (group attributes), {@code secgroup-tags.data}
 * (tags) and {@code secgroup-rules.data} (one row per inbound/outbound rule,
 * built via {@code getRuleInfo}). The map key is carried through unchanged
 * into the rules output.
 *
 * @param secGrpMap the sec grp map
 * @throws IOException Signals that an I/O exception has occurred.
 */
public static void generateSecGroupFile(Map<String, List<SecurityGroup>> secGrpMap) throws IOException {
    FileGenerator.generateFile(secGrpMap, "GroupId`Description`GroupName`OwnerId`vpcid", "secgroup-info.data");
    FileGenerator.generateFile(secGrpMap, "GroupId`tags.key`tags.value", "secgroup-tags.data");

    // Flatten each group's ingress and egress permissions into rule rows, keyed like the input.
    Map<String, List<SGRuleVH>> rulesByKey = new HashMap<>();
    for (Map.Entry<String, List<SecurityGroup>> entry : secGrpMap.entrySet()) {
        List<SGRuleVH> rules = new ArrayList<>();
        for (SecurityGroup group : entry.getValue()) {
            String groupId = group.getGroupId();
            rules.addAll(getRuleInfo(groupId, "inbound", group.getIpPermissions()));
            rules.addAll(getRuleInfo(groupId, "outbound", group.getIpPermissionsEgress()));
        }
        rulesByKey.put(entry.getKey(), rules);
    }
    FileGenerator.generateFile(rulesByKey, "groupId`type`ipProtocol`fromPort`toPort`cidrIp`cidrIpv6", "secgroup-rules.data");
}
/**
 * Describes the given security groups and reports, per group id, the ingress
 * rules that satisfy {@code isOffending}.
 *
 * <p>NOTE(review): only the first DescribeSecurityGroups response is read; if the
 * result were paginated, later pages would be silently skipped — confirm the
 * request size stays within a single page.
 * NOTE(review): an empty {@code groupIds} produces a request with no group ids;
 * verify callers never pass an empty collection, since the API would then
 * describe every group in the account/region rather than none.
 *
 * @param groupIds ids of the security groups to inspect
 * @param account  account whose EC2 client is used
 * @param region   region the groups live in
 * @return group id → details of its offending rules; groups without offending rules are omitted
 */
@Override
public Map<String, SecurityGroupCheckDetails> check(final Collection<String> groupIds,
                                                     final String account,
                                                     final Region region) {
    final DescribeSecurityGroupsRequest request = new DescribeSecurityGroupsRequest();
    request.setGroupIds(groupIds);
    final AmazonEC2Client ec2 = clientProvider.getClient(AmazonEC2Client.class, account, region);
    final DescribeSecurityGroupsResult response = ec2.describeSecurityGroups(request);

    final ImmutableMap.Builder<String, SecurityGroupCheckDetails> findings = ImmutableMap.builder();
    for (final SecurityGroup group : response.getSecurityGroups()) {
        final List<String> offending = group.getIpPermissions().stream()
                .filter(isOffending)
                .map(rule -> rule.toString())
                .collect(toList());
        if (offending.isEmpty()) {
            continue;
        }
        findings.put(group.getGroupId(),
                new SecurityGroupCheckDetails(group.getGroupName(), ImmutableList.copyOf(offending)));
    }
    return findings.build();
}
}
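/**
 * Generates a list of security groups that should be applied to the target load balancer.
 *
 * <p>Each source group id is looked up once (the original looked it up three times —
 * once to warn, once to collect, once to migrate). Warnings for unresolvable ids are
 * added to {@code result} before any migration runs, preserving the original ordering.
 * NOTE(review): this assumes {@code sourceLookup.getSecurityGroupById} has no side
 * effects that depended on being invoked repeatedly — confirm against its implementation.
 *
 * @param sourceDescription AWS descriptor of source load balancer
 * @param result result object of the calling migate operation
 * @return the list of security groups that will be created or added, excluding the elb-specific security group
 */
protected List<MigrateSecurityGroupResult> getTargetSecurityGroups(LoadBalancerDescription sourceDescription,
                                                                   MigrateLoadBalancerResult result) {
    // Resolve every id exactly once; warn on the ones missing in the source location.
    List<SecurityGroup> currentGroups = new java.util.ArrayList<>();
    for (String groupId : sourceDescription.getSecurityGroups()) {
        SecurityGroup found = sourceLookup
                .getSecurityGroupById(source.getCredentialAccount(), groupId, source.getVpcId())
                .map(updater -> updater.getSecurityGroup())
                .orElse(null);
        if (found == null) {
            result.getWarnings().add("Skipping creation of security group: " + groupId
                    + " (could not be found in source location)");
        } else {
            currentGroups.add(found);
        }
    }

    // Migrate in the order the load balancer lists its groups, skipping unresolved ids.
    return sourceDescription.getSecurityGroups().stream()
            .filter(g -> currentGroups.stream().anyMatch(g2 -> g2.getGroupId().equals(g)))
            .map(g -> {
                SecurityGroup match = currentGroups.stream()
                        .filter(g3 -> g3.getGroupId().equals(g))
                        .findFirst()
                        .get();
                SecurityGroupLocation sourceLocation = new SecurityGroupLocation();
                sourceLocation.setName(match.getGroupName());
                sourceLocation.setRegion(source.getRegion());
                sourceLocation.setCredentials(source.getCredentials());
                sourceLocation.setVpcId(source.getVpcId());
                return new SecurityGroupMigrator(sourceLookup, targetLookup, migrateSecurityGroupStrategy,
                        sourceLocation, new SecurityGroupLocation(target)).migrate(dryRun);
            })
            .collect(Collectors.toList());
}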
/**
 * Collects the security groups referenced by {@code source}'s ingress rules
 * (user/group pairs), excluding self-references, as migration references.
 *
 * <p>Groups belonging to an infrastructure application yield no references.
 * A pair with no group name gets one filled in: the raw group id when the owning
 * account is unknown, otherwise the name resolved through {@code sourceLookup}.
 * NOTE(review): pairs are compared via {@code getGroupId()}/{@code getUserId()}
 * without null checks — confirm those are always populated for the pairs seen here.
 *
 * @param source updater wrapping the source security group
 * @return the set of referenced groups to migrate alongside the source group
 */
private Set<MigrateSecurityGroupReference> getTargetReferences(SecurityGroupUpdater source) {
    SecurityGroup group = source.getSecurityGroup();
    if (getInfrastructureApplications().contains(Names.parseName(group.getGroupName()).getApp())) {
        return new HashSet<>();
    }
    return group.getIpPermissions().stream()
            .map(IpPermission::getUserIdGroupPairs)
            .flatMap(List::stream)
            // Drop the group's reference to itself (same id and same owner).
            .filter(pair -> !(pair.getGroupId().equals(group.getGroupId())
                    && pair.getUserId().equals(group.getOwnerId())))
            .map(pair -> {
                NetflixAmazonCredentials account = sourceLookup.getCredentialsForId(pair.getUserId());
                if (pair.getGroupName() == null && account == null) {
                    pair.setGroupName(pair.getGroupId());
                } else if (pair.getGroupName() == null) {
                    sourceLookup.getSecurityGroupById(account.getName(), pair.getGroupId(), pair.getVpcId())
                            .ifPresent(updater -> pair.setGroupName(updater.getSecurityGroup().getGroupName()));
                }
                return new MigrateSecurityGroupReference(pair, account);
            })
            .collect(Collectors.toSet());
}
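/**
 * Get a list of security group ids for the slave.
 *
 * <p>The configured entries ({@code securityGroupSet}) are first matched as group
 * names; if nothing matches, as group ids. A group is accepted only when it has a
 * VPC id and that VPC contains an available subnet with the current subnet id.
 * The final count check fails the call unless the number of accepted ids equals
 * the number of configured entries, so no configured group is silently dropped.
 *
 * @param ec2 client used for the describe calls
 * @return the resolved group ids
 * @throws AmazonClientException if the resolved ids do not match the configured set in size
 */
private List<String> getEc2SecurityGroups(AmazonEC2 ec2) throws AmazonClientException {
    List<String> groupIds = new ArrayList<>();
    DescribeSecurityGroupsResult groupResult = getSecurityGroupsBy("group-name", securityGroupSet, ec2);
    if (groupResult.getSecurityGroups().isEmpty()) {
        groupResult = getSecurityGroupsBy("group-id", securityGroupSet, ec2);
    }
    for (SecurityGroup group : groupResult.getSecurityGroups()) {
        String vpcId = group.getVpcId();
        if (vpcId == null || vpcId.isEmpty()) {
            continue; // no VPC id: not a VPC group, skipped
        }
        List<Filter> filters = new ArrayList<>();
        filters.add(new Filter("vpc-id").withValues(vpcId));
        filters.add(new Filter("state").withValues("available"));
        filters.add(new Filter("subnet-id").withValues(getCurrentSubnetId()));
        DescribeSubnetsResult subnetResult = ec2.describeSubnets(new DescribeSubnetsRequest().withFilters(filters));
        List<Subnet> subnets = subnetResult.getSubnets();
        if (subnets != null && !subnets.isEmpty()) {
            groupIds.add(group.getGroupId());
        }
    }
    if (securityGroupSet.size() != groupIds.size()) {
        throw new AmazonClientException("Security groups must all be VPC security groups to work in a VPC context");
    }
    return groupIds;
}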
/**
 * Executes the planned migration: creates each dependent group listed in
 * {@code results.getCreated()}, locates the target group, optionally copies the
 * source group's permissions onto it, and records the target group id.
 *
 * @param results migration plan; created references and the target reference are updated in place
 * @throws IllegalStateException if the target group cannot be found by name in the target VPC
 */
private void performMigration(MigrateSecurityGroupResult results) {
    final Optional<SecurityGroupUpdater> sourceUpdater = sourceLookup.getSecurityGroupByName(
            source.getCredentialAccount(), source.getName(), source.getVpcId());
    final SecurityGroup sourceGroup = sourceUpdater
            .map(updater -> updater.getSecurityGroup())
            .orElse(null);

    // Every group the target's rules may refer to: created, reused, and the target itself if new.
    Set<MigrateSecurityGroupReference> targetGroups = new HashSet<>(results.getCreated());
    targetGroups.addAll(results.getReused());
    if (!results.targetExists()) {
        targetGroups.add(results.getTarget());
    }

    for (MigrateSecurityGroupReference created : results.getCreated()) {
        created.setTargetId(createDependentSecurityGroup(created).getSecurityGroup().getGroupId());
    }

    SecurityGroupUpdater targetUpdater = targetLookup.getSecurityGroupByName(
            target.getCredentialAccount(), results.getTarget().getTargetName(), target.getVpcId())
            .orElseThrow(() -> new IllegalStateException(
                    "Target group cannot be found: " + results.getTarget().getTargetName()));

    if (sourceUpdater.isPresent()
            && shouldCreateTargetPermissions(sourceUpdater.get().getSecurityGroup())) {
        createTargetPermissions(sourceGroup, targetUpdater, targetGroups, results);
    }
    results.getTarget().setTargetId(targetUpdater.getSecurityGroup().getGroupId());
}
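/**
 * Get a list of security group ids for the slave.
 *
 * <p>The configured entries ({@code securityGroupSet}) are first matched as group
 * names; if nothing matches, as group ids. A group is accepted only when it has a
 * VPC id and that VPC contains an available subnet with this node's subnet id.
 * The final count check fails the call unless the number of accepted ids equals
 * the number of configured entries, so no configured group is silently dropped.
 *
 * @param ec2 client used for the describe calls
 * @return the resolved group ids
 * @throws AmazonClientException if the resolved ids do not match the configured set in size
 */
private List<String> getEc2SecurityGroups(AmazonEC2 ec2) throws AmazonClientException {
    List<String> groupIds = new ArrayList<>();
    DescribeSecurityGroupsResult groupResult = getSecurityGroupsBy("group-name", securityGroupSet, ec2);
    if (groupResult.getSecurityGroups().isEmpty()) {
        groupResult = getSecurityGroupsBy("group-id", securityGroupSet, ec2);
    }
    for (SecurityGroup group : groupResult.getSecurityGroups()) {
        String vpcId = group.getVpcId();
        if (vpcId == null || vpcId.isEmpty()) {
            continue; // no VPC id: not a VPC group, skipped
        }
        List<Filter> filters = new ArrayList<>();
        filters.add(new Filter("vpc-id").withValues(vpcId));
        filters.add(new Filter("state").withValues("available"));
        filters.add(new Filter("subnet-id").withValues(getSubnetId()));
        DescribeSubnetsResult subnetResult = ec2.describeSubnets(new DescribeSubnetsRequest().withFilters(filters));
        List<Subnet> subnets = subnetResult.getSubnets();
        if (subnets != null && !subnets.isEmpty()) {
            groupIds.add(group.getGroupId());
        }
    }
    if (securityGroupSet.size() != groupIds.size()) {
        throw new AmazonClientException(
                "Security groups must all be VPC security groups to work in a VPC context");
    }
    return groupIds;
}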
/**
 * Resolves the id of the security group named after the Dynomite cluster
 * ({@code envVariables.getDynomiteClusterName()}) within the VPC reported by
 * {@code retriever.getVpcId()}.
 *
 * <p>Only the first matching group is used; any further matches in the describe
 * result are ignored without a warning.
 *
 * @return the matching group id, or {@code ""} when no group matches
 */
protected String getVpcGroupId() {
    AmazonEC2 client = null;
    try {
        client = getEc2Client();
        // Match on both name and VPC so a same-named group in another VPC is not picked up.
        Filter byName = new Filter().withName("group-name").withValues(envVariables.getDynomiteClusterName());
        Filter byVpc = new Filter().withName("vpc-id").withValues(retriever.getVpcId());
        logger.info("Dynomite name: " + envVariables.getDynomiteClusterName());
        DescribeSecurityGroupsResult result = client.describeSecurityGroups(
                new DescribeSecurityGroupsRequest().withFilters(byName, byVpc));
        if (!result.getSecurityGroups().isEmpty()) {
            SecurityGroup group = result.getSecurityGroups().get(0);
            logger.debug(String.format("got group-id:%s for group-name:%s,vpc-id:%s",
                    group.getGroupId(), envVariables.getDynomiteClusterName(), retriever.getVpcId()));
            return group.getGroupId();
        }
        logger.error(String.format("unable to get group-id for group-name=%s vpc-id=%s",
                envVariables.getDynomiteClusterName(), retriever.getVpcId()));
        return "";
    } finally {
        // The client is created per call, so it is always released here.
        if (client != null) {
            client.shutdown();
        }
    }
}
/**
 * Adds an ingress rule to the group {@code groupId} allowing TCP ports 80–65535
 * (as written) from the account's classic-link security group.
 *
 * <p>Nothing is done when {@code classicLinkGroupName} is null, when either group
 * cannot be found in {@code vpcId}, or when the target group already has a rule
 * referencing the classic-link group id.
 *
 * @param lookup               resolver for security groups by id and by name
 * @param classicLinkGroupName name of the classic-link group; null disables the call
 * @param groupId              id of the group receiving the ingress rule
 * @param credentials          account that owns both groups
 * @param vpcId                VPC both groups are looked up in
 */
default void addClassicLinkIngress(SecurityGroupLookup lookup, String classicLinkGroupName, String groupId,
                                   NetflixAmazonCredentials credentials, String vpcId) {
    if (classicLinkGroupName == null) {
        return;
    }
    lookup.getSecurityGroupById(credentials.getName(), groupId, vpcId).ifPresent(targetUpdater -> {
        SecurityGroup targetGroup = targetUpdater.getSecurityGroup();
        lookup.getSecurityGroupByName(credentials.getName(), classicLinkGroupName, vpcId)
                .map(classicLinkUpdater -> classicLinkUpdater.getSecurityGroup().getGroupId())
                // Skip when any existing rule already references the classic-link group.
                .filter(classicLinkGroupId -> targetGroup.getIpPermissions().stream()
                        .flatMap(permission -> permission.getUserIdGroupPairs().stream())
                        .noneMatch(pair -> pair.getGroupId().equals(classicLinkGroupId)))
                .ifPresent(classicLinkGroupId -> targetUpdater.addIngress(Collections.singletonList(
                        new IpPermission()
                                .withIpProtocol("tcp")
                                .withFromPort(80)
                                .withToPort(65535)
                                .withUserIdGroupPairs(new UserIdGroupPair()
                                        .withUserId(credentials.getAccountId())
                                        .withGroupId(classicLinkGroupId)
                                        .withVpcId(vpcId)))));
    });
}
}