Examples with IpPermission software.amazon.awssdk.services.ec2.model.IpPermission used on opensource projects

Example 6 with IpPermission

use of software.amazon.awssdk.services.ec2.model.IpPermission in project photon-model by vmware.

the class TestAWSSecurityGroupService method testSecurityGroupRulesCalculation.

/*
     * Test calculating Rule range and Cidr based on the AWS IpPermission configuration
     */
@Test
public void testSecurityGroupRulesCalculation() throws Throwable {
    IpRange ipv4Range = new IpRange();
    ipv4Range.setCidrIp("0.0.0.0/0");
    Ipv6Range ipv6Range = new Ipv6Range();
    ipv6Range.setCidrIpv6("::/0");
    // {IpProtocol: -1,UserIdGroupPairs: [],Ipv6Ranges: [],PrefixListIds: [], Ipv4Ranges: [{CidrIp: 0.0.0.0/0}]}
    // expected output: cidr = "0.0.0.0/0"  range = "1-65535"
    IpPermission mockPermission1 = new IpPermission();
    mockPermission1.setFromPort(-1);
    mockPermission1.setToPort(-1);
    mockPermission1.setIpProtocol("-1");
    mockPermission1.setIpv4Ranges(Collections.singleton(ipv4Range));
    Rule outputRule1 = new Rule();
    outputRule1.protocol = AWSSecurityGroupUtils.calculateProtocol(outputRule1, mockPermission1.getIpProtocol());
    outputRule1.ports = AWSSecurityGroupUtils.calculatePorts(outputRule1, mockPermission1);
    outputRule1.ipRangeCidr = AWSSecurityGroupUtils.calculateIpRangeCidr(outputRule1, mockPermission1);
    assertEquals("wrong ports range:", SecurityGroupService.ALL_PORTS, outputRule1.ports);
    assertEquals("wrong cidr:", "0.0.0.0/0", outputRule1.ipRangeCidr);
    // {IpProtocol: icmpv6,FromPort: -1,ToPort: -1,UserIdGroupPairs: [], Ipv6Ranges: [{CidrIpv6: ::/0}],
    // PrefixListIds: [],Ipv4Ranges: []}
    // expected output: cidr = "::/0"  range = "1-65535"
    IpPermission mockPermission2 = new IpPermission();
    mockPermission2.setFromPort(-1);
    mockPermission2.setToPort(-1);
    mockPermission2.setIpProtocol("icmpv6");
    mockPermission2.setIpv6Ranges(Collections.singleton(ipv6Range));
    Rule outputRule2 = new Rule();
    outputRule2.protocol = AWSSecurityGroupUtils.calculateProtocol(outputRule2, mockPermission2.getIpProtocol());
    outputRule2.ports = AWSSecurityGroupUtils.calculatePorts(outputRule2, mockPermission2);
    outputRule2.ipRangeCidr = AWSSecurityGroupUtils.calculateIpRangeCidr(outputRule2, mockPermission2);
    assertEquals("wrong ports range:", SecurityGroupService.ALL_PORTS, outputRule2.ports);
    assertEquals("wrong cidr:", "::/0", outputRule2.ipRangeCidr);
    // {IpProtocol: icmp,FromPort: -1,ToPort: -1,UserIdGroupPairs: [], Ipv6Ranges: [{CidrIpv6: ::/0}],
    // PrefixListIds: [],Ipv4Ranges: []}
    // expected output: cidr = "::/0"  range = "1-65535"
    IpPermission mockPermission3 = new IpPermission();
    mockPermission3.setFromPort(-1);
    mockPermission3.setToPort(-1);
    mockPermission3.setIpProtocol("icmp");
    mockPermission3.setIpv6Ranges(Collections.singleton(ipv6Range));
    Rule outputRule3 = new Rule();
    outputRule3.protocol = AWSSecurityGroupUtils.calculateProtocol(outputRule3, mockPermission3.getIpProtocol());
    outputRule3.ports = AWSSecurityGroupUtils.calculatePorts(outputRule3, mockPermission3);
    outputRule3.ipRangeCidr = AWSSecurityGroupUtils.calculateIpRangeCidr(outputRule3, mockPermission3);
    assertEquals("wrong ports range:", SecurityGroupService.ALL_PORTS, outputRule3.ports);
    assertEquals("wrong cidr:", "::/0", outputRule3.ipRangeCidr);
    // {IpProtocol: icmp,FromPort: 0,ToPort: -1,UserIdGroupPairs: [], Ipv6Ranges: [],
    // PrefixListIds: [],Ipv4Ranges: [{CidrIp: 0.0.0.0/0}]}
    // expected output: cidr = "0.0.0.0/0" range = "0"
    IpPermission mockPermission4 = new IpPermission();
    mockPermission4.setFromPort(0);
    mockPermission4.setToPort(-1);
    mockPermission4.setIpProtocol("icmp");
    mockPermission4.setIpv4Ranges(Collections.singleton(ipv4Range));
    Rule outputRule4 = new Rule();
    outputRule4.protocol = AWSSecurityGroupUtils.calculateProtocol(outputRule4, mockPermission4.getIpProtocol());
    outputRule4.ports = AWSSecurityGroupUtils.calculatePorts(outputRule4, mockPermission4);
    outputRule4.ipRangeCidr = AWSSecurityGroupUtils.calculateIpRangeCidr(outputRule4, mockPermission4);
    assertEquals("wrong ports range:", "0", outputRule4.ports);
    assertEquals("wrong cidr:", "0.0.0.0/0", outputRule4.ipRangeCidr);
    // {IpProtocol: icmpv6,FromPort: -1,ToPort: -1,UserIdGroupPairs: [], Ipv6Ranges: [],PrefixListIds: [],
    // Ipv4Ranges: [{CidrIp: 0.0.0.0/0}]}
    // expected output: cidr = "*" range = "1-65535"
    IpPermission mockPermission5 = new IpPermission();
    mockPermission5.setFromPort(-1);
    mockPermission5.setToPort(-1);
    mockPermission5.setIpProtocol("icmpv6");
    mockPermission5.setIpv4Ranges(Collections.singleton(ipv4Range));
    Rule outputRule5 = new Rule();
    outputRule5.protocol = AWSSecurityGroupUtils.calculateProtocol(outputRule5, mockPermission5.getIpProtocol());
    outputRule5.ports = AWSSecurityGroupUtils.calculatePorts(outputRule5, mockPermission5);
    outputRule5.ipRangeCidr = AWSSecurityGroupUtils.calculateIpRangeCidr(outputRule5, mockPermission5);
    assertEquals("wrong ports range:", SecurityGroupService.ALL_PORTS, outputRule5.ports);
    assertEquals("wrong cidr:", SecurityGroupService.ANY, outputRule5.ipRangeCidr);
    // {IpProtocol: icmp,FromPort: 3,ToPort: 0,UserIdGroupPairs: [], Ipv6Ranges: [],PrefixListIds: [],
    // Ipv4Ranges: [{CidrIp: 0.0.0.0/0}]}
    // expected output: protocol = "ICMPv4" cidr = "0.0.0.0/0" range = "3-0"
    IpPermission mockPermission6 = new IpPermission();
    mockPermission6.setFromPort(3);
    mockPermission6.setToPort(0);
    mockPermission6.setIpProtocol("icmp");
    mockPermission6.setIpv4Ranges(Collections.singleton(ipv4Range));
    Rule outputRule6 = new Rule();
    outputRule6.protocol = AWSSecurityGroupUtils.calculateProtocol(outputRule6, mockPermission6.getIpProtocol());
    outputRule6.ports = AWSSecurityGroupUtils.calculatePorts(outputRule6, mockPermission6);
    outputRule6.ipRangeCidr = AWSSecurityGroupUtils.calculateIpRangeCidr(outputRule6, mockPermission6);
    assertEquals("wrong ports range:", "3-0", outputRule6.ports);
    assertEquals("wrong cidr:", "0.0.0.0/0", outputRule6.ipRangeCidr);
    // {IpProtocol: icmp,FromPort: 8,ToPort: -1,UserIdGroupPairs: [], Ipv6Ranges: [],PrefixListIds: [],
    // Ipv4Ranges: [{CidrIp: 0.0.0.0/0}]}
    // expected output: cidr = "0.0.0.0/0" range = "8"
    IpPermission mockPermission7 = new IpPermission();
    mockPermission7.setFromPort(8);
    mockPermission7.setToPort(-1);
    mockPermission7.setIpProtocol("icmp");
    mockPermission7.setIpv4Ranges(Collections.singleton(ipv4Range));
    Rule outputRule7 = new Rule();
    outputRule7.protocol = AWSSecurityGroupUtils.calculateProtocol(outputRule7, mockPermission7.getIpProtocol());
    outputRule7.ports = AWSSecurityGroupUtils.calculatePorts(outputRule7, mockPermission7);
    outputRule7.ipRangeCidr = AWSSecurityGroupUtils.calculateIpRangeCidr(outputRule7, mockPermission7);
    assertEquals("wrong ports range:", "8", outputRule7.ports);
    assertEquals("wrong cidr:", "0.0.0.0/0", outputRule7.ipRangeCidr);
}

Example 7 with IpPermission

use of software.amazon.awssdk.services.ec2.model.IpPermission in project photon-model by vmware.

the class TestAWSSecurityGroupService method testBuildRules.

/*
     * Test conversion of Allow rules to AWS IpPermssions
     */
@Test
public void testBuildRules() throws Throwable {
    ArrayList<Rule> rules = TestUtils.getAllowIngressRules();
    List<IpPermission> awsRules = this.client.buildRules(rules);
    for (IpPermission rule : awsRules) {
        assertDefaultRules(rule);
    }
}

Example 8 with IpPermission

use of software.amazon.awssdk.services.ec2.model.IpPermission in project photon-model by vmware.

the class TestAWSSecurityGroupService method testAllocateSecurityGroupUpdate.

/*
     * update an existing security group to the required default ports
     */
@Test
public void testAllocateSecurityGroupUpdate() throws Throwable {
    String groupId = this.client.createDefaultSecurityGroup(null);
    List<IpPermission> rules = new ArrayList<>();
    IpRange ipRange = new IpRange().withCidrIp(DEFAULT_ALLOWED_NETWORK);
    rules.add(new IpPermission().withIpProtocol(DEFAULT_PROTOCOL).withFromPort(22).withToPort(22).withIpv4Ranges(ipRange));
    this.client.addIngressRules(groupId, rules);
    SecurityGroup updatedGroup = this.client.getDefaultSecurityGroup(null);
    validateDefaultRules(updatedGroup.getIpPermissions());
    this.client.deleteSecurityGroup(groupId);
}

Example 9 with IpPermission

use of software.amazon.awssdk.services.ec2.model.IpPermission in project photon-model by vmware.

the class AWSComputeDiskDay2ServiceTest method assertAndSetVMSecurityGroupsToBeDeleted.

private void assertAndSetVMSecurityGroupsToBeDeleted(Instance instance, ComputeState vm) {
    // This assert is only suitable for real (non-mocking env).
    if (this.isMock) {
        return;
    }
    this.host.log(Level.INFO, "%s: Assert security groups configuration for [%s] VM", this.currentTestName.getMethodName(), this.vmState.name);
    // Get the SecurityGroupStates that were provided in the request ComputeState
    Collector<SecurityGroupService.SecurityGroupState, ?, Map<String, SecurityGroupService.SecurityGroupState>> convertToMap = Collectors.<SecurityGroupService.SecurityGroupState, String, SecurityGroupService.SecurityGroupState>toMap(sg -> sg.name, sg -> sg);
    Map<String, SecurityGroupService.SecurityGroupState> currentSGNamesToStates = vm.networkInterfaceLinks.stream().map(nicLink -> this.host.getServiceState(null, NetworkInterfaceService.NetworkInterfaceState.class, UriUtils.buildUri(this.host, nicLink))).<// collect all SecurityGroup States from all NIC states
    SecurityGroupService.SecurityGroupState>flatMap(nicState -> nicState.securityGroupLinks.stream().map(sgLink -> {
        SecurityGroupService.SecurityGroupState sgState = this.host.getServiceState(null, SecurityGroupService.SecurityGroupState.class, UriUtils.buildUri(this.host, sgLink));
        return sgState;
    })).collect(convertToMap);
    // Compare ComputeState after provisioning to the ComputeState in the request
    assertNotNull("Instance should have security groups attached.", instance.getSecurityGroups());
    // Provisioned Instance should have the same number of SecurityGroups as requested
    assertEquals(instance.getSecurityGroups().size(), currentSGNamesToStates.size());
    for (SecurityGroupService.SecurityGroupState currentSGState : currentSGNamesToStates.values()) {
        // Get corresponding requested state
        GroupIdentifier provisionedGroupIdentifier = null;
        for (GroupIdentifier awsGroupIdentifier : instance.getSecurityGroups()) {
            if (awsGroupIdentifier.getGroupId().equals(currentSGState.id)) {
                provisionedGroupIdentifier = awsGroupIdentifier;
                break;
            }
        }
        // Ensure that the requested SecurityGroup was actually provisioned
        assertNotNull(provisionedGroupIdentifier);
        if (currentSGState.name.contains(TestAWSSetupUtils.AWS_NEW_GROUP_PREFIX)) {
            this.sgToCleanUp = currentSGState.id;
            SecurityGroup awsSecurityGroup = getSecurityGroupsIdUsingEC2Client(this.client, provisionedGroupIdentifier.getGroupId());
            assertNotNull(awsSecurityGroup);
            // Validate rules are correctly created as requested
            IpPermission awsIngressRule = awsSecurityGroup.getIpPermissions().get(0);
            IpPermission awsEgressRule = awsSecurityGroup.getIpPermissionsEgress().get(1);
            assertNotNull(awsIngressRule);
            assertNotNull(awsEgressRule);
            assertEquals("Error in created ingress rule", awsIngressRule.getIpProtocol(), currentSGState.ingress.get(0).protocol);
            assertEquals("Error in created ingress rule", awsIngressRule.getIpv4Ranges().get(0).getCidrIp(), currentSGState.ingress.get(0).ipRangeCidr);
            assertEquals("Error in created egress rule", awsEgressRule.getIpProtocol(), currentSGState.egress.get(0).protocol);
            assertEquals("Error in created egress rule", awsEgressRule.getIpv4Ranges().get(0).getCidrIp(), currentSGState.egress.get(0).ipRangeCidr);
        }
    }
}

Example 10 with IpPermission

use of software.amazon.awssdk.services.ec2.model.IpPermission in project photon-model by vmware.

the class AWSRebootServiceTest method assertAndSetVMSecurityGroupsToBeDeleted.

private void assertAndSetVMSecurityGroupsToBeDeleted(Instance instance, ComputeState vm) {
    // This assert is only suitable for real (non-mocking env).
    if (this.isMock) {
        return;
    }
    this.host.log(Level.INFO, "%s: Assert security groups configuration for [%s] VM", this.currentTestName.getMethodName(), this.vmState.name);
    // Get the SecurityGroupStates that were provided in the request ComputeState
    Collector<SecurityGroupState, ?, Map<String, SecurityGroupState>> convertToMap = Collectors.<SecurityGroupState, String, SecurityGroupState>toMap(sg -> sg.name, sg -> sg);
    Map<String, SecurityGroupState> currentSGNamesToStates = vm.networkInterfaceLinks.stream().map(nicLink -> this.host.getServiceState(null, NetworkInterfaceState.class, UriUtils.buildUri(this.host, nicLink))).<// collect all SecurityGroup States from all NIC states
    SecurityGroupState>flatMap(nicState -> nicState.securityGroupLinks.stream().map(sgLink -> {
        SecurityGroupState sgState = this.host.getServiceState(null, SecurityGroupState.class, UriUtils.buildUri(this.host, sgLink));
        return sgState;
    })).collect(convertToMap);
    // Compare ComputeState after provisioning to the ComputeState in the request
    assertNotNull("Instance should have security groups attached.", instance.getSecurityGroups());
    // Provisioned Instance should have the same number of SecurityGroups as requested
    assertEquals(instance.getSecurityGroups().size(), currentSGNamesToStates.size());
    for (SecurityGroupState currentSGState : currentSGNamesToStates.values()) {
        // Get corresponding requested state
        GroupIdentifier provisionedGroupIdentifier = null;
        for (GroupIdentifier awsGroupIdentifier : instance.getSecurityGroups()) {
            if (awsGroupIdentifier.getGroupId().equals(currentSGState.id)) {
                provisionedGroupIdentifier = awsGroupIdentifier;
                break;
            }
        }
        // Ensure that the requested SecurityGroup was actually provisioned
        assertNotNull(provisionedGroupIdentifier);
        if (currentSGState.name.contains(TestAWSSetupUtils.AWS_NEW_GROUP_PREFIX)) {
            this.sgToCleanUp = currentSGState.id;
            SecurityGroup awsSecurityGroup = getSecurityGroupsIdUsingEC2Client(this.client, provisionedGroupIdentifier.getGroupId());
            assertNotNull(awsSecurityGroup);
            // Validate rules are correctly created as requested
            IpPermission awsIngressRule = awsSecurityGroup.getIpPermissions().get(0);
            IpPermission awsEgressRule = awsSecurityGroup.getIpPermissionsEgress().get(1);
            assertNotNull(awsIngressRule);
            assertNotNull(awsEgressRule);
            assertEquals("Error in created ingress rule", awsIngressRule.getIpProtocol(), currentSGState.ingress.get(0).protocol);
            assertEquals("Error in created ingress rule", awsIngressRule.getIpv4Ranges().get(0).getCidrIp(), currentSGState.ingress.get(0).ipRangeCidr);
            assertEquals("Error in created egress rule", awsEgressRule.getIpProtocol(), currentSGState.egress.get(0).protocol);
            assertEquals("Error in created egress rule", awsEgressRule.getIpv4Ranges().get(0).getCidrIp(), currentSGState.egress.get(0).ipRangeCidr);
        }
    }
}