zhouyuhuan
/
Cloudpods


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230
							// Copyright 2019 Yunion
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package aliyun

import (
	"fmt"
	"strings"
	"time"

	"yunion.io/x/cloudmux/pkg/cloudprovider"
	"yunion.io/x/pkg/util/netutils"
	"yunion.io/x/pkg/util/secrules"
	"yunion.io/x/pkg/utils"
)

type SPermission struct {
	region *SRegion

	CreateTime              time.Time
	Description             string
	DestCidrIp              string
	Ipv6DestCidrIp          string
	DestGroupId             string
	DestGroupName           string
	DestGroupOwnerAccount   string
	Direction               string
	IpProtocol              string
	NicType                 SecurityGroupPermissionNicType
	Policy                  string
	PortRange               string
	Priority                int
	SourceCidrIp            string
	Ipv6SourceCidrIp        string
	SourceGroupId           string
	SourceGroupName         string
	SourceGroupOwnerAccount string
	SecurityGroupRuleId     string
	SecurityGroupId         string
}

func (self *SPermission) GetGlobalId() string {
	return self.SecurityGroupRuleId
}

func (self *SPermission) GetAction() secrules.TSecurityRuleAction {
	if self.Policy == "Drop" {
		return secrules.SecurityRuleDeny
	}
	return secrules.SecurityRuleAllow
}

func (self *SPermission) GetDescription() string {
	return self.Description
}

func (self *SPermission) GetDirection() secrules.TSecurityRuleDirection {
	if self.Direction == "ingress" {
		return secrules.DIR_IN
	}
	return secrules.DIR_OUT
}

func (self *SPermission) GetCIDRs() []string {
	ret := []string{}
	if len(self.SourceCidrIp) > 0 {
		ret = append(ret, self.SourceCidrIp)
	}
	if len(self.SourceGroupId) > 0 {
		ret = append(ret, self.SourceGroupId)
	}
	if len(self.DestGroupId) > 0 {
		ret = append(ret, self.SourceGroupId)
	}
	if len(self.DestCidrIp) > 0 {
		ret = append(ret, self.DestCidrIp)
	}
	if len(self.Ipv6DestCidrIp) > 0 {
		ret = append(ret, self.Ipv6DestCidrIp)
	}
	if len(self.Ipv6SourceCidrIp) > 0 {
		ret = append(ret, self.Ipv6SourceCidrIp)
	}
	return ret
}

func (self *SPermission) GetProtocol() string {
	if strings.ToLower(self.IpProtocol) == "all" {
		return secrules.PROTO_ANY
	}
	return strings.ToLower(self.IpProtocol)
}

func (self *SPermission) GetPorts() string {
	if self.PortRange == "-1/-1" || self.PortRange == "1/65535" || self.PortRange == "" {
		return ""
	}
	info := strings.Split(self.PortRange, "/")
	if len(info) != 2 {
		return ""
	}
	if info[0] == info[1] {
		if info[0] == "-1" {
			return ""
		}
		return info[0]
	}
	return fmt.Sprintf("%s-%s", info[0], info[1])
}

func (self *SPermission) GetPriority() int {
	return self.Priority
}

func (self *SPermission) Delete() error {
	return self.region.DeleteSecurityGroupRule(self.SecurityGroupId, self.GetDirection(), self.SecurityGroupRuleId)
}

func (self *SPermission) Update(opts *cloudprovider.SecurityGroupRuleUpdateOptions) error {
	return self.region.UpdateSecurityGroupRule(self.SecurityGroupId, self.SecurityGroupRuleId, self.GetDirection(), opts)
}

func (self *SRegion) GetSecurityGroupRules(id string) ([]SPermission, error) {
	params := map[string]string{
		"SecurityGroupId": id,
		"RegionId":        self.RegionId,
	}
	resp, err := self.ecsRequest("DescribeSecurityGroupAttribute", params)
	if err != nil {
		return nil, err
	}
	ret := struct {
		Permissions struct {
			Permission []SPermission
		}
		SecurityGroupId string
	}{}
	err = resp.Unmarshal(&ret)
	if err != nil {
		return nil, err
	}
	for i := range ret.Permissions.Permission {
		ret.Permissions.Permission[i].SecurityGroupId = ret.SecurityGroupId
	}
	return ret.Permissions.Permission, nil
}

func (self *SRegion) DeleteSecurityGroupRule(groupId string, direction secrules.TSecurityRuleDirection, ruleId string) error {
	action := "RevokeSecurityGroup"
	if direction == secrules.DIR_OUT {
		action = "RevokeSecurityGroupEgress"
	}
	params := map[string]string{
		"RegionId":              self.RegionId,
		"ClientToken":           utils.GenRequestId(20),
		"SecurityGroupId":       groupId,
		"SecurityGroupRuleId.1": ruleId,
	}
	_, err := self.ecsRequest(action, params)
	return err
}

func (self *SRegion) UpdateSecurityGroupRule(groupId, ruleId string, direction secrules.TSecurityRuleDirection, opts *cloudprovider.SecurityGroupRuleUpdateOptions) error {
	params := map[string]string{
		"ClientToken":         utils.GenRequestId(20),
		"SecurityGroupId":     groupId,
		"SecurityGroupRuleId": ruleId,
	}
	if len(opts.Desc) > 0 {
		params["Description"] = opts.Desc
	}
	switch opts.Protocol {
	case secrules.PROTO_TCP, secrules.PROTO_UDP:
		params["IpProtocol"] = opts.Protocol
		if len(opts.Ports) > 0 {
			params["PortRange"] = fmt.Sprintf("%s/%s", opts.Ports, opts.Ports)
			if strings.Contains(opts.Ports, "-") {
				params["PortRange"] = strings.ReplaceAll(opts.Ports, "-", "/")
			}
		}
	case secrules.PROTO_ICMP:
		params["IpProtocol"] = "icmp"
	case secrules.PROTO_ANY:
		params["IpProtocol"] = "all"
	}

	if opts.Priority > 0 {
		params["Priority"] = fmt.Sprintf("%d", opts.Priority)
	}

	switch opts.Action {
	case secrules.SecurityRuleAllow:
		params["Policy"] = "accept"
	case secrules.SecurityRuleDeny:
		params["Policy"] = "drop"
	}
	action := "ModifySecurityGroupRule"
	switch direction {
	case secrules.DIR_IN:
		if len(opts.CIDR) > 0 {
			if _, err := netutils.NewIPV6Prefix(opts.CIDR); err == nil {
				params["Ipv6SourceCidrIp"] = opts.CIDR
			} else {
				params["SourceCidrIp"] = opts.CIDR
			}
		}
	case secrules.DIR_OUT:
		action = "ModifySecurityGroupEgressRule"
		if len(opts.CIDR) > 0 {
			if _, err := netutils.NewIPV6Prefix(opts.CIDR); err == nil {
				params["Ipv6DestCidrIp"] = opts.CIDR
			} else {
				params["DestCidrIp"] = opts.CIDR
			}
		}
	}
	_, err := self.ecsRequest(action, params)
	return err
}