| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230 |
- // Copyright 2019 Yunion
- //
- // Licensed under the Apache License, Version 2.0 (the "License");
- // you may not use this file except in compliance with the License.
- // You may obtain a copy of the License at
- //
- // http://www.apache.org/licenses/LICENSE-2.0
- //
- // Unless required by applicable law or agreed to in writing, software
- // distributed under the License is distributed on an "AS IS" BASIS,
- // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- // See the License for the specific language governing permissions and
- // limitations under the License.
- package aliyun
- import (
- "fmt"
- "strings"
- "time"
- "yunion.io/x/cloudmux/pkg/cloudprovider"
- "yunion.io/x/pkg/util/netutils"
- "yunion.io/x/pkg/util/secrules"
- "yunion.io/x/pkg/utils"
- )
- type SPermission struct {
- region *SRegion
- CreateTime time.Time
- Description string
- DestCidrIp string
- Ipv6DestCidrIp string
- DestGroupId string
- DestGroupName string
- DestGroupOwnerAccount string
- Direction string
- IpProtocol string
- NicType SecurityGroupPermissionNicType
- Policy string
- PortRange string
- Priority int
- SourceCidrIp string
- Ipv6SourceCidrIp string
- SourceGroupId string
- SourceGroupName string
- SourceGroupOwnerAccount string
- SecurityGroupRuleId string
- SecurityGroupId string
- }
- func (self *SPermission) GetGlobalId() string {
- return self.SecurityGroupRuleId
- }
- func (self *SPermission) GetAction() secrules.TSecurityRuleAction {
- if self.Policy == "Drop" {
- return secrules.SecurityRuleDeny
- }
- return secrules.SecurityRuleAllow
- }
- func (self *SPermission) GetDescription() string {
- return self.Description
- }
- func (self *SPermission) GetDirection() secrules.TSecurityRuleDirection {
- if self.Direction == "ingress" {
- return secrules.DIR_IN
- }
- return secrules.DIR_OUT
- }
- func (self *SPermission) GetCIDRs() []string {
- ret := []string{}
- if len(self.SourceCidrIp) > 0 {
- ret = append(ret, self.SourceCidrIp)
- }
- if len(self.SourceGroupId) > 0 {
- ret = append(ret, self.SourceGroupId)
- }
- if len(self.DestGroupId) > 0 {
- ret = append(ret, self.SourceGroupId)
- }
- if len(self.DestCidrIp) > 0 {
- ret = append(ret, self.DestCidrIp)
- }
- if len(self.Ipv6DestCidrIp) > 0 {
- ret = append(ret, self.Ipv6DestCidrIp)
- }
- if len(self.Ipv6SourceCidrIp) > 0 {
- ret = append(ret, self.Ipv6SourceCidrIp)
- }
- return ret
- }
- func (self *SPermission) GetProtocol() string {
- if strings.ToLower(self.IpProtocol) == "all" {
- return secrules.PROTO_ANY
- }
- return strings.ToLower(self.IpProtocol)
- }
- func (self *SPermission) GetPorts() string {
- if self.PortRange == "-1/-1" || self.PortRange == "1/65535" || self.PortRange == "" {
- return ""
- }
- info := strings.Split(self.PortRange, "/")
- if len(info) != 2 {
- return ""
- }
- if info[0] == info[1] {
- if info[0] == "-1" {
- return ""
- }
- return info[0]
- }
- return fmt.Sprintf("%s-%s", info[0], info[1])
- }
- func (self *SPermission) GetPriority() int {
- return self.Priority
- }
- func (self *SPermission) Delete() error {
- return self.region.DeleteSecurityGroupRule(self.SecurityGroupId, self.GetDirection(), self.SecurityGroupRuleId)
- }
- func (self *SPermission) Update(opts *cloudprovider.SecurityGroupRuleUpdateOptions) error {
- return self.region.UpdateSecurityGroupRule(self.SecurityGroupId, self.SecurityGroupRuleId, self.GetDirection(), opts)
- }
- func (self *SRegion) GetSecurityGroupRules(id string) ([]SPermission, error) {
- params := map[string]string{
- "SecurityGroupId": id,
- "RegionId": self.RegionId,
- }
- resp, err := self.ecsRequest("DescribeSecurityGroupAttribute", params)
- if err != nil {
- return nil, err
- }
- ret := struct {
- Permissions struct {
- Permission []SPermission
- }
- SecurityGroupId string
- }{}
- err = resp.Unmarshal(&ret)
- if err != nil {
- return nil, err
- }
- for i := range ret.Permissions.Permission {
- ret.Permissions.Permission[i].SecurityGroupId = ret.SecurityGroupId
- }
- return ret.Permissions.Permission, nil
- }
- func (self *SRegion) DeleteSecurityGroupRule(groupId string, direction secrules.TSecurityRuleDirection, ruleId string) error {
- action := "RevokeSecurityGroup"
- if direction == secrules.DIR_OUT {
- action = "RevokeSecurityGroupEgress"
- }
- params := map[string]string{
- "RegionId": self.RegionId,
- "ClientToken": utils.GenRequestId(20),
- "SecurityGroupId": groupId,
- "SecurityGroupRuleId.1": ruleId,
- }
- _, err := self.ecsRequest(action, params)
- return err
- }
- func (self *SRegion) UpdateSecurityGroupRule(groupId, ruleId string, direction secrules.TSecurityRuleDirection, opts *cloudprovider.SecurityGroupRuleUpdateOptions) error {
- params := map[string]string{
- "ClientToken": utils.GenRequestId(20),
- "SecurityGroupId": groupId,
- "SecurityGroupRuleId": ruleId,
- }
- if len(opts.Desc) > 0 {
- params["Description"] = opts.Desc
- }
- switch opts.Protocol {
- case secrules.PROTO_TCP, secrules.PROTO_UDP:
- params["IpProtocol"] = opts.Protocol
- if len(opts.Ports) > 0 {
- params["PortRange"] = fmt.Sprintf("%s/%s", opts.Ports, opts.Ports)
- if strings.Contains(opts.Ports, "-") {
- params["PortRange"] = strings.ReplaceAll(opts.Ports, "-", "/")
- }
- }
- case secrules.PROTO_ICMP:
- params["IpProtocol"] = "icmp"
- case secrules.PROTO_ANY:
- params["IpProtocol"] = "all"
- }
- if opts.Priority > 0 {
- params["Priority"] = fmt.Sprintf("%d", opts.Priority)
- }
- switch opts.Action {
- case secrules.SecurityRuleAllow:
- params["Policy"] = "accept"
- case secrules.SecurityRuleDeny:
- params["Policy"] = "drop"
- }
- action := "ModifySecurityGroupRule"
- switch direction {
- case secrules.DIR_IN:
- if len(opts.CIDR) > 0 {
- if _, err := netutils.NewIPV6Prefix(opts.CIDR); err == nil {
- params["Ipv6SourceCidrIp"] = opts.CIDR
- } else {
- params["SourceCidrIp"] = opts.CIDR
- }
- }
- case secrules.DIR_OUT:
- action = "ModifySecurityGroupEgressRule"
- if len(opts.CIDR) > 0 {
- if _, err := netutils.NewIPV6Prefix(opts.CIDR); err == nil {
- params["Ipv6DestCidrIp"] = opts.CIDR
- } else {
- params["DestCidrIp"] = opts.CIDR
- }
- }
- }
- _, err := self.ecsRequest(action, params)
- return err
- }
|