/*
* Copyright 2015 Google, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package com.netflix.spinnaker.clouddriver.google.provider.view
import com.fasterxml.jackson.databind.ObjectMapper
import com.google.api.services.iam.v1.model.ServiceAccount
import com.netflix.spinnaker.cats.cache.Cache
import com.netflix.spinnaker.cats.cache.CacheData
import com.netflix.spinnaker.cats.cache.RelationshipCacheFilter
import com.netflix.spinnaker.clouddriver.google.GoogleCloudProvider
import com.netflix.spinnaker.clouddriver.google.cache.Keys
import com.netflix.spinnaker.clouddriver.google.config.GoogleConfigurationProperties
import com.netflix.spinnaker.clouddriver.google.deploy.GCEUtil
import com.netflix.spinnaker.clouddriver.google.model.GoogleSecurityGroup
import com.netflix.spinnaker.clouddriver.google.security.GoogleNamedAccountCredentials
import com.netflix.spinnaker.clouddriver.model.AddressableRange
import com.netflix.spinnaker.clouddriver.model.SecurityGroupProvider
import com.netflix.spinnaker.clouddriver.model.securitygroups.IpRangeRule
import com.netflix.spinnaker.clouddriver.model.securitygroups.Rule
import com.netflix.spinnaker.clouddriver.security.AccountCredentialsProvider
import com.netflix.spinnaker.credentials.CredentialsRepository
import groovy.util.logging.Slf4j
import org.springframework.beans.factory.annotation.Autowired
import org.springframework.stereotype.Component
import static com.netflix.spinnaker.clouddriver.google.cache.Keys.Namespace.SECURITY_GROUPS
@Slf4j
@Component
class GoogleSecurityGroupProvider implements SecurityGroupProvider {
// Collaborators injected by Spring (see the @Autowired constructor). Only cacheView is
// referenced by the lookup methods visible in this file; the other two are held for
// code elsewhere in the class — TODO confirm against the rest of the file.
private final CredentialsRepository credentialsRepository
// Read-only view over the cats cache; every lookup goes through the SECURITY_GROUPS namespace.
private final Cache cacheView
private final ObjectMapper objectMapper
// Groovy property exposing the provider id required by SecurityGroupProvider (getter is generated).
final String cloudProvider = GoogleCloudProvider.ID
@Autowired
/**
 * Builds the provider from its Spring-managed collaborators.
 *
 * @param credentialsRepository account credentials store (not used by the lookups shown here)
 * @param cacheView             cats cache the firewall data is read from
 * @param objectMapper          Jackson mapper (not used by the lookups shown here)
 */
GoogleSecurityGroupProvider(CredentialsRepository credentialsRepository, Cache cacheView, ObjectMapper objectMapper) {
this.credentialsRepository = credentialsRepository
this.cacheView = cacheView
this.objectMapper = objectMapper
}
@Override
/**
 * Returns every cached Google firewall rule across all accounts and regions.
 *
 * @param includeRules whether to materialise the inbound IP-range rules on each result
 * @return the matching security groups (empty when the cache holds none)
 */
Set getAll(boolean includeRules) {
  // Every key component is a wildcard, so the whole SECURITY_GROUPS namespace is scanned.
  String everything = Keys.getSecurityGroupKey('*', '*', '*', '*')
  return getAllMatchingKeyPattern(everything, includeRules)
}
@Override
/**
 * Returns the cached firewall rules for one region, across all accounts.
 *
 * @param includeRules whether to materialise the inbound IP-range rules on each result
 * @param region       region component of the cache key to pin
 * @return the matching security groups (empty when none match)
 */
Set getAllByRegion(boolean includeRules, String region) {
  // Only the region is pinned; name, id and account remain wildcards.
  String regionPattern = Keys.getSecurityGroupKey('*', '*', region, '*')
  return getAllMatchingKeyPattern(regionPattern, includeRules)
}
@Override
/**
 * Returns the cached firewall rules belonging to one account, across all regions.
 *
 * @param includeRules whether to materialise the inbound IP-range rules on each result
 * @param account      account component of the cache key to pin
 * @return the matching security groups (empty when none match)
 */
Set getAllByAccount(boolean includeRules, String account) {
  // Only the account is pinned; name, id and region remain wildcards.
  String accountPattern = Keys.getSecurityGroupKey('*', '*', '*', account)
  return getAllMatchingKeyPattern(accountPattern, includeRules)
}
@Override
/**
 * Returns the cached firewall rules with a given name in one account.
 *
 * @param includeRules whether to materialise the inbound IP-range rules on each result
 * @param account      account component of the cache key to pin
 * @param name         firewall name component of the cache key to pin
 * @return the matching security groups (empty when none match)
 */
Set getAllByAccountAndName(boolean includeRules, String account, String name) {
  // Name and account are pinned; id and region stay wildcards, so a same-named
  // firewall cached under several regions of the account is returned in full.
  String namePattern = Keys.getSecurityGroupKey(name, '*', '*', account)
  return getAllMatchingKeyPattern(namePattern, includeRules)
}
@Override
/**
 * Returns the cached firewall rules for one account in one region.
 *
 * @param includeRules whether to materialise the inbound IP-range rules on each result
 * @param account      account component of the cache key to pin
 * @param region       region component of the cache key to pin
 * @return the matching security groups (empty when none match)
 */
Set getAllByAccountAndRegion(boolean includeRules, String account, String region) {
  // Region and account are pinned; name and id stay wildcards.
  String scopedPattern = Keys.getSecurityGroupKey('*', '*', region, account)
  return getAllMatchingKeyPattern(scopedPattern, includeRules)
}
@Override
/**
 * Looks up a single firewall rule by name within an account and region, rules included.
 *
 * @param account account component of the cache key
 * @param region  region component of the cache key
 * @param name    firewall name to match
 * @param vpcId   accepted for interface compatibility but not used in the lookup
 * @return the first matching security group, or {@code null} when nothing matches
 */
GoogleSecurityGroup get(String account, String region, String name, String vpcId) {
  // vpcId is deliberately left out of the key: the match is by name, region and account
  // only, so a caller scoping by network still gets the first firewall with that name
  // regardless of the network it belongs to.
  String pattern = Keys.getSecurityGroupKey(name, '*', region, account)
  Set matches = getAllMatchingKeyPattern(pattern, true)
  // Groovy's getAt(0) on an empty collection yields null rather than throwing.
  return matches.getAt(0)
}
@Override
/**
 * Looks up a single firewall rule by its id within an account and region, rules included.
 *
 * @param account account component of the cache key
 * @param region  region component of the cache key
 * @param id      firewall id to match (occupies the key component that {@code get} wildcards)
 * @param vpcId   accepted for interface compatibility but not used in the lookup
 * @return the first matching security group, or {@code null} when nothing matches
 */
GoogleSecurityGroup getById(String account, String region, String id, String vpcId) {
  // As in get(), vpcId does not narrow the search; only id, region and account are pinned.
  String pattern = Keys.getSecurityGroupKey('*', id, region, account)
  Set matches = getAllMatchingKeyPattern(pattern, true)
  // getAt(0) on an empty collection yields null rather than throwing.
  return matches.getAt(0)
}
/**
 * Resolves a cache-key pattern in the SECURITY_GROUPS namespace and hydrates the hits.
 *
 * Note that the pattern is handed to the cache's identifier filter as-is: the callers in
 * this class build it with {@code '*'} wildcards, so wildcard characters inside a
 * caller-supplied name, region or account value are not escaped here and would widen
 * the match.
 *
 * @param pattern      key pattern produced by {@link Keys#getSecurityGroupKey}
 * @param includeRules whether to materialise the inbound IP-range rules on each result
 * @return the security groups whose keys match the pattern
 */
Set getAllMatchingKeyPattern(String pattern, boolean includeRules) {
  // Match against the key index first, then fetch only the identifiers that hit.
  Collection matchingIds = cacheView.filterIdentifiers(SECURITY_GROUPS.ns, pattern)
  return loadResults(includeRules, matchingIds)
}
/**
 * Fetches the cache entries for the given identifiers and converts each to a model object.
 *
 * @param includeRules whether to materialise the inbound IP-range rules on each result
 * @param identifiers  SECURITY_GROUPS cache keys to load
 * @return one {@link GoogleSecurityGroup} per cache entry returned by the cache
 */
Set loadResults(boolean includeRules, Collection identifiers) {
  // Relationships are not fetched: fromCacheData reads only the entry's attributes and id.
  def entries = cacheView.getAll(SECURITY_GROUPS.ns, identifiers, RelationshipCacheFilter.none())
  return entries.collect { CacheData entry -> fromCacheData(includeRules, entry) }
}
/**
 * Converts one cache entry into a {@link GoogleSecurityGroup}.
 *
 * @param includeRules whether to materialise the inbound IP-range rules
 * @param cacheData    entry whose {@code firewall} and {@code project} attributes hold the GCE payload
 * @return the model object for the entry
 */
GoogleSecurityGroup fromCacheData(boolean includeRules, CacheData cacheData) {
  def attrs = cacheData.attributes
  Map firewall = attrs.firewall
  // Account and region are taken from the parsed cache key, not from the attributes.
  Map keyParts = Keys.parse(cacheData.id)
  return convertToGoogleSecurityGroup(includeRules, firewall, keyParts.account, keyParts.region, attrs.project)
}
/**
 * Maps a raw GCE firewall payload onto the {@link GoogleSecurityGroup} model.
 *
 * @param includeRules when false the model carries an empty rule list instead of the parsed ranges
 * @param firewall     firewall resource as cached (selfLink, name, network, tags, service accounts, ...)
 * @param account      Spinnaker account the firewall was cached under
 * @param region       region component of the cache key
 * @param project      GCP project used to shorten selfLink-style references into resource ids
 * @return the populated model object
 */
private GoogleSecurityGroup convertToGoogleSecurityGroup(boolean includeRules, Map firewall, String account, String region, String project) {
  // Rules are parsed first, as before, so any failure there surfaces ahead of id derivation.
  List rules = includeRules ? buildInboundIpRangeRules(firewall) : []
  // Source/target tags and service accounts are passed through from the payload unchanged.
  Map properties = [
    id                   : deriveResourceId(project, firewall.selfLink),
    name                 : firewall.name,
    description          : firewall.description,
    accountName          : account,
    region               : region,
    network              : deriveResourceId(project, firewall.network),
    selfLink             : firewall.selfLink,
    sourceTags           : firewall.sourceTags,
    targetTags           : firewall.targetTags,
    sourceServiceAccounts: firewall.sourceServiceAccounts,
    targetServiceAccounts: firewall.targetServiceAccounts,
    inboundRules         : rules,
  ]
  return new GoogleSecurityGroup(properties)
}
private List buildInboundIpRangeRules(Map firewall) {
List rangeRules = []
List sourceRanges = firewall.sourceRanges?.collect { sourceRange ->
def rangeParts = sourceRange.split("/") as List
// A sourceRange may in fact be just a single ip address.
if (rangeParts.size() == 1) {
rangeParts << "32"
}
new AddressableRange(ip: rangeParts[0], cidr: "/${rangeParts[1]}")
}
// Build a map from protocol to Allowed's so we can group all the ranges for a particular protocol.
def protocolToAllowedsMap = [:].withDefault { new HashSet