Add opened_only matcher for security groups.

This matcher allows the user to make exclusivity statements about certain rules. Prior, a user could only make statements about the existence of opened rules for security groups, now they can state that not only is there an opened rule but that that is the _only_ open rule for a given port, protocol, cidr.
k1LoW · Feb 17, 2016 · a576ff0 · a576ff0
1 parent 9f5e4a0
commit a576ff0
Show file tree

Hide file tree

Showing 7 changed files with 93 additions and 13 deletions.
diff --git a/doc/resource_types.md b/doc/resource_types.md
@@ -1109,6 +1109,12 @@ end
 ```
 
 
+### be_inbound_opened_only
+
+### be_opened_only
+
+### be_outbound_opened_only
+
 ### its(:inbound), its(:outbound)
 
 ```ruby

diff --git a/lib/awspec/matcher.rb b/lib/awspec/matcher.rb
@@ -8,6 +8,7 @@
 
 # SecurityGroup
 require 'awspec/matcher/be_opened'
+require 'awspec/matcher/be_opened_only'
 
 # Route53
 require 'awspec/matcher/have_record_set'

diff --git a/lib/awspec/matcher/be_opened_only.rb b/lib/awspec/matcher/be_opened_only.rb
@@ -0,0 +1,17 @@
+RSpec::Matchers.define :be_opened_only do |port|
+  match do |sg|
+    sg.opened_only?(port, @protocol, @cidr)
+  end
+
+  chain :protocol do |protocol|
+    @protocol = protocol
+  end
+
+  chain :for do |cidr|
+    @cidr = cidr
+  end
+
+  chain :target do |cidr|
+    @cidr = cidr
+  end
+end
diff --git a/lib/awspec/stub/security_group.rb b/lib/awspec/stub/security_group.rb
@@ -33,6 +33,28 @@
                 }
               ]
             },
+            {
+              from_port: 60_000,
+              to_port: 60_000,
+              ip_protocol: 'tcp',
+              ip_ranges: [
+                {
+                  cidr_ip: '100.456.789.012/32'
+                }
+              ],
+              user_id_group_pairs: []
+            },
+            {
+              from_port: 70_000,
+              to_port: 70_000,
+              ip_protocol: 'tcp',
+              ip_ranges: [
+                {
+                  cidr_ip: '100.456.789.012/32'
+                }
+              ],
+              user_id_group_pairs: []
+            },
             {
               from_port: 50_000,
               to_port: 50_009,
@@ -47,12 +69,12 @@
           ],
           ip_permissions_egress: [
             {
-              from_port: nil,
-              to_port: nil,
-              ip_protocol: '-1',
+              from_port: 50_000,
+              to_port: 50_000,
+              ip_protocol: 'tcp',
               ip_ranges: [
                 {
-                  cidr_ip: '0.0.0.0/0'
+                  cidr_ip: '100.456.789.012/32'
                 }
               ]
             }

diff --git a/lib/awspec/type/security_group.rb b/lib/awspec/type/security_group.rb
@@ -14,6 +14,11 @@ def opened?(port = nil, protocol = nil, cidr = nil)
       outbound_opened?(port, protocol, cidr)
     end
 
+    def opened_only?(port = nil, protocol = nil, cidr = nil)
+      return inbound_opened_only?(port, protocol, cidr) if @inbound
+      outbound_opened_only?(port, protocol, cidr)
+    end
+
     def inbound_opened?(port = nil, protocol = nil, cidr = nil)
       @resource_via_client[:ip_permissions].find do |permission|
         next true unless port
@@ -38,6 +43,18 @@ def inbound_opened?(port = nil, protocol = nil, cidr = nil)
       end
     end
 
+    def inbound_opened_only?(port = nil, protocol = nil, cidr = nil)
+      permissions = @resource_via_client[:ip_permissions].select do |permission|
+        port_between?(port, permission[:from_port], permission[:to_port])
+      end
+      permissions = permissions.select { |permission| permission[:ip_protocol] == protocol }
+      cidrs = []
+      permissions.each do |permission|
+        permission[:ip_ranges].select { |ip_range| cidrs.push(ip_range[:cidr_ip]) }
+      end
+      cidrs == [cidr]
+    end
+
     def outbound_opened?(port = nil, protocol = nil, cidr = nil)
       @resource_via_client[:ip_permissions_egress].find do |permission|
         next true unless port
@@ -62,6 +79,18 @@ def outbound_opened?(port = nil, protocol = nil, cidr = nil)
       end
     end
 
+    def outbound_opened_only?(port = nil, protocol = nil, cidr = nil)
+      permissions = @resource_via_client[:ip_permissions_egress].select do |permission|
+        port_between?(port, permission[:from_port], permission[:to_port])
+      end
+      permissions = permissions.select { |permission| permission[:ip_protocol] == protocol }
+      cidrs = []
+      permissions.each do |permission|
+        permission[:ip_ranges].select { |ip_range| cidrs.push(ip_range[:cidr_ip]) }
+      end
+      cidrs == [cidr]
+    end
+
     def inbound
       @inbound = true
       self

diff --git a/spec/generator/spec/security_group_spec.rb b/spec/generator/spec/security_group_spec.rb
@@ -14,11 +14,13 @@
   its(:inbound) { should be_opened(80).protocol('tcp').for('123.456.789.012/32') }
   its(:inbound) { should be_opened(80).protocol('tcp').for('456.789.123.456/32') }
   its(:inbound) { should be_opened(22).protocol('tcp').for('group-name-sg') }
+  its(:inbound) { should be_opened(60000).protocol('tcp').for('100.456.789.012/32') }
+  its(:inbound) { should be_opened(70000).protocol('tcp').for('100.456.789.012/32') }
   its(:inbound) { should be_opened('50000-50009').protocol('tcp').for('123.456.789.012/32') }
-  its(:outbound) { should be_opened }
-  its(:inbound_rule_count) { should eq 4 }
+  its(:outbound) { should be_opened(50000).protocol('tcp').for('100.456.789.012/32') }
+  its(:inbound_rule_count) { should eq 6 }
   its(:outbound_rule_count) { should eq 1 }
-  its(:inbound_permissions_count) { should eq 3 }
+  its(:inbound_permissions_count) { should eq 5 }
   its(:outbound_permissions_count) { should eq 1 }
   it { should belong_to_vpc('my-vpc') }
 end

diff --git a/spec/type/security_group_spec.rb b/spec/type/security_group_spec.rb
@@ -10,12 +10,15 @@
   its(:inbound) { should be_opened(22).protocol('tcp').for('sg-5a6b7cd8') }
   its(:inbound) { should be_opened('50000-50009').protocol('tcp').for('123.456.789.012/32') }
   its(:inbound) { should_not be_opened('50010-50019').protocol('tcp').for('123.456.789.012/32') }
-  its(:outbound) { should be_opened }
-  its(:inbound_permissions_count) { should eq 3 }
-  its(:ip_permissions_count) { should eq 3 }
+  its(:outbound) { should be_opened(50_000) }
+  its(:inbound) { should be_opened_only(60_000).protocol('tcp').for('100.456.789.012/32') }
+  its(:inbound) { should be_opened_only(70_000).protocol('tcp').for('100.456.789.012/32') }
+  its(:outbound) { should be_opened_only(50_000).protocol('tcp').for('100.456.789.012/32') }
+  its(:inbound_permissions_count) { should eq 5 }
+  its(:ip_permissions_count) { should eq 5 }
   its(:outbound_permissions_count) { should eq 1 }
   its(:ip_permissions_egress_count) { should eq 1 }
-  its(:inbound_rule_count) { should eq 4 }
+  its(:inbound_rule_count) { should eq 6 }
   its(:outbound_rule_count) { should eq 1 }
   # its(:inbound) { should be_opened(22).protocol('tcp').for('group-name-sg') }
   # its(:inbound) { should be_opened(22).protocol('tcp').for('my-db-sg') }
@@ -29,13 +32,13 @@
 
 describe security_group('my-security-group-name') do
   it { should exist }
-  its(:outbound) { should be_opened }
+  its(:outbound) { should be_opened(50_000) }
   its(:inbound) { should be_opened(80) }
   it { should belong_to_vpc('my-vpc') }
 end
 
 describe security_group('my-security-tag-name') do
-  its(:outbound) { should be_opened }
+  its(:outbound) { should be_opened(50_000) }
   its(:inbound) { should be_opened(80) }
   it { should belong_to_vpc('my-vpc') }
 end