Manage Firewall rules for DB Direct allows IPs

NEWS.md

@@ -11,6 +11,7 @@ sudo make install
 
 ### Features
 - New internal API for managing DB-Direct certificates & IPs ([#15567](https://github.com/CartoDB/cartodb/pull/15567))
+  And managing the firewall: ([#15610](https://github.com/CartoDB/cartodb/pull/15610))
 - Use Dataservices API client 0.30.0
 - Enable deleting Kepler.gl maps ([#15485](https://github.com/CartoDB/cartodb/issues/15485))
 - Add Kepler.gl maps to Recent content section in the Dashboard ([#15486](https://github.com/CartoDB/cartodb/issues/15486))

app/models/carto/dbdirect_ip.rb

@@ -1,4 +1,5 @@
 require 'ip_checker'
+require 'carto/dbdirect/firewall_manager'
 
 module Carto
   class DbdirectIp < ActiveRecord::Base
@@ -12,6 +13,38 @@ class DbdirectIp < ActiveRecord::Base
 
     validate :validate_ips
 
+    after_save do
+      update_firewall(*changes[:ips])
+    end
+
+    after_destroy do
+      update_firewall(ips, nil)
+    end
+
+
+    def self.firewall_manager
+      firewall_manager_class.new(config)
+    end
+
+    def self.firewall_manager_class
+      Carto::Dbdirect::FirewallManager
+    end
+
+    def firewall_rule_name
+      return nil unless self.class.firewall_enabled?
+
+      rule_id = user.dbdirect_bearer.organization&.name || user.dbdirect_bearer.username
+      self.class.config['rule_name'].gsub('{{id}}', rule_id)
+    end
+
+    def self.config
+      Cartodb.get_config(:dbdirect, 'firewall') || {}
+    end
+
+    def self.firewall_enabled?
+      !!config['enabled']
+    end
+
     private
 
     MAX_IP_MASK_HOST_BITS = 8
@@ -46,5 +79,16 @@ def validate_ip(ip)
         exclude_loopback: true
       )
     end
+
+    def update_firewall(old_ips, new_ips)
+      return unless self.class.firewall_enabled?
+
+      old_ips ||= []
+      new_ips ||= []
+      if old_ips.sort != new_ips.sort
+        rule_id = user.dbdirect_bearer.organization&.name || user.dbdirect_bearer.username
+        self.class.firewall_manager.replace_rule(firewall_rule_name, new_ips)
+      end
+    end
   end
 end

app/models/carto/user.rb

@@ -310,7 +310,7 @@ def send_password_reset!
   end
 
   def dbdirect_effective_ips
-    dbdirect_bearer.dbdirect_ip&.ips || []
+    dbdirect_effective_ip&.ips || []
   end
 
   def dbdirect_effective_ips=(ips)
@@ -319,7 +319,9 @@ def dbdirect_effective_ips=(ips)
     bearer.create_dbdirect_ip!(ips: ips) if ips.present?
   end
 
-  private
+  def dbdirect_effective_ip
+    dbdirect_bearer.dbdirect_ip
+  end
 
   def dbdirect_bearer
     if organization.present? && organization.owner != self
@@ -329,6 +331,8 @@ def dbdirect_bearer
     end
   end
 
+  private
+
   def set_database_host
     self.database_host ||= ::SequelRails.configuration.environment_for(Rails.env)['host']
   end

config/app_config.yml.sample

@@ -782,6 +782,13 @@ defaults: &defaults
     pgproxy:
       host: 'dbconn.carto.com'
       port: 5432
+    firewall:
+      enabled: false
+      project_id: ''
+      rule_name: ''
+      network: ''
+      target_tag: ''
+      ports: 'tcp:5432'
 
 development:
   <<: *defaults

lib/carto/dbdirect/firewall_manager.rb

@@ -0,0 +1,81 @@
+require 'google/apis/compute_v1'
+
+module Carto
+  module Dbdirect
+    # Firewall Rule Manager
+    class FirewallManager
+      def initialize(config)
+        @config = config
+        @service = Google::Apis::ComputeV1::ComputeService.new
+        @service.authorization = Google::Auth.get_application_default([AUTH_URL])
+      end
+
+      attr_reader :config
+
+      def replace_rule(name, ips)
+        delete_rule(
+          project_id: config['project_id'],
+          name: name
+        )
+
+        if ips.present?
+          create_rule(
+            project_id: config['project_id'],
+            name: name,
+            network: config['network'],
+            ips: ips,
+            target_tag: config['target_tag'],
+            ports: config['ports']
+          )
+        end
+      end
+
+      private
+
+      def delete_rule(project_id:, name:)
+        # `gcloud compute firewall-rules delete "#{name}"`
+
+        # we could check existence with @service.list_firewalls(project_id).find {|r| r.name == name}
+        # but since there could be race conditions anyway we'll just rescue errors
+        @service.delete_firewall(config['project_id'], name)
+
+      rescue Google::Apis::ClientError => error
+        raise unless error.message =~ /^notFound:/
+      end
+
+      def create_rule(project_id:, name:, network:, ips:, target_tag:, ports:)
+        #   `gcloud -q compute firewall-rules create "#{name}" \
+        #     --network "#{network}" \
+        #     --direction ingress \
+        #     --action allow \
+        #     --source-ranges "#{ips.join(',')}" \
+        #     --target-tags "#{target_tag}" \
+        #     --rules "#{ports}" \
+        #     --no-enable-logging  \
+        #     --project "#{project_id}"`
+
+        protocol, port = config['ports'].split(':')
+        allowed = Google::Apis::ComputeV1::Firewall::Allowed.new(
+          ip_protocol: protocol,
+          ports: [port.split(',')]
+        )
+        rule = Google::Apis::ComputeV1::Firewall.new(
+          name: name,
+          allowed: [allowed],
+          network: network_url(config['project_id'], config['network']),
+          source_ranges: ips,
+          target_tags: [config['target_tag']]
+        )
+
+        @service.insert_firewall(config['project_id'], rule)
+      end
+
+      AUTH_URL = 'https://www.googleapis.com/auth/cloud-platform'.freeze
+      PROJECTS_URL = 'https://www.googleapis.com/compute/v1/projects'.freeze
+
+      def network_url(project_id, network)
+        "#{PROJECTS_URL}/#{project_id}/global/networks/#{network}"
+      end
+    end
+  end
+end

lib/tasks/dbdirect.rake

@@ -78,6 +78,7 @@ namespace :carto do
       if ips.present?
         puts "DBDirect IPs for user #{user_id}:"
         puts ips
+        puts "GCP Firewall Rule name: #{user.dbdirect_effective_ip.firewall_rule_name}"
       else
         puts "No IPs defined for user #{user_id}"
       end