Fix inconsistent firewall rules #1883

Merged
10 changes: 2 additions & 8 deletions data_safe_haven/functions/__init__.py
@@ -1,11 +1,7 @@
from .miscellaneous import (
allowed_dns_lookups,
ordered_private_dns_zones,
time_as_string,
)
from .strings import (
alphanumeric,
b64encode,
next_occurrence,
password,
replace_separators,
sanitise_sre_name,
Expand All @@ -15,15 +11,13 @@
)

__all__ = [
"allowed_dns_lookups",
"alphanumeric",
"b64encode",
"ordered_private_dns_zones",
"next_occurrence",
"password",
"replace_separators",
"sanitise_sre_name",
"seeded_uuid",
"sha256hash",
"time_as_string",
"truncate_tokens",
]
70 changes: 0 additions & 70 deletions data_safe_haven/functions/miscellaneous.py

This file was deleted.

28 changes: 28 additions & 0 deletions data_safe_haven/functions/strings.py
@@ -1,11 +1,16 @@
import base64
import datetime
import hashlib
import random
import secrets
import string
import uuid
from collections.abc import Sequence

import pytz

from data_safe_haven.exceptions import DataSafeHavenInputError


def alphanumeric(input_string: str) -> str:
"""Strip any characters that are not letters or numbers from a string."""
Expand All @@ -21,6 +26,29 @@ def b64encode(input_string: str) -> str:
return base64.b64encode(input_string.encode("utf-8")).decode()


def next_occurrence(hour: int, minute: int, timezone: str) -> str:
"""
Get an ISO-formatted string representing the next occurence in UTC of a daily
repeating time in the local timezone.
"""
try:
local_tz = pytz.timezone(timezone)
local_dt = datetime.datetime.now(local_tz).replace(
hour=hour,
minute=minute,
second=0,
microsecond=0,
) + datetime.timedelta(days=1)
utc_dt = local_dt.astimezone(pytz.utc)
return utc_dt.isoformat()
except pytz.exceptions.UnknownTimeZoneError as exc:
msg = f"Timezone '{timezone}' was not recognised.\n{exc}"
raise DataSafeHavenInputError(msg) from exc
except ValueError as exc:
msg = f"Time '{hour}:{minute}' was not recognised.\n{exc}"
raise DataSafeHavenInputError(msg) from exc


def password(length: int) -> str:
"""
Generate a string of 'length' random alphanumeric characters.
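Review bot: `next_occurrence` does the `+ timedelta(days=1)` arithmetic on a pytz-aware datetime and only then calls `astimezone(pytz.utc)`, so the result keeps today's UTC offset; when the target day lies on the other side of a DST transition the returned UTC instant is off by the DST shift. With pytz the datetime has to be re-localised after arithmetic, `local_dt = local_tz.normalize(local_dt)` before the `astimezone` call (or build the naive target time and pass it through `local_tz.localize(...)`). Separately, the function always adds one day, so a time still ahead of now today is skipped even though the docstring promises the "next" occurrence; if skipping today is deliberate, the docstring (which also misspells "occurrence") should say so. The error text `f"Time '{hour}:{minute}' ..."` prints 7:5 for 07:05; `{hour:02d}:{minute:02d}` reads as a clock time.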
4 changes: 0 additions & 4 deletions data_safe_haven/infrastructure/common/__init__.py
@@ -1,4 +1,3 @@
from .enums import FirewallPriorities, NetworkingPriorities, Ports
from .ip_ranges import SREDnsIpRanges, SREIpRanges
from .transformations import (
get_available_ips_from_subnet,
Expand All @@ -14,7 +13,6 @@
)

__all__ = [
"FirewallPriorities",
"get_available_ips_from_subnet",
"get_id_from_rg",
"get_id_from_subnet",
Expand All @@ -25,8 +23,6 @@
"get_name_from_subnet",
"get_name_from_vnet",
"get_subscription_id_from_rg",
"NetworkingPriorities",
"Ports",
"SREDnsIpRanges",
"SREIpRanges",
]
71 changes: 0 additions & 71 deletions data_safe_haven/infrastructure/common/enums.py

This file was deleted.

42 changes: 14 additions & 28 deletions data_safe_haven/infrastructure/programs/shm/firewall.py
Expand Up @@ -5,13 +5,15 @@
from pulumi import ComponentResource, Input, Output, ResourceOptions
from pulumi_azure_native import network

from data_safe_haven.functions import allowed_dns_lookups
from data_safe_haven.infrastructure.common import (
FirewallPriorities,
Ports,
SREIpRanges,
get_id_from_subnet,
)
from data_safe_haven.types import (
FirewallPriorities,
PermittedDomains,
Ports,
)


class SHMFirewallProps:
Expand Down Expand Up @@ -58,13 +60,6 @@ def __init__(
"216.239.35.8",
"216.239.35.12",
]
ntp_fqdns = [
"time.google.com",
"time1.google.com",
"time2.google.com",
"time3.google.com",
"time4.google.com",
]
sre_identity_server_subnets = [
str(SREIpRanges(idx).identity_containers)
for idx in range(1, SREIpRanges.max_index)
Expand Down Expand Up @@ -132,7 +127,7 @@ def __init__(
)
],
source_addresses=["*"],
target_fqdns=ntp_fqdns,
target_fqdns=PermittedDomains.TIME_SERVERS,
),
],
),
Expand All @@ -151,10 +146,7 @@ def __init__(
)
],
source_addresses=sre_identity_server_subnets,
target_fqdns=[
"graph.microsoft.com",
"login.microsoftonline.com",
],
target_fqdns=PermittedDomains.MICROSOFT_IDENTITY,
),
],
),
Expand All @@ -173,7 +165,7 @@ def __init__(
)
],
source_addresses=sre_package_repositories_subnets,
target_fqdns=["cran.r-project.org"],
target_fqdns=PermittedDomains.SOFTWARE_REPOSITORIES_R,
),
network.AzureFirewallApplicationRuleArgs(
description="Allow external PyPI package requests",
Expand All @@ -185,7 +177,7 @@ def __init__(
)
],
source_addresses=sre_package_repositories_subnets,
target_fqdns=["files.pythonhosted.org", "pypi.org"],
target_fqdns=PermittedDomains.SOFTWARE_REPOSITORIES_PYTHON,
),
],
),
Expand All @@ -204,7 +196,7 @@ def __init__(
)
],
source_addresses=sre_remote_desktop_gateway_subnets,
target_fqdns=["login.microsoftonline.com"],
target_fqdns=PermittedDomains.MICROSOFT_LOGIN,
),
],
),
Expand All @@ -227,7 +219,7 @@ def __init__(
),
],
source_addresses=sre_apt_proxy_servers,
target_fqdns=allowed_dns_lookups("apt_repositories"),
target_fqdns=PermittedDomains.APT_REPOSITORIES,
),
],
),
Expand All @@ -250,11 +242,7 @@ def __init__(
),
],
source_addresses=sre_workspaces_subnets,
target_fqdns=[
"current.cvd.clamav.net",
"database.clamav.net.cdn.cloudflare.net",
"database.clamav.net",
],
target_fqdns=PermittedDomains.CLAMAV_UPDATES,
),
network.AzureFirewallApplicationRuleArgs(
description="Allow external Linux ClamAV update requests",
Expand All @@ -266,9 +254,7 @@ def __init__(
),
],
source_addresses=sre_workspaces_subnets,
target_fqdns=[
"keyserver.ubuntu.com",
],
target_fqdns=PermittedDomains.UBUNTU_KEYSERVER,
),
],
),
Expand Down Expand Up @@ -342,7 +328,7 @@ def __init__(

# Register outputs
self.external_dns_resolver = external_dns_resolver
self.ntp_fqdns = ntp_fqdns
self.ntp_fqdns = PermittedDomains.TIME_SERVERS
self.ntp_ip_addresses = ntp_ip_addresses
self.public_ip_id = public_ip.id

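Review bot: Every application-rule hunk in this file now takes its egress allow-list from `PermittedDomains` in `data_safe_haven.types`, which is not part of this diff, so this file no longer shows which FQDNs each Azure Firewall rule permits; the inline lists being removed (`graph.microsoft.com` and `login.microsoftonline.com`, the three ClamAV hosts including the Cloudflare CDN name, `keyserver.ubuntu.com`, and the former `allowed_dns_lookups("apt_repositories")` result) should be compared one-to-one with the corresponding `PermittedDomains` members, since any extra entry there widens the SHM firewall for every SRE. In the register-outputs hunk, `self.ntp_fqdns = PermittedDomains.TIME_SERVERS` exposes the shared constant object itself as a component output; if that attribute is a mutable list, a consumer appending to it would change the allow-list for all other users, so `self.ntp_fqdns = list(PermittedDomains.TIME_SERVERS)` is the safer form — hedged, as the attribute's type is not visible here. The `__init__` these hunks belong to starts and ends outside them.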