package compute
const (
	// SecurityRuleDescription is passed to ResourceClient as its
	// ResourceDescription for security rules.
	SecurityRuleDescription = "security rules"
	// SecurityRuleContainerPath is the ContainerPath handed to ResourceClient
	// (note the trailing slash, which distinguishes it from the root path).
	SecurityRuleContainerPath = "/network/v1/secrule/"
	// SecurityRuleResourcePath is the ResourceRootPath handed to ResourceClient;
	// individual rule names are resolved relative to it.
	SecurityRuleResourcePath = "/network/v1/secrule"
)
// SecurityRuleClient is the client for the Security Rule CRUD functions of the
// Compute API. It embeds ResourceClient, which presumably supplies the generic
// helpers used by the methods below (createResource, getResource,
// updateResource, deleteResource, getQualifiedName, getQualifiedList,
// unqualify, getUnqualifiedList) — their definitions are not in this file.
type SecurityRuleClient struct {
	ResourceClient
}
// SecurityRules returns a SecurityRuleClient bound to this ComputeClient and
// configured with the security-rule description and API paths. The returned
// client exposes the CRUD functions for Security Rules.
func (c *ComputeClient) SecurityRules() *SecurityRuleClient {
	rc := ResourceClient{
		ComputeClient:       c,
		ResourceDescription: SecurityRuleDescription,
		ContainerPath:       SecurityRuleContainerPath,
		ResourceRootPath:    SecurityRuleResourcePath,
	}
	return &SecurityRuleClient{ResourceClient: rc}
}
// SecurityRuleInfo contains the exported fields necessary to hold all the
// information about a Security Rule as returned by the API. The name-valued
// fields (Name, ACL, SrcVnicSet, DstVnicSet and the three list fields) are
// unqualified by SecurityRuleClient.success before the struct reaches callers.
type SecurityRuleInfo struct {
	// Name of the ACL that contains this rule.
	ACL string `json:"acl"`
	// Description of the Security Rule.
	Description string `json:"description"`
	// List of IP address prefix set names to match the packet's destination IP address.
	DstIpAddressPrefixSets []string `json:"dstIpAddressPrefixSets"`
	// Name of virtual NIC set containing the packet's destination virtual NIC.
	DstVnicSet string `json:"dstVnicSet"`
	// Whether the security rule is enabled; allows the rule to be disabled.
	Enabled bool `json:"enabledFlag"`
	// Direction of the flow; can be "egress" or "ingress".
	// NOTE(review): the tag here is "FlowDirection" while the input structs use
	// "flowDirection". encoding/json matches keys case-insensitively when
	// decoding, so this still unmarshals, but the casing should be confirmed
	// against the API response and made consistent with the input structs.
	FlowDirection string `json:"FlowDirection"`
	// The name of the Security Rule.
	Name string `json:"name"`
	// List of security protocol names to match the packet's protocol and port.
	SecProtocols []string `json:"secProtocols"`
	// List of multipart names of IP address prefix set to match the packet's source IP address.
	SrcIpAddressPrefixSets []string `json:"srcIpAddressPrefixSets"`
	// Name of virtual NIC set containing the packet's source virtual NIC.
	SrcVnicSet string `json:"srcVnicSet"`
	// Slice of tags associated with the Security Rule.
	Tags []string `json:"tags"`
	// Uniform Resource Identifier for the Security Rule.
	Uri string `json:"uri"`
}
// CreateSecurityRuleInput describes the Security Rule to create. Name-valued
// fields may be given unqualified; CreateSecurityRule qualifies them in place
// before the request is sent.
type CreateSecurityRuleInput struct {
	// Select the name of the access control list (ACL) that you want to add this
	// security rule to. Security rules are applied to vNIC sets by using ACLs.
	// Optional
	ACL string `json:"acl,omitempty"`
	// Description of the Security Rule.
	// Optional (no omitempty: an empty description is sent as "").
	Description string `json:"description"`
	// A list of IP address prefix sets to which you want to permit traffic.
	// Only packets to IP addresses in the specified IP address prefix sets are permitted.
	// When no destination IP address prefix sets are specified, traffic to any
	// IP address is permitted.
	// Optional
	DstIpAddressPrefixSets []string `json:"dstIpAddressPrefixSets"`
	// The vNICset to which you want to permit traffic. Only packets to vNICs in the
	// specified vNICset are permitted. When no destination vNICset is specified, traffic
	// to any vNIC is permitted.
	// Optional
	DstVnicSet string `json:"dstVnicSet,omitempty"`
	// Allows the security rule to be enabled or disabled. This parameter is set to
	// true by default. Specify false to disable the security rule.
	// NOTE(review): this is a plain bool without omitempty, so the Go zero value
	// false is always serialised as "enabledFlag": false; the API-side default of
	// true described above therefore never applies from this client. Callers must
	// set Enabled explicitly to create an active rule.
	// Optional
	Enabled bool `json:"enabledFlag"`
	// Specify the direction of flow of traffic, which is relative to the instances,
	// for this security rule. Allowed values are ingress or egress.
	// An ingress packet is a packet received by a virtual NIC, for example from
	// another virtual NIC or from the public Internet.
	// An egress packet is a packet sent by a virtual NIC, for example to another
	// virtual NIC or to the public Internet.
	// Required
	FlowDirection string `json:"flowDirection"`
	// The name of the Security Rule.
	// Object names can contain only alphanumeric characters, hyphens, underscores, and periods.
	// Object names are case-sensitive. When you specify the object name, ensure that an object
	// of the same type and with the same name doesn't already exist.
	// If such an object already exists, another object of the same type and with the same name won't
	// be created and the existing object won't be updated.
	// Required
	Name string `json:"name"`
	// A list of security protocols for which you want to permit traffic. Only packets that
	// match the specified protocols and ports are permitted. When no security protocols are
	// specified, traffic using any protocol over any port is permitted.
	// Optional
	SecProtocols []string `json:"secProtocols"`
	// A list of IP address prefix sets from which you want to permit traffic. Only packets
	// from IP addresses in the specified IP address prefix sets are permitted. When no source
	// IP address prefix sets are specified, traffic from any IP address is permitted.
	// Optional
	SrcIpAddressPrefixSets []string `json:"srcIpAddressPrefixSets"`
	// The vNICset from which you want to permit traffic. Only packets from vNICs in the
	// specified vNICset are permitted. When no source vNICset is specified, traffic from any
	// vNIC is permitted.
	// Optional
	SrcVnicSet string `json:"srcVnicSet,omitempty"`
	// Strings that you can use to tag the security rule.
	// Optional
	Tags []string `json:"tags"`
}
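// CreateSecurityRule creates a new Security Rule from the given input and
// returns a populated SecurityRuleInfo for it, or the error from the API call.
//
// The input is modified in place: Name, ACL, SrcVnicSet, DstVnicSet,
// SrcIpAddressPrefixSets, DstIpAddressPrefixSets and SecProtocols are replaced
// with their qualified forms (via getQualifiedName/getQualifiedList) before
// the request is sent, so callers that reuse the input afterwards will see
// the qualified values. The returned info has those fields unqualified again
// (see success).
func (c *SecurityRuleClient) CreateSecurityRule(input *CreateSecurityRuleInput) (*SecurityRuleInfo, error) {
	// Qualify every name-valued field so the API receives the same form of
	// object names that UpdateSecurityRule sends.
	input.Name = c.getQualifiedName(input.Name)
	input.ACL = c.getQualifiedName(input.ACL)
	input.SrcVnicSet = c.getQualifiedName(input.SrcVnicSet)
	input.DstVnicSet = c.getQualifiedName(input.DstVnicSet)
	input.SrcIpAddressPrefixSets = c.getQualifiedList(input.SrcIpAddressPrefixSets)
	input.DstIpAddressPrefixSets = c.getQualifiedList(input.DstIpAddressPrefixSets)
	input.SecProtocols = c.getQualifiedList(input.SecProtocols)

	var securityRuleInfo SecurityRuleInfo
	// input is already a pointer; pass it directly, as UpdateSecurityRule
	// does, instead of a pointer-to-pointer (the previous `&input`).
	if err := c.createResource(input, &securityRuleInfo); err != nil {
		return nil, err
	}
	return c.success(&securityRuleInfo)
}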
// GetSecurityRuleInput identifies the Security Rule to look up.
type GetSecurityRuleInput struct {
	// The name of the Security Rule to query for. Case-sensitive.
	// GetSecurityRule rewrites this field to its qualified form in place.
	// Required
	Name string `json:"name"`
}
// GetSecurityRule fetches the Security Rule named by input and returns it as a
// SecurityRuleInfo whose name-valued fields have been unqualified. As a side
// effect input.Name is rewritten to its qualified form.
func (c *SecurityRuleClient) GetSecurityRule(input *GetSecurityRuleInput) (*SecurityRuleInfo, error) {
	qualified := c.getQualifiedName(input.Name)
	input.Name = qualified

	info := new(SecurityRuleInfo)
	err := c.getResource(qualified, info)
	if err != nil {
		return nil, err
	}
	return c.success(info)
}
// UpdateSecurityRuleInput describes a security rule to update. Its fields mirror
// CreateSecurityRuleInput; name-valued fields may be given unqualified and are
// qualified in place by UpdateSecurityRule before the request is sent.
type UpdateSecurityRuleInput struct {
	// Select the name of the access control list (ACL) that you want to add this
	// security rule to. Security rules are applied to vNIC sets by using ACLs.
	// Optional
	ACL string `json:"acl,omitempty"`
	// Description of the Security Rule.
	// Optional (no omitempty: an empty description is sent as "").
	Description string `json:"description"`
	// A list of IP address prefix sets to which you want to permit traffic.
	// Only packets to IP addresses in the specified IP address prefix sets are permitted.
	// When no destination IP address prefix sets are specified, traffic to any
	// IP address is permitted.
	// Optional
	DstIpAddressPrefixSets []string `json:"dstIpAddressPrefixSets"`
	// The vNICset to which you want to permit traffic. Only packets to vNICs in the
	// specified vNICset are permitted. When no destination vNICset is specified, traffic
	// to any vNIC is permitted.
	// Optional
	DstVnicSet string `json:"dstVnicSet,omitempty"`
	// Allows the security rule to be enabled or disabled. This parameter is set to
	// true by default. Specify false to disable the security rule.
	// NOTE(review): this is a plain bool without omitempty, so the Go zero value
	// false is always serialised as "enabledFlag": false; an update that leaves
	// Enabled unset will therefore disable the rule rather than keep its
	// current state. Callers must set Enabled explicitly on every update.
	// Optional
	Enabled bool `json:"enabledFlag"`
	// Specify the direction of flow of traffic, which is relative to the instances,
	// for this security rule. Allowed values are ingress or egress.
	// An ingress packet is a packet received by a virtual NIC, for example from
	// another virtual NIC or from the public Internet.
	// An egress packet is a packet sent by a virtual NIC, for example to another
	// virtual NIC or to the public Internet.
	// Required
	FlowDirection string `json:"flowDirection"`
	// The name of the Security Rule.
	// Object names can contain only alphanumeric characters, hyphens, underscores, and periods.
	// Object names are case-sensitive. When you specify the object name, ensure that an object
	// of the same type and with the same name doesn't already exist.
	// If such an object already exists, another object of the same type and with the same name won't
	// be created and the existing object won't be updated.
	// Required
	Name string `json:"name"`
	// A list of security protocols for which you want to permit traffic. Only packets that
	// match the specified protocols and ports are permitted. When no security protocols are
	// specified, traffic using any protocol over any port is permitted.
	// Optional
	SecProtocols []string `json:"secProtocols"`
	// A list of IP address prefix sets from which you want to permit traffic. Only packets
	// from IP addresses in the specified IP address prefix sets are permitted. When no source
	// IP address prefix sets are specified, traffic from any IP address is permitted.
	// Optional
	SrcIpAddressPrefixSets []string `json:"srcIpAddressPrefixSets"`
	// The vNICset from which you want to permit traffic. Only packets from vNICs in the
	// specified vNICset are permitted. When no source vNICset is specified, traffic from any
	// vNIC is permitted.
	// Optional
	SrcVnicSet string `json:"srcVnicSet,omitempty"`
	// Strings that you can use to tag the security rule.
	// Optional
	Tags []string `json:"tags"`
}
// UpdateSecurityRule modifies the properties of the Security Rule named by
// updateInput.Name and returns the updated rule with its name-valued fields
// unqualified. The name-valued fields of updateInput are rewritten to their
// qualified forms in place before the request is sent.
func (c *SecurityRuleClient) UpdateSecurityRule(updateInput *UpdateSecurityRuleInput) (*SecurityRuleInfo, error) {
	// Qualify the scalar names first, then the list-valued fields, in the
	// same order the create path uses.
	scalars := []*string{
		&updateInput.Name,
		&updateInput.ACL,
		&updateInput.SrcVnicSet,
		&updateInput.DstVnicSet,
	}
	for _, field := range scalars {
		*field = c.getQualifiedName(*field)
	}
	lists := []*[]string{
		&updateInput.SrcIpAddressPrefixSets,
		&updateInput.DstIpAddressPrefixSets,
		&updateInput.SecProtocols,
	}
	for _, list := range lists {
		*list = c.getQualifiedList(*list)
	}

	info := new(SecurityRuleInfo)
	if err := c.updateResource(updateInput.Name, updateInput, info); err != nil {
		return nil, err
	}
	return c.success(info)
}
// DeleteSecurityRuleInput identifies the Security Rule to delete.
type DeleteSecurityRuleInput struct {
	// The name of the Security Rule to delete. Case-sensitive.
	// Required
	Name string `json:"name"`
}
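// DeleteSecurityRule deletes the Security Rule named by input.Name and returns
// the error from the API call, if any. input.Name is rewritten to its
// qualified form in place, as GetSecurityRule does, so that the delete
// addresses the same resource path a preceding get would have resolved.
func (c *SecurityRuleClient) DeleteSecurityRule(input *DeleteSecurityRuleInput) error {
	// Get/Create/Update all qualify the name before calling the resource
	// helper; do the same here so the four operations agree on the target.
	input.Name = c.getQualifiedName(input.Name)
	return c.deleteResource(input.Name)
}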
// success strips the qualification from the name-valued fields of the given
// SecurityRuleInfo (Name, ACL, SrcVnicSet, DstVnicSet, SrcIpAddressPrefixSets,
// DstIpAddressPrefixSets and SecProtocols) and returns it with a nil error,
// so the CRUD methods can return its result directly.
func (c *SecurityRuleClient) success(info *SecurityRuleInfo) (*SecurityRuleInfo, error) {
	c.unqualify(&info.Name, &info.ACL, &info.SrcVnicSet, &info.DstVnicSet)
	lists := []*[]string{
		&info.SrcIpAddressPrefixSets,
		&info.DstIpAddressPrefixSets,
		&info.SecProtocols,
	}
	for _, list := range lists {
		*list = c.getUnqualifiedList(*list)
	}
	return info, nil
}