* main change is the way we define rule id (explained in detail below if you
are interested).
* adds a version constraint for aws 2.5.4 (yet to be released - waiting)
* addresses comments in response to rev 2 (patches sent 30 May 2011):
==> from Michal Fojtik (31 May 2011)
- patch 2/3 fixes the failing cucumber scenarios
- patch 1/3 includes validation of params for the create rule operation and
string descriptions
==> from David Lutterkort (03 June 2011)
- patch 3/3 moves the 'improved json support for blobs' into a separate
patch,
- patch 1/3 changes the way we define the rule_id - no longer using base64
encoding. A rule id looks like:
"user_id~protocol~from_port~to_port~sources_string" where the format of
sources_string depends on the source types (address vs groups) delimited by
'@'. An example rule id is:
297467797945~tcp~12~13~@group,297467797945,test@group,297467797945,new_firewall@address,ipv4,10.0.0.0,0@address,ipv4,192.168.1.1,16
- patch 1/3 fixes various other nits identified by David
marios
*******************************************************************************************
Original message from rev 2 included below for convenience (amended for the
above changes):
This patch implements 'firewalls' - which are ec2 security groups. Some notes:
* This functionality relies on some modifications to the appoxy aws gem - the
requested changes have been merged into appoxy/aws
https://github.com/appoxy/aws/pull/91 and will be available in the next gem
release (look for aws-2.5.4)
=======================================================================
* XML looks like:
  <firewall href='http://localhost:3001/api/firewalls/new_firewall'
            id='new_firewall'>
    <name><![CDATA[new_firewall]]></name>
    <description><![CDATA[new_one]]></description>
    <owner_id>297467797945</owner_id>
    <rules>
      <rule
        id='297467797945~tcp~12~13~@group,297467797945,test@address,ipv4,10.0.0.0,0@address,ipv4,192.168.1.1,16'>
        <allow_protocol>tcp</allow_protocol>
        <port_from>12</port_from>
        <port_to>13</port_to>
        <direction>ingress</direction>
        <sources>
          <source name='test' owner='297467797945' type='group'></source>
          <source address='10.0.0.0' family='ipv4' prefix='0'
                  type='address'></source>
          <source address='192.168.1.1' family='ipv4' prefix='16'
                  type='address'></source>
        </sources>
      </rule>
    </rules>
  </firewall>
=======================================================================
* OPERATIONS: implemented GET/POST/DELETE [list, create, destroy] for
firewalls (both html and xml interfaces), and GET/POST/DELETE for firewall
rules. You can also use curl rather than the html interface if you prefer:

list firewalls:
  GET /api/firewalls
  GET /api/firewalls/:firewall
  curl --user 'aws_key:aws_secret_key' \
    http://localhost:3001/api/firewalls?format=xml

create new firewall:
  POST /api/firewalls
  curl -F "name=some_new_firewall" -F "description=gonna be deleted immediately" \
    --user 'aws_key:aws_secret_key' http://localhost:3001/api/firewalls?format=xml

delete a firewall:
  DELETE /api/firewalls/:firewall
  curl -X DELETE --user 'aws_key:aws_secret_key' \
    http://localhost:3001/api/firewalls/some_new_firewall?format=xml

create firewall rule:
  POST /api/firewalls/:firewall/rules
  curl -F "protocol=tcp" -F "from_port=22" -F "to_port=22" \
    -F "ip_address1=192.168.1.1/24" -F "ip_address2=10.1.1.1/24" \
    -F "group1=new_group" -F "group1owner=123456789" \
    --user 'aws_key:aws_secret_key' \
    http://localhost:3001/api/firewalls/default/rules?format=xml
  (additional sources for a given rule can be specified using ip_addressN and
  groupN/groupNowner)

delete firewall rule:
  DELETE /api/firewalls/:firewall/rule
  curl -X DELETE -F "rule_id=:rule_id" --user 'aws_key:aws_secret_key' \
    http://localhost:3001/api/firewalls/firewall_id/rule?format=xml
=======================================================================
* Firewall rule ids... amazon doesn't have any notion of an 'id' for a single
firewall rule, rather each firewall rule is identified by its constituent parts
(protocol, from&to ports, and sources [groups and ipaddress ranges]). In order
to allow for a 'delete /api/firewalls/:firewall/:rule' type operation I use
"user_id~protocol~from_port~to_port~sources_string" (base64 encoding made the
id 'ugly' and also padding just made it longer).
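As an added illustration of the id format described above (this is my own example code, not part of the patches; the struct and function names are invented), here is how a rule id can be built from its parts and parsed back, with the sanity checks a server should apply before acting on an id supplied in a delete request:

```ruby
# Added example: build and parse the rule id format
#   "user_id~protocol~from_port~to_port~sources_string"
# where sources_string is a sequence of '@'-prefixed segments:
#   @group,<owner>,<name>            a security-group source
#   @address,<family>,<ip>,<prefix>  an address-range source
# Names (Rule, build_rule_id, parse_rule_id) are my own, not the patch's.
Rule = Struct.new(:owner_id, :protocol, :from_port, :to_port, :sources)

PROTOCOLS = %w[tcp udp icmp].freeze

def source_segment(src)
  case src[:type]
  when 'group'   then "@group,#{src[:owner]},#{src[:name]}"
  when 'address' then "@address,#{src[:family]},#{src[:address]},#{src[:prefix]}"
  else raise ArgumentError, "unknown source type #{src[:type].inspect}"
  end
end

def build_rule_id(rule)
  [rule.owner_id, rule.protocol, rule.from_port, rule.to_port,
   rule.sources.map { |s| source_segment(s) }.join].join('~')
end

# Inverse of build_rule_id. An id arriving in a DELETE request is untrusted
# input, so check the field count, protocol, ports (icmp may use -1) and the
# shape of every source segment before using any of it.
def parse_rule_id(id)
  owner, proto, from, to, sources_string = id.split('~', 5)
  raise ArgumentError, 'malformed rule id' if sources_string.nil?
  raise ArgumentError, "bad protocol #{proto}" unless PROTOCOLS.include?(proto)
  unless from =~ /\A-?\d+\z/ && to =~ /\A-?\d+\z/
    raise ArgumentError, 'ports must be integers'
  end
  sources = sources_string.split('@').reject(&:empty?).map do |seg|
    fields = seg.split(',')
    case fields[0]
    when 'group'
      raise ArgumentError, 'bad group source' unless fields.size == 3
      { type: 'group', owner: fields[1], name: fields[2] }
    when 'address'
      raise ArgumentError, 'bad address source' unless fields.size == 4
      { type: 'address', family: fields[1], address: fields[2], prefix: fields[3] }
    else
      raise ArgumentError, "unknown source type #{fields[0].inspect}"
    end
  end
  Rule.new(owner, proto, Integer(from), Integer(to), sources)
end
```

Round-tripping the example id from the XML above through parse_rule_id and build_rule_id gives the same string back.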
I'm sure there's more but this is already way too long, thanks to anyone brave
enough to try this stuff out,
all the best, marios