display security group id rules #47152

1,053 changes: 573 additions & 480 deletions api/gen/proto/go/teleport/integration/v1/awsoidc_service.pb.go


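--- a/api/proto/teleport/integration/v1/awsoidc_service.proto
+++ b/api/proto/teleport/integration/v1/awsoidc_service.proto
@@ -214,6 +214,15 @@ message SecurityGroupRuleCIDR {
 string description = 2;
 }
 
+// SecurityGroupRuleGroupID has an allowed security group ID and a description
+// for the rule.
+message SecurityGroupRuleGroupID {
+// GroupID is the allowed security group ID.
+string group_id = 1;
+// Description contains a small text describing the allowed security group.
+string description = 2;
+}
+
 // SecurityGroupRule is a representation of a SecurityGroupRule.
 // Either for Inbound or Outbound rules.
 message SecurityGroupRule {
@@ -228,6 +237,9 @@ message SecurityGroupRule {
 int32 to_port = 3;
 // CIDRs contains a list of IP ranges that this rule applies to and a description for the value.
 repeated SecurityGroupRuleCIDR cidrs = 4;
+// GroupIds is a list of rules that allow another security group referenced
+// by ID.
+repeated SecurityGroupRuleGroupID group_ids = 5;
 }
 
 // SecurityGroup is a representation of a SecurityGroup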
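Review bot: The comment on `group_id` (`// GroupID is the allowed security group ID.`) does not say whose group it is: `convertAWSIPPermissions` in lib/integrations/awsoidc/list_security_groups.go copies only `GroupId` and `Description` out of each `UserIdGroupPair`, so a reference to a group in another AWS account or a peered VPC (the SDK pair also carries `UserId` and `VpcPeeringConnectionId`) is shown as a bare `sg-…` id indistinguishable from a group in the caller's own account. I'd extend the comment to `// GroupID is the allowed security group ID. The owning account is not carried, so the ID may refer to a group in another account or a peered VPC.`, and the same caveat belongs on `GroupIDRule.GroupId` in list_security_groups.go and `GroupIdRule.groupId` in types.ts. If the dialog is meant to help an operator judge how permissive a rule is, adding a `user_id` field alongside `group_id` would be the stronger fix. The enclosing `SecurityGroupRule` message starts above the second hunk.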
17 changes: 16 additions & 1 deletion lib/auth/integration/integrationv1/awsoidc.go
Expand Up @@ -395,18 +395,33 @@ func (s *AWSOIDCService) ListSecurityGroups(ctx context.Context, req *integratio
func convertSecurityGroupRulesToProto(inRules []awsoidc.SecurityGroupRule) []*integrationpb.SecurityGroupRule {
out := make([]*integrationpb.SecurityGroupRule, 0, len(inRules))
for _, r := range inRules {
cidrs := make([]*integrationpb.SecurityGroupRuleCIDR, 0, len(r.CIDRs))
var cidrs []*integrationpb.SecurityGroupRuleCIDR
if len(r.CIDRs) > 0 {
cidrs = make([]*integrationpb.SecurityGroupRuleCIDR, 0, len(r.CIDRs))
}
for _, cidr := range r.CIDRs {
cidrs = append(cidrs, &integrationpb.SecurityGroupRuleCIDR{
Cidr: cidr.CIDR,
Description: cidr.Description,
})
}

var groupIDs []*integrationpb.SecurityGroupRuleGroupID
if len(r.Groups) > 0 {
groupIDs = make([]*integrationpb.SecurityGroupRuleGroupID, 0, len(r.Groups))
}
for _, group := range r.Groups {
groupIDs = append(groupIDs, &integrationpb.SecurityGroupRuleGroupID{
GroupId: group.GroupId,
Description: group.Description,
})
}
out = append(out, &integrationpb.SecurityGroupRule{
IpProtocol: r.IPProtocol,
FromPort: int32(r.FromPort),
ToPort: int32(r.ToPort),
Cidrs: cidrs,
GroupIds: groupIDs,
})
}
return out
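Review bot: The new `groupIDs` block is the third copy in this PR of the same `var x []T; if len(in) > 0 { x = make(...) }; for … append` shape (the `cidrs` loop just above it, and the mirror loops in lib/web/integrations_awsoidc.go and lib/integrations/awsoidc/list_security_groups.go), and the nil-when-empty rule it encodes is easy to drift between the copies. A small generic helper would reduce each loop to one call, `GroupIds: mapSlice(r.Groups, groupIDRuleToProto)`, assuming the module already builds with generics as I believe it does. Since this converter and `awsOIDCSecurityGroupsRulesConverter` are meant to be inverses, a round-trip test (awsoidc → proto → awsoidc) would also lock in the nil/empty convention that both now rely on. `convertSecurityGroupRulesToProto` closes inside the hunk; `ListSecurityGroups` from the hunk header starts above it.
```go
// mapSlice applies f to every element of in, returning nil for an empty
// input so the nil-when-empty behaviour of the loops it replaces is kept.
func mapSlice[T, U any](in []T, f func(T) U) []U {
	if len(in) == 0 {
		return nil
	}
	out := make([]U, 0, len(in))
	for _, v := range in {
		out = append(out, f(v))
	}
	return out
}

// … unchanged: convertSecurityGroupRulesToProto, with the cidrs and groupIDs loops replaced by mapSlice calls …
```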
30 changes: 29 additions & 1 deletion lib/integrations/awsoidc/list_security_groups.go
Expand Up @@ -91,6 +91,19 @@ type SecurityGroupRule struct {

// CIDRs contains a list of IP ranges that this rule applies to and a description for the value.
CIDRs []CIDR `json:"cidrs"`

// Groups is a list of rules that allow another security group referenced
// by ID.
Groups []GroupIDRule `json:"groups"`
}

// GroupIDRule is a security group rule that refers to another security group by
// ID and has a description.
type GroupIDRule struct {
// GroupId is the ID of the security group that is allowed by the rule.
GroupId string `json:"groupId"`
// Description contains a small text describing the CIDR.
Description string `json:"description"`
}

// CIDR has a CIDR (IP Range) and a description for the value.
Expand Down Expand Up @@ -187,14 +200,28 @@ func convertAWSIPPermissions(permissions []ec2Types.IpPermission) []SecurityGrou
ipProtocol = aws.ToString(permission.IpProtocol)
}

cidrs := make([]CIDR, 0, len(permission.IpRanges))
var cidrs []CIDR
if len(permission.IpRanges) > 0 {
cidrs = make([]CIDR, 0, len(permission.IpRanges))
}
for _, r := range permission.IpRanges {
cidrs = append(cidrs, CIDR{
CIDR: aws.ToString(r.CidrIp),
Description: aws.ToString(r.Description),
})
}

var groupIDs []GroupIDRule
if len(permission.UserIdGroupPairs) > 0 {
groupIDs = make([]GroupIDRule, 0, len(permission.UserIdGroupPairs))
}
for _, pair := range permission.UserIdGroupPairs {
groupIDs = append(groupIDs, GroupIDRule{
GroupId: aws.ToString(pair.GroupId),
Description: aws.ToString(pair.Description),
})
}

fromPort := int(aws.ToInt32(permission.FromPort))
toPort := int(aws.ToInt32(permission.ToPort))

Expand All @@ -203,6 +230,7 @@ func convertAWSIPPermissions(permissions []ec2Types.IpPermission) []SecurityGrou
FromPort: fromPort,
ToPort: toPort,
CIDRs: cidrs,
Groups: groupIDs,
})
}

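Review bot: The comment on `GroupIDRule.Description` (`// Description contains a small text describing the CIDR.`) is copied from the `CIDR` type and is wrong for a struct that has no CIDR; the proto and types.ts versions added in the same PR say "describing the allowed security group" and "describing the rule", so `// Description contains a small text describing the rule.` keeps the three in step. The field name `GroupId` also breaks the initialism convention this file already follows (`CIDR`, `IPProtocol`, and the type's own name `GroupIDRule`); `GroupID string \`json:"groupId"\`` keeps the wire name while fixing the Go name, at the cost of updating the two converters that read it. In `convertAWSIPPermissions` both fields go through `aws.ToString`, so a pair with an unset `GroupId` yields an entry with an empty id that the dialog's `if (source)` guard then renders as a blank Source cell; skipping such pairs, or at least noting the possibility in the comment, would make the list easier to trust. `convertAWSIPPermissions` starts above the second hunk.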
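--- a/lib/integrations/awsoidc/list_security_groups_test.go
+++ b/lib/integrations/awsoidc/list_security_groups_test.go
@@ -284,6 +284,10 @@ func TestConvertSecurityGroup(t *testing.T) {
 ToPort: aws.Int32(22),
 IpProtocol: aws.String("tcp"),
 IpRanges: []ec2Types.IpRange{{CidrIp: aws.String("0.0.0.0/0")}},
+UserIdGroupPairs: []ec2Types.UserIdGroupPair{{
+GroupId: aws.String("sg-123"),
+Description: aws.String("allowed from another sg"),
+}},
 },
 },
 IpPermissionsEgress: []ec2Types.IpPermission{
@@ -301,6 +305,10 @@ func TestConvertSecurityGroup(t *testing.T) {
 CidrIp: aws.String("0.0.0.0/0"),
 Description: aws.String("Everything"),
 }},
+UserIdGroupPairs: []ec2Types.UserIdGroupPair{{
+GroupId: aws.String("sg-456"),
+Description: aws.String("allowed to another sg"),
+}},
 },
 },
 },
@@ -333,6 +341,7 @@ func TestConvertSecurityGroup(t *testing.T) {
 FromPort: 22,
 ToPort: 22,
 CIDRs: []CIDR{{CIDR: "0.0.0.0/0"}},
+Groups: []GroupIDRule{{GroupId: "sg-123", Description: "allowed from another sg"}},
 },
 },
 OutboundRules: []SecurityGroupRule{
@@ -352,6 +361,7 @@ func TestConvertSecurityGroup(t *testing.T) {
 CIDR: "0.0.0.0/0",
 Description: "Everything",
 }},
+Groups: []GroupIDRule{{GroupId: "sg-456", Description: "allowed to another sg"}},
 },
 },
 },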
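Review bot: Both new `UserIdGroupPairs` cases set `GroupId` and `Description`, so nothing pins the branch the production change introduces for a permission with no pairs: `convertAWSIPPermissions` now leaves `Groups` (and `CIDRs`) nil rather than an empty slice when the input is empty, which is what decides whether the JSON response carries `null` or `[]` for the web client's `groups ?? []` fallback. A case whose `IpPermission` has `IpRanges` but no `UserIdGroupPairs`, with an expected rule that omits `Groups`, would cover that edge in a few lines, assuming the assertion uses `reflect.DeepEqual`-style equality that distinguishes nil from empty; a pair without `Description` would cover the `aws.ToString` nil path too. `TestConvertSecurityGroup` starts and ends outside these hunks.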
17 changes: 16 additions & 1 deletion lib/web/integrations_awsoidc.go
Expand Up @@ -695,18 +695,33 @@ func (h *Handler) awsOIDCListSecurityGroups(w http.ResponseWriter, r *http.Reque
func awsOIDCSecurityGroupsRulesConverter(inRules []*integrationv1.SecurityGroupRule) []awsoidc.SecurityGroupRule {
out := make([]awsoidc.SecurityGroupRule, 0, len(inRules))
for _, r := range inRules {
cidrs := make([]awsoidc.CIDR, 0, len(r.Cidrs))
var cidrs []awsoidc.CIDR
if len(r.Cidrs) > 0 {
cidrs = make([]awsoidc.CIDR, 0, len(r.Cidrs))
}
for _, cidr := range r.Cidrs {
cidrs = append(cidrs, awsoidc.CIDR{
CIDR: cidr.Cidr,
Description: cidr.Description,
})
}

var groupIDs []awsoidc.GroupIDRule
if len(r.GroupIds) > 0 {
groupIDs = make([]awsoidc.GroupIDRule, 0, len(r.GroupIds))
}
for _, group := range r.GroupIds {
groupIDs = append(groupIDs, awsoidc.GroupIDRule{
GroupId: group.GroupId,
Description: group.Description,
})
}
out = append(out, awsoidc.SecurityGroupRule{
IPProtocol: r.IpProtocol,
FromPort: int(r.FromPort),
ToPort: int(r.ToPort),
CIDRs: cidrs,
Groups: groupIDs,
})
}
return out
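Review bot: The new loop reads the proto message fields directly (`r.GroupIds`, `group.GroupId`, `group.Description`) where the generated getters `r.GetGroupIds()`, `group.GetGroupId()` and `group.GetDescription()` are the usual protobuf-go idiom; they are nil-receiver safe, so a nil element, should one ever appear in the list, cannot panic the web handler. This matches the pre-existing `r.Cidrs` / `cidr.Cidr` accesses in the same function, so it is a style point rather than a regression, but since this converter sits in the request path of `awsOIDCListSecurityGroups` on data returned by the auth server, I'd switch all of them in one go. `awsOIDCSecurityGroupsRulesConverter` closes inside the hunk; the handler named in the hunk header starts above it.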
Expand Up @@ -248,6 +248,13 @@ const securityGroupsResponse = [
cidrs: [
{ cidr: '192.168.1.0/24', description: 'Subnet Mask 255.255.255.0' },
],
groups: [{ groupId: 'sg-123', description: 'Trusted other group' }],
},
{
ipProtocol: 'tcp',
fromPort: '8080',
toPort: '8080',
groups: [{ groupId: 'sg-456', description: 'Trusted other group' }],
},
],
outboundRules: [
Expand All @@ -263,13 +270,26 @@ const securityGroupsResponse = [
toPort: '22',
cidrs: [{ cidr: '0.0.0.0/0', description: 'Everything' }],
},
{
ipProtocol: 'tcp',
fromPort: '8080',
toPort: '8080',
groups: [
{
groupId: 'sg-abcdef',
description:
'a trusted group on port 8080 for some reason and this description rambles a lot so the table better truncate it with ellipses but you should still see the full thing by hovering on it :D',
},
],
},
{
ipProtocol: 'tcp',
fromPort: '2000',
toPort: '5000',
cidrs: [
{ cidr: '10.0.0.0/16', description: 'Subnet Mask 255.255.0.0' },
],
groups: [{ groupId: 'sg-abc', description: 'some other group' }],
},
],
},
Expand Up @@ -211,12 +211,21 @@ type ExpandedSecurityGroupRule = {
function expandSecurityGroupRule(
rule: SecurityGroupRule
): ExpandedSecurityGroupRule[] {
return rule.cidrs.map(source => ({
return [
...rule.cidrs.map(cidr => ({
source: cidr.cidr,
description: cidr.description,
})),
...rule.groups.map(group => ({
source: group.groupId,
description: group.description,
})),
].map(entry => ({
ipProtocol: rule.ipProtocol,
fromPort: rule.fromPort,
toPort: rule.toPort,
source: source.cidr,
description: source.description,
source: entry.source,
description: entry.description,
}));
}

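Review bot: `rule.groups.map(...)` (like the pre-existing `rule.cidrs.map`) throws if the field is missing, and the only thing making it defined is the `groups ?? []` default in `makeSecurityGroupRule`; the `securityGroupsResponse` fixture updated in this PR adds rules with no `cidrs` key, so if any caller hands such raw JSON to this function without going through the service layer it would crash. Guarding here, `...(rule.cidrs ?? []).map(cidr => ({` and `...(rule.groups ?? []).map(group => ({`, makes the function safe on its own. Because CIDRs and group IDs now share the single `source` column, a `sourceType: 'cidr' | 'group'` field on `ExpandedSecurityGroupRule` would let the table label each entry instead of relying on the reader recognising the `sg-` prefix. `expandSecurityGroupRule` closes inside the hunk; `ExpandedSecurityGroupRule` is declared above it.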
Expand Up @@ -19,7 +19,7 @@
import React from 'react';
import styled from 'styled-components';

import { ButtonSecondary, H2 } from 'design';
import { ButtonSecondary, H2, Text } from 'design';
import Table, { Cell } from 'design/DataTable';
import Dialog, { DialogContent, DialogFooter } from 'design/DialogConfirmation';

Expand Down Expand Up @@ -67,7 +67,11 @@ export function SecurityGroupRulesDialog({
headerText: 'Source',
render: ({ source }) => {
if (source) {
return <Cell>{source}</Cell>;
return (
<Cell>
<Text title={source}>{source}</Text>
</Cell>
);
}
return null;
},
Expand All @@ -77,7 +81,11 @@ export function SecurityGroupRulesDialog({
headerText: 'Description',
render: ({ description }) => {
if (description) {
return <Cell>{description}</Cell>;
return (
<Cell>
<Text title={description}>{description}</Text>
</Cell>
);
}
return null;
},
Expand All @@ -104,6 +112,8 @@ const StyledTable = styled(Table)`
& > tbody > tr > td {
vertical-align: middle;
text-align: left;
max-width: 200px;
text-wrap: nowrap;
}

& > thead > tr > th {
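Review bot: The added `max-width: 200px; text-wrap: nowrap;` on the `td` only stops wrapping; unless `Cell` or `Text` already sets `overflow: hidden` and `text-overflow: ellipsis` (not visible here), long values will overflow the cell rather than truncate, which is exactly what the long description in the updated `securityGroupsResponse` fixture is meant to exercise. `white-space: nowrap` is also the property with broad browser support for this; `text-wrap: nowrap` is newer and, as far as I know, missing in older Safari. I'd change the rule to `max-width: 200px; white-space: nowrap; overflow: hidden; text-overflow: ellipsis;`. The `title` attribute on `Text` supplies the hover-to-see-full-value behaviour, and React escapes attribute values, so rendering the AWS-supplied description there is fine. `StyledTable` and the column definitions start above these hunks.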
19 changes: 17 additions & 2 deletions web/packages/teleport/src/services/integrations/integrations.ts
Expand Up @@ -45,6 +45,7 @@ import {
DeployEc2InstanceConnectEndpointRequest,
DeployEc2InstanceConnectEndpointResponse,
SecurityGroup,
SecurityGroupRule,
ListEksClustersResponse,
EnrollEksClustersResponse,
EnrollEksClustersRequest,
Expand Down Expand Up @@ -469,8 +470,22 @@ function makeSecurityGroup(json: any): SecurityGroup {
name,
id,
description,
inboundRules: inboundRules ?? [],
outboundRules: outboundRules ?? [],
inboundRules: inboundRules?.map(rule => makeSecurityGroupRule(rule)) ?? [],
outboundRules:
outboundRules?.map(rule => makeSecurityGroupRule(rule)) ?? [],
};
}

function makeSecurityGroupRule(json: any): SecurityGroupRule {
json = json ?? {};
const { ipProtocol, fromPort, toPort, cidrs, groups } = json;

return {
ipProtocol,
fromPort,
toPort,
cidrs: cidrs ?? [],
groups: groups ?? [],
};
}

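Review bot: `makeSecurityGroupRule` passes `ipProtocol`, `fromPort` and `toPort` through untouched, but `SecurityGroupRule` declares the ports as `string` while the Go side builds them as integers (`int(r.FromPort)` / `int32(r.FromPort)` in this PR's converters, presumably serialised as JSON numbers), so the declared type does not match what the parser returns at runtime; either the type should become `number`, or this function, now that rule parsing is centralised, should coerce, e.g. `fromPort: fromPort == null ? fromPort : String(fromPort)`. The elements of `cidrs` and `groups` are also trusted as-is, so an entry without `description` reaches the table unnormalised, which the `if (description)` guard in the dialog tolerates. A one-line doc comment, `/** makeSecurityGroupRule normalises a rule from the API response, defaulting cidrs and groups to []. */`, would help, matching the other make* helpers if they carry one (not visible here). `makeSecurityGroup` starts above the second hunk.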
22 changes: 20 additions & 2 deletions web/packages/teleport/src/services/integrations/types.ts
Expand Up @@ -595,12 +595,30 @@ export type SecurityGroupRule = {
toPort: string;
// CIDRs contains a list of IP ranges that this rule applies to and a description for the value.
cidrs: Cidr[];
// Groups is a list of rules that allow another security group referenced
// by ID.
groups: GroupIdRule[];
};

export type Cidr = {
// CIDR is the IP range using CIDR notation.
/**
* CIDR is the IP range using CIDR notation.
*/
cidr: string;
// Description contains a small text describing the CIDR.
/**
* Description contains a small text describing the CIDR.
*/
description: string;
};

export type GroupIdRule = {
/**
* GroupId is the ID of the security group that is allowed by the rule.
*/
groupId: string;
/**
* Description contains a small text describing the rule.
*/
description: string;
};

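Review bot: The new `groups` field is documented with `//` line comments while the same hunk converts the neighbouring `Cidr` fields to `/** … */` JSDoc and the new `GroupIdRule` uses JSDoc throughout; for consistency, and so editors surface it on hover, I'd write `/** Groups is a list of rules that allow another security group referenced by ID. */`. The `GroupIdRule.groupId` doc should also say that the owning account is not included, since a bare `sg-…` id cannot be told apart from one in a peered or foreign account. `SecurityGroupRule` starts above the hunk.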