const net = require('net');

const AWS = require('aws-sdk');
const debug = require('debug')('aws-manage-sg');
/**
 * Build an EC2 service client for the region named in `config`.
 *
 * @param {{ region?: string }} config - Caller configuration; a missing or empty
 *   `region` falls back to `us-east-1`.
 * @returns {AWS.EC2} Client pinned to API version 2016-11-15.
 */
function EC2(config) {
  const { region: configuredRegion } = config;
  const region = configuredRegion || 'us-east-1';
  const clientOptions = { apiVersion: '2016-11-15', region };
  return new AWS.EC2(clientOptions);
}
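/**
 * Describe the security groups referenced by `config.rules`.
 *
 * The lookup is deliberately restricted to the group IDs listed in the rules:
 * DescribeSecurityGroups called without any GroupIds describes every group in
 * the region, which would let callers such as revokePermissions act on groups
 * the configuration never named. An empty or malformed rule list is therefore
 * rejected before any API call is made.
 *
 * @param {{ rules: Array<{ securityGroupId: string }>, region?: string }} config
 * @returns {Promise<Array<object>>} The `SecurityGroups` array of the API response.
 * @throws {Error} If `config.rules` is missing, empty or contains a rule without a
 *   string `securityGroupId`, or if the response carries no `SecurityGroups`.
 */
async function getSecurityGroups(config) {
  const { rules } = config;
  if (!Array.isArray(rules) || rules.length === 0) {
    throw new Error('config.rules must list at least one securityGroupId');
  }
  const groupIds = rules.map(({ securityGroupId }) => securityGroupId);
  // An undefined entry could be dropped on serialization and silently widen the query.
  if (groupIds.some((id) => typeof id !== 'string' || id === '')) {
    throw new Error('every rule in config.rules must list at least one securityGroupId (non-empty string)');
  }
  const params = { GroupIds: groupIds };
  const { SecurityGroups: securityGroups } = await EC2(config)
    .describeSecurityGroups(params)
    .promise();
  if (securityGroups === undefined) {
    throw new Error(`No security groups found for ${JSON.stringify(params)}`);
  }
  return securityGroups;
}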
/**
 * Whether an IpRange entry was tagged for `username` through its `Description`.
 *
 * The Description field is the only ownership marker this module uses, so an
 * exact string match is the whole test.
 *
 * @param {string} username - Owner tag written by grantPermission.
 * @param {{ Description?: string }} range - One entry of a permission's `IpRanges`.
 * @returns {boolean} True when the range's Description equals `username`.
 */
function isRangeForUser(username, range) {
  const { Description: owner } = range;
  return owner === username;
}
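/**
 * Whether an IpPermission contains at least one range tagged for `username`.
 *
 * Always returns a real boolean; the previous form returned the raw
 * `permission.IpRanges` value (`undefined`/`null`) when the list was absent.
 *
 * @param {string} username - Owner tag to look for.
 * @param {{ IpRanges?: Array<{ Description?: string }> }} permission - One entry of a
 *   security group's `IpPermissions`.
 * @returns {boolean} True if any entry of `IpRanges` is owned by `username`.
 */
function hasPermissionARangeForUser(username, permission) {
  const ranges = permission.IpRanges;
  // A permission without an IpRanges list cannot carry a user-tagged range.
  if (!Array.isArray(ranges)) {
    return false;
  }
  return ranges.some((range) => isRangeForUser(username, range));
}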
/**
 * Revoke only the ranges of `permission` that are tagged for `config.username`.
 *
 * The revoke request copies the permission's port/protocol tuple but narrows
 * `IpRanges` to the user's entries, so ranges owned by other users in the same
 * permission are left in place.
 *
 * @param {{ username: string, region?: string }} config
 * @param {string} securityGroupId - Group the permission belongs to.
 * @param {{ IpRanges: Array<object>, FromPort: number, ToPort: number, IpProtocol: string }} permission
 * @returns {Promise<object>} The RevokeSecurityGroupIngress response.
 */
async function revokePermission(config, securityGroupId, permission) {
  const { username } = config;
  const { IpRanges, FromPort, ToPort, IpProtocol } = permission;
  const revokeParam = {
    IpRanges: IpRanges.filter((range) => isRangeForUser(username, range)),
    FromPort,
    ToPort,
    IpProtocol,
  };
  debug(`Revoking rule ${JSON.stringify(revokeParam)} on ${securityGroupId}`);
  const request = EC2(config).revokeSecurityGroupIngress({
    GroupId: securityGroupId,
    IpPermissions: [revokeParam],
  });
  return request.promise();
}
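/**
 * Authorize TCP ingress from `config.ipAddress` on each listed port of one rule,
 * tagging every range with `config.username` so revokePermission can find it.
 *
 * Input is validated before any request is built: the address is inlined into
 * a `/32` CIDR, so anything that is not a bare IPv4 literal (for example a
 * value already carrying a prefix length) is rejected, and each port must parse
 * to an integer in 0..65535. The original `await ports.map(...)` awaited a plain
 * array, which is a no-op and has been removed.
 *
 * @param {{ ipAddress: string, username: string, region?: string }} config
 * @param {{ securityGroupId: string, ports: Array<string|number> }} rule - Target group and ports.
 * @returns {Promise<object>} The AuthorizeSecurityGroupIngress response.
 * @throws {Error} If `ipAddress` is not an IPv4 literal, `ports` is empty, or a port is invalid.
 */
async function grantPermission(config, { securityGroupId, ports }) {
  const { ipAddress, username } = config;
  if (!net.isIPv4(ipAddress)) {
    throw new Error(`config.ipAddress must be an IPv4 address, got ${JSON.stringify(ipAddress)}`);
  }
  if (!Array.isArray(ports) || ports.length === 0) {
    throw new Error(`rule for ${securityGroupId} lists no ports`);
  }
  const portNumbers = ports.map((port) => {
    const p = Number.parseInt(port, 10);
    if (!Number.isInteger(p) || p < 0 || p > 65535) {
      throw new Error(`Invalid port ${JSON.stringify(port)} for ${securityGroupId}`);
    }
    return p;
  });
  debug(`Granting rule to ${securityGroupId} on ports ${ports} for IP ${config.ipAddress} tagged with user ${config.username}`);
  const permissions = portNumbers.map((p) => ({
    IpRanges: [
      {
        CidrIp: `${ipAddress}/32`,
        Description: `${username}`,
      },
    ],
    FromPort: p,
    ToPort: p,
    IpProtocol: 'tcp',
  }));
  return EC2(config).authorizeSecurityGroupIngress({
    GroupId: securityGroupId,
    IpPermissions: permissions,
  })
    .promise();
}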
/**
 * Point the global AWS SDK configuration at a named shared-ini credentials profile.
 *
 * Mutates `AWS.config.credentials` for the whole process; clients created
 * afterwards by EC() pick the profile up.
 *
 * @param {string} profile - Profile name from the shared AWS credentials file.
 * @returns {void}
 */
function useAWSProfile(profile) {
  AWS.config.credentials = new AWS.SharedIniFileCredentials({ profile });
}
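/**
 * Revoke every ingress range tagged for `config.username` in the configured groups.
 *
 * Bug fixed: the previous version pushed each group's *array* of revoke
 * promises into `results`, so `Promise.all` resolved immediately on the
 * nested arrays without waiting for (or surfacing errors from) the actual
 * revoke calls. Promises are now collected flat so the returned promise
 * settles only when all revocations have.
 *
 * @param {{ username: string, rules: Array<{ securityGroupId: string }>, region?: string }} config
 * @returns {Promise<Array<object>>} One RevokeSecurityGroupIngress response per revoked permission.
 */
async function revokePermissions(config) {
  const pending = [];
  for (const securityGroup of await getSecurityGroups(config)) {
    const matching = (securityGroup.IpPermissions || [])
      .filter((permission) => hasPermissionARangeForUser(config.username, permission));
    for (const permission of matching) {
      pending.push(revokePermission(config, securityGroup.GroupId, permission));
    }
  }
  return Promise.all(pending);
}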
/**
 * Grant every rule in `config.rules` for `config.ipAddress`, all requests in parallel.
 *
 * Resolves with no value once every AuthorizeSecurityGroupIngress call has
 * settled; a single failure rejects the whole call.
 *
 * @param {{ ipAddress: string, username: string, rules: Array<object>, region?: string }} config
 * @returns {Promise<void>}
 */
async function grantPermissions(config) {
  const grants = config.rules.map((rule) => grantPermission(config, rule));
  await Promise.all(grants);
}
// Public surface: the two bulk operations plus the credential-profile selector.
// Single-group helpers (grantPermission, revokePermission) stay internal.
module.exports = {
  grantPermissions,
  revokePermissions,
  useAWSProfile,
};