/// <summary>
/// Unmarshaller the response from the service to the response class.
/// </summary>
/// <param name="context"></param>
/// <returns></returns>
public override AmazonWebServiceResponse Unmarshall(XmlUnmarshallerContext context)
{
RevokeSecurityGroupIngressResponse response = new RevokeSecurityGroupIngressResponse();
int originalDepth = context.CurrentDepth;
int targetDepth = originalDepth + 1;
if (context.IsStartOfDocument)
{
targetDepth = 2;
}
while (context.ReadAtDepth(originalDepth))
{
if (context.IsStartElement || context.IsAttribute)
{
if (context.TestExpression("return", targetDepth))
{
var unmarshaller = BoolUnmarshaller.Instance;
response.Return = unmarshaller.Unmarshall(context);
continue;
}
if (context.TestExpression("unknownIpPermissionSet/item", targetDepth))
{
var unmarshaller = IpPermissionUnmarshaller.Instance;
var item = unmarshaller.Unmarshall(context);
response.UnknownIpPermissions.Add(item);
continue;
}
}
}
return(response);
}
public override AmazonWebServiceResponse Unmarshall(XmlUnmarshallerContext context)
{
RevokeSecurityGroupIngressResponse response = new RevokeSecurityGroupIngressResponse();
while (context.Read())
{
}
return(response);
}
private PortChangeResult ClosePort(Configs.Rule rule)
{
var client = new AmazonEC2Client();
RevokeSecurityGroupIngressResponse res = null;
try
{
var ipRule = GetIpPermissionRule(rule, false);
res = client.RevokeSecurityGroupIngress(new RevokeSecurityGroupIngressRequest()
{
IpPermissions = new List <IpPermission>()
{
ipRule
},
GroupId = rule.SecurityGroupId
});
}
catch (AmazonEC2Exception ex)
{
if (ex.Message.Contains("The specified rule does not exist"))
{
return(new PortChangeResult
{
Message = $"Success: Connection to port {rule.Port} (already) CLOSED",
Color = Color.DarkGreen
});
}
return(new PortChangeResult
{
Message = $"Error (Port {rule.Port}): " + ex.Message,
Color = Color.DarkRed
});
}
if (res.HttpStatusCode == HttpStatusCode.OK)
{
return(new PortChangeResult
{
Message = $"Success: Connection to port {rule.Port} CLOSED",
Color = Color.DarkGreen
});
}
return(new PortChangeResult
{
Message = $"Error: couldn't close port {rule.Port}. Code: " + res.HttpStatusCode,
Color = Color.DarkRed
});
}
public override AmazonWebServiceResponse Unmarshall(XmlUnmarshallerContext context)
{
RevokeSecurityGroupIngressResponse response = new RevokeSecurityGroupIngressResponse();
int originalDepth = context.CurrentDepth;
int targetDepth = originalDepth + 1;
if (context.IsStartOfDocument)
{
targetDepth = 2;
}
while (context.ReadAtDepth(originalDepth))
{
if (context.IsStartElement || context.IsAttribute)
{
}
}
return(response);
}
/// <summary>
/// Run a single item
/// </summary>
/// <param name="item">The item to run</param>
public void RunItem(EC2SecurityGroupEntry item)
{
AmazonEC2Client ec2Client =
new AmazonEC2Client(
Config.BaseSettings.AWSAccessKeyID,
Config.BaseSettings.AWSSecretAccessKey,
new AmazonEC2Config
{
RegionEndpoint = RegionEndpoint
});
//1) Revoke Old entries/permissions
if (IpState.HasOldIP && IpState.Changed)
{
bool oldIpStillInUse =
MultiClientState?
.Clients?
.Where(mcei => mcei.IP == IpState.OldIP)
.Any()
??
false;
if (!oldIpStillInUse)
{
RevokeSecurityGroupIngressRequest revokeRequest =
new RevokeSecurityGroupIngressRequest
{
GroupId = item.GroupId,
IpPermissions =
new List <IpPermission>
{
new IpPermission
{
IpProtocol = item.IpProtocol,
FromPort = item.PortRange.FromPort,
ToPort = item.PortRange.ToPort,
Ipv4Ranges =
new List <IpRange>
{
new IpRange
{
CidrIp = IpState.NewIPRange
}
}
}
}
};
RevokeSecurityGroupIngressResponse revokeResponse = null;
try
{
revokeResponse =
ec2Client
.RevokeSecurityGroupIngressAsync(revokeRequest)
.GetAwaiter()
.GetResult();
//Output
Output($"EC2SG: Revoked Security Group Rule: {item} for Old IP: {IpState.OldIP}");
}
catch (Exception ex)
{
//In this case we do nothing.
//The old rule was not removed for whatever reason, but we choose to do nothing here
//so that the new rules continue to be added.
Output($"EC2SG: [ACTION REQUIRED] An exception was thrown while trying to revoke Security Group Rule: {item} for Old IP: {IpState.OldIP}\nRule was likely not revoked.\nException was: {ex}");
}
}
}
//2) Insert new entries/permissions
AuthorizeSecurityGroupIngressRequest authorizeRequest =
new AuthorizeSecurityGroupIngressRequest
{
GroupId = item.GroupId,
IpPermissions =
new List <IpPermission>
{
new IpPermission
{
IpProtocol = "tcp",
FromPort = item.PortRange.FromPort,
ToPort = item.PortRange.ToPort,
Ipv4Ranges =
new List <IpRange>
{
new IpRange
{
CidrIp = IpState.NewIPRange
}
}
}
}
};
AuthorizeSecurityGroupIngressResponse authorizeResponse = null;
try
{
//Output
Output($"EC2SG: START : Adding Security Group Rule: {item} for New IP: {IpState.NewIP}");
//Send
authorizeResponse =
ec2Client
.AuthorizeSecurityGroupIngressAsync(authorizeRequest)
.GetAwaiter()
.GetResult();
}
catch (AmazonEC2Exception ex)
{
//Diagnostics
Debug.WriteLine($"{DateTime.Now.ToString("yyyy-MM-dd HH:mm:ss.fff")}: EXCEPTION: \n" + ex.ToString());
//Handle
if (string.Equals(ex.ErrorCode, "InvalidPermission.Duplicate", StringComparison.InvariantCultureIgnoreCase))
{
//Apparently it is already there, and we're perfectly happy with that
Output($"EC2SG: ERROR : The entry: {item} for New IP: {IpState.NewIP} was already present. No entry was added.");
}
else
{
//Don't really know quite exactly what went wrong :-|
Output($"EC2SG: ERROR : While adding the entry: {item} for New IP: {IpState.NewIP} an exception was thrown. Error Code: {ex.ErrorCode}, Message: {ex.Message}");
}
}
catch (Exception ex)
{
//Diagnostics
Debug.WriteLine($"{DateTime.Now.ToString("yyyy-MM-dd HH:mm:ss.fff")}: EXCEPTION: \n" + ex.ToString());
//Throw
throw new ApplicationException("EC2SG: An unknown exception was thrown while trying to update AWS EC2 Security Group", ex);
}
finally
{
//Output
Output($"EC2SG: COMPLETE: Finished adding Security Group Rule: {item} for New IP: {IpState.NewIP}");
}
}
