AWS: Ignore the UserId when determining whether we can skip revoking a security group

Otherwise we weren't correctly de-authorizing the AWS LB SG from the Node SG
Justin Santa Barbara 2015-06-06 12:35:39 -04:00
parent 8fafefd728
commit 1700259508
1 changed files with 25 additions and 9 deletions


@ -1426,7 +1426,7 @@ func isEqualStringPointer(l, r *string) bool {
return *l == *r return *l == *r
} }
func isEqualIPPermission(l, r *ec2.IPPermission) bool { func isEqualIPPermission(l, r *ec2.IPPermission, compareGroupUserIDs bool) bool {
if !isEqualIntPointer(l.FromPort, r.FromPort) { if !isEqualIntPointer(l.FromPort, r.FromPort) {
return false return false
} }
@ -1452,8 +1452,10 @@ func isEqualIPPermission(l, r *ec2.IPPermission) bool {
if !isEqualStringPointer(l.UserIDGroupPairs[j].GroupID, r.UserIDGroupPairs[j].GroupID) { if !isEqualStringPointer(l.UserIDGroupPairs[j].GroupID, r.UserIDGroupPairs[j].GroupID) {
return false return false
} }
if !isEqualStringPointer(l.UserIDGroupPairs[j].UserID, r.UserIDGroupPairs[j].UserID) { if compareGroupUserIDs {
return false if !isEqualStringPointer(l.UserIDGroupPairs[j].UserID, r.UserIDGroupPairs[j].UserID) {
return false
}
} }
} }
@ -1476,9 +1478,16 @@ func (s *AWSCloud) ensureSecurityGroupIngress(securityGroupId string, addPermiss
changes := []*ec2.IPPermission{} changes := []*ec2.IPPermission{}
for _, addPermission := range addPermissions { for _, addPermission := range addPermissions {
hasUserID := false
for i := range addPermission.UserIDGroupPairs {
if addPermission.UserIDGroupPairs[i].UserID != nil {
hasUserID = true
}
}
found := false found := false
for _, groupPermission := range group.IPPermissions { for _, groupPermission := range group.IPPermissions {
if isEqualIPPermission(addPermission, groupPermission) { if isEqualIPPermission(addPermission, groupPermission, hasUserID) {
found = true found = true
break break
} }
@ -1524,16 +1533,23 @@ func (s *AWSCloud) removeSecurityGroupIngress(securityGroupId string, removePerm
changes := []*ec2.IPPermission{} changes := []*ec2.IPPermission{}
for _, removePermission := range removePermissions { for _, removePermission := range removePermissions {
found := false hasUserID := false
for i := range removePermission.UserIDGroupPairs {
if removePermission.UserIDGroupPairs[i].UserID != nil {
hasUserID = true
}
}
var found *ec2.IPPermission
for _, groupPermission := range group.IPPermissions { for _, groupPermission := range group.IPPermissions {
if isEqualIPPermission(groupPermission, removePermission) { if isEqualIPPermission(groupPermission, removePermission, hasUserID) {
found = true found = groupPermission
break break
} }
} }
if found { if found != nil {
changes = append(changes, removePermission) changes = append(changes, found)
} }
} }
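Review bot: The hasUserID detection loop is written out twice, once in ensureSecurityGroupIngress (hunk at -1476) and again in removeSecurityGroupIngress (hunk at -1524), and neither copy stops at the first hit; a small helper would keep the two call sites in step, since a later change to one loop (say, also treating an empty string as "no UserID") would silently diverge from the other. Note that hasUserID becomes true as soon as any pair in the request carries a UserID, after which pairs in the same request that have none are compared strictly and will not match an existing rule whose UserID AWS populated — worth a sentence on the new parameter, e.g. `// compareGroupUserIDs: when false, the UserID of each UserIDGroupPair is ignored and pairs match on GroupID alone.` Both enclosing functions begin and end outside the shown hunks, as does isEqualIPPermission's tail.
```go
// hasUserIDGroupPair reports whether any UserIDGroupPair in p specifies a
// UserID, in which case isEqualIPPermission must also compare account IDs.
func hasUserIDGroupPair(p *ec2.IPPermission) bool {
	for i := range p.UserIDGroupPairs {
		if p.UserIDGroupPairs[i].UserID != nil {
			return true
		}
	}
	return false
}

// … unchanged: ensureSecurityGroupIngress up to the addPermissions loop …
	hasUserID := hasUserIDGroupPair(addPermission)

// … unchanged: removeSecurityGroupIngress up to the removePermissions loop …
	hasUserID := hasUserIDGroupPair(removePermission)
```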