Initial support for creating firewall rule for inbound SSH.

tintoy · tintoy · commit c356c438d07b · 2016-11-03T18:08:48.000+11:00
diff --git a/Makefile b/Makefile
@@ -32,4 +32,4 @@ test: fmt
 	go test -v github.com/DimensionDataResearch/docker-machine-driver-ddcloud/...
 
 version:
-	echo "package main\n\n// DriverVersion is the current version of the CloudControl driver for Docker Machine.\nconst DriverVersion = \"v0.1 (`git rev-parse HEAD`)\"" > ./version-info.go
+	echo "package main\n\n// DriverVersion is the current version of the CloudControl driver for Docker Machine.\nconst DriverVersion = \"v0.2 (`git rev-parse HEAD`)\"" > ./version-info.go
diff --git a/client.go b/client.go
@@ -5,9 +5,12 @@ import (
 	"fmt"
 	"github.com/DimensionDataResearch/go-dd-cloud-compute/compute"
 	"github.com/docker/machine/libmachine/log"
+	"strings"
 	"time"
 )
 
+var firewallRuleNameSanitizer = strings.NewReplacer("-", ".", "_", ".")
+
 // Get the CloudControl API client used by the driver.
 func (driver *Driver) getCloudControlClient() (client *compute.Client, err error) {
 	client = driver.client
@@ -49,7 +52,7 @@ func (driver *Driver) isServerCreated() bool {
 // Retrieve the target server (must have been created, or an error is returned).
 func (driver *Driver) getServer() (*compute.Server, error) {
 	if !driver.isServerCreated() {
-		return nil, errors.New("Server has not been created")
+		return nil, fmt.Errorf("Server '%s' has not been created", driver.MachineName)
 	}
 
 	client, err := driver.getCloudControlClient()
@@ -273,7 +276,7 @@ func (driver *Driver) isNATRuleCreated() bool {
 // Create a NAT rule to expose the server.
 func (driver *Driver) createNATRuleForServer() error {
 	if !driver.isServerCreated() {
-		return errors.New("Server has not been created")
+		return fmt.Errorf("Server '%s' has not been created", driver.MachineName)
 	}
 
 	if driver.isNATRuleCreated() {
@@ -328,7 +331,7 @@ func (driver *Driver) createNATRuleForServer() error {
 // Delete the the server's NAT rule (if any).
 func (driver *Driver) deleteNATRuleForServer() error {
 	if !driver.isServerCreated() {
-		return errors.New("Server has not been created")
+		return fmt.Errorf("Server '%s' has not been created", driver.MachineName)
 	}
 
 	if !driver.isNATRuleCreated() {
@@ -439,3 +442,78 @@ func (driver *Driver) ensurePublicIPAvailable() error {
 func (driver *Driver) isSSHFirewallRuleCreated() bool {
 	return driver.SSHFirewallRuleID != ""
 }
+
+// Create a firewall rule to enable inbound SSH connections to the target server from the client machine's (external) IP address.
+func (driver *Driver) createSSHFirewallRule(clientPublicIPAddress string) error {
+	if !driver.isServerCreated() {
+		return fmt.Errorf("Server '%s' has not been created", driver.MachineName)
+	}
+
+	if driver.isSSHFirewallRuleCreated() {
+		return fmt.Errorf("Firewall rule '%s' has already been created for server '%s'", driver.SSHFirewallRuleID, driver.MachineName)
+	}
+
+	log.Debugf("Creating SSH firewall rule for server '%s' (allow inbound traffic on port %d from '%s' to '%s')...",
+		driver.MachineName,
+		driver.SSHPort,
+		clientPublicIPAddress,
+		driver.IPAddress,
+	)
+
+	ruleConfiguration := compute.FirewallRuleConfiguration{
+		Name: firewallRuleNameSanitizer.Replace(driver.MachineName),
+	}
+	ruleConfiguration.Accept()
+	ruleConfiguration.Enable()
+	ruleConfiguration.MatchSourceAddress(clientPublicIPAddress)
+	ruleConfiguration.MatchDestinationAddress(driver.IPAddress)
+	ruleConfiguration.MatchDestinationPort(driver.SSHPort)
+
+	client, err := driver.getCloudControlClient()
+	if err != nil {
+		return err
+	}
+
+	firewallRuleID, err := client.CreateFirewallRule(ruleConfiguration)
+	if err != nil {
+		return err
+	}
+
+	driver.SSHFirewallRuleID = firewallRuleID
+
+	log.Debugf("Created SSH firewall rule '%s' for server '%s'.", driver.SSHFirewallRuleID, driver.ServerID)
+
+	return nil
+}
+
+// Delete the firewall rule that enables inbound SSH connections to the target server from the client machine's (external) IP address.
+func (driver *Driver) deleteSSHFirewallRule() error {
+	if !driver.isServerCreated() {
+		return fmt.Errorf("Server '%s' has not been created", driver.MachineName)
+	}
+
+	if !driver.isSSHFirewallRuleCreated() {
+		return fmt.Errorf("Firewall rule has not been created for server '%s'", driver.MachineName)
+	}
+
+	log.Debugf("Deleting SSH firewall rule '%s' for server '%s'...",
+		driver.MachineName,
+		driver.SSHFirewallRuleID,
+	)
+
+	client, err := driver.getCloudControlClient()
+	if err != nil {
+		return err
+	}
+
+	err = client.DeleteFirewallRule(driver.SSHFirewallRuleID)
+	if err != nil {
+		return err
+	}
+
+	log.Debugf("Deleted firewall rule '%s'.", driver.SSHFirewallRuleID)
+
+	driver.SSHFirewallRuleID = ""
+
+	return nil
+}
diff --git a/client_public_ip.go b/client_public_ip.go
@@ -11,8 +11,8 @@ type ipInfo struct {
 	IPAddress string `json:"ip"`
 }
 
-// Retrieve the local machine's public IPv4 address.
-func getMyPublicIPv4Address() (string, error) {
+// Retrieve the client machine's public IPv4 address.
+func getClientPublicIPv4Address() (string, error) {
 	response, err := http.Get("http://ifconfig.co/json")
 	if err != nil {
 		return "", err
diff --git a/driver.go b/driver.go
@@ -212,15 +212,9 @@ func (driver *Driver) PreCreateCheck() error {
 
 // Create a new Docker Machine instance on CloudControl.
 func (driver *Driver) Create() error {
-	localPublicIP, err := getMyPublicIPv4Address()
-	if err != nil {
-		return err
-	}
-	log.Infof("Local machine's public IP address is '%s'.", localPublicIP)
-
 	log.Infof("Importing SSH key...")
 
-	err = driver.importSSHKey()
+	err := driver.importSSHKey()
 	if err != nil {
 		return err
 	}
@@ -239,6 +233,20 @@ func (driver *Driver) Create() error {
 	log.Infof("Server '%s' has private IP '%s'.", driver.MachineName, driver.PrivateIPAddress)
 	log.Infof("Server '%s' has public IP '%s'.", driver.MachineName, driver.IPAddress)
 
+	if driver.CreateSSHFirewallRule {
+		var clientPublicIPAddress string
+		clientPublicIPAddress, err = getClientPublicIPv4Address()
+		if err != nil {
+			return err
+		}
+		log.Infof("Local machine's public IP address is '%s'.", clientPublicIPAddress)
+
+		err = driver.createSSHFirewallRule(clientPublicIPAddress)
+		if err != nil {
+			return err
+		}
+	}
+
 	log.Infof("Configuring SSH key for server '%s' ('%s')...", driver.MachineName, driver.IPAddress)
 	err = driver.installSSHKey()
 	if err != nil {
@@ -308,7 +316,19 @@ func (driver *Driver) Remove() error {
 		return err
 	}
 
-	// TODO: Delete server's associated NAT rule, if required.
+	if driver.isSSHFirewallRuleCreated() {
+		err = driver.deleteSSHFirewallRule()
+		if err != nil {
+			return err
+		}
+	}
+
+	if driver.isNATRuleCreated() {
+		err = driver.deleteNATRuleForServer()
+		if err != nil {
+			return err
+		}
+	}
 
 	err = client.DeleteServer(driver.ServerID)
 	if err != nil {
