From f11b6eaf8d0e2ddfd92897634417639f37b20c78 Mon Sep 17 00:00:00 2001 From: Lucas Kent Date: Mon, 30 Sep 2024 10:19:18 +1000 Subject: [PATCH] Allow user to restrict ingress rules (#60) --- Cargo.lock | 596 ++++++++++++++++-- aws-throwaway/Cargo.toml | 1 + .../examples/aws-throwaway-test-large-file.rs | 5 +- .../aws-throwaway-test-multiple-instances.rs | 5 +- aws-throwaway/examples/aws-throwaway-test.rs | 5 +- aws-throwaway/examples/create-instance.rs | 1 + aws-throwaway/src/backend/cli/mod.rs | 25 +- aws-throwaway/src/backend/sdk/aws.rs | 37 +- aws-throwaway/src/lib.rs | 43 ++ 9 files changed, 654 insertions(+), 64 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 5e3025b..a970046 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -127,6 +127,12 @@ dependencies = [ "syn", ] +[[package]] +name = "atomic-waker" +version = "1.1.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1505bd5d3d116872e7271a6d4e16d81d0c8570876c8de68093a09ac269d8aac0" + [[package]] name = "autocfg" version = "1.4.0" @@ -135,9 +141,9 @@ checksum = "ace50bade8e6234aa140d9a2f552bbee1db4d353f69b8217bc503490fc1a9f26" [[package]] name = "aws-config" -version = "1.5.6" +version = "1.5.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "848d7b9b605720989929279fa644ce8f244d0ce3146fcca5b70e4eb7b3c020fc" +checksum = "8191fb3091fa0561d1379ef80333c3c7191c6f0435d986e85821bcf7acbd1126" dependencies = [ "aws-credential-types", "aws-runtime", @@ -202,9 +208,9 @@ dependencies = [ [[package]] name = "aws-sdk-ec2" -version = "1.74.1" +version = "1.75.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ab6f74dd8b24475ed56ffaeabbbbc3748ec639d16e78ff73f3eefa95b90bfebe" +checksum = "f6787d920877cca6a4ee3953093f6a47cefe26de95a4f7b3681c5850bfe657b4" dependencies = [ "aws-credential-types", "aws-runtime", 
@@ -226,9 +232,9 @@ dependencies = [ [[package]] name = "aws-sdk-iam" -version = "1.45.0" +version = "1.46.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "99f65f73a963d0c4c1a6f139a7f48cf2f1ff9e8f9ad8598c1d1413bd9739c417" +checksum = "053df3024ea2ed0431359b3cddecc92dcfadeaedf71dd497292b39e37e597b46" dependencies = [ "aws-credential-types", "aws-runtime", @@ -249,9 +255,9 @@ dependencies = [ [[package]] name = "aws-sdk-sso" -version = "1.43.0" +version = "1.44.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "70a9d27ed1c12b1140c47daf1bc541606c43fdafd918c4797d520db0043ceef2" +checksum = "0b90cfe6504115e13c41d3ea90286ede5aa14da294f3fe077027a6e83850843c" dependencies = [ "aws-credential-types", "aws-runtime", @@ -271,9 +277,9 @@ dependencies = [ [[package]] name = "aws-sdk-ssooidc" -version = "1.44.0" +version = "1.45.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "44514a6ca967686cde1e2a1b81df6ef1883d0e3e570da8d8bc5c491dcb6fc29b" +checksum = "167c0fad1f212952084137308359e8e4c4724d1c643038ce163f06de9662c1d0" dependencies = [ "aws-credential-types", "aws-runtime", @@ -293,9 +299,9 @@ dependencies = [ [[package]] name = "aws-sdk-sts" -version = "1.43.0" +version = "1.44.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cd7a4d279762a35b9df97209f6808b95d4fe78547fe2316b4d200a0283960c5a" +checksum = "2cb5f98188ec1435b68097daa2a37d74b9d17c9caa799466338a8d1544e71b9d" dependencies = [ "aws-credential-types", "aws-runtime", @@ -399,17 +405,17 @@ dependencies = [ "aws-smithy-types", "bytes", "fastrand", - "h2", + "h2 0.3.26", "http 0.2.12", "http-body 0.4.6", "http-body 1.0.1", "httparse", - "hyper", - "hyper-rustls", + "hyper 0.14.30", + "hyper-rustls 0.24.2", "once_cell", "pin-project-lite", "pin-utils", - "rustls", + "rustls 0.21.12", "tokio", "tracing", ] 
@@ -479,6 +485,7 @@ dependencies = [ "base64 0.22.1", "clap", "futures", + "reqwest", "russh", "russh-keys", "serde", @@ -599,6 +606,12 @@ dependencies = [ "cipher", ] +[[package]] +name = "bumpalo" +version = "3.16.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "79296716171880943b8470b5f8d03aa55eb2e645a4874bdbb28adb49162e012c" + [[package]] name = "byteorder" version = "1.5.0" @@ -632,9 +645,9 @@ dependencies = [ [[package]] name = "cc" -version = "1.1.21" +version = "1.1.22" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "07b1695e2c7e8fc85310cde85aeaab7e3097f593c91d209d3f9df76c928100f0" +checksum = "9540e661f81799159abee814118cc139a2004b3a3aa3ea37724a1b66530b90e0" dependencies = [ "shlex", ] @@ -939,12 +952,31 @@ dependencies = [ "zeroize", ] +[[package]] +name = "encoding_rs" +version = "0.8.34" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b45de904aa0b010bce2ab45264d0631681847fa7b6f2eaa7dab7619943bc4f59" +dependencies = [ + "cfg-if", +] + [[package]] name = "equivalent" version = "1.0.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "5443807d6dff69373d433ab9ef5378ad8df50ca6298caf15de6e52e24aaf54d5" +[[package]] +name = "errno" +version = "0.3.9" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "534c5cf6194dfab3db3242765c03bbe257cf92f22b38f6bc0c58d59108a820ba" +dependencies = [ + "libc", + "windows-sys 0.52.0", +] + [[package]] name = "fastrand" version = "2.1.1" 
@@ -983,6 +1015,21 @@ version = "1.0.7" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "3f9eec918d3f24069decb9af1554cad7c880e2da24a9afd88aca000531ab82c1" +[[package]] +name = "foreign-types" +version = "0.3.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f6f339eb8adc052cd2ca78910fda869aefa38d22d5cb648e6485e4d3fc06f3b1" +dependencies = [ + "foreign-types-shared", +] + +[[package]] +name = "foreign-types-shared" +version = "0.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "00b0228411908ca8685dba7fc2cdd70ec9990a6e753e89b6ac91a84c40fbaf4b" + [[package]] name = "form_urlencoded" version = "1.2.1" @@ -1149,6 +1196,25 @@ dependencies = [ "tracing", ] +[[package]] +name = "h2" +version = "0.4.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "524e8ac6999421f49a846c2d4411f337e53497d8ec55d67753beffa43c5d9205" +dependencies = [ + "atomic-waker", + "bytes", + "fnv", + "futures-core", + "futures-sink", + "http 1.1.0", + "indexmap", + "slab", + "tokio", + "tokio-util", + "tracing", +] + [[package]] name = "hashbrown" version = "0.14.5" @@ -1284,7 +1350,7 @@ dependencies = [ "futures-channel", "futures-core", "futures-util", - "h2", + "h2 0.3.26", "http 0.2.12", "http-body 0.4.6", "httparse", @@ -1298,6 +1364,26 @@ dependencies = [ "want", ] +[[package]] +name = "hyper" +version = "1.4.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "50dfd22e0e76d0f662d429a5f80fcaf3855009297eab6a0a9f8543834744ba05" +dependencies = [ + "bytes", + "futures-channel", + "futures-util", + "h2 0.4.6", + "http 1.1.0", + "http-body 1.0.1", + "httparse", + "itoa", + "pin-project-lite", + "smallvec", + "tokio", + "want", +] + [[package]] name = "hyper-rustls" version = "0.24.2" 
@@ -1306,12 +1392,64 @@ checksum = "ec3efd23720e2049821a693cbc7e65ea87c72f1c58ff2f9522ff332b1491e590" dependencies = [ "futures-util", "http 0.2.12", - "hyper", + "hyper 0.14.30", "log", - "rustls", + "rustls 0.21.12", "rustls-native-certs", "tokio", - "tokio-rustls", + "tokio-rustls 0.24.1", +] + +[[package]] +name = "hyper-rustls" +version = "0.27.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "08afdbb5c31130e3034af566421053ab03787c640246a446327f550d11bcb333" +dependencies = [ + "futures-util", + "http 1.1.0", + "hyper 1.4.1", + "hyper-util", + "rustls 0.23.13", + "rustls-pki-types", + "tokio", + "tokio-rustls 0.26.0", + "tower-service", +] + +[[package]] +name = "hyper-tls" +version = "0.6.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "70206fc6890eaca9fde8a0bf71caa2ddfc9fe045ac9e5c70df101a7dbde866e0" +dependencies = [ + "bytes", + "http-body-util", + "hyper 1.4.1", + "hyper-util", + "native-tls", + "tokio", + "tokio-native-tls", + "tower-service", +] + +[[package]] +name = "hyper-util" +version = "0.1.9" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "41296eb09f183ac68eec06e03cdbea2e759633d4067b2f6552fc2e009bcad08b" +dependencies = [ + "bytes", + "futures-channel", + "futures-util", + "http 1.1.0", + "http-body 1.0.1", + "hyper 1.4.1", + "pin-project-lite", + "socket2", + "tokio", + "tower-service", + "tracing", ] [[package]] @@ -1344,6 +1482,12 @@ dependencies = [ "generic-array", ] +[[package]] +name = "ipnet" +version = "2.10.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "187674a687eed5fe42285b40c6291f9a01517d415fad1c3cbc6a9f778af7fcd4" + [[package]] name = "is_terminal_polyfill" version = "1.70.1" 
@@ -1356,6 +1500,15 @@ version = "1.0.11" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "49f1f14873335454500d59611f1cf4a4b0f786f9ac11f4312a78e4cf2566695b" +[[package]] +name = "js-sys" +version = "0.3.70" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1868808506b929d7b0cfa8f75951347aa71bb21144b7791bae35d9bccfcfe37a" +dependencies = [ + "wasm-bindgen", +] + [[package]] name = "lazy_static" version = "1.5.0" @@ -1377,6 +1530,12 @@ version = "0.2.8" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "4ec2a862134d2a7d32d7983ddcdd1c4923530833c9f2ea1a44fc5fa473989058" +[[package]] +name = "linux-raw-sys" +version = "0.4.14" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "78b3ae25bc7c8c38cec158d1f2757ee79e9b3740fbc7ccf0e59e4b08d793fa89" + [[package]] name = "log" version = "0.4.22" @@ -1404,6 +1563,12 @@ version = "2.7.4" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "78ca9ab1a0babb1e7d5695e3530886289c18cf2f87ec19a575a0abdce112e3a3" +[[package]] +name = "mime" +version = "0.3.17" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6877bb514081ee2a7ff5ef9de3281f14a4dd4bceac4c09388074a6b5df8a139a" + [[package]] name = "miniz_oxide" version = "0.8.0" @@ -1425,6 +1590,23 @@ dependencies = [ "windows-sys 0.52.0", ] +[[package]] +name = "native-tls" +version = "0.2.12" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a8614eb2c83d59d1c8cc974dd3f920198647674a0a035e1af1fa58707e317466" +dependencies = [ + "libc", + "log", + "openssl", + "openssl-probe", + "openssl-sys", + "schannel", + "security-framework", + "security-framework-sys", + "tempfile", +] + [[package]] name = "nu-ansi-term" version = "0.46.0" 
@@ -1510,9 +1692,12 @@ dependencies = [ [[package]] name = "once_cell" -version = "1.19.0" +version = "1.20.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3fdb12b2476b595f9358c5161aa467c2438859caa136dec86c26fdd2efe17b92" +checksum = "82881c4be219ab5faaf2ad5e5e5ecdff8c66bd7402ca3160975c93b24961afd1" +dependencies = [ + "portable-atomic", +] [[package]] name = "opaque-debug" @@ -1520,12 +1705,50 @@ version = "0.3.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "c08d65885ee38876c4f86fa503fb49d7b507c2b62552df7c70b2fce627e06381" +[[package]] +name = "openssl" +version = "0.10.66" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9529f4786b70a3e8c61e11179af17ab6188ad8d0ded78c5529441ed39d4bd9c1" +dependencies = [ + "bitflags", + "cfg-if", + "foreign-types", + "libc", + "once_cell", + "openssl-macros", + "openssl-sys", +] + +[[package]] +name = "openssl-macros" +version = "0.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a948666b637a0f465e8564c73e89d4dde00d72d4d473cc972f390fc3dcee7d9c" +dependencies = [ + "proc-macro2", + "quote", + "syn", +] + [[package]] name = "openssl-probe" version = "0.1.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ff011a302c396a5197692431fc1948019154afc178baf7d8e37367442a4601cf" +[[package]] +name = "openssl-sys" +version = "0.9.103" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7f9e8deee91df40a943c71b917e5874b951d32a802526c85721ce3b776c929d6" +dependencies = [ + "cc", + "libc", + "pkg-config", + "vcpkg", +] + [[package]] name = "outref" version = "0.5.1" @@ -1674,6 +1897,12 @@ dependencies = [ "spki", ] +[[package]] +name = "pkg-config" +version = "0.3.31" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "953ec861398dccce10c670dfeaf3ec4911ca479e9c02154b3a215178c5f566f2" + [[package]] name = "poly1305" version = "0.8.0" 
@@ -1697,6 +1926,12 @@ dependencies = [ "universal-hash", ] +[[package]] +name = "portable-atomic" +version = "1.9.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "cc9c68a3f6da06753e9335d63e27f6b9754dd1920d941135b7ea8224f141adb2" + [[package]] name = "powerfmt" version = "0.2.0" @@ -1771,14 +2006,14 @@ dependencies = [ [[package]] name = "regex" -version = "1.10.6" +version = "1.11.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4219d74c6b67a3654a9fbebc4b419e22126d13d2f3c4a07ee0cb61ff79a79619" +checksum = "38200e5ee88914975b69f657f0801b6f6dccafd44fd9326302a4aaeecfacb1d8" dependencies = [ "aho-corasick", "memchr", - "regex-automata 0.4.7", - "regex-syntax 0.8.4", + "regex-automata 0.4.8", + "regex-syntax 0.8.5", ] [[package]] @@ -1792,13 +2027,13 @@ dependencies = [ [[package]] name = "regex-automata" -version = "0.4.7" +version = "0.4.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "38caf58cc5ef2fed281f89292ef23f6365465ed9a41b7a7754eb4e26496c92df" +checksum = "368758f23274712b504848e9d5a6f010445cc8b87a7cdb4d7cbee666c1288da3" dependencies = [ "aho-corasick", "memchr", - "regex-syntax 0.8.4", + "regex-syntax 0.8.5", ] [[package]] 
@@ -1815,9 +2050,52 @@ checksum = "f162c6dd7b008981e4d40210aca20b4bd0f9b60ca9271061b07f78537722f2e1" [[package]] name = "regex-syntax" -version = "0.8.4" +version = "0.8.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7a66a03ae7c801facd77a29370b4faec201768915ac14a721ba36f20bc9c209b" +checksum = "2b15c43186be67a4fd63bee50d0303afffcef381492ebe2c5d87f324e1b8815c" + +[[package]] +name = "reqwest" +version = "0.12.7" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f8f4955649ef5c38cc7f9e8aa41761d48fb9677197daea9984dc54f56aad5e63" +dependencies = [ + "base64 0.22.1", + "bytes", + "encoding_rs", + "futures-core", + "futures-util", + "h2 0.4.6", + "http 1.1.0", + "http-body 1.0.1", + "http-body-util", + "hyper 1.4.1", + "hyper-rustls 0.27.3", + "hyper-tls", + "hyper-util", + "ipnet", + "js-sys", + "log", + "mime", + "native-tls", + "once_cell", + "percent-encoding", + "pin-project-lite", + "rustls-pemfile 2.1.3", + "serde", + "serde_json", + "serde_urlencoded", + "sync_wrapper", + "system-configuration", + "tokio", + "tokio-native-tls", + "tower-service", + "url", + "wasm-bindgen", + "wasm-bindgen-futures", + "web-sys", + "windows-registry", +] [[package]] name = "rfc6979" @@ -1984,6 +2262,19 @@ dependencies = [ "semver", ] +[[package]] +name = "rustix" +version = "0.38.37" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8acb788b847c24f28525660c4d7758620a7210875711f79e7f663cc152726811" +dependencies = [ + "bitflags", + "errno", + "libc", + "linux-raw-sys", + "windows-sys 0.52.0", +] + [[package]] name = "rustls" version = "0.21.12" 
@@ -1992,10 +2283,23 @@ checksum = "3f56a14d1f48b391359b22f731fd4bd7e43c97f3c50eee276f3aa09c94784d3e" dependencies = [ "log", "ring", - "rustls-webpki", + "rustls-webpki 0.101.7", "sct", ] +[[package]] +name = "rustls" +version = "0.23.13" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f2dabaac7466917e566adb06783a81ca48944c6898a1b08b9374106dd671f4c8" +dependencies = [ + "once_cell", + "rustls-pki-types", + "rustls-webpki 0.102.8", + "subtle", + "zeroize", +] + [[package]] name = "rustls-native-certs" version = "0.6.3" @@ -2003,7 +2307,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "a9aace74cb666635c918e9c12bc0d348266037aa8eb599b5cba565709a8dff00" dependencies = [ "openssl-probe", - "rustls-pemfile", + "rustls-pemfile 1.0.4", "schannel", "security-framework", ] @@ -2017,6 +2321,22 @@ dependencies = [ "base64 0.21.7", ] +[[package]] +name = "rustls-pemfile" +version = "2.1.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "196fe16b00e106300d3e45ecfcb764fa292a535d7326a29a5875c579c7417425" +dependencies = [ + "base64 0.22.1", + "rustls-pki-types", +] + +[[package]] +name = "rustls-pki-types" +version = "1.9.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0e696e35370c65c9c541198af4543ccd580cf17fc25d8e05c5a242b202488c55" + [[package]] name = "rustls-webpki" version = "0.101.7" @@ -2027,6 +2347,17 @@ dependencies = [ "untrusted", ] +[[package]] +name = "rustls-webpki" +version = "0.102.8" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "64ca1bc8749bd4cf37b5ce386cc146580777b4e8572c7b97baf22c83f444bee9" +dependencies = [ + "ring", + "rustls-pki-types", + "untrusted", +] + [[package]] name = "ryu" version = "1.0.18" 
@@ -2147,6 +2478,18 @@ dependencies = [ "serde", ] +[[package]] +name = "serde_urlencoded" +version = "0.7.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d3491c14715ca2294c4d6a88f15e84739788c1d030eed8c110436aafdaa2f3fd" +dependencies = [ + "form_urlencoded", + "itoa", + "ryu", + "serde", +] + [[package]] name = "sha1" version = "0.10.6" @@ -2309,15 +2652,58 @@ checksum = "13c2bddecc57b384dee18652358fb23172facb8a2c51ccc10d74c157bdea3292" [[package]] name = "syn" -version = "2.0.77" +version = "2.0.79" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9f35bcdf61fd8e7be6caf75f429fdca8beb3ed76584befb503b1569faee373ed" +checksum = "89132cd0bf050864e1d38dc3bbc07a0eb8e7530af26344d3d2bbbef83499f590" dependencies = [ "proc-macro2", "quote", "unicode-ident", ] +[[package]] +name = "sync_wrapper" +version = "1.0.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a7065abeca94b6a8a577f9bd45aa0867a2238b74e8eb67cf10d492bc39351394" +dependencies = [ + "futures-core", +] + +[[package]] +name = "system-configuration" +version = "0.6.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3c879d448e9d986b661742763247d3693ed13609438cf3d006f51f5368a5ba6b" +dependencies = [ + "bitflags", + "core-foundation", + "system-configuration-sys", +] + +[[package]] +name = "system-configuration-sys" +version = "0.6.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8e1d1b10ced5ca923a1fcb8d03e96b8d3268065d724548c0211415ff6ac6bac4" +dependencies = [ + "core-foundation-sys", + "libc", +] + +[[package]] +name = "tempfile" +version = "3.13.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f0f2c9fc62d0beef6951ccffd757e241266a2c833136efbe35af6cd2567dca5b" +dependencies = [ + "cfg-if", + "fastrand", + "once_cell", + "rustix", + "windows-sys 0.59.0", +] + [[package]] name = "thiserror" version = "1.0.64" 
@@ -2422,13 +2808,34 @@ dependencies = [ "syn", ] +[[package]] +name = "tokio-native-tls" +version = "0.3.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "bbae76ab933c85776efabc971569dd6119c580d8f5d448769dec1764bf796ef2" +dependencies = [ + "native-tls", + "tokio", +] + [[package]] name = "tokio-rustls" version = "0.24.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "c28327cf380ac148141087fbfb9de9d7bd4e84ab5d2c28fbc911d753de8a7081" dependencies = [ - "rustls", + "rustls 0.21.12", + "tokio", +] + +[[package]] +name = "tokio-rustls" +version = "0.26.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0c7bc40d0e5a97695bb96e27995cd3a08538541b0a846f65bba7a359f36700d4" +dependencies = [ + "rustls 0.23.13", + "rustls-pki-types", "tokio", ] @@ -2636,6 +3043,12 @@ version = "0.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "830b7e5d4d90034032940e4ace0d9a9a057e7a45cd94e6c007832e39edb82f6d" +[[package]] +name = "vcpkg" +version = "0.2.15" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "accd4ea62f7bb7a82fe23066fb0957d48ef677f6eeb8215f372f52e48bb32426" + [[package]] name = "version_check" version = "0.9.5" 
@@ -2663,6 +3076,83 @@ version = "0.11.0+wasi-snapshot-preview1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "9c8d87e72b64a3b4db28d11ce29237c246188f4f51057d65a7eab63b7987e423" +[[package]] +name = "wasm-bindgen" +version = "0.2.93" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a82edfc16a6c469f5f44dc7b571814045d60404b55a0ee849f9bcfa2e63dd9b5" +dependencies = [ + "cfg-if", + "once_cell", + "wasm-bindgen-macro", +] + +[[package]] +name = "wasm-bindgen-backend" +version = "0.2.93" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9de396da306523044d3302746f1208fa71d7532227f15e347e2d93e4145dd77b" +dependencies = [ + "bumpalo", + "log", + "once_cell", + "proc-macro2", + "quote", + "syn", + "wasm-bindgen-shared", +] + +[[package]] +name = "wasm-bindgen-futures" +version = "0.4.43" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "61e9300f63a621e96ed275155c108eb6f843b6a26d053f122ab69724559dc8ed" +dependencies = [ + "cfg-if", + "js-sys", + "wasm-bindgen", + "web-sys", +] + +[[package]] +name = "wasm-bindgen-macro" +version = "0.2.93" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "585c4c91a46b072c92e908d99cb1dcdf95c5218eeb6f3bf1efa991ee7a68cccf" +dependencies = [ + "quote", + "wasm-bindgen-macro-support", +] + +[[package]] +name = "wasm-bindgen-macro-support" +version = "0.2.93" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "afc340c74d9005395cf9dd098506f7f44e38f2b4a21c6aaacf9a105ea5e1e836" +dependencies = [ + "proc-macro2", + "quote", + "syn", + "wasm-bindgen-backend", + "wasm-bindgen-shared", +] + +[[package]] +name = "wasm-bindgen-shared" +version = "0.2.93" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c62a0a307cb4a311d3a07867860911ca130c3494e8c2719593806c08bc5d0484" + +[[package]] +name = "web-sys" +version = "0.3.70" +source = 
"registry+https://github.com/rust-lang/crates.io-index" +checksum = "26fdeaafd9bd129f65e7c031593c24d62186301e0c72c8978fa1678be7d532c0" +dependencies = [ + "js-sys", + "wasm-bindgen", +] + [[package]] name = "winapi" version = "0.3.9" @@ -2685,6 +3175,36 @@ version = "0.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f" +[[package]] +name = "windows-registry" +version = "0.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e400001bb720a623c1c69032f8e3e4cf09984deec740f007dd2b03ec864804b0" +dependencies = [ + "windows-result", + "windows-strings", + "windows-targets", +] + +[[package]] +name = "windows-result" +version = "0.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1d1043d8214f791817bab27572aaa8af63732e11bf84aa21a45a78d6c317ae0e" +dependencies = [ + "windows-targets", +] + +[[package]] +name = "windows-strings" +version = "0.1.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4cd9b125c486025df0eabcb585e62173c6c9eddcec5d117d3b6e8c30e2ee4d10" +dependencies = [ + "windows-result", + "windows-targets", +] + [[package]] name = "windows-sys" version = "0.52.0" diff --git a/aws-throwaway/Cargo.toml b/aws-throwaway/Cargo.toml index 16bf1af..ce7f8b3 100644 --- a/aws-throwaway/Cargo.toml +++ b/aws-throwaway/Cargo.toml @@ -29,6 +29,7 @@ async-trait = "0.1.30" serde = { version = "1.0.195", features = ["derive"] } serde_json = "1.0.111" futures = "0.3.30" +reqwest = "0.12.0" [dev-dependencies] tracing-subscriber = { version = "0.3.1", features = ["env-filter", "json"] } diff --git a/aws-throwaway/examples/aws-throwaway-test-large-file.rs b/aws-throwaway/examples/aws-throwaway-test-large-file.rs index 0168299..18e0c25 100644 --- a/aws-throwaway/examples/aws-throwaway-test-large-file.rs +++ b/aws-throwaway/examples/aws-throwaway-test-large-file.rs 
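Review bot: `reqwest = "0.12.0"` is added with default features, and the lock file in this commit gains `native-tls`, `openssl`, `openssl-sys` and `hyper-tls` entries, presumably through reqwest's default TLS backend, although `rustls` and `hyper-rustls` were already in the lock file. For a single HTTPS GET a narrower declaration keeps the added trust and build surface smaller: `reqwest = { version = "0.12.0", default-features = false, features = ["rustls-tls"] }`. It is worth confirming that this feature set still builds on the supported targets.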
@@ -12,7 +12,10 @@ async fn main() { .with_writer(non_blocking) .init(); - let aws = Aws::builder(CleanupResources::AllResources).build().await; + let aws = Aws::builder(CleanupResources::AllResources) + .use_ingress_restriction(aws_throwaway::IngressRestriction::LocalPublicAddress) + .build() + .await; let instance = aws .create_ec2_instance(Ec2InstanceDefinition::new(InstanceType::T2Micro)) .await; diff --git a/aws-throwaway/examples/aws-throwaway-test-multiple-instances.rs b/aws-throwaway/examples/aws-throwaway-test-multiple-instances.rs index 7947081..daacee5 100644 --- a/aws-throwaway/examples/aws-throwaway-test-multiple-instances.rs +++ b/aws-throwaway/examples/aws-throwaway-test-multiple-instances.rs @@ -10,7 +10,10 @@ async fn main() { .init(); println!("Creating instances"); - let aws = Aws::builder(CleanupResources::AllResources).build().await; + let aws = Aws::builder(CleanupResources::AllResources) + .use_ingress_restriction(aws_throwaway::IngressRestriction::LocalPublicAddress) + .build() + .await; let (instance1, instance2) = tokio::join!( aws.create_ec2_instance(Ec2InstanceDefinition::new(InstanceType::T2Small)), aws.create_ec2_instance( diff --git a/aws-throwaway/examples/aws-throwaway-test.rs b/aws-throwaway/examples/aws-throwaway-test.rs index bf18dc1..00909c3 100644 --- a/aws-throwaway/examples/aws-throwaway-test.rs +++ b/aws-throwaway/examples/aws-throwaway-test.rs @@ -10,7 +10,10 @@ async fn main() { .with_writer(non_blocking) .init(); - let aws = Aws::builder(CleanupResources::AllResources).build().await; + let aws = Aws::builder(CleanupResources::AllResources) + .use_ingress_restriction(aws_throwaway::IngressRestriction::LocalPublicAddress) + .build() + .await; let instance = aws .create_ec2_instance(Ec2InstanceDefinition::new(InstanceType::T2Micro)) .await; diff --git a/aws-throwaway/examples/create-instance.rs b/aws-throwaway/examples/create-instance.rs index d13e9b1..77abcd3 100644 --- a/aws-throwaway/examples/create-instance.rs 
+++ b/aws-throwaway/examples/create-instance.rs @@ -22,6 +22,7 @@ async fn main() { println!("Creating instance of type {instance_type}"); let aws = Aws::builder(CleanupResources::WithAppTag(AWS_THROWAWAY_TAG.to_owned())) + .use_ingress_restriction(aws_throwaway::IngressRestriction::LocalPublicAddress) .build() .await; let instance_type = InstanceType::from_str(&instance_type).unwrap(); diff --git a/aws-throwaway/src/backend/cli/mod.rs b/aws-throwaway/src/backend/cli/mod.rs index 8d15c30..1ffde38 100644 --- a/aws-throwaway/src/backend/cli/mod.rs +++ b/aws-throwaway/src/backend/cli/mod.rs @@ -3,7 +3,8 @@ mod placement_strategy; use crate::{ backend::cli::instance_type::get_arch_of_instance_type, AwsBuilder, CleanupResources, - Ec2Instance, Ec2InstanceDefinition, InstanceOs, NetworkInterface, APP_TAG_NAME, USER_TAG_NAME, + Ec2Instance, Ec2InstanceDefinition, IngressRestriction, InstanceOs, NetworkInterface, + APP_TAG_NAME, USER_TAG_NAME, }; use anyhow::{anyhow, Result}; use futures::stream::FuturesUnordered; @@ -140,7 +141,8 @@ impl Aws { &security_group_name, &builder.vpc_id, builder.security_group_id, - &builder.expose_ports_to_internet + &builder.expose_ports_to_internet, + builder.ingress_restriction ), Aws::create_placement_group(&tags, &placement_group_name, builder.placement_strategy), Aws::get_subnet(builder.subnet_id, az_name.clone()) @@ -200,6 +202,7 @@ impl Aws { vpc_id: &Option, security_group_id: Option, ports: &[u16], + ingress_restriction: IngressRestriction, ) -> String { match security_group_id { Some(id) => id, @@ -224,7 +227,11 @@ impl Aws { command.push("--vpc-id"); command.push(vpc_id); } - let result: SecurityGroup = run_command(&command).await.unwrap(); + let (result, cidr_ip) = tokio::join!( + run_command::(&command), + ingress_restriction.cidr_ip() + ); + let group_id = result.unwrap().group_id; tracing::info!("created security group"); let mut futures = 
@@ -232,16 +239,18 @@ impl Aws { futures.push(Box::pin(Aws::create_ingress_rule_internal(tags, name))); if !ports.contains(&22) { // SSH - futures.push(Box::pin(Aws::create_ingress_rule_for_port(tags, name, 22))); + futures.push(Box::pin(Aws::create_ingress_rule_for_port( + tags, name, &cidr_ip, 22, + ))); } for port in ports { futures.push(Box::pin(Aws::create_ingress_rule_for_port( - tags, name, *port, + tags, name, &cidr_ip, *port, ))); } while futures.next().await.is_some() {} - result.group_id + group_id } } } @@ -262,7 +271,7 @@ impl Aws { tracing::info!("created security group rule - internal"); } - async fn create_ingress_rule_for_port(tags: &Tags, group_name: &str, port: u16) { + async fn create_ingress_rule_for_port(tags: &Tags, group_name: &str, cidr_ip: &str, port: u16) { let port = port.to_string(); let _result: Ignore = run_command(&[ "ec2", @@ -276,7 +285,7 @@ impl Aws { "--to-port", &port, "--cidr-ip", - "0.0.0.0/0", + cidr_ip, "--tag-specifications", &tags.create_tags("security-group-rule", &format!("port {port}")), ]) diff --git a/aws-throwaway/src/backend/sdk/aws.rs b/aws-throwaway/src/backend/sdk/aws.rs index 704ade2..cdc1bf6 100644 --- a/aws-throwaway/src/backend/sdk/aws.rs +++ b/aws-throwaway/src/backend/sdk/aws.rs @@ -1,8 +1,8 @@ use super::tags::Tags; use crate::ec2_instance::{Ec2Instance, NetworkInterface}; use crate::ec2_instance_definition::{Ec2InstanceDefinition, InstanceOs}; -use crate::AwsBuilder; use crate::CleanupResources; +use crate::{AwsBuilder, IngressRestriction}; use anyhow::anyhow; use aws_config::meta::region::RegionProviderChain; use aws_config::retry::ProvideErrorKind; @@ -75,7 +75,8 @@ impl Aws { &security_group_name, &builder.vpc_id, builder.security_group_id, - &builder.expose_ports_to_internet + &builder.expose_ports_to_internet, + builder.ingress_restriction, ), Aws::create_placement_group( &client, 
@@ -143,20 +144,24 @@ impl Aws { vpc_id: &Option, security_group_id: Option, ports: &[u16], + ingress_restriction: IngressRestriction, ) -> String { match security_group_id { Some(id) => id, None => { - let security_group_id = client - .create_security_group() - .group_name(name) - .set_vpc_id(vpc_id.clone()) - .description("aws-throwaway security group") - .tag_specifications( - tags.create_tags(ResourceType::SecurityGroup, "aws-throwaway"), - ) - .send() - .await + let (security_group, cidr_ip) = tokio::join!( + client + .create_security_group() + .group_name(name) + .set_vpc_id(vpc_id.clone()) + .description("aws-throwaway security group") + .tag_specifications( + tags.create_tags(ResourceType::SecurityGroup, "aws-throwaway"), + ) + .send(), + ingress_restriction.cidr_ip() + ); + let security_group_id = security_group .map_err(|e| e.into_service_error()) .unwrap() .group_id @@ -168,15 +173,16 @@ impl Aws { futures.push(Box::pin(Aws::create_ingress_rule_internal( client, tags, name, ))); + // SSH if !ports.contains(&22) { futures.push(Box::pin(Aws::create_ingress_rule_for_port( - client, tags, name, 22, + client, tags, name, &cidr_ip, 22, ))); } for port in ports { futures.push(Box::pin(Aws::create_ingress_rule_for_port( - client, tags, name, *port, + client, tags, name, &cidr_ip, *port, ))); } while futures.next().await.is_some() {} @@ -210,6 +216,7 @@ impl Aws { client: &aws_sdk_ec2::Client, tags: &Tags, group_name: &str, + cidr_ip: &str, port: u16, ) { let port = port.to_string(); @@ -219,7 +226,7 @@ impl Aws { .ip_protocol("tcp") .from_port(22) .to_port(22) - .cidr_ip("0.0.0.0/0") + .cidr_ip(cidr_ip) .tag_specifications( tags.create_tags(ResourceType::SecurityGroupRule, &format!("port {port}")) ) diff --git a/aws-throwaway/src/lib.rs b/aws-throwaway/src/lib.rs index 74e9755..926dd68 100644 --- a/aws-throwaway/src/lib.rs +++ b/aws-throwaway/src/lib.rs 
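Review bot: The rule built in the last sdk/aws.rs hunk still carries `.from_port(22)` and `.to_port(22)` as context lines, so every call appears to authorize port 22 regardless of the `port` argument, which in the visible lines is used only for the tag text. The new `cidr_ip` restriction therefore never reaches the ports passed through `expose_ports_to_internet` on the SDK backend, while the CLI backend passes `&port` to `--to-port` and behaves differently. Keep the numeric value before it is shadowed by `port.to_string()` and use `.from_port(i32::from(port))` and `.to_port(i32::from(port))`. The start of the builder chain lies between this hunk and the previous one and is not visible here.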
@@ -3,6 +3,8 @@ mod ec2_instance; mod ec2_instance_definition; mod ssh; +use std::net::IpAddr; + pub use backend::{Aws, InstanceType, PlacementStrategy}; pub use ec2_instance::{Ec2Instance, NetworkInterface}; pub use ec2_instance_definition::{Ec2InstanceDefinition, InstanceOs}; @@ -15,6 +17,7 @@ const APP_TAG_NAME: &str = "aws-throwaway-23c2d22c-d929-43fc-b2a4-c1c72f0b733f:a pub struct AwsBuilder { cleanup: CleanupResources, use_public_addresses: bool, + ingress_restriction: IngressRestriction, vpc_id: Option, az_name: Option, subnet_id: Option, @@ -38,6 +41,7 @@ impl AwsBuilder { AwsBuilder { cleanup, use_public_addresses: true, + ingress_restriction: IngressRestriction::NoRestrictions, vpc_id: None, az_name: None, subnet_id: None, @@ -64,6 +68,11 @@ impl AwsBuilder { self } + pub fn use_ingress_restriction(mut self, ingress_restriction: IngressRestriction) -> Self { + self.ingress_restriction = ingress_restriction; + self + } + /// * Some(_) => All resources will go into the specified vpc /// * None => All resources will go into the default vpc /// @@ -112,6 +121,7 @@ impl AwsBuilder { } /// Adds the provided ports as allowing traffic in+out to internet in the automatically generated security group. + /// By default ingress is allowed from port 22 and this cannot be disabled. pub fn expose_ports_to_internet(mut self, ports: Vec) -> Self { self.expose_ports_to_internet = ports; self 
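Review bot: `use_ingress_restriction` is added without a doc comment although the neighbouring builder methods have one, and the default set in `new` is `IngressRestriction::NoRestrictions`, so callers who never call it still get `0.0.0.0/0` rules on port 22. A doc line such as `/// Restricts which source addresses may reach port 22 and the exposed ports. Defaults to [IngressRestriction::NoRestrictions].` would make that visible. In the `expose_ports_to_internet` hunk, "ingress is allowed from port 22" reads like a source port; `/// Ingress on port 22 is always allowed and cannot be disabled.` is clearer, and that doc could also say that the ingress restriction applies to the exposed ports.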
@@ -136,3 +146,36 @@ pub enum CleanupResources { /// Cleanup resources created by all [`Aws`] instances regardless of whether it was created via [`CleanupResources::AllResources`] or [`CleanupResources::WithAppTag`] AllResources, } + +/// Defines how to derive the ingress rules of the generated security group for external access. +/// +/// Internal network traffic between instances created through aws-throwaway is always allowed, +/// regardless of the `IngressRestriction` value used. +/// +/// These rules apply to the always enabled port 22 and any extra ports enabled by `AwsBuilder::expose_ports_to_internet`. +#[non_exhaustive] +pub enum IngressRestriction { + /// Allow ingress from any machine on the internet. + /// Many corporate environments will disallow this. + NoRestrictions, + /// Allow ingress only from the public IP address of the machine aws-throwaway is running on. + /// Possibly slightly slower to startup, the public IP will be fetched from https://api.ipify.org in parallel to other work. + LocalPublicAddress, + // In the future we might add: + //UseSpecificAddress(IpAddr) +} + +impl IngressRestriction { + async fn cidr_ip(&self) -> String { + match self { + IngressRestriction::NoRestrictions => "0.0.0.0/0".to_owned(), + IngressRestriction::LocalPublicAddress => { + let api = "https://api.ipify.org"; + let ip = reqwest::get(api).await.unwrap().text().await.unwrap(); + // roundtrip through IpAddr to ensure that we did in fact receive an IP. + let ip: IpAddr = ip.parse().unwrap(); + format!("{ip}/32") + } + } + } +}
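Review bot: `cidr_ip()` parses the ipify response as `IpAddr`, so an IPv6 answer would pass the check and be formatted as `<addr>/32`, which for IPv6 is a very wide prefix rather than a single host; both backends pass the value to the IPv4 `cidr-ip` field. Parsing as IPv4 keeps the `/32` meaning exact: `let ip: std::net::Ipv4Addr = ip.trim().parse().unwrap();`, with the `use std::net::IpAddr;` import changed to match. The two `unwrap()` calls on the HTTP request also turn any network failure into a panic while the security-group creation is running in the same `tokio::join!`, so returning a `Result` with context, or at least an `expect` naming the lookup, would make that failure diagnosable. The doc comment on `LocalPublicAddress` could also say that behind NAT or a VPN the allowed address is the shared egress address, not only this machine.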