
脚本阿里云安全组 ECS 白名单

作者: 川流不息attitude | 来源:发表于2024-07-29 11:43 被阅读0次

    脚本阿里云安全组 ECS 白名单

    公司的外网 IP 在重启路由器等情况下会变化，之前配置的 ECS 访问 IP 白名单随之失效。

    参考

    /**
     * https://api.aliyun.com/document/Ecs/2014-05-26/DescribeSecurityGroups
     * api 地址
     * @throws ExecutionException
     * @throws InterruptedException
     *
     * https://ifconfig.me/ip  获取客户端出网ip
     */
    

    代码

    import com.aliyun.auth.credentials.Credential;
    import com.aliyun.auth.credentials.provider.StaticCredentialProvider;
    import com.aliyun.sdk.service.ecs20140526.AsyncClient;
    import com.aliyun.sdk.service.ecs20140526.models.*;
    import darabonba.core.client.ClientOverrideConfiguration;
    import lombok.extern.slf4j.Slf4j;
    import org.jsoup.Jsoup;
    import org.jsoup.nodes.Document;

    import java.io.IOException;
    import java.net.URL;
    import java.util.List;
    import java.util.Objects;
    import java.util.concurrent.CompletableFuture;
    import java.util.concurrent.ExecutionException;
    import java.util.regex.Pattern;
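    @Slf4j
    public class AliEcsUtil {

        /**
         * Description tag that marks the security-group rule this script owns.
         * Rules are matched by description only, so any rule carrying exactly this text is treated as script-owned.
         */
        private static final String DESC = "脚本执行";

        /** Region of the security group (placeholder in the original listing; fill in before use). */
        private static final String REGION_ID = "";

        /** Security group whose rule is kept in sync with the public IP (placeholder; fill in before use). */
        private static final String SECURITY_GROUP_ID = "";

        /** ECS endpoint override, see https://api.aliyun.com/product/Ecs (placeholder; fill in before use). */
        private static final String ENDPOINT = "";

        /** Environment variables the access key is read from, so that no secret lives in source control. */
        private static final String ENV_ACCESS_KEY_ID = "ALIBABA_CLOUD_ACCESS_KEY_ID";
        private static final String ENV_ACCESS_KEY_SECRET = "ALIBABA_CLOUD_ACCESS_KEY_SECRET";

        /** Third-party service that echoes the caller's egress IP as plain text. */
        private static final String IP_LOOKUP_URL = "https://ifconfig.me/ip";

        /** Strict dotted-quad IPv4 literal; the lookup response must match this before it may reach a firewall rule. */
        private static final Pattern IPV4 = Pattern.compile(
                "(?:(?:25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.){3}(?:25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)");

        /**
         * Builds the ECS async client.
         * <p>Credentials are taken from {@code ALIBABA_CLOUD_ACCESS_KEY_ID} / {@code ALIBABA_CLOUD_ACCESS_KEY_SECRET}
         * instead of being embedded in the source. If an STS token is used, add {@code securityToken(...)} to the
         * credential builder. The caller owns the returned client and must close it.
         *
         * @return a configured client
         * @throws IllegalStateException if either credential variable is unset or blank
         */
        private static AsyncClient getAsyncClient() {
            String accessKeyId = requireEnv(ENV_ACCESS_KEY_ID);
            String accessKeySecret = requireEnv(ENV_ACCESS_KEY_SECRET);
            StaticCredentialProvider provider = StaticCredentialProvider.create(Credential.builder()
                    .accessKeyId(accessKeyId)
                    .accessKeySecret(accessKeySecret)
                    .build());

            // Client-level configuration; the endpoint override is the only setting the script needs.
            return AsyncClient.builder()
                    .credentialsProvider(provider)
                    .overrideConfiguration(
                            ClientOverrideConfiguration.create()
                                    .setEndpointOverride(ENDPOINT)
                    )
                    .build();
        }

        /**
         * Reads a required environment variable.
         *
         * @param name variable name
         * @return its value
         * @throws IllegalStateException if the variable is unset or blank; the message names the variable, never its value
         */
        private static String requireEnv(String name) {
            String value = System.getenv(name);
            if (value == null || value.trim().isEmpty()) {
                throw new IllegalStateException("environment variable " + name + " is not set");
            }
            return value;
        }

        /**
         * Looks up this host's public (egress) IPv4 address via {@value #IP_LOOKUP_URL}.
         * <p>The response is untrusted input that ends up in a security-group rule, so it is accepted only when it is
         * a plain dotted-quad IPv4 literal; anything else raises {@link IOException} instead of being pushed to ECS.
         *
         * @return the public IPv4 address as text, without a CIDR suffix
         * @throws IOException on network failure, or when the response is not an IPv4 literal
         */
        public static String getLocalIp() throws IOException {
            Document page = Jsoup.parse(new URL(IP_LOOKUP_URL), 30000);
            String ip = page.body().text().trim();
            if (!IPV4.matcher(ip).matches()) {
                throw new IOException("unexpected response from " + IP_LOOKUP_URL + ": " + ip);
            }
            return ip;
        }

        /**
         * Synchronises the script-owned rule with the current public IP.
         * <p>Fetches the egress IP, reads the security group's rules and rewrites the source CIDR of the first rule
         * whose description equals {@link #DESC} and whose source differs from the current IP. At most one rule is
         * updated per run. The client is closed on every path, including when nothing needs updating.
         *
         * @throws ExecutionException   if an ECS API call fails
         * @throws InterruptedException if interrupted while waiting for an ECS API call
         * @throws IOException          if the public IP cannot be determined
         */
        public static void update() throws ExecutionException, InterruptedException, IOException {
            String localIp = getLocalIp();
            AsyncClient client = getAsyncClient();
            try {
                DescribeSecurityGroupAttributeRequest request = DescribeSecurityGroupAttributeRequest.builder()
                        .regionId(REGION_ID)
                        .securityGroupId(SECURITY_GROUP_ID)
                        .build();
                DescribeSecurityGroupAttributeResponseBody.Permissions permissions =
                        client.describeSecurityGroupAttribute(request).get().getBody().getPermissions();
                if (permissions == null || permissions.getPermission() == null) {
                    return;  // no rules in the group: nothing to rewrite
                }
                List<DescribeSecurityGroupAttributeResponseBody.Permission> rules = permissions.getPermission();
                for (DescribeSecurityGroupAttributeResponseBody.Permission rule : rules) {
                    if (!Objects.equals(DESC, rule.getDescription())) {
                        continue;
                    }
                    if (!Objects.equals(localIp, rule.getSourceCidrIp())) {
                        // NOTE(review): the rule's DestCidrIp is handed to updateIp as sourceRegionId, as in the
                        // original listing — looks like a mix-up; confirm against the ModifySecurityGroupRule API.
                        updateIp(client, rule.getDestCidrIp(), localIp, rule.getSecurityGroupRuleId());
                        return;
                    }
                }
            } finally {
                client.close();
            }
        }

        /**
         * Rewrites the source CIDR of one rule to {@code ip}, re-asserting the other attributes the script sets.
         * <p>As written the rule grants every protocol on every port ({@code ipProtocol("ALL")},
         * {@code portRange("-1/-1")}) to the source address; narrow the protocol and port range if the instances
         * need less than full access from that IP. The client is owned by the caller and is not closed here.
         *
         * @param client              open ECS client
         * @param sourceRegionId      value passed through to {@code sourceRegionId} on the request
         * @param ip                  new source address (plain IPv4 literal)
         * @param securityGroupRuleId id of the rule to modify
         * @throws ExecutionException   if the API call fails
         * @throws InterruptedException if interrupted while waiting for the API call
         */
        private static void updateIp(AsyncClient client, String sourceRegionId, String ip, String securityGroupRuleId)
                throws ExecutionException, InterruptedException {
            ModifySecurityGroupRuleRequest request = ModifySecurityGroupRuleRequest.builder()
                    .sourceRegionId(sourceRegionId)
                    .portRange("-1/-1")
                    .description(DESC)
                    .sourceCidrIp(ip)
                    .sourcePortRange("-1/-1")
                    .securityGroupId(SECURITY_GROUP_ID)
                    .securityGroupRuleId(securityGroupRuleId)
                    .regionId(REGION_ID)
                    .ipProtocol("ALL")
                    .build();

            // Block on the future so an API failure surfaces to the caller instead of being lost.
            ModifySecurityGroupRuleResponse response = client.modifySecurityGroupRule(request).get();
            log.info("修改ip白名单 {}",response.getBody());
        }
    }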
    

    定时任务

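      /**
       * Scheduled entry point that keeps the ECS security-group whitelist in sync with this host's public IP.
       * <p>Runs at the top of every hour. Failures are logged with their stack trace rather than propagated, so
       * one failed run does not cancel the schedule; an interrupt is restored so the scheduler's thread keeps
       * its interrupted state.
       */
      @Scheduled(cron = "0 0 0/1 * * ?")
        public void ip() {
            log.info("ip 白名单 任务");
            try {
                AliEcsUtil.update();
            } catch (InterruptedException e) {
                // Re-assert the interrupt so the owning scheduler can observe it.
                Thread.currentThread().interrupt();
                log.error("ip whitelist task interrupted", e);
            } catch (ExecutionException | IOException e) {
                log.error("ip whitelist task failed", e);
            }
        }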
    
