vpcmodel

package
v0.5.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jun 6, 2024 License: Apache-2.0 Imports: 13 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	// filter-resources layer names (grouping all vpc resources of that kind)
	NaclLayer          = "NaclLayer"
	SecurityGroupLayer = "SecurityGroupLayer"
)

todo: define enum for filters

View Source 
const (
	NoRules       = iota // there are no relevant rules in this filter
	OnlyAllow            // there are only relevant allow rules in this filter
	OnlyDeny             // there are only relevant deny rules in this filter
	BothAllowDeny        // there are relevant allow and deny rules in this filter
)
View Source 
const (
	DetailsAttributeKind = "kind"
	DetailsAttributeName = "name"
	DetailsAttributeCIDR = "cidr"
)
View Source 
const (
	Vsis diffAnalysisType = iota
	Subnets
)
View Source 
const ResourceTypeIKSNode = "IKSNodeNetworkInterface"

Variables

This section is empty.

Functions

func AllConns 

func AllConns() *connection.Set

func CreateMultiExplanationsInput added in v0.4.0 

func CreateMultiExplanationsInput(
	cConfigs *MultipleVPCConfigs,
	vpcConns map[string]*VPCConnectivity,
	gConns map[string]*GroupConnLines) []explainInputEntry

CreateMultiExplanationsInput given configs and results of connectivity analysis, generates input in the format required by MultiExplain it creates the explainInputEntry of all the following cases: (1) src and dst are internal nodes from the same vpc: {src,dst,vpcConfig} (2) src is internal and dst is external: {src,dst,srcVpcConfig} (3) dst is internal and src is external: {src,dst,dstVpcConfig} (4) src and dst are internal nodes from different vpcs and has a multivpc connection: {src,dst,multiVpcConfig} (5) src and dst are internal nodes from different vpcs and has no connection: {src,dst,nil}

func FilterKindName added in v0.4.0 

func FilterKindName(filterLayer string) string

FilterKindName returns the name of a filter kind within filter layers - e.g. "security group".

func GetPublicInternetIPblocksList added in v0.4.0 

func GetPublicInternetIPblocksList() (internetIPblocksList []*ipblock.IPBlock, allInternetRagnes *ipblock.IPBlock, err error)

func HasNode 

func HasNode(listNodes []Node, node Node) bool

func MultiExplain added in v0.4.0 

func MultiExplain(srcDstCouples []explainInputEntry, vpcConns map[string]*VPCConnectivity) []explainOutputEntry

MultiExplain multi-explanation mode: given a slice of <VPCConfig, Endpoint, Endpoint> such that each Endpoint is either a vsi or grouped external addresses of the given config, returns []explainOutputEntry where item i provides explanation to input i

func NoConns 

func NoConns() *connection.Set

func WriteToFile 

func WriteToFile(content, fileName string) (string, error)

Types

type AbstractionInfo added in v0.5.0 

type AbstractionInfo struct {
	// contains filtered or unexported fields
}

AbstractionInfo is the abstraction information of one nodeSet

type ArchDrawioOutputFormatter 

type ArchDrawioOutputFormatter struct {
	DrawioOutputFormatter
}

///////////////////////////////////////////////////////////////// ArchDrawioOutputFormatter display only the architecture So we omit the connectivity, so we send nil to write output. (In archDrawio format we do not call GetVPCNetworkConnectivity, and conn should be nil, However, in Testing GetVPCNetworkConnectivity is called for all formats)

func (*ArchDrawioOutputFormatter) WriteOutput added in v0.2.0 

func (d *ArchDrawioOutputFormatter) WriteOutput(cConfigs *MultipleVPCConfigs,
	conn map[string]*VPCConnectivity,
	subnetsConn map[string]*VPCsubnetConnectivity,
	cfgsDiff *diffBetweenCfgs,
	outFile string,
	grouping bool,
	uc OutputUseCase,
	explanation *Explanation) (string, error)

type ConfigBasedConnectivityResults 

type ConfigBasedConnectivityResults struct {
	IngressAllowedConns map[VPCResourceIntf]*connection.Set
	EgressAllowedConns  map[VPCResourceIntf]*connection.Set
}

ConfigBasedConnectivityResults is used to capture allowed connectivity to/from elements in the vpc config1 (subnets / external ip-blocks) It is associated with a subnet when analyzing connectivity of subnets based on NACL resources

func NewConfigBasedConnectivityResults 

func NewConfigBasedConnectivityResults() *ConfigBasedConnectivityResults

type ConnectivityResult 

type ConnectivityResult struct {
	IngressAllowedConns map[Node]*connection.Set
	EgressAllowedConns  map[Node]*connection.Set
}

ConnectivityResult is used to capture allowed connectivity between Node elements A Node object has its associated ConnectivityResult (see VPCConnectivity.AllowedConns) The ConnectivityResult holds the allowed ingress and egress connections (to/from the associated node) with other Node objects and the connection attributes for each such node

type DebugOutputFormatter 

type DebugOutputFormatter struct {
}

func (*DebugOutputFormatter) WriteOutput added in v0.2.0 

func (t *DebugOutputFormatter) WriteOutput(c1, c2 *VPCConfig,
	conn *VPCConnectivity,
	subnetsConn *VPCsubnetConnectivity,
	cfgsDiff *diffBetweenCfgs,
	outFile string,
	grouping bool,
	uc OutputUseCase,
	explanation *Explanation) (*SingleAnalysisOutput, error)

WriteOutput at the moment only AllEndpoints supported for Debug mode

type DiffType added in v0.2.0 

type DiffType = int

type DrawioGenerator added in v0.2.0 

type DrawioGenerator struct {
	// contains filtered or unexported fields
}

DrawioGenerator is the struct that generate the drawio tree. its main interface is: 1. TreeNode() - generate and returns the drawio tree node of a resource 2. the constructor - generate the treeNodes that does not represent a specific resource (the constructor creates the publicNetwork tree node, and the Cloud TreeNode) the rest of the interface i getters: Network(), PublicNetwork(), Cloud() returns the tree nodes which are created at the constructor please notice: creating the cloud treeNode is vendor specific (IBM, aws...). currently, the input that distinguish between the vendors is the cloudName, which is provided to NewDrawioGenerator() as parameter. we might later give as parameters more information to create the cloud, or create the cloud at the specific pkg.

func NewDrawioGenerator added in v0.2.0 

func NewDrawioGenerator(cloudName string, lbAbstraction bool, uc OutputUseCase) *DrawioGenerator

func (*DrawioGenerator) Cloud added in v0.2.0 

func (gen *DrawioGenerator) Cloud() *drawio.CloudTreeNode

func (*DrawioGenerator) LBAbstraction added in v0.5.0 

func (gen *DrawioGenerator) LBAbstraction() bool

func (*DrawioGenerator) Network added in v0.2.0 

func (gen *DrawioGenerator) Network() *drawio.NetworkTreeNode

func (*DrawioGenerator) PublicNetwork added in v0.2.0 

func (gen *DrawioGenerator) PublicNetwork() *drawio.PublicNetworkTreeNode

func (*DrawioGenerator) TreeNode added in v0.2.0 

func (gen *DrawioGenerator) TreeNode(res DrawioResourceIntf) drawio.TreeNodeInterface

type DrawioOutputFormatter 

type DrawioOutputFormatter struct {
	// contains filtered or unexported fields
}

func (*DrawioOutputFormatter) WriteOutput added in v0.2.0 

func (d *DrawioOutputFormatter) WriteOutput(cConfigs *MultipleVPCConfigs,
	conn map[string]*VPCConnectivity,
	subnetsConn map[string]*VPCsubnetConnectivity,
	cfgsDiff *diffBetweenCfgs,
	outFile string,
	grouping bool,
	uc OutputUseCase,
	explanation *Explanation) (string, error)

type DrawioResourceIntf added in v0.2.0 

type DrawioResourceIntf interface {
	GenerateDrawioTreeNode(gen *DrawioGenerator) drawio.TreeNodeInterface
	IsExternal() bool
	ShowOnSubnetMode() bool
	Kind() string
}

DrawioResourceIntf is the interface of all the resources that are converted to a drawio treeNodes

type Endpoint added in v0.4.0 

type Endpoint struct {
	VpcResource VPCResourceIntf
	IPBlock     *ipblock.IPBlock
	NextHop     *NextHopEntry
}

Endpoint captures possible types for elements within routing paths: concrete vpc resource, IP Address, and nextHopEntry

type EndpointElem 

type EndpointElem interface {
	Name() string
	ExtendedName(*VPCConfig) string
	UID() string
	IsExternal() bool
	DrawioResourceIntf
}

EndpointElem can be Node(networkInterface) / groupedExternalNodes / groupedEndpointsElems / NodeSet(subnet or LB)

type Explanation added in v0.3.0 

type Explanation struct {
	// contains filtered or unexported fields
}

func (*Explanation) String added in v0.3.0 

func (explanation *Explanation) String(verbose bool) string

String main printing function for the Explanation struct - returns a string with the explanation

type ExplanationArgs added in v0.3.0 

type ExplanationArgs struct {
	// contains filtered or unexported fields
}

func NewExplanationArgs added in v0.3.0 

func NewExplanationArgs(src, dst, protocol string, srcMinPort, srcMaxPort, dstMinPort, dstMaxPort int64) *ExplanationArgs

func (*ExplanationArgs) Dst added in v0.3.0 

func (e *ExplanationArgs) Dst() string

func (*ExplanationArgs) GetConnectionSet added in v0.3.0 

func (e *ExplanationArgs) GetConnectionSet() *connection.Set

GetConnectionSet TODO: handle also input ICMP properties (type, code) as input args translates explanation args to a connection set

func (*ExplanationArgs) Src added in v0.3.0 

func (e *ExplanationArgs) Src() string

type ExternalNetwork 

type ExternalNetwork struct {
	ResourceType string
	CidrStr      string
	// contains filtered or unexported fields
}

ExternalNetwork implements Node interface

func (*ExternalNetwork) CidrOrAddress added in v0.3.0 

func (exn *ExternalNetwork) CidrOrAddress() string

func (*ExternalNetwork) ExtendedName added in v0.5.0 

func (exn *ExternalNetwork) ExtendedName(c *VPCConfig) string

func (*ExternalNetwork) ExtendedPrefix added in v0.5.0 

func (exn *ExternalNetwork) ExtendedPrefix(c *VPCConfig) string

func (*ExternalNetwork) GenerateDrawioTreeNode added in v0.2.0 

func (exn *ExternalNetwork) GenerateDrawioTreeNode(gen *DrawioGenerator) drawio.TreeNodeInterface

func (*ExternalNetwork) IPBlock added in v0.3.0 

func (exn *ExternalNetwork) IPBlock() *ipblock.IPBlock

func (*ExternalNetwork) IsExternal added in v0.2.0 

func (exn *ExternalNetwork) IsExternal() bool

func (*ExternalNetwork) IsInternal 

func (exn *ExternalNetwork) IsInternal() bool

func (*ExternalNetwork) IsPublicInternet 

func (exn *ExternalNetwork) IsPublicInternet() bool

func (*ExternalNetwork) Kind 

func (exn *ExternalNetwork) Kind() string

func (*ExternalNetwork) Name 

func (exn *ExternalNetwork) Name() string

func (*ExternalNetwork) RegionName added in v0.4.0 

func (exn *ExternalNetwork) RegionName() string

func (*ExternalNetwork) ShowOnSubnetMode added in v0.3.0 

func (exn *ExternalNetwork) ShowOnSubnetMode() bool

func (*ExternalNetwork) UID added in v0.2.0 

func (exn *ExternalNetwork) UID() string

func (*ExternalNetwork) VPC added in v0.3.0 

func (exn *ExternalNetwork) VPC() VPCResourceIntf

func (*ExternalNetwork) ZoneName added in v0.2.0 

func (exn *ExternalNetwork) ZoneName() string

type FilterTrafficResource 

type FilterTrafficResource interface {
	VPCResourceIntf
	// AllowedConnectivity computes the connectivity from src Node to dst Node considering this filterTraffic resource
	AllowedConnectivity(src, dst Node, isIngress bool) (*connection.Set, error)
	// RulesInConnectivity computes the list of rules of a given filter that contributes to the connection between src and dst
	// if conn is also given the above is per connection
	RulesInConnectivity(src, dst Node, conn *connection.Set, isIngress bool) ([]RulesInTable, []RulesInTable, error)
	// StringDetailsOfRules gets, for a specific filter (sg/nacl), a struct with relevant rules in it,
	// and prints the effect of each filter (e.g. security group sg1-ky allows connection)
	// and the detailed list of relevant rules
	// todo: replace by StringDetailsOfRules to rulesBasedResources interface
	StringDetailsOfRules(listRulesInFilter []RulesInTable) string
	// ListFilterWithAction return map from filter's name to true if it allows traffic, false otherwise
	// to be used by explainability printing functions
	// todo:move to rulesBasedResources interface
	ListFilterWithAction(listRulesInFilter []RulesInTable) map[string]bool
	ReferencedIPblocks() []*ipblock.IPBlock
	ConnectivityMap() (map[string]*IPbasedConnectivityResult, error)
	GetConnectivityOutputPerEachElemSeparately() string
}

FilterTrafficResource capture allowed traffic between 2 endpoints

type GeneralConnectivityMap added in v0.3.0 

type GeneralConnectivityMap map[VPCResourceIntf]map[VPCResourceIntf]*connection.Set

type GroupConnLines 

type GroupConnLines struct {
	GroupedLines []*groupedConnLine
	// contains filtered or unexported fields
}

GroupConnLines used both for VPCConnectivity and for VPCsubnetConnectivity, one at a time. The other must be nil todo: define abstraction above both?

func (*GroupConnLines) String 

func (g *GroupConnLines) String(c *VPCConfig) string

get the grouped connectivity output

type IPbasedConnectivityResult 

type IPbasedConnectivityResult struct {
	IngressAllowedConns map[*ipblock.IPBlock]*connection.Set
	EgressAllowedConns  map[*ipblock.IPBlock]*connection.Set
}

IPbasedConnectivityResult is used to capture allowed connectivity to/from ip-blocks (vpc internal/external) It is associated with a subnet when analyzing connectivity of subnets based on NACL resources (see func (nl *NaclLayer) ConnectivityMap() )

type InternalNode added in v0.3.0 

type InternalNode struct {
	// AddressStr is an IPv4 string, as the node's IP Address
	AddressStr string
	// IPBlockObj is an IPBlock object of the node's address (created from AddressStr).
	// This field is skipped in the JSON output (nodes connectivity output in JSON format),
	// since it is sufficient to have the AddressStr, and no need to represent IPBlockObj as another
	// attribute in the JSON output.
	IPBlockObj *ipblock.IPBlock `json:"-"`
	// SubnetResource is the subnet on which this node resides in
	SubnetResource Subnet `json:"-"`
}

InternalNode implements interface InternalNodeIntf

func (*InternalNode) Address added in v0.3.0 

func (n *InternalNode) Address() string

func (*InternalNode) AppliedFiltersKinds added in v0.4.0 

func (n *InternalNode) AppliedFiltersKinds(otherNode InternalNodeIntf) map[string]bool

AppliedFiltersKinds returns relevant filters between two internal nodes

func (*InternalNode) CidrOrAddress added in v0.3.0 

func (n *InternalNode) CidrOrAddress() string

func (*InternalNode) IPBlock added in v0.3.0 

func (n *InternalNode) IPBlock() *ipblock.IPBlock

func (*InternalNode) IsInternal added in v0.3.0 

func (n *InternalNode) IsInternal() bool

func (*InternalNode) IsPublicInternet added in v0.3.0 

func (n *InternalNode) IsPublicInternet() bool

func (*InternalNode) SetIPBlockFromAddress added in v0.3.0 

func (n *InternalNode) SetIPBlockFromAddress() (err error)

SetIPBlockFromAddress sets the node's IPBlockObj field from its AddressStr field. Assumes its AddressStr field is assigned with valid IPv4 string value.

func (*InternalNode) Subnet added in v0.4.0 

func (n *InternalNode) Subnet() Subnet

type InternalNodeIntf added in v0.3.0 

type InternalNodeIntf interface {
	// Address returns the node's address
	// an InternalNodeIntf has an exact one IP Address
	Address() string
	// IPBlock returns the IPBlock object representing the node's IP Address
	IPBlock() *ipblock.IPBlock
	// Subnet returns the subnet of the internal node
	Subnet() Subnet
	// AppliedFiltersKinds returns relevant filters for connectivity between internal nodes
	//  specifically, nacl is non-relevant if me and otherNode are in the same subnet
	AppliedFiltersKinds(otherNode InternalNodeIntf) map[string]bool
}

InternalNodeIntf captures common properties for internal nodes: single IP address Implemented by NetworkInterface, IKSNode, ReservedIP (embedding InternalNode)

type JSONoutputFormatter 

type JSONoutputFormatter struct {
}

func (*JSONoutputFormatter) WriteOutput added in v0.2.0 

func (j *JSONoutputFormatter) WriteOutput(c1, c2 *VPCConfig,
	conn *VPCConnectivity,
	subnetsConn *VPCsubnetConnectivity,
	cfgsDiff *diffBetweenCfgs,
	outFile string,
	grouping bool,
	uc OutputUseCase,
	explanation *Explanation) (*SingleAnalysisOutput, error)

type LoadBalancer added in v0.4.0 

type LoadBalancer interface {
	NodeSet
	// DenyConnectivity() - check if the lb denies connection from src to dst
	DenyConnectivity(src, dst Node) bool
	SetAbstractionInfo(*AbstractionInfo)
	AbstractionInfo() *AbstractionInfo
}

LoadBalancer is elaboration of a NodeSet - the nodes are the private IPs of the load balancer todo: elaborate more - get list of servers, expandability,...

type MDoutputFormatter 

type MDoutputFormatter struct {
}

func (*MDoutputFormatter) WriteOutput added in v0.2.0 

func (m *MDoutputFormatter) WriteOutput(c1, c2 *VPCConfig,
	conn *VPCConnectivity,
	subnetsConn *VPCsubnetConnectivity,
	cfgsDiff *diffBetweenCfgs,
	outFile string,
	grouping bool,
	uc OutputUseCase,
	explanation *Explanation) (*SingleAnalysisOutput, error)

type MultipleVPCConfigs added in v0.4.0 

type MultipleVPCConfigs struct {
	// contains filtered or unexported fields
}

///////////////////////////////////////////////////////////////////////////////// MultipleVPCConfigs struct of all the configs. Once multivpc support is elaborating , the struct may change thus, please use get/set methods to access the structs; avoid direct access

func NewMultipleVPCConfigs added in v0.5.0 

func NewMultipleVPCConfigs(cloudName string) *MultipleVPCConfigs

func (*MultipleVPCConfigs) CloudName added in v0.5.0 

func (c *MultipleVPCConfigs) CloudName() string

func (*MultipleVPCConfigs) Config added in v0.5.0 

func (c *MultipleVPCConfigs) Config(uid string) *VPCConfig

func (*MultipleVPCConfigs) ConfigToCompare added in v0.5.0 

func (c *MultipleVPCConfigs) ConfigToCompare(uid string) *VPCConfig

func (*MultipleVPCConfigs) Configs added in v0.5.0 

func (c *MultipleVPCConfigs) Configs() map[string]*VPCConfig

func (*MultipleVPCConfigs) ExplainConnectivity added in v0.4.0 

func (c *MultipleVPCConfigs) ExplainConnectivity(src, dst string, connQuery *connection.Set) (res *Explanation, err error)

ExplainConnectivity returns Explanation object, that explains connectivity of a single <src, dst> couple given by the user

func (*MultipleVPCConfigs) HasConfig added in v0.5.0 

func (c *MultipleVPCConfigs) HasConfig(uid string) bool

func (*MultipleVPCConfigs) RemoveConfig added in v0.5.0 

func (c *MultipleVPCConfigs) RemoveConfig(uid string)

func (*MultipleVPCConfigs) SetConfig added in v0.5.0 

func (c *MultipleVPCConfigs) SetConfig(uid string, config *VPCConfig)

func (*MultipleVPCConfigs) SetConfigsToCompare added in v0.5.0 

func (c *MultipleVPCConfigs) SetConfigsToCompare(toCompare map[string]*VPCConfig)

type NextHopEntry added in v0.4.0 

type NextHopEntry struct {
	NextHop  *ipblock.IPBlock // the next hop address
	OrigDest *ipblock.IPBlock // the original destination

}

NextHopEntry captures an endpoint within a routing path, which redirects traffic to its nextHop instead of the original dest

type Node 

type Node interface {
	VPCResourceIntf
	// CidrOrAddress returns the string of the Node's IP-address (for internal node) or CIDR (for external node)
	CidrOrAddress() string
	// IPBlock returns the IPBlock object of the IP addresses associated with this node
	IPBlock() *ipblock.IPBlock
	// IsInternal returns true if the node is internal, within a VPC
	IsInternal() bool
	// IsPublicInternet returns true if the node is external,
	// currently nodes which are external but not public Internet are ignored
	IsPublicInternet() bool
}

Node is the basic endpoint element in the connectivity graph [ network interface , reserved ip, iks node, external cidrs]

func GetExternalNetworkNodes 

func GetExternalNetworkNodes(disjointRefExternalIPBlocks []*ipblock.IPBlock) ([]Node, error)

type NodeSet 

type NodeSet interface {
	VPCResourceIntf
	Nodes() []Node
	AddressRange() *ipblock.IPBlock
}

NodeSet is an element that may capture several nodes [vsi, vpe, vpc ,subnet]

type NodeSetAbstraction added in v0.5.0 

type NodeSetAbstraction struct {
	// contains filtered or unexported fields
}

NodeSetAbstraction abstract nodesets, one after the other

type OutFormat 

type OutFormat int64
const (
	JSON OutFormat = iota
	Text
	MD
	CSV
	DRAWIO
	ARCHDRAWIO
	SVG
	ARCHSVG
	HTML
	ARCHHTML
	Debug // extended txt format with more details
)

type OutputFormatter 

type OutputFormatter interface {
	WriteOutput(cConfigs *MultipleVPCConfigs, conn map[string]*VPCConnectivity,
		subnetsConn map[string]*VPCsubnetConnectivity, subnetsDiff *diffBetweenCfgs,
		outFile string, grouping bool, uc OutputUseCase, explainStruct *Explanation) (string, error)
}

OutputFormatter is an interface for formatter that handle multi vpcs. implemented by serialOutputFormatter and drawioOutputFormatter

type OutputGenerator 

type OutputGenerator struct {
	// contains filtered or unexported fields
}

OutputGenerator captures one vpc config1 with its connectivity analysis results, and implements the functionality to generate the analysis output in various formats, for that vpc

func NewOutputGenerator 

func NewOutputGenerator(cConfigs *MultipleVPCConfigs, grouping bool, uc OutputUseCase,
	archOnly bool, explanationArgs *ExplanationArgs, f OutFormat, lbAbstraction bool) (*OutputGenerator, error)

func (*OutputGenerator) Generate 

func (o *OutputGenerator) Generate(f OutFormat, outFile string) (string, error)

Generate returns a string representing the analysis output for all input VPCs

func (*OutputGenerator) UnificationDebugPrint added in v0.4.0 

func (o *OutputGenerator) UnificationDebugPrint() string

UnificationDebugPrint used by testing to test unification

type OutputUseCase 

type OutputUseCase int
const (
	InvalidUseCase  OutputUseCase = iota // A place holder for an illegal value
	AllEndpoints                         // connectivity between network interfaces and external ip-blocks
	SingleSubnet                         // connectivity per single subnet with nacl
	AllSubnets                           // connectivity between subnets (consider nacl + pgw)
	AllSubnetsNoPGW                      // connectivity between subnets (consider nacl only)
	SubnetsDiff                          // diff between subnets connectivity of two cfgs (consider nacl + pgw)
	EndpointsDiff                        // diff between vsis connectivity of two cfgs
	Explain                              // explain specified connectivity, given src,dst and connection
)

ToDo SM: subnets connectivity "only nacl" relevant to diff?

type Path added in v0.4.0 

type Path []*Endpoint

Path captures a list of endpoints within a routing Path. The first endpoint is the src. The last endpoint is dest, or a nextHopEntry element.

func (Path) Empty added in v0.4.0 

func (p Path) Empty() bool

func (Path) Equal added in v0.4.0 

func (p Path) Equal(otherPath Path) bool

func (Path) String added in v0.4.0 

func (p Path) String() string

type RoutingResource 

type RoutingResource interface {
	VPCResourceIntf
	Sources() []Node
	Destinations() []Node
	AllowedConnectivity(src, dst VPCResourceIntf) (*connection.Set, error)
	RulesInConnectivity(src, dst Node) []RulesInTable
	AppliedFiltersKinds() map[string]bool
	ExternalIP() string // ExternalIP of fip, empty string for other resources
	// RouterDefined is this router defined for src and dst? while fip, pgw are defined for src, dst iff they enable traffic
	// tgw may be defined for src, dst and deny traffic
	RouterDefined(src, dst Node) bool
	// StringDetailsOfRules returns a string with the prefix that determines the tgw related routing
	// between src and dst; if non tgw relevant to <src, dst> returns an empty string
	// Non-relevant for fip and pgw, returns always an empty string
	StringDetailsOfRules(listRulesInFilter []RulesInTable, verbose bool) (string, error)
}

RoutingResource routing resource enables connectivity from src to destination via that resource fip, pgw, tgw

type RulesInTable added in v0.5.0 

type RulesInTable struct {
	// todo: is the assumption that the set of rules will always be kept in a list a valid one?
	Table       int   // sg/nacl/transit connection index in sgList/naclList/tgwConnList
	Rules       []int // list of indexes of rules in the sg/nacl/transit connection
	RulesOfType RulesType
}

RulesInTable for a given layer (SGLayer/NACLLayer) or transit gateway contains index of the SG/NACL/transit gateway filter and the indexes of the rules within it

type RulesType added in v0.3.0 

type RulesType int

RulesType Type of rules in a given filter (e.g. specific NACL table) relevant to path between src to destination

type SingleAnalysisOutput added in v0.3.0 

type SingleAnalysisOutput struct {
	VPC1Name string
	VPC2Name string
	Output   string
	// contains filtered or unexported fields
}

SingleAnalysisOutput captures output per connectivity analysis of a single VPC, or per semantic diff between 2 VPCs in the former case VPC2Name will be empty

type SingleVpcOutputFormatter added in v0.3.0 

type SingleVpcOutputFormatter interface {
	WriteOutput(c1, c2 *VPCConfig, conn *VPCConnectivity,
		subnetsConn *VPCsubnetConnectivity, subnetsDiff *diffBetweenCfgs,
		outFile string, grouping bool, uc OutputUseCase, explainStruct *Explanation) (*SingleAnalysisOutput, error)
}

SingleVpcOutputFormatter is an interface for a formatter that can handle only one vpc this interface is implemented by textOutputFormatter, jsonOutputFormatter, mdOutputFormatter

type Subnet added in v0.4.0 

type Subnet interface {
	NodeSet
	CIDR() string
}

type TextOutputFormatter 

type TextOutputFormatter struct {
}

func (*TextOutputFormatter) WriteOutput added in v0.2.0 

func (t *TextOutputFormatter) WriteOutput(c1, c2 *VPCConfig,
	conn *VPCConnectivity,
	subnetsConn *VPCsubnetConnectivity,
	cfgsDiff *diffBetweenCfgs,
	outFile string,
	grouping bool,
	uc OutputUseCase,
	explanation *Explanation) (*SingleAnalysisOutput, error)

type VPC added in v0.4.0 

type VPC interface {
	NodeSet
	AddressPrefixes() *ipblock.IPBlock
}

type VPCConfig added in v0.2.0 

type VPCConfig struct {
	// VPC is a reference to the relevant VPC object for which this config belongs
	VPC VPC
	// Subnets is a list of subnets in the VPC
	Subnets []Subnet
	// LoadBalancers is a list of loadBalancers in the VPC
	LoadBalancers []LoadBalancer
	// Nodes is the list of endpoints in the VPC, such as network interfaces, reserved IPs
	// TODO: also separate Nodes to internal and external nodes lists
	Nodes []Node
	// NodeSets is the list of resources that capture multiple nodes (such as VSIs), and are not of a
	// more specific types that embed NodeSet (such as Subnet/VPC)
	NodeSets []NodeSet
	// FilterResources is the list of resources that define filtering traffic rules, such as ACL, SG
	FilterResources []FilterTrafficResource
	// RoutingResources is the list of resources that enable certain types of connectivity, such as PGW, FIP
	RoutingResources []RoutingResource
	// UIDToResource is a map from resource UID to its object in the VPC
	UIDToResource map[string]VPCResourceIntf

	// IsMultipleVPCsConfig is a bool indicator, when set true, it means that the VPCConfig contains resources from
	// multiple VPCs connected to each other, and such config is relevant for reasoning about cross-vpc connectivity
	IsMultipleVPCsConfig bool
}

VPCConfig captures the configured resources for a VPC

func (*VPCConfig) GetConnectivityOutputPerEachSubnetSeparately added in v0.2.0 

func (c *VPCConfig) GetConnectivityOutputPerEachSubnetSeparately() string

GetConnectivityOutputPerEachSubnetSeparately returns string results of connectivity analysis per single subnet with its attached nacl, separately per subnet - useful to get understanding of the connectivity implied from nacl configuration applied on a certain subnet in the vpc

func (*VPCConfig) GetSubnetsConnectivity added in v0.2.0 

func (c *VPCConfig) GetSubnetsConnectivity(includePGW, grouping bool) (*VPCsubnetConnectivity, error)

the main function to compute connectivity per subnet based on resources that capture subnets, such as nacl, pgw, tgw, routing-tables

func (*VPCConfig) GetVPCNetworkConnectivity added in v0.2.0 

func (c *VPCConfig) GetVPCNetworkConnectivity(grouping, lbAbstraction bool) (res *VPCConnectivity, err error)

GetVPCNetworkConnectivity computes VPCConnectivity in few steps (1) compute AllowedConns (map[Node]*ConnectivityResult) : ingress or egress allowed conns separately (2) compute AllowedConnsCombined (map[Node]map[Node]*connection.Set) : allowed conns considering both ingress and egress directions (3) compute AllowedConnsCombinedStateful : stateful allowed connections, for which connection in reverse direction is also allowed (4) if lbAbstraction required - abstract each lb separately (5) if grouping required - compute grouping of connectivity results

func (*VPCConfig) SubnetCidrToSubnetElem added in v0.4.0 

func (c *VPCConfig) SubnetCidrToSubnetElem(cidr string) (Subnet, error)

type VPCConnectivity 

type VPCConnectivity struct {
	// computed for each layer separately its allowed connections (ingress and egress separately)
	// This is used for computing AllowedConns
	AllowedConnsPerLayer map[Node]map[string]*ConnectivityResult

	// computed for each node, by iterating its ConnectivityResult for all relevant VPC resources that capture it
	// a node is mapped to its set of  its allowed ingress (egress) communication as captured by
	// pairs of node+connection
	// This is auxiliary computation based on which AllowedConnsCombined is computed, however the "debug" format uses it
	AllowedConns map[Node]*ConnectivityResult

	// combined connectivity - considering both ingress and egress per connection
	// The main outcome of the computation of which most of the outputs are based
	// (outputs excluding json and debug)
	// For each src node provides a map of dsts and the connection it has to these dsts, including stateful attributes
	// a connection is considered stateful if all paths in it are stateful
	// that stateful component is computed along with the following  AllowedConnsCombinedStateful
	AllowedConnsCombined GeneralConnectivityMap

	// allowed connectivity combined and stateful
	// used by debug and json format only (at the moment)
	// For src node provides a map of dsts and the stateful connection it has to these dsts
	// note that subset of a non-stateful connection from AllowedConnsCombined can still be stateful
	// and as such add to this map
	AllowedConnsCombinedStateful GeneralConnectivityMap

	// grouped connectivity result
	GroupedConnectivity *GroupConnLines
}

VPCConnectivity holds detailed representation of allowed connectivity considering all resources in a vpc config1 instance

func (*VPCConnectivity) DetailedString 

func (v *VPCConnectivity) DetailedString() string

func (*VPCConnectivity) SplitAllowedConnsToUnidirectionalAndBidirectional 

func (v *VPCConnectivity) SplitAllowedConnsToUnidirectionalAndBidirectional() (
	bidirectional, unidirectional GeneralConnectivityMap)

func (*VPCConnectivity) String 

func (v *VPCConnectivity) String() string

type VPCResource 

type VPCResource struct {
	ResourceName string
	ResourceUID  string
	ResourceType string
	Zone         string
	Region       string
	// the VPC to which this resource belongs to
	VPCRef VPCResourceIntf `json:"-"`
}

VPCResource implements part of the VPCResourceIntf every concrete resource type should contain VPCResource and also implement the DrawioResourceIntf

func (*VPCResource) ExtendedName added in v0.5.0 

func (n *VPCResource) ExtendedName(c *VPCConfig) string

func (*VPCResource) ExtendedPrefix added in v0.5.0 

func (n *VPCResource) ExtendedPrefix(c *VPCConfig) string

func (*VPCResource) IsExternal added in v0.2.0 

func (n *VPCResource) IsExternal() bool

func (*VPCResource) Kind 

func (n *VPCResource) Kind() string

func (*VPCResource) Name 

func (n *VPCResource) Name() string

func (*VPCResource) NameAndUID added in v0.3.0 

func (n *VPCResource) NameAndUID() string

func (*VPCResource) RegionName added in v0.4.0 

func (n *VPCResource) RegionName() string

func (*VPCResource) UID 

func (n *VPCResource) UID() string

func (*VPCResource) VPC added in v0.3.0 

func (n *VPCResource) VPC() VPCResourceIntf

func (*VPCResource) ZoneName 

func (n *VPCResource) ZoneName() string

type VPCResourceIntf 

type VPCResourceIntf interface {
	UID() string
	Name() string
	// ExtendedName returns a resource name that includes its VPC as prefix when necessary.
	// for example, a subnet with name "s1" within VPC "v1" will have extended name: "v1/s1"
	// note this method is relevant only for Node and Subnet objects.
	// note it adds the prefix only for input config that has multiple VPCs context.
	ExtendedName(*VPCConfig) string
	// ExtendedPrefix returns the prefix to be added for ExtendedName, given the input config
	ExtendedPrefix(config *VPCConfig) string
	ZoneName() string
	Kind() string
	VPC() VPCResourceIntf // the VPC to which this resource belongs to
	RegionName() string

	DrawioResourceIntf
}

VPCResourceIntf captures common properties for VPC resources

type VPCsubnetConnectivity 

type VPCsubnetConnectivity struct {
	VPCConfig *VPCConfig

	// computed for each node (subnet), by iterating its ConnectivityResult for all relevant VPC resources that capture it
	// computed for each subnet, by iterating its ConfigBasedConnectivityResults for all relevant VPC resources that capture it
	// a subnet is mapped to its set of  its allowed ingress (egress) communication as captured by
	// pairs of external ip/subnet+connection
	// This is auxiliary computation based on which AllowedConnsCombined is computed
	// todo: add debug output mode based on this structure
	AllowedConns map[VPCResourceIntf]*ConfigBasedConnectivityResults

	// combined connectivity - considering both ingress and egress per connection
	// The main outcome of the computation of which the outputs is based
	// For each src node provides a map of dsts and the connection it has to these dsts, including stateful attributes
	// a connection is considered stateful if all paths in it are stateful
	AllowedConnsCombined GeneralConnectivityMap

	// grouped connectivity result
	GroupedConnectivity *GroupConnLines
}

VPCsubnetConnectivity captures allowed connectivity for subnets, considering nacl and pgw resources

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.