Merge branch 'main' into 590_refactor

Author: olasaadi99

go.mod

@@ -4,10 +4,10 @@ go 1.22.4
 
 require (
 	github.com/IBM/networking-go-sdk v0.49.0
-	github.com/IBM/vpc-go-sdk v0.56.0
+	github.com/IBM/vpc-go-sdk v0.57.0
 	github.com/aws/aws-sdk-go-v2/service/ec2 v1.163.0
 	github.com/np-guard/cloud-resource-collector v0.15.0
-	github.com/np-guard/models v0.3.4
+	github.com/np-guard/models v0.4.0
 	github.com/spf13/cobra v1.8.1
 	github.com/stretchr/testify v1.9.0
 )

go.sum

@@ -8,8 +8,8 @@ github.com/IBM/networking-go-sdk v0.49.0 h1:lPS34u3C0JVrbxH+Ulua76Nwl6Frv8BEfq6L
 github.com/IBM/networking-go-sdk v0.49.0/go.mod h1:G9CKbmPE8gSLjN+ABh4hIZ1bMx076enl5Eekvj6zQnA=
 github.com/IBM/platform-services-go-sdk v0.65.0 h1:SAk/Rsn2BLRmeU3z6YJm54TK23/9QJaOPjrjYNGBiPU=
 github.com/IBM/platform-services-go-sdk v0.65.0/go.mod h1:6rYd3stLSnotYmZlxclw45EJPaQuLmh5f7c+Mg7rOg4=
-github.com/IBM/vpc-go-sdk v0.56.0 h1:GVlehMD2rYxETF2S/OSIgPHW7xZlfNsz1C59YLTVPis=
-github.com/IBM/vpc-go-sdk v0.56.0/go.mod h1:BpIOxz9FRDsAY7NQFUYdxiPWjqvcRbBrw8fiAvzNqDE=
+github.com/IBM/vpc-go-sdk v0.57.0 h1:E8CPDpUE4z0cvvmFZzqUthMtGJx71Fne6vdvkjZdXfg=
+github.com/IBM/vpc-go-sdk v0.57.0/go.mod h1:swmxiYLT+OfBsBYqJWGeRd6NPmBk4u/het2PZdtzIaw=
 github.com/asaskevich/govalidator v0.0.0-20200907205600-7a23bdc65eef/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw=
 github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3dyBCFEj5IhUbnKptjxatkF07cF2ak3yi77so=
 github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw=
@@ -165,12 +165,10 @@ github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RR
 github.com/montanaflynn/stats v0.0.0-20171201202039-1bf9dbcd8cbe/go.mod h1:wL8QJuTMNUDYhXwkmfOly8iTdp5TEcJFWZD2D7SIkUc=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
-github.com/np-guard/cloud-resource-collector v0.14.0 h1:MBPtPBYVCQoMfUkn/wODpF7SRpJ9TlOfMszO8N0PePo=
-github.com/np-guard/cloud-resource-collector v0.14.0/go.mod h1:klCHnNnuuVcCtGQHA7R1a8fqnvfMCk/5Jdld6V7sN2A=
 github.com/np-guard/cloud-resource-collector v0.15.0 h1:jkmxql6D1uBr/qmSOsBzUgeDxlUXSCe7dBKfqfK+QZ4=
 github.com/np-guard/cloud-resource-collector v0.15.0/go.mod h1:klCHnNnuuVcCtGQHA7R1a8fqnvfMCk/5Jdld6V7sN2A=
-github.com/np-guard/models v0.3.4 h1:HOhVi6wyGvo+KmYBnQ5Km5HYCF+/PQlDs1v7mL1v05g=
-github.com/np-guard/models v0.3.4/go.mod h1:mqE2Irf8r+7HWh8fII0fWbWyQRMHGEo2SgSLN/6VKs8=
+github.com/np-guard/models v0.4.0 h1:lU9XymcjwOJ5RQdVpziurqBmcLtlKVIQxVUwm+qMczk=
+github.com/np-guard/models v0.4.0/go.mod h1:mqE2Irf8r+7HWh8fII0fWbWyQRMHGEo2SgSLN/6VKs8=
 github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A=
 github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE=
 github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU=

pkg/awsvpc/examples/out/explain_out/from_external_public_subnet_all_vpcs_explain_detail.txt

@@ -21,12 +21,12 @@ Path is enabled; The relevant rules are:
 			ruleNumber: 32767, action: deny, direction: inbound, cidr: 0.0.0.0/0, protocol: all
 		security group GroupId:35 allows connection with the following allow rules
 			Inbound index: 0, direction: inbound, target: 147.0.0.0/8, protocol: tcp, dstPorts: 0-65535
-		security group GroupId:9 has no relevant allow rules
-		Ingress to public internet is allowed since subnet public is public
+		security group GroupId:9 has no relevant rules
+		Ingress from public internet is allowed since subnet public is public
 
 TCP response is partly enabled; The relevant rules are:
 	Egress:
-		network ACL acl1 allows connection with the following allow and deny rules
+		network ACL acl1 partly allows connection with the following allow and deny rules
 			ruleNumber: 10, action: allow, direction: outbound, cidr: 147.235.0.0/16, protocol: tcp, dstPorts: 1025-5000
 			ruleNumber: 32767, action: deny, direction: outbound, cidr: 0.0.0.0/0, protocol: all
 

pkg/awsvpc/examples/out/explain_out/nacl_blocking_all_vpcs_explain_detail.txt

@@ -3,7 +3,7 @@ Interpreted source(s): p2[10.240.2.28]
 Interpreted destination(s): q2[10.240.32.122]
 ======================================================================
 
-No connections from p2[10.240.2.28] to q2[10.240.32.122];
+No connectivity from p2[10.240.2.28] to q2[10.240.32.122];
 	connection is blocked at ingress
 
 Egress: security group GroupId:9 allows connection; network ACL acl1 allows connection

pkg/awsvpc/examples/out/explain_out/subnet_to_subnet_all_vpcs_explain_detail.txt

@@ -3,16 +3,16 @@ Interpreted source(s): r1[10.240.48.198]
 Interpreted destination(s): q2[10.240.32.122], q1[10.240.32.91]
 ==============================================================
 
-Connections from r1[10.240.48.198] to q1[10.240.32.91]: No Connections
+Connections from r1[10.240.48.198] to q2[10.240.32.122]: protocol: TCP dst-ports: 9080
 
 Path:
 	r1[10.240.48.198] -> security group GroupId:22 -> network ACL acl1 -> subnet private2 -> 
-	subnet private1 -> network ACL acl1 -> security group GroupId:15 -> q1[10.240.32.91]
+	subnet private1 -> network ACL acl1 -> security group GroupId:9 -> q2[10.240.32.122]
 
 
 Details:
 ~~~~~~~~
-Path is disabled; The relevant rules are:
+Path is enabled; The relevant rules are:
 	Egress:
 		security group GroupId:22 allows connection with the following allow rules
 			Outbound index: 0, direction: outbound, target: 0.0.0.0/0, protocol: tcp, dstPorts: 9080-9080
@@ -22,21 +22,32 @@ Path is disabled; The relevant rules are:
 	Ingress:
 		network ACL acl1 allows connection with the following allow rules
 			ruleNumber: 20, action: allow, direction: inbound, cidr: 10.240.32.0/19, protocol: all
-		security group GroupId:15 allows connection with the following allow rules
-			Inbound index: 0, direction: inbound, target: 0.0.0.0/0, protocol: udp, dstPorts: 0-65535
+		security group GroupId:9 allows connection with the following allow rules
+			Inbound index: 0, direction: inbound, target: 10.240.0.0/18, protocol: all
+
+TCP response is enabled; The relevant rules are:
+	Egress:
+		network ACL acl1 allows connection with the following allow rules
+			ruleNumber: 20, action: allow, direction: outbound, cidr: 10.240.32.0/19, protocol: all
+
+	Ingress:
+		network ACL acl1 allows connection with the following allow rules
+			ruleNumber: 20, action: allow, direction: inbound, cidr: 10.240.32.0/19, protocol: all
 
 ------------------------------------------------------------------------------------------------------------------------
 
-Connections from r1[10.240.48.198] to q2[10.240.32.122]: protocol: TCP dst-ports: 9080
+No connectivity from r1[10.240.48.198] to q1[10.240.32.91];
+	connectivity is blocked since traffic patterns allowed at ingress are disjoint from the traffic patterns allowed at egress.
+	allowed egress traffic: protocol: TCP dst-ports: 9080, allowed ingress traffic: protocol: UDP
+
+Egress: security group GroupId:22 allows connection; network ACL acl1 allows connection
+Ingress: network ACL acl1 allows connection; security group GroupId:15 allows connection
 
-Path:
-	r1[10.240.48.198] -> security group GroupId:22 -> network ACL acl1 -> subnet private2 -> 
-	subnet private1 -> network ACL acl1 -> security group GroupId:9 -> q2[10.240.32.122]
 
 
 Details:
 ~~~~~~~~
-Path is enabled; The relevant rules are:
+Path is disabled; The relevant rules are:
 	Egress:
 		security group GroupId:22 allows connection with the following allow rules
 			Outbound index: 0, direction: outbound, target: 0.0.0.0/0, protocol: tcp, dstPorts: 9080-9080
@@ -46,17 +57,8 @@ Path is enabled; The relevant rules are:
 	Ingress:
 		network ACL acl1 allows connection with the following allow rules
 			ruleNumber: 20, action: allow, direction: inbound, cidr: 10.240.32.0/19, protocol: all
-		security group GroupId:9 allows connection with the following allow rules
-			Inbound index: 0, direction: inbound, target: 10.240.0.0/18, protocol: all
-
-TCP response is enabled; The relevant rules are:
-	Egress:
-		network ACL acl1 allows connection with the following allow rules
-			ruleNumber: 20, action: allow, direction: outbound, cidr: 10.240.32.0/19, protocol: all
-
-	Ingress:
-		network ACL acl1 allows connection with the following allow rules
-			ruleNumber: 20, action: allow, direction: inbound, cidr: 10.240.32.0/19, protocol: all
+		security group GroupId:15 allows connection with the following allow rules
+			Inbound index: 0, direction: inbound, target: 0.0.0.0/0, protocol: udp, dstPorts: 0-65535
 
 ------------------------------------------------------------------------------------------------------------------------
 

pkg/awsvpc/examples/out/explain_out/to_external_blocked_only_private_subnet_all_vpcs_explain_detail.txt

@@ -3,7 +3,7 @@ Interpreted source(s): app1[10.240.20.245]
 Interpreted destination(s): 161.26.0.0 (external)
 ====================================================================
 
-No connections from app1[10.240.20.245] to Public Internet 161.26.0.0/32;
+No connectivity from app1[10.240.20.245] to Public Internet 161.26.0.0/32;
 	connection is blocked at egress
 
 External traffic via InternetGateway: internet_gw
@@ -20,7 +20,7 @@ Path is disabled; The relevant rules are:
 		Egress to public internet is blocked since subnet application is private
 		security group GroupId:35 allows connection with the following allow rules
 			Outbound index: 0, direction: outbound, target: 0.0.0.0/0, protocol: all
-		security group GroupId:42 has no relevant allow rules
+		security group GroupId:42 has no relevant rules
 		network ACL NetworkAclId:65 allows connection with the following allow rules
 			ruleNumber: 100, action: allow, direction: outbound, cidr: 0.0.0.0/0, protocol: all
 

pkg/awsvpc/examples/out/explain_out/to_external_private_subnet_all_vpcs_explain_detail.txt

@@ -3,7 +3,7 @@ Interpreted source(s): app1[10.240.20.245]
 Interpreted destination(s): 161.26.0.0 (external)
 ====================================================================
 
-No connections from app1[10.240.20.245] to Public Internet 161.26.0.0/32;
+No connectivity from app1[10.240.20.245] to Public Internet 161.26.0.0/32;
 	connection is blocked at egress
 
 External traffic via InternetGateway: internet_gw
@@ -18,7 +18,7 @@ Details:
 Path is disabled; The relevant rules are:
 	Egress:
 		Egress to public internet is blocked since subnet application is private
-		security group GroupId:42 has no relevant allow rules
+		security group GroupId:42 has no relevant rules
 		network ACL NetworkAclId:65 allows connection with the following allow rules
 			ruleNumber: 100, action: allow, direction: outbound, cidr: 0.0.0.0/0, protocol: all
 

pkg/awsvpc/vpc.go

@@ -88,6 +88,10 @@ func (igw *InternetGateway) StringOfRouterRules(listRulesInFilter []vpcmodel.Rul
 	return "", nil
 }
 
+func (igw *InternetGateway) IsMultipleVPCs() bool {
+	return false
+}
+
 // ////////////////////////////////////
 // todo - these two methods are duplicated from ibm/vpc.go needs to be reunion
 func isNodesPair(src, dst vpcmodel.VPCResourceIntf) (res bool, srcNode, dstNode vpcmodel.Node) {

pkg/commonvpc/vpc.go

@@ -239,11 +239,11 @@ func (psr *privateSubnetRule) String(detail bool) string {
 		return fmt.Sprintf("public subnet %s enables connection", psr.subnet.NameForAnalyzerOut())
 	}
 	// detail
-	prefix := "Egress"
+	prefix := "Egress to"
 	if psr.isIngress {
-		prefix = "Ingress"
+		prefix = "Ingress from"
 	}
-	prefix += " to public internet is"
+	prefix += " public internet is"
 
 	if psr.subnet.IsPrivate() {
 		return fmt.Sprintf("%s blocked since subnet %s is private\n", prefix, psr.subnet.NameForAnalyzerOut())
@@ -353,18 +353,23 @@ func (nl *NaclLayer) AllowedConnectivity(src, dst vpcmodel.Node, isIngress bool)
 
 // RulesInConnectivity list of NACL rules contributing to the connectivity
 func (nl *NaclLayer) RulesInConnectivity(src, dst vpcmodel.Node,
-	conn *connection.Set, isIngress bool) (allowRes []vpcmodel.RulesInTable,
+	connQuery *connection.Set, isIngress bool) (allowRes []vpcmodel.RulesInTable,
 	denyRes []vpcmodel.RulesInTable, err error) {
 	for index, nacl := range nl.NaclList {
-		tableRelevant, allowRules, denyRules, err1 := nacl.rulesFilterInConnectivity(src, dst, conn, isIngress)
+		tableRelevant, allowRules, denyRules, err1 := nacl.rulesFilterInConnectivity(src, dst, connQuery, isIngress)
 		if err1 != nil {
 			return nil, nil, err1
 		}
 		if !tableRelevant {
 			continue
 		}
-		appendToRulesInFilter(&allowRes, &allowRules, index, true)
-		appendToRulesInFilter(&denyRes, &denyRules, index, false)
+		conn, err2 := nacl.AllowedConnectivity(src, dst, isIngress)
+		if err2 != nil {
+			return nil, nil, err2
+		}
+		tableConn, tableHasEffect := getTableConnEffect(connQuery, conn)
+		appendToRulesInFilter(&allowRes, &allowRules, index, tableConn, tableHasEffect, true)
+		appendToRulesInFilter(&denyRes, &denyRules, index, tableConn, tableHasEffect, false)
 	}
 	return allowRes, denyRes, nil
 }
@@ -373,7 +378,8 @@ func (nl *NaclLayer) Name() string {
 	return ""
 }
 
-func appendToRulesInFilter(resRulesInFilter *[]vpcmodel.RulesInTable, rules *[]int, filterIndex int, isAllow bool) {
+func appendToRulesInFilter(resRulesInFilter *[]vpcmodel.RulesInTable, rules *[]int, filterIndex int,
+	tableConn *connection.Set, tableEffect vpcmodel.TableEffect, isAllow bool) {
 	var rType vpcmodel.RulesType
 	switch {
 	case len(*rules) == 0:
@@ -384,9 +390,11 @@ func appendToRulesInFilter(resRulesInFilter *[]vpcmodel.RulesInTable, rules *[]i
 		rType = vpcmodel.OnlyDeny
 	}
 	rulesInNacl := vpcmodel.RulesInTable{
-		TableIndex:  filterIndex,
-		Rules:       *rules,
-		RulesOfType: rType,
+		TableIndex:     filterIndex,
+		Rules:          *rules,
+		RulesOfType:    rType,
+		TableConn:      tableConn,
+		TableHasEffect: tableEffect,
 	}
 	*resRulesInFilter = append(*resRulesInFilter, rulesInNacl)
 }
@@ -571,13 +579,13 @@ func (sgl *SecurityGroupLayer) AllowedConnectivity(src, dst vpcmodel.Node, isIng
 }
 
 // RulesInConnectivity return allow rules between src and dst,
-// or between src and dst of connection conn if conn specified
+// or between src and dst of connection connQuery if connQuery specified
 // denyRules not relevant here - returns nil
 func (sgl *SecurityGroupLayer) RulesInConnectivity(src, dst vpcmodel.Node,
-	conn *connection.Set, isIngress bool) (allowRes []vpcmodel.RulesInTable,
+	connQuery *connection.Set, isIngress bool) (allowRes []vpcmodel.RulesInTable,
 	denyRes []vpcmodel.RulesInTable, err error) {
 	for index, sg := range sgl.SgList {
-		tableRelevant, sgRules, err1 := sg.rulesFilterInConnectivity(src, dst, conn, isIngress)
+		tableRelevant, sgRules, err1 := sg.rulesFilterInConnectivity(src, dst, connQuery, isIngress)
 		if err1 != nil {
 			return nil, nil, err1
 		}
@@ -586,10 +594,14 @@ func (sgl *SecurityGroupLayer) RulesInConnectivity(src, dst vpcmodel.Node,
 			if len(sgRules) == 0 {
 				rType = vpcmodel.NoRules
 			}
+			conn := sg.AllowedConnectivity(src, dst, isIngress)
+			tableConn, tableHasEffect := getTableConnEffect(connQuery, conn)
 			rulesInSg := vpcmodel.RulesInTable{
-				TableIndex:  index,
-				Rules:       sgRules,
-				RulesOfType: rType,
+				TableIndex:     index,
+				Rules:          sgRules,
+				RulesOfType:    rType,
+				TableConn:      tableConn,
+				TableHasEffect: tableHasEffect,
 			}
 			allowRes = append(allowRes, rulesInSg)
 		}
@@ -708,3 +720,20 @@ func (sg *SecurityGroup) getMemberTargetStrAddress(src, dst vpcmodel.Node,
 	// TODO: member is expected to be internal node (validate?) [could use member.(vpcmodel.InternalNodeIntf).Address()]
 	return member.IPBlock(), target.IPBlock(), member.CidrOrAddress()
 }
+
+func getTableConnEffect(connQuery, conn *connection.Set) (*connection.Set, vpcmodel.TableEffect) {
+	switch {
+	case connQuery == nil: // connection not part of query
+		if !conn.IsEmpty() {
+			return conn, vpcmodel.Allow
+		} else {
+			return conn, vpcmodel.Deny
+		}
+	case conn.Intersect(connQuery).IsEmpty():
+		return connection.None(), vpcmodel.Deny
+	case connQuery.ContainedIn(conn):
+		return connQuery, vpcmodel.Allow
+	default:
+		return conn.Intersect(connQuery), vpcmodel.PartlyAllow
+	}
+}