
package reorg: remove pkg connection, rename ConnectionSet to Endpoint…
…sTrafficSet

Signed-off-by: adisos <[email protected]>
adisos committed Oct 2, 2024
1 parent 12ba6cf commit aa7e9fa
Showing 7 changed files with 161 additions and 203 deletions.
71 changes: 0 additions & 71 deletions pkg/connection/connection.go

This file was deleted.

101 changes: 0 additions & 101 deletions pkg/netset/connectionset.go

This file was deleted.

8 changes: 4 additions & 4 deletions pkg/netset/netset.go
Expand Up @@ -4,11 +4,11 @@ Copyright 2023- IBM Inc. All Rights Reserved.
SPDX-License-Identifier: Apache-2.0
*/

// package netset implements types for network connection sets objects and operations.
// Package netset implements types for network connection sets objects and operations.
// Types defined in this package:
// IPBlock - captures a set of IP ranges
// TCPUDPSet - captures sets of protocols (within TCP,UDP only) and ports (source and destination)
// ICMPSet - captures sets of types,codes for ICMP protocol
// TransportSet - captures connection-sets for protocols from {TCP, UDP, ICMP}
// ConnectionSet - captures a set of connections for tuples of (src IP range, dst IP range, TransportSet)
// ICMPSet - captures sets of type,code values for ICMP protocol
// TransportSet - captures union of elements from TCPUDPSet, ICMPSet
// EndpointsTrafficSet - captures a set of traffic attribute for tuples of (source IP range, desination IP range, TransportSet)
package netset
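Review bot: The new EndpointsTrafficSet line of the package comment misspells destination (`desination`) and uses a singular noun where a plural is meant; `// EndpointsTrafficSet - captures a set of traffic attributes for tuples of (source IP range, destination IP range, TransportSet)`. The rewritten TransportSet line, "captures union of elements from TCPUDPSet, ICMPSet", reads as an operation rather than a description of the type; "a set whose elements come from TCPUDPSet and ICMPSet" would match the style of the neighbouring entries.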
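--- /dev/null
+++ b/pkg/netset/trafficset.go
@@ -0,0 +1,101 @@
+/*
+Copyright 2023- IBM Inc. All Rights Reserved.
+SPDX-License-Identifier: Apache-2.0
+*/
+
+package netset
+
+import (
+"fmt"
+"sort"
+"strings"
+
+"github.com/np-guard/models/pkg/ds"
+)
+
+// EndpointsTrafficSet captures a set of traffic attributes for tuples of (source IP range, desination IP range, TransportSet),
+// where TransportSet is a set of TCP/UPD/ICMP with their properties (src,dst ports / icmp type,code)
+type EndpointsTrafficSet struct {
+props ds.TripleSet[*IPBlock, *IPBlock, *TransportSet]
+}
+
+// NewEndpointsTrafficSet returns an empty EndpointsTrafficSet
+func NewEndpointsTrafficSet() *EndpointsTrafficSet {
+return &EndpointsTrafficSet{props: ds.NewLeftTripleSet[*IPBlock, *IPBlock, *TransportSet]()}
+}
+
+// Equal returns true is this EndpointsTrafficSet captures the exact same set of connections as `other` does.
+func (c *EndpointsTrafficSet) Equal(other *EndpointsTrafficSet) bool {
+return c.props.Equal(other.props)
+}
+
+// Copy returns new EndpointsTrafficSet object with same set of connections as current one
+func (c *EndpointsTrafficSet) Copy() *EndpointsTrafficSet {
+return &EndpointsTrafficSet{
+props: c.props.Copy(),
+}
+}
+
+// Intersect returns a EndpointsTrafficSet object with connection tuples that result from intersection of
+// this and `other` sets
+func (c *EndpointsTrafficSet) Intersect(other *EndpointsTrafficSet) *EndpointsTrafficSet {
+return &EndpointsTrafficSet{props: c.props.Intersect(other.props)}
+}
+
+// IsEmpty returns true of the EndpointsTrafficSet is empty
+func (c *EndpointsTrafficSet) IsEmpty() bool {
+return c.props.IsEmpty()
+}
+
+// Union returns a EndpointsTrafficSet object with connection tuples that result from union of
+// this and `other` sets
+func (c *EndpointsTrafficSet) Union(other *EndpointsTrafficSet) *EndpointsTrafficSet {
+if other.IsEmpty() {
+return c.Copy()
+}
+if c.IsEmpty() {
+return other.Copy()
+}
+return &EndpointsTrafficSet{
+props: c.props.Union(other.props),
+}
+}
+
+// Subtract returns a EndpointsTrafficSet object with connection tuples that result from subtraction of
+// `other` from this set
+func (c *EndpointsTrafficSet) Subtract(other *EndpointsTrafficSet) *EndpointsTrafficSet {
+if other.IsEmpty() {
+return c.Copy()
+}
+return &EndpointsTrafficSet{props: c.props.Subtract(other.props)}
+}
+
+// IsSubset returns true if c is subset of other
+func (c *EndpointsTrafficSet) IsSubset(other *EndpointsTrafficSet) bool {
+return c.props.IsSubset(other.props)
+}
+
+// EndpointsTrafficSetFrom returns a new EndpointsTrafficSet object from input src, dst IP-ranges sets ands
+// TransportSet connections
+func EndpointsTrafficSetFrom(src, dst *IPBlock, conn *TransportSet) *EndpointsTrafficSet {
+return &EndpointsTrafficSet{props: ds.CartesianLeftTriple(src, dst, conn)}
+}
+
+func (c *EndpointsTrafficSet) Partitions() []ds.Triple[*IPBlock, *IPBlock, *TransportSet] {
+return c.props.Partitions()
+}
+
+func cubeStr(c ds.Triple[*IPBlock, *IPBlock, *TransportSet]) string {
+return fmt.Sprintf("src: %s, dst: %s, conns: %s", c.S1.String(), c.S2.String(), c.S3.String())
+}
+
+func (c *EndpointsTrafficSet) String() string {
+cubes := c.Partitions()
+var resStrings = make([]string, len(cubes))
+for i, cube := range cubes {
+resStrings[i] = cubeStr(cube)
+}
+sort.Strings(resStrings)
+return strings.Join(resStrings, comma)
+}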
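Review bot: Partitions and String are the only exported names in the new file without a doc comment, so the linters the repo already satisfies elsewhere in this file will flag them; add `// Partitions returns the (src IPBlock, dst IPBlock, TransportSet) triples reported by the underlying TripleSet.` above Partitions and `// String returns the partitions rendered by cubeStr, sorted and joined with comma.` above String. Equal, Intersect, Union, Subtract and IsSubset all dereference `other` with no guard, so a nil argument panics inside the ds call (or inside `other.IsEmpty()`); either state that precondition in each doc comment or return early on nil, since callers of a set library will reasonably pass an uninitialised pointer. The doc comments also carry several typos worth fixing in the same pass: `desination` and `UPD` in the type comment, `returns true is` on Equal, `returns true of` on IsEmpty, and `ands` on EndpointsTrafficSetFrom.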
35 changes: 17 additions & 18 deletions pkg/netset/connectionset_test.go → pkg/netset/trafficset_test.go
Expand Up @@ -13,7 +13,6 @@ import (

"github.com/stretchr/testify/require"

"github.com/np-guard/models/pkg/connection"
"github.com/np-guard/models/pkg/netp"
"github.com/np-guard/models/pkg/netset"
)
Expand All @@ -30,17 +29,17 @@ func TestConnectionSetBasicOperations(t *testing.T) {
rightHalfCidr1, _ := netset.IPBlockFromCidr("10.240.10.128/25")

// relevant connection set objects
conn1 := netset.ConnectionSetFrom(cidr1, cidr2, connection.NewTCPSet()) // conns from cidr1 to cidr2 over all TCP
conn2 := netset.ConnectionSetFrom(cidr1, cidr1MinusCidr2, connection.NewTCPSet()) // conns from cidr1 to cidr1MinusCidr2 over all TCP
conn3 := netset.ConnectionSetFrom(cidr1, cidr1, connection.NewTCPSet()) // conns from cidr1 to cidr1 over all TCP
conn1 := netset.EndpointsTrafficSetFrom(cidr1, cidr2, netset.AllTCPSetTransport()) // conns from cidr1 to cidr2 over all TCP
conn2 := netset.EndpointsTrafficSetFrom(cidr1, cidr1MinusCidr2, netset.AllTCPSetTransport()) // conns from cidr1 to cidr1MinusCidr2 over all TCP
conn3 := netset.EndpointsTrafficSetFrom(cidr1, cidr1, netset.AllTCPSetTransport()) // conns from cidr1 to cidr1 over all TCP

// basic union & Equal test
unionConn := conn1.Union(conn2)
require.True(t, unionConn.Equal(conn3)) // union of dest dimension (src and conn dimensions are common)
require.True(t, conn3.Equal(unionConn))

// basic subtract & Equal test
conn4 := netset.ConnectionSetFrom(cidr1, cidr1MinusCidr2, connection.All())
conn4 := netset.EndpointsTrafficSetFrom(cidr1, cidr1MinusCidr2, netset.AllTransportSet())
subtractionRes := conn3.Subtract(conn4) // removes all connections over (src1, dst2) from conn3
require.True(t, subtractionRes.Equal(conn1))
require.True(t, conn1.Equal(subtractionRes))
Expand All @@ -53,38 +52,38 @@ func TestConnectionSetBasicOperations(t *testing.T) {

// basic IsEmpty test
require.False(t, conn1.IsEmpty())
require.True(t, netset.NewConnectionSet().IsEmpty())
require.True(t, netset.NewEndpointsTrafficSet().IsEmpty())

// demonstrate split in allowed connections for dest dimension, to be reflected in partitions
conn5 := netset.ConnectionSetFrom(cidr1, subsetOfCidr1MinusCidr2, connection.AllICMP())
conn5 := netset.EndpointsTrafficSetFrom(cidr1, subsetOfCidr1MinusCidr2, netset.AllICMPTransport())
conn5UnionConn2 := conn5.Union(conn2) // for certain dest- icmp+tcp, and for remaining dest- only tcp [common src for both]
require.Equal(t, 2, len(conn5UnionConn2.Partitions()))

// other operations on other objects, to get equiv object of conn5UnionConn2:
tcpAndICMP := connection.NewTCPSet().Union(connection.AllICMP())
conn6 := netset.ConnectionSetFrom(cidr1, cidr1MinusCidr2, tcpAndICMP)
tcpAndICMP := netset.AllTCPSetTransport().Union(netset.AllICMPTransport())
conn6 := netset.EndpointsTrafficSetFrom(cidr1, cidr1MinusCidr2, tcpAndICMP)
deltaCidrs := cidr1MinusCidr2.Subtract(subsetOfCidr1MinusCidr2)
conn7 := netset.ConnectionSetFrom(cidr1, deltaCidrs, connection.AllICMP())
conn7 := netset.EndpointsTrafficSetFrom(cidr1, deltaCidrs, netset.AllICMPTransport())
conn8 := conn6.Subtract(conn7)
require.True(t, conn8.Equal(conn5UnionConn2))

// add udp to tcpAndICMP => check it is All()
conn9 := netset.ConnectionSetFrom(cidr1, cidr1MinusCidr2, connection.NewUDPSet())
conn10 := netset.ConnectionSetFrom(cidr1, cidr1MinusCidr2, connection.All())
conn9 := netset.EndpointsTrafficSetFrom(cidr1, cidr1MinusCidr2, netset.AllUDPSetTransport())
conn10 := netset.EndpointsTrafficSetFrom(cidr1, cidr1MinusCidr2, netset.AllTransportSet())
conn9UnionConn6 := conn9.Union(conn6)
require.True(t, conn10.Equal(conn9UnionConn6))

// demonstrate split in allowed connections for src dimensions, to be reflected in partitions
// starting from conn8
udp53 := connection.NewUDP(netp.MinPort, netp.MaxPort, 53, 53)
conn11 := netset.ConnectionSetFrom(leftHalfCidr1, subsetOfCidr1MinusCidr2, udp53)
udp53 := netset.NewUDPTransport(netp.MinPort, netp.MaxPort, 53, 53)
conn11 := netset.EndpointsTrafficSetFrom(leftHalfCidr1, subsetOfCidr1MinusCidr2, udp53)
conn12 := conn11.Union(conn8)

// another way to produce obj equiv to conn12 :
conn13 := netset.ConnectionSetFrom(leftHalfCidr1, subsetOfCidr1MinusCidr2, tcpAndICMP.Union(udp53))
conn14 := netset.ConnectionSetFrom(leftHalfCidr1, cidr1MinusCidr2, connection.NewTCPSet())
conn15 := netset.ConnectionSetFrom(rightHalfCidr1, subsetOfCidr1MinusCidr2, tcpAndICMP)
conn16 := netset.ConnectionSetFrom(rightHalfCidr1, cidr1MinusCidr2, connection.NewTCPSet())
conn13 := netset.EndpointsTrafficSetFrom(leftHalfCidr1, subsetOfCidr1MinusCidr2, tcpAndICMP.Union(udp53))
conn14 := netset.EndpointsTrafficSetFrom(leftHalfCidr1, cidr1MinusCidr2, netset.AllTCPSetTransport())
conn15 := netset.EndpointsTrafficSetFrom(rightHalfCidr1, subsetOfCidr1MinusCidr2, tcpAndICMP)
conn16 := netset.EndpointsTrafficSetFrom(rightHalfCidr1, cidr1MinusCidr2, netset.AllTCPSetTransport())
conn17 := (conn13.Union(conn14)).Union(conn15.Union(conn16))
require.True(t, conn12.Equal(conn17))
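Review bot: TestConnectionSetBasicOperations keeps the old type name even though every ConnectionSet reference inside it is renamed by this commit; `func TestEndpointsTrafficSetBasicOperations(t *testing.T) {` would keep the test in step with the file's rename to trafficset_test.go. The function's signature is only visible in the hunk headers, outside the hunk bodies, and the function continues past the end of this section. Separately, `require.Equal(t, 2, len(conn5UnionConn2.Partitions()))` reads better and fails more informatively as `require.Len(t, conn5UnionConn2.Partitions(), 2)`.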

