290 explainability external ip (#295)

grouping of external addresses
np-guard · Dec 31, 2023 · 294f54e · 294f54e
1 parent 72cbfa3
commit 294f54e
Show file tree

Hide file tree

Showing 2 changed files with 307 additions and 71 deletions.
diff --git a/pkg/ibmvpc/explainability_test.go b/pkg/ibmvpc/explainability_test.go
@@ -13,7 +13,7 @@ import (
 )
 
 // todo: quick and dirty tmp until added to the cli, by which these will be added as end-to-end tests
-func TestExplainability1(t *testing.T) {
+func TestVsiToVsi(t *testing.T) {
 	vpcConfig := getConfig(t, "input_sg_testing1_new.json")
 	if vpcConfig == nil {
 		require.Fail(t, "vpcConfig equals nil")
@@ -28,8 +28,8 @@ func TestExplainability1(t *testing.T) {
 		"SecurityGroupLayer Rules\n------------------------\nenabling rules from sg2-ky:"+
 		"\n\tindex: 5, direction: outbound, protocol: all, cidr: 10.240.30.0/24"+
 		"\n\tindex: 6, direction: outbound,  conns: protocol: tcp,  dstPorts: 1-65535, cidr: 10.240.20.4/32,10.240.30.4/32"+
-		"\n\nIngress Rules:\n~~~~~~~~~~~~~~\nSecurityGroupLayer Rules\n------------------------\nenabling rules from sg2-ky:"+
-		"\n\tindex: 7, direction: inbound,  conns: protocol: tcp,  dstPorts: 1-65535, cidr: 10.240.20.4/32,10.240.30.4/32\n\n", explanbilityStr1)
+		"\nIngress Rules:\n~~~~~~~~~~~~~~\nSecurityGroupLayer Rules\n------------------------\nenabling rules from sg2-ky:"+
+		"\n\tindex: 7, direction: inbound,  conns: protocol: tcp,  dstPorts: 1-65535, cidr: 10.240.20.4/32,10.240.30.4/32\n", explanbilityStr1)
 	explanbilityStr2, err2 := vpcConfig.ExplainConnectivity("vsi2-ky[10.240.20.4]", "vsi1-ky[10.240.10.4]")
 	if err2 != nil {
 		require.Fail(t, err2.Error())
@@ -38,9 +38,9 @@ func TestExplainability1(t *testing.T) {
 	require.Equal(t, "The following connection exists between vsi2-ky[10.240.20.4] and vsi1-ky[10.240.10.4]: "+
 		"All Connections; its enabled by\nEgress Rules:\n~~~~~~~~~~~~~\n"+
 		"SecurityGroupLayer Rules\n------------------------\nenabling rules from sg2-ky:"+
-		"\n\tindex: 1, direction: outbound, protocol: all, cidr: 10.240.10.0/24\n\nIngress Rules:"+
+		"\n\tindex: 1, direction: outbound, protocol: all, cidr: 10.240.10.0/24\nIngress Rules:"+
 		"\n~~~~~~~~~~~~~~\nSecurityGroupLayer Rules\n------------------------\nenabling rules from sg1-ky:\n\t"+
-		"index: 3, direction: inbound, protocol: all, cidr: 10.240.20.4/32,10.240.30.4/32\n\n", explanbilityStr2)
+		"index: 3, direction: inbound, protocol: all, cidr: 10.240.20.4/32,10.240.30.4/32\n", explanbilityStr2)
 	explanbilityStr3, err3 := vpcConfig.ExplainConnectivity("vsi3a-ky[10.240.30.5]", "vsi1-ky[10.240.10.4]")
 	if err3 != nil {
 		require.Fail(t, err3.Error())
@@ -49,24 +49,24 @@ func TestExplainability1(t *testing.T) {
 	require.Equal(t, "The following connection exists between vsi3a-ky[10.240.30.5] and vsi1-ky[10.240.10.4]: "+
 		"All Connections; its enabled by\n"+
 		"Egress Rules:\n~~~~~~~~~~~~~\nSecurityGroupLayer Rules\n------------------------\nenabling rules from sg3-ky:\n"+
-		"\tindex: 0, direction: outbound, protocol: all, cidr: 0.0.0.0/0\n\nIngress Rules:\n~~~~~~~~~~~~~~\nSecurityGroupLayer Rules"+
+		"\tindex: 0, direction: outbound, protocol: all, cidr: 0.0.0.0/0\nIngress Rules:\n~~~~~~~~~~~~~~\nSecurityGroupLayer Rules"+
 		"\n------------------------\nenabling rules from sg1-ky:\n"+
-		"\tindex: 4, direction: inbound, protocol: all, cidr: 10.240.30.5/32,10.240.30.6/32\n\n", explanbilityStr3)
+		"\tindex: 4, direction: inbound, protocol: all, cidr: 10.240.30.5/32,10.240.30.6/32\n", explanbilityStr3)
 	explanbilityStr4, err4 := vpcConfig.ExplainConnectivity("vsi1-ky[10.240.10.4]", "vsi2-ky[10.240.20.4]")
 	if err4 != nil {
 		require.Fail(t, err4.Error())
 	}
 	fmt.Println(explanbilityStr4)
 	require.Equal(t, "No connection between vsi1-ky[10.240.10.4] and vsi2-ky[10.240.20.4]; "+
-		"connection blocked by egress\nIngress Rules:\n~~~~~~~~~~~~~\nSecurityGroupLayer Rules\n------------------------\n"+
+		"connection blocked by egress\nIngress Rules:\n~~~~~~~~~~~~~~\nSecurityGroupLayer Rules\n------------------------\n"+
 		"enabling rules from sg2-ky:\n\tindex: 4, direction: inbound, protocol: all, cidr: 10.240.10.4/32\n", explanbilityStr4)
 	explanbilityStr5, err5 := vpcConfig.ExplainConnectivity("vsi3a-ky[10.240.30.5]", "vsi2-ky[10.240.20.4]")
 	if err5 != nil {
 		require.Fail(t, err5.Error())
 	}
 	fmt.Println(explanbilityStr5)
 	require.Equal(t, "No connection between vsi3a-ky[10.240.30.5] and vsi2-ky[10.240.20.4]; connection blocked by ingress\n"+
-		"Egress Rules:\n~~~~~~~~~~~~~~\nSecurityGroupLayer Rules\n------------------------\nenabling rules from sg3-ky:"+
+		"Egress Rules:\n~~~~~~~~~~~~~\nSecurityGroupLayer Rules\n------------------------\nenabling rules from sg3-ky:"+
 		"\n\tindex: 0, direction: outbound, protocol: all, cidr: 0.0.0.0/0\n", explanbilityStr5)
 	fmt.Println("done")
 }
@@ -76,7 +76,7 @@ func TestExplainability1(t *testing.T) {
 // sg3-ky: vsi3a-ky
 // sg1-ky, sg3-ky: default
 // sg2-ky: allow all
-func TestExplainability2(t *testing.T) {
+func TestSGDefaultRules(t *testing.T) {
 	vpcConfig := getConfig(t, "input_sg_testing_default.json")
 	if vpcConfig == nil {
 		require.Fail(t, "vpcConfig equals nil")
@@ -88,7 +88,7 @@ func TestExplainability2(t *testing.T) {
 	}
 	fmt.Println(explanbilityStr1)
 	require.Equal(t, "No connection between vsi1-ky[10.240.10.4] and vsi3a-ky[10.240.30.5]; "+
-		"connection blocked by ingress\nEgress Rules:\n~~~~~~~~~~~~~~\nSecurityGroupLayer Rules\n"+
+		"connection blocked by ingress\nEgress Rules:\n~~~~~~~~~~~~~\nSecurityGroupLayer Rules\n"+
 		"------------------------\nrules in sg1-ky are the default, namely this is the enabling egress rule:\n"+
 		"\tindex: 0, direction: outbound, protocol: all, cidr: 0.0.0.0/0\n", explanbilityStr1)
 	// connection, egress (sg3-ky) is default
@@ -100,12 +100,67 @@ func TestExplainability2(t *testing.T) {
 	require.Equal(t, "The following connection exists between vsi3a-ky[10.240.30.5] and vsi2-ky[10.240.20.4]: All Connections; "+
 		"its enabled by\nEgress Rules:\n~~~~~~~~~~~~~\nSecurityGroupLayer Rules\n------------------------\n"+
 		"rules in sg3-ky are the default, namely this is the enabling egress rule:\n"+
-		"\tindex: 0, direction: outbound, protocol: all, cidr: 0.0.0.0/0\n\n"+
+		"\tindex: 0, direction: outbound, protocol: all, cidr: 0.0.0.0/0\n"+
 		"Ingress Rules:\n~~~~~~~~~~~~~~\nSecurityGroupLayer Rules\n------------------------\n"+
-		"enabling rules from sg2-ky:\n\tindex: 1, direction: inbound, protocol: all, cidr: 0.0.0.0/0\n\n", explanbilityStr2)
+		"enabling rules from sg2-ky:\n\tindex: 1, direction: inbound, protocol: all, cidr: 0.0.0.0/0\n", explanbilityStr2)
 	fmt.Println("done")
 }
 
+func TestInputValidity(t *testing.T) {
+	vpcConfig := getConfig(t, "input_sg_testing1_new.json")
+	if vpcConfig == nil {
+		require.Fail(t, "vpcConfig equals nil")
+	}
+	cidr1 := "0.0.0.0/0"
+	cidr2 := "161.26.0.0/16"
+	nonExistingVSI := "vsi2-ky[10.240.10.4]"
+	_, err1 := vpcConfig.ExplainConnectivity(cidr1, cidr2)
+	fmt.Println(err1.Error())
+	if err1 == nil {
+		require.Fail(t, err1.Error())
+	}
+	_, err2 := vpcConfig.ExplainConnectivity(cidr1, nonExistingVSI)
+	fmt.Println(err2.Error())
+	if err2 == nil {
+		require.Fail(t, err1.Error())
+	}
+}
+
+func TestSimpleExternal(t *testing.T) {
+	vpcConfig := getConfig(t, "input_sg_testing1_new.json")
+	if vpcConfig == nil {
+		require.Fail(t, "vpcConfig equals nil")
+	}
+	vsi1 := "vsi1-ky[10.240.10.4]"
+	cidr1 := "161.26.0.0/16"
+	cidr2 := "161.26.0.0/32"
+	explanbilityStr1, err1 := vpcConfig.ExplainConnectivity(vsi1, cidr1)
+	if err1 != nil {
+		require.Fail(t, err1.Error())
+	}
+	require.Equal(t, "The following connection exists between vsi1-ky[10.240.10.4] and Public Internet [161.26.0.0/16]: "+
+		"protocol: UDP; its enabled by\n"+
+		"Egress Rules:\n~~~~~~~~~~~~~\nSecurityGroupLayer Rules\n------------------------\nenabling rules from sg1-ky:\n\t"+
+		"index: 2, direction: outbound,  conns: protocol: udp,  dstPorts: 1-65535, cidr: 161.26.0.0/16\n", explanbilityStr1)
+	fmt.Println(explanbilityStr1)
+	explanbilityStr2, err2 := vpcConfig.ExplainConnectivity(cidr1, vsi1)
+	if err2 != nil {
+		require.Fail(t, err2.Error())
+	}
+	fmt.Println(explanbilityStr2)
+	require.Equal(t, "No connection between Public Internet [161.26.0.0/16] and vsi1-ky[10.240.10.4]; "+
+		"connection blocked by ingress\n", explanbilityStr2)
+	explanbilityStr3, err3 := vpcConfig.ExplainConnectivity(vsi1, cidr2)
+	if err3 != nil {
+		require.Fail(t, err3.Error())
+	}
+	require.Equal(t, "The following connection exists between vsi1-ky[10.240.10.4] and Public Internet [161.26.0.0/32]: "+
+		"protocol: UDP; its enabled by\n"+
+		"Egress Rules:\n~~~~~~~~~~~~~\nSecurityGroupLayer Rules\n------------------------\nenabling rules from sg1-ky:\n\t"+
+		"index: 2, direction: outbound,  conns: protocol: udp,  dstPorts: 1-65535, cidr: 161.26.0.0/16\n", explanbilityStr3)
+	fmt.Println(explanbilityStr3)
+}
+
 // getConfigs returns  map[string]*vpcmodel.VPCConfig obj for the input test (config json file)
 func getConfig(t *testing.T, inputConfig string) *vpcmodel.VPCConfig {
 	inputConfigFile := filepath.Join(getTestsDir(), inputConfig)