Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

767 sg nacl fields print order #856

Merged
merged 21 commits into from
Sep 9, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 7 additions & 7 deletions cmd/analyzer/expected_out/acl_testing3_detailed_explain.txt
Original file line number Diff line number Diff line change
Expand Up @@ -15,25 +15,25 @@ Details:
Path is enabled; The relevant rules are:
Egress:
security group sg1-ky allows connection with the following allow rules
direction: outbound, id: id:152, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all
id: id:152, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all
network ACL acl1-ky allows connection with the following allow and deny rules
direction: outbound, name: acl1-out-1, priority: 1, action: deny, source: 10.240.10.0/24 , destination: 10.240.20.0/24, conn: protocol: icmp
direction: outbound, name: acl1-out-3, priority: 3, action: allow, source: 10.240.10.0/24 , destination: 10.240.20.0/24, conn: all
name: acl1-out-1, priority: 1, action: deny, direction: outbound, source: 10.240.10.0/24, destination: 10.240.20.0/24, protocol: icmp
name: acl1-out-3, priority: 3, action: allow, direction: outbound, source: 10.240.10.0/24, destination: 10.240.20.0/24, protocol: all

Ingress:
network ACL acl2-ky allows connection with the following allow rules
direction: inbound, name: acl2-in-4, priority: 4, action: allow, source: 10.240.10.0/24 , destination: 10.240.20.0/24, conn: all
name: acl2-in-4, priority: 4, action: allow, direction: inbound, source: 10.240.10.0/24, destination: 10.240.20.0/24, protocol: all
security group sg1-ky allows connection with the following allow rules
direction: inbound, id: id:154, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all
id: id:154, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all

TCP response is enabled; The relevant rules are:
Egress:
network ACL acl2-ky allows connection with the following allow rules
direction: outbound, name: acl2-out-3, priority: 3, action: allow, source: 10.240.20.0/24 , destination: 10.240.10.0/24, conn: all
name: acl2-out-3, priority: 3, action: allow, direction: outbound, source: 10.240.20.0/24, destination: 10.240.10.0/24, protocol: all

Ingress:
network ACL acl1-ky allows connection with the following allow rules
direction: inbound, name: acl1-in-2, priority: 2, action: allow, source: 10.240.20.0/24 , destination: 10.240.10.0/24, conn: all
name: acl1-in-2, priority: 2, action: allow, direction: inbound, source: 10.240.20.0/24, destination: 10.240.10.0/24, protocol: all

------------------------------------------------------------------------------------------------------------------------

Original file line number Diff line number Diff line change
Expand Up @@ -17,18 +17,18 @@ Details:
Path is enabled; The relevant rules are:
Ingress:
network ACL acl1 allows connection with the following allow and deny rules
ruleNumber: 10, direction: inbound ,cidr: 147.235.0.0/16, action: allow, conn: protocol: tcp, dstPorts: 9080-9080
ruleNumber: 32767, direction: inbound ,cidr: 0.0.0.0/0, action: deny, conn: all
ruleNumber: 10, action: allow, direction: inbound, cidr: 147.235.0.0/16, protocol: tcp, dstPorts: 9080-9080
ruleNumber: 32767, action: deny, direction: inbound, cidr: 0.0.0.0/0, protocol: all
security group GroupId:35 allows connection with the following allow rules
Inbound index: 0, direction: inbound, target: 147.0.0.0/8, conns: protocol: tcp, dstPorts: 0-65535
Inbound index: 0, direction: inbound, target: 147.0.0.0/8, protocol: tcp, dstPorts: 0-65535
security group GroupId:9 has no relevant allow rules
Ingress to public internet is allowed since subnet public is public

TCP response is partly enabled; The relevant rules are:
Egress:
network ACL acl1 allows connection with the following allow and deny rules
ruleNumber: 10, direction: outbound ,cidr: 147.235.0.0/16, action: allow, conn: protocol: tcp, dstPorts: 1025-5000
ruleNumber: 32767, direction: outbound ,cidr: 0.0.0.0/0, action: deny, conn: all
ruleNumber: 10, action: allow, direction: outbound, cidr: 147.235.0.0/16, protocol: tcp, dstPorts: 1025-5000
ruleNumber: 32767, action: deny, direction: outbound, cidr: 0.0.0.0/0, protocol: all

------------------------------------------------------------------------------------------------------------------------

Original file line number Diff line number Diff line change
Expand Up @@ -15,24 +15,24 @@ Details:
Path is enabled; The relevant rules are:
Egress:
security group GroupId:50 allows connection with the following allow rules
Outbound index: 0, direction: outbound, target: 0.0.0.0/0, conns: protocol: all
Outbound index: 0, direction: outbound, target: 0.0.0.0/0, protocol: all
network ACL NetworkAclId:65 allows connection with the following allow rules
ruleNumber: 100, direction: outbound ,cidr: 0.0.0.0/0, action: allow, conn: all
ruleNumber: 100, action: allow, direction: outbound, cidr: 0.0.0.0/0, protocol: all

Ingress:
network ACL NetworkAclId:65 allows connection with the following allow rules
ruleNumber: 100, direction: inbound ,cidr: 0.0.0.0/0, action: allow, conn: all
ruleNumber: 100, action: allow, direction: inbound, cidr: 0.0.0.0/0, protocol: all
security group GroupId:42 allows connection with the following allow rules
Inbound index: 0, direction: inbound, target: 10.240.40.0/24, conns: protocol: all
Inbound index: 0, direction: inbound, target: 10.240.40.0/24, protocol: all

TCP response is enabled; The relevant rules are:
Egress:
network ACL NetworkAclId:65 allows connection with the following allow rules
ruleNumber: 100, direction: outbound ,cidr: 0.0.0.0/0, action: allow, conn: all
ruleNumber: 100, action: allow, direction: outbound, cidr: 0.0.0.0/0, protocol: all

Ingress:
network ACL NetworkAclId:65 allows connection with the following allow rules
ruleNumber: 100, direction: inbound ,cidr: 0.0.0.0/0, action: allow, conn: all
ruleNumber: 100, action: allow, direction: inbound, cidr: 0.0.0.0/0, protocol: all

------------------------------------------------------------------------------------------------------------------------

Original file line number Diff line number Diff line change
Expand Up @@ -19,15 +19,15 @@ Details:
Path is disabled; The relevant rules are:
Egress:
security group GroupId:9 allows connection with the following allow rules
Outbound index: 0, direction: outbound, target: 10.240.0.0/18, conns: protocol: all
Outbound index: 0, direction: outbound, target: 10.240.0.0/18, protocol: all
network ACL acl1 allows connection with the following allow rules
ruleNumber: 20, direction: outbound ,cidr: 10.240.32.0/19, action: allow, conn: all
ruleNumber: 20, action: allow, direction: outbound, cidr: 10.240.32.0/19, protocol: all

Ingress:
network ACL acl1 blocks connection with the following deny rules:
ruleNumber: 32767, direction: inbound ,cidr: 0.0.0.0/0, action: deny, conn: all
ruleNumber: 32767, action: deny, direction: inbound, cidr: 0.0.0.0/0, protocol: all
security group GroupId:9 allows connection with the following allow rules
Inbound index: 0, direction: inbound, target: 10.240.0.0/18, conns: protocol: all
Inbound index: 0, direction: inbound, target: 10.240.0.0/18, protocol: all

------------------------------------------------------------------------------------------------------------------------

Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,7 @@ Path is disabled; The relevant rules are:
Egress:
security group GroupId:35 has no relevant allow rules
security group GroupId:9 allows connection with the following allow rules
Outbound index: 0, direction: outbound, target: 10.240.0.0/18, conns: protocol: all
Outbound index: 0, direction: outbound, target: 10.240.0.0/18, protocol: all

Ingress:
security group GroupId:35 has no relevant allow rules
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -15,11 +15,11 @@ Details:
Path is enabled; The relevant rules are:
Egress:
security group GroupId:9 allows connection with the following allow rules
Outbound index: 0, direction: outbound, target: 10.240.0.0/18, conns: protocol: all
Outbound index: 0, direction: outbound, target: 10.240.0.0/18, protocol: all

Ingress:
security group GroupId:15 allows connection with the following allow rules
Inbound index: 0, direction: inbound, target: 0.0.0.0/0, conns: protocol: udp, dstPorts: 0-65535
Inbound index: 0, direction: inbound, target: 0.0.0.0/0, protocol: udp, dstPorts: 0-65535

------------------------------------------------------------------------------------------------------------------------

Original file line number Diff line number Diff line change
Expand Up @@ -19,10 +19,10 @@ Path is disabled; The relevant rules are:
Egress:
Egress to public internet is blocked since subnet application is private
security group GroupId:35 allows connection with the following allow rules
Outbound index: 0, direction: outbound, target: 0.0.0.0/0, conns: protocol: all
Outbound index: 0, direction: outbound, target: 0.0.0.0/0, protocol: all
security group GroupId:42 has no relevant allow rules
network ACL NetworkAclId:65 allows connection with the following allow rules
ruleNumber: 100, direction: outbound ,cidr: 0.0.0.0/0, action: allow, conn: all
ruleNumber: 100, action: allow, direction: outbound, cidr: 0.0.0.0/0, protocol: all

------------------------------------------------------------------------------------------------------------------------

Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,7 @@ Path is disabled; The relevant rules are:
Egress to public internet is blocked since subnet application is private
security group GroupId:42 has no relevant allow rules
network ACL NetworkAclId:65 allows connection with the following allow rules
ruleNumber: 100, direction: outbound ,cidr: 0.0.0.0/0, action: allow, conn: all
ruleNumber: 100, action: allow, direction: outbound, cidr: 0.0.0.0/0, protocol: all

------------------------------------------------------------------------------------------------------------------------

Original file line number Diff line number Diff line change
Expand Up @@ -17,14 +17,14 @@ Path is enabled; The relevant rules are:
Egress:
Egress to public internet is allowed since subnet edge is public
security group GroupId:35 allows connection with the following allow rules
Outbound index: 0, direction: outbound, target: 0.0.0.0/0, conns: protocol: all
Outbound index: 0, direction: outbound, target: 0.0.0.0/0, protocol: all
network ACL NetworkAclId:65 allows connection with the following allow rules
ruleNumber: 100, direction: outbound ,cidr: 0.0.0.0/0, action: allow, conn: all
ruleNumber: 100, action: allow, direction: outbound, cidr: 0.0.0.0/0, protocol: all

TCP response is enabled; The relevant rules are:
Ingress:
network ACL NetworkAclId:65 allows connection with the following allow rules
ruleNumber: 100, direction: inbound ,cidr: 0.0.0.0/0, action: allow, conn: all
ruleNumber: 100, action: allow, direction: inbound, cidr: 0.0.0.0/0, protocol: all

------------------------------------------------------------------------------------------------------------------------

16 changes: 11 additions & 5 deletions pkg/awsvpc/nacl_analysis.go
Original file line number Diff line number Diff line change
Expand Up @@ -59,10 +59,10 @@ func (na *AWSNACLAnalyzer) GetNACLRule(index int) (ruleStr string, ruleRes *comm
ruleObj := na.prioritiesEntries[index]
protocol := convertProtocol(*ruleObj.Protocol)
ruleNumber := *ruleObj.RuleNumber
portsStr := ""
switch protocol {
case allProtocols:
conns = connection.All()
connStr = protocol
case protocolTCP, protocolUDP:
minPort := int64(*ruleObj.PortRange.From)
maxPort := int64(*ruleObj.PortRange.To)
Expand All @@ -72,20 +72,26 @@ func (na *AWSNACLAnalyzer) GetNACLRule(index int) (ruleStr string, ruleRes *comm
minPort,
maxPort,
)
connStr = fmt.Sprintf("protocol: %s, dstPorts: %d-%d", protocol, minPort, maxPort)
portsStr = fmt.Sprintf(", dstPorts: %d-%d", minPort, maxPort)
case protocolICMP:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are we OK with ICMP? I didn't see an example output

Copy link
Contributor Author

@ShiriMoran ShiriMoran Sep 5, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  1. Indeed, there is no such example; moreover, I did not find an example that enables only icmp in the inputs file. Perhaps such an example should be added; does not seem related to this PR.
  2. Looking at the code - indeed it seems that the extra ICMP parms are ignored in the returned string; they were ignored from the beginning, nothing new to this PR.
  3. Moreover, looking at the code I do not understand why the printing function of conns was not used in the first place for the returned ruleStr.

Not sure whether to fix it here or open a new issue and ask Ola what she had in mind. See also next comment

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fixed; At the moment we do not have an example of an icmp rule in aws

We do have an example in IBM (acl5) that is not yet used in explain tests; I'll add a test

Copy link
Contributor Author

@ShiriMoran ShiriMoran Sep 9, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

acl5 does not have any instances

Need to add examples of NACL rules with reference to ICMP type and code in both IBM and AWS
#860

icmpTypeMin, icmpTypeMax, icmpCodeMin, icmpCodeMax,
err := handleIcmpTypeCode(ruleObj.IcmpTypeCode.Type, ruleObj.IcmpTypeCode.Code)

if err != nil {
return "", nil, false, err
}
if ruleObj.IcmpTypeCode.Type != nil && *ruleObj.IcmpTypeCode.Type != -1 {
portsStr = fmt.Sprintf(", type: %d", *ruleObj.IcmpTypeCode.Type)
}
if ruleObj.IcmpTypeCode.Code != nil && *ruleObj.IcmpTypeCode.Code != -1 {
portsStr += fmt.Sprintf(", code: %d", *ruleObj.IcmpTypeCode.Code)
}
conns = connection.ICMPConnection(icmpTypeMin, icmpTypeMax, icmpCodeMin, icmpCodeMax)
connStr = fmt.Sprintf("protocol: %s", protocol)
default:
err = fmt.Errorf("GetNACLRule unsupported protocol type: %s ", *ruleObj.Protocol)
return "", nil, false, err
}
connStr = "protocol: " + protocol + portsStr
action := string(ruleObj.RuleAction)
ip, err := ipblock.FromCidr(*ruleObj.CidrBlock)
if err != nil {
Expand All @@ -99,8 +105,8 @@ func (na *AWSNACLAnalyzer) GetNACLRule(index int) (ruleStr string, ruleRes *comm
direction = commonvpc.Inbound
}
ruleRes = &commonvpc.NACLRule{Src: src, Dst: dst, Connections: conns, Action: action}
ruleStr = fmt.Sprintf("ruleNumber: %d, direction: %s ,cidr: %s, action: %s, conn: %s\n",
ruleNumber, direction, ip, action, connStr)
ruleStr = fmt.Sprintf("ruleNumber: %d, action: %s, direction: %s, cidr: %s, %s\n",
ruleNumber, action, direction, ip, connStr)
return ruleStr, ruleRes, isIngress, nil
}

Expand Down
2 changes: 1 addition & 1 deletion pkg/awsvpc/sg_analysis.go
Original file line number Diff line number Diff line change
Expand Up @@ -104,7 +104,7 @@ func (sga *AWSSGAnalyzer) getProtocolTCPUDPRule(ruleObj *types.IpPermission, dir
}

func getRuleStr(direction, connStr, ipRanges string) string {
return fmt.Sprintf("direction: %s, target: %s, conns: %s\n", direction, ipRanges, connStr)
return fmt.Sprintf("direction: %s, target: %s, %s\n", direction, ipRanges, connStr)
}

func handleIcmpTypeCode(icmpType, icmpCode *int32) (newIcmpTypeMin, newIcmpTypeMax,
Expand Down
8 changes: 4 additions & 4 deletions pkg/awsvpc/sg_analysis_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -84,12 +84,12 @@ func TestSGRule(t *testing.T) {
require.Nil(t, err)
require.Equal(t, sgRule.Remote.Cidr.String(), "0.0.0.0/0")
require.Equal(t, sgRule.Index, 0)
require.Equal(t, "Inbound index: 0, direction: inbound, target: 0.0.0.0/0, conns: protocol: all\n", ruleStr)
require.Equal(t, "Inbound index: 0, direction: inbound, target: 0.0.0.0/0, protocol: all\n", ruleStr)
ruleStr, sgRule, _, err = sgResource.Analyzer.SgAnalyzer.GetSGRule(1)
require.Nil(t, err)
require.Equal(t, sgRule.Remote.Cidr.String(), "0.0.0.0/0")
require.Equal(t, sgRule.Index, 1)
require.Equal(t, "Outbound index: 0, direction: outbound, target: 0.0.0.0/0, conns: protocol: all\n", ruleStr)
require.Equal(t, "Outbound index: 0, direction: outbound, target: 0.0.0.0/0, protocol: all\n", ruleStr)
}

func newSGobj(groupID, groupName, vpcID string, ipPermissions []types.IpPermission,
Expand Down Expand Up @@ -131,13 +131,13 @@ func TestWithSgObj(t *testing.T) {
require.Nil(t, err)
require.Equal(t, "4.2.0.0/16", sgRule.Remote.Cidr.String())
require.Equal(t, 0, sgRule.Index)
require.Equal(t, "Inbound index: 0, direction: inbound, target: 4.2.0.0/16, conns: protocol: tcp,"+
require.Equal(t, "Inbound index: 0, direction: inbound, target: 4.2.0.0/16, protocol: tcp,"+
" dstPorts: 5-1000\n", ruleStr)
ruleStr, sgRule, _, err = sgResource.Analyzer.SgAnalyzer.GetSGRule(1)
require.Nil(t, err)
require.Equal(t, sgRule.Remote.Cidr.String(), "0.0.0.0/0")
require.Equal(t, sgRule.Index, 1)
require.Equal(t, "Outbound index: 0, direction: outbound, target: 0.0.0.0/0, conns: protocol: tcp, "+
require.Equal(t, "Outbound index: 0, direction: outbound, target: 0.0.0.0/0, protocol: tcp, "+
"dstPorts: 23-10030\n", ruleStr)
}

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -16,9 +16,9 @@ Details:
Path is enabled; The relevant rules are:
Egress:
security group sg1-ky allows connection with the following allow rules
direction: outbound, id: id:133, remote: 161.26.0.0/16, local: 0.0.0.0/0, conns: protocol: udp, dstPorts: 1-65535
id: id:133, direction: outbound, local: 0.0.0.0/0, remote: 161.26.0.0/16, protocol: udp, dstPorts: 1-65535
network ACL acl1-ky allows connection with the following allow rules
direction: outbound, name: outbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all
name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all

------------------------------------------------------------------------------------------------------------------------

Expand All @@ -38,7 +38,7 @@ Path is disabled; The relevant rules are:
Egress:
security group sg1-ky has no relevant allow rules
network ACL acl1-ky allows connection with the following allow rules
direction: outbound, name: outbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all
name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all

------------------------------------------------------------------------------------------------------------------------

Loading