added allowFromCategory and relevant tests

np-guard · Jan 16, 2025 · 52bc545 · 52bc545
1 parent 80c7aad
commit 52bc545
Show file tree

Hide file tree

Showing 6 changed files with 67 additions and 11 deletions.
diff --git a/pkg/model/dfw/category.go b/pkg/model/dfw/category.go
@@ -22,7 +22,7 @@ const (
 	emergencyCategory
 	infrastructureCategory
 	envCategory
-	appCategoty
+	AppCategoty
 	emptyCategory
 )
 
@@ -46,7 +46,7 @@ const (
 	case EnvironmentStr:
 		return envCategory
 	case ApplicationStr:
-		return appCategoty
+		return AppCategoty
 	case EmptyStr:
 		return emptyCategory
 	default:
@@ -64,7 +64,7 @@ func (d DfwCategory) String() string {
 		return InfrastructureStr
 	case envCategory:
 		return EnvironmentStr
-	case appCategoty:
+	case AppCategoty:
 		return ApplicationStr
 	case emptyCategory:
 		return EmptyStr
@@ -74,7 +74,7 @@ func (d DfwCategory) String() string {
 }
 
 var categoriesList = []DfwCategory{
-	ethernetCategory, emergencyCategory, infrastructureCategory, envCategory, appCategoty, emptyCategory,
+	ethernetCategory, emergencyCategory, infrastructureCategory, envCategory, AppCategoty, emptyCategory,
 }
 
 // EffectiveRules are built from original rules, split to separate Inbound & Outbound rules

diff --git a/pkg/synthesis/allowOnlyConversion.go b/pkg/synthesis/allowOnlyConversion.go
@@ -13,21 +13,27 @@ import (
 /////////////////////////////////////////////////////////////////////////////////////
 
 func computeAllowOnlyRulesForPolicy(categoriesSpecs []*dfw.CategorySpec,
-	categoryToPolicy map[dfw.DfwCategory]*symbolicPolicy, hints *symbolicexpr.Hints) symbolicPolicy {
-	allowOnlyPolicy := symbolicPolicy{}
+	categoryToPolicy map[dfw.DfwCategory]*symbolicPolicy, allowOnlyFromCategory dfw.DfwCategory,
+	hints *symbolicexpr.Hints) symbolicPolicy {
+	computedPolicy := symbolicPolicy{}
 	globalInboundDenies, globalOutboundDenies := symbolicexpr.SymbolicPaths{}, symbolicexpr.SymbolicPaths{}
 	// we go over categoriesSpecs to make sure we follow the correct order of categories
 	for _, category := range categoriesSpecs {
 		thisCategoryPolicy := categoryToPolicy[category.Category]
 		if thisCategoryPolicy == nil {
 			continue
 		}
+		if category.Category < allowOnlyFromCategory {
+			computedPolicy.inbound = append(computedPolicy.inbound, thisCategoryPolicy.inbound...)
+			computedPolicy.outbound = append(computedPolicy.outbound, thisCategoryPolicy.outbound...)
+			continue
+		}
 		inboundAllow, outboundAllow := computeAllowOnlyRulesForCategory(thisCategoryPolicy,
 			&globalInboundDenies, &globalOutboundDenies, hints)
-		allowOnlyPolicy.inbound = append(allowOnlyPolicy.inbound, inboundAllow...)
-		allowOnlyPolicy.outbound = append(allowOnlyPolicy.outbound, outboundAllow...)
+		computedPolicy.inbound = append(computedPolicy.inbound, inboundAllow...)
+		computedPolicy.outbound = append(computedPolicy.outbound, outboundAllow...)
 	}
-	return allowOnlyPolicy
+	return computedPolicy
 }
 
 // gets here only if policy is not nil

diff --git a/pkg/synthesis/synthesis.go b/pkg/synthesis/synthesis.go
@@ -21,7 +21,7 @@ func NSXToK8sSynthesis(
 	config := parser.GetConfig()
 	categoryToPolicy := preProcessing(config.Fw.CategoriesSpecs)
 	fmt.Println(stringCategoryToSymbolicPolicy(config.Fw.CategoriesSpecs, categoryToPolicy))
-	allowOnlyPolicy := computeAllowOnlyRulesForPolicy(config.Fw.CategoriesSpecs, categoryToPolicy, hints)
+	allowOnlyPolicy := computeAllowOnlyRulesForPolicy(config.Fw.CategoriesSpecs, categoryToPolicy, allowOnlyFromCategory, hints)
 	abstractModel := &AbstractModelSyn{vms: parser.VMs(), epToGroups: parser.GetConfig().GroupsPerVM,
 		allowOnlyFromCategory: allowOnlyFromCategory, policy: []*symbolicPolicy{&allowOnlyPolicy}}
 	return abstractModel, createK8sResources(abstractModel, outDir)

diff --git a/pkg/synthesis/synthesis_test.go b/pkg/synthesis/synthesis_test.go
@@ -86,6 +86,12 @@ var allTests = []synthesisTest{
 		allowOnlyFromCategory: 0,
 		noHint:                false,
 	},
+	{
+		name:                  "ExampleHogwarts",
+		exData:                tests.ExampleHogwarts,
+		allowOnlyFromCategory: dfw.AppCategoty,
+		noHint:                false,
+	},
 }
 
 func (synTest *synthesisTest) runPreprocessing(t *testing.T, mode testMode) {
@@ -97,7 +103,11 @@ func (synTest *synthesisTest) runPreprocessing(t *testing.T, mode testMode) {
 	categoryToPolicy := preProcessing(config.Fw.CategoriesSpecs)
 	actualOutput := stringCategoryToSymbolicPolicy(config.Fw.CategoriesSpecs, categoryToPolicy)
 	fmt.Println(actualOutput)
-	expectedOutputFileName := filepath.Join(getTestsDirOut(), synTest.name+"_PreProcessing.txt")
+	suffix := "_PreProcessing"
+	if synTest.allowOnlyFromCategory > 0 {
+		suffix = fmt.Sprintf("%v_%s", suffix, synTest.allowOnlyFromCategory)
+	}
+	expectedOutputFileName := filepath.Join(getTestsDirOut(), synTest.name+suffix+".txt")
 	compareOrRegenerateOutputPerTest(t, mode, actualOutput, expectedOutputFileName, synTest.name)
 }
 
@@ -120,6 +130,10 @@ func (synTest *synthesisTest) runConvertToAbstract(t *testing.T, mode testMode)
 		hintsParm.GroupsDisjoint = synTest.exData.DisjointGroups
 		suffix = "_ConvertToAbstract.txt"
 	}
+	if synTest.allowOnlyFromCategory > 0 {
+		suffix = fmt.Sprintf("%v_%s", suffix, synTest.allowOnlyFromCategory)
+	}
+	fmt.Println("suffix:", suffix)
 	outDir := path.Join("out", synTest.name)
 	abstractModel, err := NSXToK8sSynthesis(rc, outDir, hintsParm, synTest.allowOnlyFromCategory)
 	require.Nil(t, err)

diff --git a/pkg/synthesis/tests_expected_output/ExampleHogwarts_ConvertToAbstract.txt_Application b/pkg/synthesis/tests_expected_output/ExampleHogwarts_ConvertToAbstract.txt_Application
@@ -0,0 +1,10 @@
+Allow Only Rules
+~~~~~~~~~~~~~~~~~
+inbound rules
+	All Connections from (*) to (group = Web)
+	All Connections from (group = Web) to (group = App)
+	All Connections from (group = App) to (group = DB)
+outbound rules
+	All Connections from (*) to (group = Web)
+	All Connections from (group = Web) to (group = App)
+	All Connections from (group = App) to (group = DB)
diff --git a/pkg/synthesis/tests_expected_output/ExampleHogwarts_PreProcessing_Application.txt b/pkg/synthesis/tests_expected_output/ExampleHogwarts_PreProcessing_Application.txt
@@ -0,0 +1,26 @@
+category: Environment
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+symbolic inbound rules:
+	0. action: jump_to_application paths: All Connections from (group = Gryffindor) to (group = Gryffindor)
+	1. action: jump_to_application paths: All Connections from (group = Hufflepuff) to (group = Hufflepuff)
+	2. action: jump_to_application paths: All Connections from (group = Slytherin) to (group = Slytherin)
+	3. action: jump_to_application paths: All Connections from (group = Dumbledore) to (group = Gryffindor)
+	4. action: deny paths: All Connections from (*) to (*)
+symbolic outbound rules:
+	0. action: jump_to_application paths: All Connections from (group = Gryffindor) to (group = Gryffindor)
+	1. action: jump_to_application paths: All Connections from (group = Hufflepuff) to (group = Hufflepuff)
+	2. action: jump_to_application paths: All Connections from (group = Slytherin) to (group = Slytherin)
+	3. action: jump_to_application paths: All Connections from (group = Dumbledore) to (group = Gryffindor)
+	4. action: deny paths: All Connections from (*) to (*)
+category: Application
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+symbolic inbound rules:
+	0. action: allow paths: All Connections from (*) to (group = Web)
+	1. action: allow paths: All Connections from (group = Web) to (group = App)
+	2. action: allow paths: All Connections from (group = App) to (group = DB)
+	3. action: deny paths: All Connections from (*) to (*)
+symbolic outbound rules:
+	0. action: allow paths: All Connections from (*) to (group = Web)
+	1. action: allow paths: All Connections from (group = Web) to (group = App)
+	2. action: allow paths: All Connections from (group = App) to (group = DB)
+	3. action: deny paths: All Connections from (*) to (*)