update groups parsing, ignore vms without groups (#126)

Signed-off-by: adisos <adisos@il.ibm.com>
np-guard · Jan 13, 2025 · c3c29e5 · c3c29e5
1 parent f769210
commit c3c29e5
Show file tree

Hide file tree

Showing 5 changed files with 67 additions and 19 deletions.
diff --git a/pkg/common/strings.go b/pkg/common/strings.go
@@ -11,6 +11,7 @@ const (
 
 	CommaSeparator      string = ","
 	CommaSpaceSeparator string = ", "
+	NewLine             string = "\n"
 
 	// ANSI escape codes - for colored output printed to the terminal
 	Reset   = "\033[0m"

diff --git a/pkg/model/config.go b/pkg/model/config.go
@@ -1,8 +1,11 @@
 package model
 
 import (
+	"fmt"
 	"strings"
+	"text/tabwriter"
 
+	"github.com/np-guard/vmware-analyzer/pkg/collector"
 	"github.com/np-guard/vmware-analyzer/pkg/common"
 	"github.com/np-guard/vmware-analyzer/pkg/logging"
 	"github.com/np-guard/vmware-analyzer/pkg/model/connectivity"
@@ -12,10 +15,11 @@ import (
 
 // config captures nsx config
 type config struct {
-	vms                  []*endpoints.VM          // list of all vms
-	vmsMap               map[string]*endpoints.VM // map from uid to vm objects
-	Fw                   *dfw.DFW                 // currently assuming one DFW only (todo: rename pkg dfw)
-	analyzedConnectivity connectivity.ConnMap     // the resulting connectivity map from analyzing this configuration
+	vms                  []*endpoints.VM                      // list of all vms
+	vmsMap               map[string]*endpoints.VM             // map from uid to vm objects
+	Fw                   *dfw.DFW                             // currently assuming one DFW only (todo: rename pkg dfw)
+	GroupsPerVM          map[*endpoints.VM][]*collector.Group // map from vm to its groups
+	analyzedConnectivity connectivity.ConnMap                 // the resulting connectivity map from analyzing this configuration
 	analysisDone         bool
 }
 
@@ -50,9 +54,12 @@ func (c *config) getConfigInfoStr() string {
 	var sb strings.Builder
 	sb.WriteString(common.OutputSectionSep)
 	sb.WriteString("VMs:\n")
-	for _, vm := range c.vms {
-		sb.WriteString(vm.Name() + "\n")
-	}
+	sb.WriteString(common.JoinStringifiedSlice(c.vms, common.NewLine))
+
+	// groups
+	sb.WriteString(common.OutputSectionSep)
+	sb.WriteString("Groups:\n")
+	sb.WriteString(c.getVMGroupsStr())
 	sb.WriteString(common.OutputSectionSep)
 
 	sb.WriteString("DFW:\n")
@@ -65,3 +72,16 @@ func (c *config) getConfigInfoStr() string {
 
 	return sb.String()
 }
+
+func (c *config) getVMGroupsStr() string {
+	var builder strings.Builder
+	writer := tabwriter.NewWriter(&builder, 1, 1, 1, ' ', tabwriter.Debug)
+	fmt.Fprintln(writer, "VM"+"\t"+"Groups")
+	for vm, groups := range c.GroupsPerVM {
+		groupsStr := common.JoinCustomStrFuncSlice(groups, func(g *collector.Group) string { return *g.DisplayName }, common.CommaSpaceSeparator)
+		line := vm.Name() + "\t" + groupsStr
+		fmt.Fprintln(writer, line)
+	}
+	writer.Flush()
+	return builder.String()
+}
diff --git a/pkg/model/endpoints/vm.go b/pkg/model/endpoints/vm.go
@@ -19,6 +19,10 @@ func (v *VM) Name() string {
 	return v.name
 }
 
+func (v *VM) String() string {
+	return v.Name()
+}
+
 func (v *VM) Kind() string {
 	return "vm"
 }

diff --git a/pkg/model/parser.go b/pkg/model/parser.go
@@ -42,7 +42,7 @@ type NSXConfigParser struct {
 	file         string
 	rc           *collector.ResourcesContainerModel
 	configRes    *config
-	groups       []*collector.Group
+	allGroups    []*collector.Group
 	allGroupsVMs []*endpoints.VM
 	// store references to groups/services objects from paths used in Fw rules
 	groupPathsToObjects   map[string]*collector.Group
@@ -54,24 +54,46 @@ func (p *NSXConfigParser) RunParser() error {
 	p.configRes = &config{}
 	p.groupPathsToObjects = map[string]*collector.Group{}
 	p.servicePathsToObjects = map[string]*collector.Service{}
-	p.getVMs() // get vms config
+	p.getVMs()    // get vms config
+	p.getGroups() // get groups config
+	p.removeVMsWithoutGroups()
 	p.getDFW() // get distributed firewall config
 	p.AddPathsToDisplayNames()
 	return nil
 }
 
+func (p *NSXConfigParser) removeVMsWithoutGroups() {
+	toRemove := []*endpoints.VM{}
+	for vm, groups := range p.configRes.GroupsPerVM {
+		if len(groups) == 0 {
+			logging.Debugf("ignoring VM without groups: %s", vm.Name())
+			toRemove = append(toRemove, vm)
+		}
+	}
+	for _, vm := range toRemove {
+		delete(p.configRes.GroupsPerVM, vm)
+		p.configRes.vms = slices.DeleteFunc(p.configRes.vms, func(v *endpoints.VM) bool { return v.ID() == vm.ID() })
+		delete(p.configRes.vmsMap, vm.ID())
+	}
+}
+
 func (p *NSXConfigParser) GetConfig() *config {
 	return p.configRes
 }
 
-func (p *NSXConfigParser) VMsGroups() map[*endpoints.VM][]*collector.Group {
+func (p *NSXConfigParser) vMsGroups() map[*endpoints.VM][]*collector.Group {
 	groups := map[*endpoints.VM][]*collector.Group{}
-	for _, g := range p.groups {
+	for _, g := range p.allGroups {
 		vms := p.groupToVMsList(g)
 		for _, vm := range vms {
 			groups[vm] = append(groups[vm], g)
 		}
 	}
+	for _, vm := range p.VMs() {
+		if _, ok := groups[vm]; !ok {
+			groups[vm] = nil
+		}
+	}
 	return groups
 }
 
@@ -90,6 +112,11 @@ func (p *NSXConfigParser) AddPathsToDisplayNames() {
 	p.configRes.Fw.SetPathsToDisplayNames(res)
 }
 
+func (p *NSXConfigParser) getGroups() {
+	p.getAllGroups()
+	p.configRes.GroupsPerVM = p.vMsGroups()
+}
+
 // getVMs assigns the parsed VM objects from the NSX resources container into the res config object
 func (p *NSXConfigParser) getVMs() {
 	p.configRes.vmsMap = map[string]*endpoints.VM{}
@@ -222,11 +249,8 @@ type parsedRule struct {
 	defaultRuleObj *collector.FirewallRule
 }
 
-func (p *NSXConfigParser) allGroups() ([]*endpoints.VM, []*collector.Group) {
+func (p *NSXConfigParser) getAllGroups() {
 	// p.allGroupsVMs and p.groups are written together
-	if len(p.allGroupsVMs) > 0 {
-		return p.allGroupsVMs, p.groups
-	}
 	vms := []*endpoints.VM{}
 	groups := []*collector.Group{}
 	for i := range p.rc.DomainList {
@@ -237,14 +261,13 @@ func (p *NSXConfigParser) allGroups() ([]*endpoints.VM, []*collector.Group) {
 		}
 	}
 	p.allGroupsVMs = vms
-	p.groups = groups
-	return vms, groups
+	p.allGroups = groups
 }
 
 func (p *NSXConfigParser) getEndpointsFromGroupsPaths(groupsPaths []string) ([]*endpoints.VM, []*collector.Group) {
 	if slices.Contains(groupsPaths, anyStr) {
 		// TODO: if a VM is not within any group, this should not include that VM?
-		return p.allGroups() // all groups
+		return p.allGroupsVMs, p.allGroups // all groups
 	}
 	vms := []*endpoints.VM{}
 	groups := []*collector.Group{}

diff --git a/pkg/synthesis/synthesis.go b/pkg/synthesis/synthesis.go
@@ -20,7 +20,7 @@ func NSXToAbstractModelSynthesis(recourses *collector.ResourcesContainerModel,
 	fmt.Println(stringCategoryToSymbolicPolicy(config.Fw.CategoriesSpecs, categoryToPolicy))
 	allowOnlyPolicy := computeAllowOnlyRulesForPolicy(config.Fw.CategoriesSpecs, categoryToPolicy, hints)
 	abstractModel := &AbstractModelSyn{}
-	abstractModel.epToGroups = parser.VMsGroups()
+	abstractModel.epToGroups = parser.GetConfig().GroupsPerVM
 	abstractModel.vms = parser.VMs()
 	abstractModel.policy = append(abstractModel.policy, &allowOnlyPolicy)
 	return &allowOnlyPolicy, nil