Synthesis pre processing

pkg/collector/data_model.go

@@ -431,6 +431,13 @@ func (group *Group) UnmarshalJSON(b []byte) error {
 	)
 }
 
+func (group *Group) Name() string {
+	if group.Group.DisplayName == nil {
+		return ""
+	}
+	return *group.Group.DisplayName
+}
+
 ///////////////////////////////////////////////////////////////////////////////////////
 
 type Domain struct {

pkg/model/config.go

@@ -13,7 +13,7 @@ import (
 type config struct {
 	vms                  []*endpoints.VM          // list of all vms
 	vmsMap               map[string]*endpoints.VM // map from uid to vm objects
-	fw                   *dfw.DFW                 // currently assuming one DFW only (todo: rename pkg dfw)
+	Fw                   *dfw.DFW                 // currently assuming one DFW only (todo: rename pkg dfw)
 	analyzedConnectivity connMap                  // the resulting connectivity map from analyzing this configuration
 	analysisDone         bool
 }
@@ -29,14 +29,14 @@ func (c *config) ComputeConnectivity(vmsFilter []string) {
 	logging.Debugf("compute connectivity on parsed config")
 	res := connMap{}
 	// make sure all vm pairs are in the result, by init with global default
-	res.initPairs(c.fw.GlobalDefaultAllow(), c.vms, vmsFilter)
+	res.initPairs(c.Fw.GlobalDefaultAllow(), c.vms, vmsFilter)
 	// iterate over all vm pairs in the initialized map at res, get the analysis result per pair
 	for src, srcMap := range res {
 		for dst := range srcMap {
 			if src == dst {
 				continue
 			}
-			conn := c.fw.AllowedConnections(src, dst)
+			conn := c.Fw.AllowedConnections(src, dst)
 			res.add(src, dst, conn)
 		}
 	}
@@ -55,11 +55,11 @@ func (c *config) getConfigInfoStr() string {
 	sb.WriteString(common.OutputSectionSep)
 
 	sb.WriteString("DFW:\n")
-	sb.WriteString(c.fw.OriginalRulesStrFormatted())
+	sb.WriteString(c.Fw.OriginalRulesStrFormatted())
 	sb.WriteString(common.ShortSep)
-	sb.WriteString(c.fw.String())
+	sb.WriteString(c.Fw.String())
 	sb.WriteString(common.ShortSep)
-	sb.WriteString(c.fw.AllEffectiveRules())
+	sb.WriteString(c.Fw.AllEffectiveRules())
 	sb.WriteString(common.OutputSectionSep)
 
 	return sb.String()

pkg/model/connectivity_test.go

@@ -26,12 +26,12 @@ var dfwAllowAllByDefault = dfw.NewEmptyDFW(true)      // no rules and global def
 // basic test
 var config1 = &config{
 	vms: allVms,
-	fw:  dfwAllowNothingByDefault,
+	Fw:  dfwAllowNothingByDefault,
 }
 
 var config2 = &config{
 	vms: allVms,
-	fw:  dfwAllowAllByDefault,
+	Fw:  dfwAllowAllByDefault,
 }
 
 func sumPairs(c connMap) int {

pkg/model/dfw/category.go

@@ -8,7 +8,6 @@ import (
 	"github.com/np-guard/vmware-analyzer/pkg/collector"
 	"github.com/np-guard/vmware-analyzer/pkg/logging"
 	"github.com/np-guard/vmware-analyzer/pkg/model/endpoints"
-	"github.com/np-guard/vmware-analyzer/pkg/symbolicexpr"
 )
 
 // https://dp-downloads.broadcom.com/api-content/apis/API_NTDCRA_001/4.2/html/api_includes/types_SecurityPolicy.html
@@ -52,7 +51,7 @@ const (
 	}
 }*/
 
-func (d DfwCategory) string() string {
+func (d DfwCategory) String() string {
 	switch d {
 	case ethernetCategory:
 		return EthernetStr
@@ -75,30 +74,30 @@ var categoriesList = []DfwCategory{
 	ethernetCategory, emergencyCategory, infrastructureCategory, envCategory, appCategoty, emptyCategory,
 }
 
-// effectiveRules are built from original rules, split to separate inbound & outbound rules
+// EffectiveRules are built from original rules, split to separate Inbound & Outbound rules
 // consider already the scope from the original rules
-type effectiveRules struct {
-	inbound  []*FwRule
-	outbound []*FwRule
+type EffectiveRules struct {
+	Inbound  []*FwRule
+	Outbound []*FwRule
 }
 
-func (e *effectiveRules) addInboundRule(r *FwRule) {
+func (e *EffectiveRules) addInboundRule(r *FwRule) {
 	if r != nil {
-		e.inbound = append(e.inbound, r)
+		e.Inbound = append(e.Inbound, r)
 	}
 }
 
-func (e *effectiveRules) addOutboundRule(r *FwRule) {
+func (e *EffectiveRules) addOutboundRule(r *FwRule) {
 	if r != nil {
-		e.outbound = append(e.outbound, r)
+		e.Outbound = append(e.Outbound, r)
 	}
 }
 
-type categorySpec struct {
-	category       DfwCategory
+type CategorySpec struct {
+	Category       DfwCategory
 	rules          []*FwRule // ordered list of rules
-	defaultAction  ruleAction
-	processedRules *effectiveRules // ordered list of effective rules
+	defaultAction  RuleAction
+	ProcessedRules *EffectiveRules // ordered list of effective rules
 	dfwRef         *DFW
 }
 
@@ -110,16 +109,16 @@ type categorySpec struct {
 // todo: may possibly eliminate jumpToAppConns and unify them with notDeterminedConns
 //
 //nolint:gocritic // for now keep commentedOutCode
-func (c *categorySpec) analyzeCategory(src, dst *endpoints.VM, isIngress bool,
+func (c *CategorySpec) analyzeCategory(src, dst *endpoints.VM, isIngress bool,
 ) (allowedConns, jumpToAppConns, deniedConns, nonDet *netset.TransportSet) {
 	allowedConns, jumpToAppConns, deniedConns = netset.NoTransports(), netset.NoTransports(), netset.NoTransports()
-	rules := c.processedRules.inbound // inbound effective rules
+	rules := c.ProcessedRules.Inbound // inbound effective rules
 	if !isIngress {
-		rules = c.processedRules.outbound // outbound effective rules
+		rules = c.ProcessedRules.Outbound // outbound effective rules
 	}
 	for _, rule := range rules /*c.rules*/ {
 		if rule.processedRuleCapturesPair(src, dst) /*rule.capturesPair(src, dst, isIngress)*/ {
-			switch rule.action {
+			switch rule.Action {
 			case actionAllow:
 				addedAllowedConns := rule.conn.Subtract(deniedConns).Subtract(jumpToAppConns)
 				allowedConns = allowedConns.Union(addedAllowedConns)
@@ -147,76 +146,79 @@ func (c *categorySpec) analyzeCategory(src, dst *endpoints.VM, isIngress bool,
 	return allowedConns, jumpToAppConns, deniedConns, nonDet
 }
 
-func (c *categorySpec) originalRulesStr() []string {
+func (c *CategorySpec) originalRulesStr() []string {
 	rulesStr := make([]string, len(c.rules))
 	for i := range c.rules {
 		rulesStr[i] = c.rules[i].originalRuleStr()
 	}
 	return rulesStr
 }
 
-func (c *categorySpec) string() string {
+func (c *CategorySpec) string() string {
 	rulesStr := make([]string, len(c.rules)+1)
 	rulesStr[0] = "rules:"
 	for i := range c.rules {
 		rulesStr[i+1] = c.rules[i].string()
 	}
-	return fmt.Sprintf("category: %s\n%s\ndefault action: %s", c.category.string(),
+	return fmt.Sprintf("category: %s\n%s\ndefault action: %s", c.Category.String(),
 		strings.Join(rulesStr, lineSeparatorStr), string(c.defaultAction))
 }
 
-func (c *categorySpec) inboundEffectiveRules() string {
-	rulesStr := make([]string, len(c.processedRules.inbound))
-	for i := range c.processedRules.inbound {
-		rulesStr[i] = c.processedRules.inbound[i].effectiveRuleStr()
+func (c *CategorySpec) inboundEffectiveRules() string {
+	rulesStr := make([]string, len(c.ProcessedRules.Inbound))
+	for i := range c.ProcessedRules.Inbound {
+		rulesStr[i] = c.ProcessedRules.Inbound[i].effectiveRuleStr()
 	}
 	return strings.Join(rulesStr, lineSeparatorStr)
 }
 
-func (c *categorySpec) outboundEffectiveRules() string {
-	rulesStr := make([]string, len(c.processedRules.outbound))
-	for i := range c.processedRules.outbound {
-		rulesStr[i] = c.processedRules.outbound[i].effectiveRuleStr()
+func (c *CategorySpec) outboundEffectiveRules() string {
+	rulesStr := make([]string, len(c.ProcessedRules.Outbound))
+	for i := range c.ProcessedRules.Outbound {
+		rulesStr[i] = c.ProcessedRules.Outbound[i].effectiveRuleStr()
 	}
 	return strings.Join(rulesStr, lineSeparatorStr)
 }
 
-func (c *categorySpec) addRule(src, dst []*endpoints.VM, conn *netset.TransportSet,
-	action, direction string, ruleID int, origRule *collector.Rule, scope []*endpoints.VM,
-	secPolicyName string, origDefaultRule *collector.FirewallRule) {
+func (c *CategorySpec) addRule(src, dst []*endpoints.VM, srcGroups, dstGroups, scopeGroups []*collector.Group,
+	isAllSrcGroup, isAllDstGroup bool, conn *netset.TransportSet, action, direction string, ruleID int,
+	origRule *collector.Rule, scope []*endpoints.VM, secPolicyName string, origDefaultRule *collector.FirewallRule) {
 	newRule := &FwRule{
 		srcVMs:             src,
 		dstVMs:             dst,
+		SrcGroups:          srcGroups,
+		IsAllSrcGroups:     isAllSrcGroup,
+		DstGroups:          dstGroups,
+		IsAllDstGroups:     isAllDstGroup,
 		conn:               conn,
-		action:             actionFromString(action),
+		Action:             actionFromString(action),
 		direction:          direction,
 		ruleID:             ruleID,
 		origRuleObj:        origRule,
 		origDefaultRuleObj: origDefaultRule,
 		scope:              scope,
+		ScopeGroups:        scopeGroups,
 		secPolicyName:      secPolicyName,
-		secPolicyCategory:  c.category.string(),
+		secPolicyCategory:  c.Category.String(),
 		categoryRef:        c,
 		dfwRef:             c.dfwRef,
-		symbolicSrc:        []*symbolicexpr.SymbolicPath{}, // todo tmp
-		symbolicDst:        []*symbolicexpr.SymbolicPath{}, // todo tmp
 	}
 	c.rules = append(c.rules, newRule)
 
 	inbound, outbound := newRule.effectiveRules()
-	if c.category != ethernetCategory {
-		c.processedRules.addInboundRule(inbound)
-		c.processedRules.addOutboundRule(outbound)
+	if c.Category != ethernetCategory {
+		c.ProcessedRules.addInboundRule(inbound)
+		c.ProcessedRules.addOutboundRule(outbound)
 	} else {
-		logging.Debugf("rule %d in ethernet category is ignored and not added to list of effective rules", ruleID)
+		logging.Debugf("rule %d in ethernet Category is ignored and not added to list of effective rules", ruleID)
 	}
 }
 
-func newEmptyCategory(c DfwCategory, d *DFW) *categorySpec {
-	return &categorySpec{
-		category:       c,
+func newEmptyCategory(c DfwCategory, d *DFW) *CategorySpec {
+	return &CategorySpec{
+		Category:       c,
 		dfwRef:         d,
 		defaultAction:  actionNone,
-		processedRules: &effectiveRules{},
+		ProcessedRules: &EffectiveRules{},
 	}
 }

pkg/model/dfw/dfw.go

@@ -13,8 +13,8 @@ import (
 )
 
 type DFW struct {
-	categoriesSpecs []*categorySpec // ordered list of categories
-	defaultAction   ruleAction      // global default (?)
+	CategoriesSpecs []*CategorySpec // ordered list of categories
+	defaultAction   RuleAction      // global default (?)
 
 	pathsToDisplayNames map[string]string // map from printing paths references as display names instead
 }
@@ -36,8 +36,8 @@ func (d *DFW) AllowedConnectionsIngressOrEgress(src, dst *endpoints.VM, isIngres
 	allDeniedConns := netset.NoTransports()
 	allNotDeterminedConns := netset.NoTransports()
 
-	for _, dfwCategory := range d.categoriesSpecs {
-		if dfwCategory.category == ethernetCategory {
+	for _, dfwCategory := range d.CategoriesSpecs {
+		if dfwCategory.Category == ethernetCategory {
 			continue // cuurently skip L2 rules
 		}
 		// get analyzed conns from this category
@@ -75,7 +75,7 @@ func (d *DFW) OriginalRulesStrFormatted() string {
 	writer := tabwriter.NewWriter(&builder, 1, 1, 1, ' ', tabwriter.Debug)
 	fmt.Fprintln(writer, "original rules:")
 	fmt.Fprintln(writer, getRulesFormattedHeaderLine())
-	for _, c := range d.categoriesSpecs {
+	for _, c := range d.CategoriesSpecs {
 		for _, ruleStr := range c.originalRulesStr() {
 			if ruleStr == "" {
 				continue
@@ -89,22 +89,22 @@ func (d *DFW) OriginalRulesStrFormatted() string {
 
 // return a string rep that shows the fw-rules in all categories
 func (d *DFW) String() string {
-	categoriesStrings := make([]string, len(d.categoriesSpecs))
-	for i := range d.categoriesSpecs {
-		categoriesStrings[i] = d.categoriesSpecs[i].string()
+	categoriesStrings := make([]string, len(d.CategoriesSpecs))
+	for i := range d.CategoriesSpecs {
+		categoriesStrings[i] = d.CategoriesSpecs[i].string()
 	}
 	return strings.Join(categoriesStrings, lineSeparatorStr)
 }
 
 func (d *DFW) AllEffectiveRules() string {
 	inboundRes := []string{}
 	outboundRes := []string{}
-	for i := range d.categoriesSpecs {
-		if len(d.categoriesSpecs[i].processedRules.inbound) > 0 {
-			inboundRes = append(inboundRes, d.categoriesSpecs[i].inboundEffectiveRules())
+	for i := range d.CategoriesSpecs {
+		if len(d.CategoriesSpecs[i].ProcessedRules.Inbound) > 0 {
+			inboundRes = append(inboundRes, d.CategoriesSpecs[i].inboundEffectiveRules())
 		}
-		if len(d.categoriesSpecs[i].processedRules.outbound) > 0 {
-			outboundRes = append(outboundRes, d.categoriesSpecs[i].outboundEffectiveRules())
+		if len(d.CategoriesSpecs[i].ProcessedRules.Outbound) > 0 {
+			outboundRes = append(outboundRes, d.CategoriesSpecs[i].outboundEffectiveRules())
 		}
 	}
 	inbound := fmt.Sprintf("\nInbound effective rules only:%s%s\n", common.ShortSep, strings.Join(inboundRes, lineSeparatorStr))
@@ -114,34 +114,36 @@ func (d *DFW) AllEffectiveRules() string {
 
 // AddRule func for testing purposes
 
-func (d *DFW) AddRule(src, dst []*endpoints.VM, conn *netset.TransportSet, categoryStr, actionStr, direction string,
+func (d *DFW) AddRule(src, dst []*endpoints.VM, srcGroups, dstGroups, scopeGroups []*collector.Group,
+	isAllSrcGroups, isAllDstGroups bool, conn *netset.TransportSet, categoryStr, actionStr, direction string,
 	ruleID int, origRule *collector.Rule, scope []*endpoints.VM, secPolicyName string, origDefaultRule *collector.FirewallRule) {
-	for _, fwCategory := range d.categoriesSpecs {
-		if fwCategory.category.string() == categoryStr {
-			fwCategory.addRule(src, dst, conn, actionStr, direction, ruleID, origRule, scope, secPolicyName, origDefaultRule)
+	for _, fwCategory := range d.CategoriesSpecs {
+		if fwCategory.Category.String() == categoryStr {
+			fwCategory.addRule(src, dst, srcGroups, dstGroups, scopeGroups, isAllSrcGroups, isAllDstGroups, conn,
+				actionStr, direction, ruleID, origRule, scope, secPolicyName, origDefaultRule)
 		}
 	}
 }
 
 /*func (d *DFW) AddRule(src, dst []*endpoints.VM, conn *netset.TransportSet, categoryStr string, actionStr string) {
-	var categoryObj *categorySpec
-	for _, c := range d.categoriesSpecs {
-		if c.category.string() == categoryStr {
+	var categoryObj *CategorySpec
+	for _, c := range d.CategoriesSpecs {
+		if c.Category.string() == categoryStr {
 			categoryObj = c
 		}
 	}
-	if categoryObj == nil { // create new category if missing
-		categoryObj = &categorySpec{
-			category: dfwCategoryFromString(categoryStr),
+	if categoryObj == nil { // create new Category if missing
+		categoryObj = &CategorySpec{
+			Category: dfwCategoryFromString(categoryStr),
 		}
-		d.categoriesSpecs = append(d.categoriesSpecs, categoryObj)
+		d.CategoriesSpecs = append(d.CategoriesSpecs, categoryObj)
 	}
 
 	newRule := &FwRule{
 		srcVMs: src,
 		dstVMs: dst,
 		conn:   netset.All(), // todo: change
-		action: actionFromString(actionStr),
+		Action: actionFromString(actionStr),
 	}
 	categoryObj.rules = append(categoryObj.rules, newRule)
 }*/
@@ -155,7 +157,7 @@ func NewEmptyDFW(globalDefaultAllow bool) *DFW {
 		res.defaultAction = actionAllow
 	}
 	for _, c := range categoriesList {
-		res.categoriesSpecs = append(res.categoriesSpecs, newEmptyCategory(c, res))
+		res.CategoriesSpecs = append(res.CategoriesSpecs, newEmptyCategory(c, res))
 	}
 	return res
 }