reach

package v0.2.0 Latest

Warning: This package is not in the latest version of its module.

Published: Nov 16, 2019 License: MIT Imports: 11 Imported by: 0

Documentation

Index

Constants

const (
	ProtocolNameAll    = "all"
	ProtocolNameICMPv4 = "ICMPv4"
	ProtocolNameTCP    = "TCP"
	ProtocolNameUDP    = "UDP"
	ProtocolNameICMPv6 = "ICMPv6"
)

Names of the most common IP protocols.

const (
	ErrSubjectPrefix         = "subject creation error"
	ErrSubjectRoleValidation = "subject role must be 'source' or 'destination'"
	ErrSubjectIDValidation   = "id must be a non-empty string"
)

Common errors for the Subject type.

Variables

This section is empty.

Functions

func DiffErrorf

func DiffErrorf(t *testing.T, item string, expected, actual interface{})

DiffErrorf provides a convenient way to output a difference between two values (such as between an expected value and an actual value) that caused a test to fail.

func NewSubjectError

func NewSubjectError(details string) error

NewSubjectError generates a new error related to a subject operation.

func ProtocolName

func ProtocolName(protocol Protocol) string

ProtocolName returns the name of an IP protocol given the protocol's assigned number.

func ValidSubjectRole

func ValidSubjectRole(role SubjectRole) bool

ValidSubjectRole returns a boolean indicating whether or not the specified subject role is valid.

Types

type Analysis

type Analysis struct {
	Subjects       []*Subject
	Resources      *ResourceCollection
	NetworkVectors []NetworkVector
}

Analysis is the central structure of a Reach analysis. It describes what subjects were analyzed, what resources were retrieved, and a collection of network vectors between all source-to-destination pairings of subjects.

func NewAnalysis

func NewAnalysis(subjects []*Subject, resources *ResourceCollection, networkVectors []NetworkVector) *Analysis

NewAnalysis simply creates a new Analysis struct.

func (*Analysis) MergedReturnTraffic added in v0.2.0

func (a *Analysis) MergedReturnTraffic() (TrafficContent, error)

MergedReturnTraffic gets the return TrafficContent results of each of the analysis's network vectors and returns them as a merged TrafficContent.

func (*Analysis) MergedTraffic

func (a *Analysis) MergedTraffic() (TrafficContent, error)

MergedTraffic gets the TrafficContent results of each of the analysis's network vectors and returns them as a merged TrafficContent.

func (Analysis) PassesAssertNotReachable added in v0.2.0

func (a Analysis) PassesAssertNotReachable() bool

PassesAssertNotReachable determines if the analysis implies the source has no way to send network traffic to the destination.

func (Analysis) PassesAssertReachable added in v0.2.0

func (a Analysis) PassesAssertReachable() bool

PassesAssertReachable determines if the analysis implies the source can reach the destination over at least one protocol whose return path is unobstructed.

func (*Analysis) ToJSON

func (a *Analysis) ToJSON() string

ToJSON outputs the Analysis as a JSON string.

type Factor

type Factor struct {
	Kind          string
	Resource      ResourceReference
	Traffic       TrafficContent
	ReturnTraffic TrafficContent
	Properties    interface{} `json:"Properties,omitempty"`
}

A Factor describes how a particular component of the ingested resources has an impact on the network traffic allowed to flow from a source to a destination.

type NetworkPoint

type NetworkPoint struct {
	IPAddress net.IP
	Lineage   []ResourceReference
	Factors   []Factor
}

A NetworkPoint is a point of termination for an analyzed network vector (on either the source or destination side), such that there is no further subdivision of a source or destination possible beyond the network point. For example, the CIDR block "10.0.1.0/24" contains numerous individual IP addresses, and the analysis result might vary depending on which of these individual IP addresses is used in real network traffic. To break this problem down, such that an analysis result is as definitive as possible, each individual IP address must be analyzed, one at a time. Each IP address could be considered a network point, whereas the CIDR block could not be considered a network point.

func (NetworkPoint) String

func (point NetworkPoint) String() string

String returns the text representation of the NetworkPoint

type NetworkVector

type NetworkVector struct {
	ID            string
	Source        NetworkPoint
	Destination   NetworkPoint
	Traffic       *TrafficContent
	ReturnTraffic *TrafficContent
}

A NetworkVector represents the path between two network points that's able to be analyzed in terms of what kind of network traffic is allowed to flow from point to point.

func NewNetworkVector

func NewNetworkVector(source, destination NetworkPoint) (NetworkVector, error)

NewNetworkVector creates a new network vector given a source and a destination network point.
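The expansion that the NetworkPoint description calls for, carried through to vector creation, as an added example that is not code from the reach project: a CIDR block is expanded to one point per address, and every source point is paired with every destination point. The NetworkPoint and NetworkVector types below are cut down to the fields the example needs, the maxHostBits guard is this example's own (the page describes no such limit), and the addresses are constructed.

```go
package main

import (
	"fmt"
	"net/netip"
)

// NetworkPoint and NetworkVector are cut down to the fields this example needs;
// the reach types also carry Lineage, Factors and the traffic results.
type NetworkPoint struct{ IPAddress netip.Addr }

type NetworkVector struct {
	ID          string
	Source      NetworkPoint
	Destination NetworkPoint
}

// maxHostBits is this example's own guard, not the package's: a /8 expands to
// 16 million points, and vectors multiply across both sides' point counts.
const maxHostBits = 16

// pointsInPrefix expands a CIDR block into one NetworkPoint per address. The
// block itself is not analyzable: a rule can treat 10.0.1.5 and 10.0.1.200
// differently, so each address becomes its own point.
func pointsInPrefix(cidr string) ([]NetworkPoint, error) {
	prefix, err := netip.ParsePrefix(cidr)
	if err != nil {
		return nil, err
	}
	prefix = prefix.Masked() // 10.0.1.7/30 denotes the block 10.0.1.4/30
	if hostBits := prefix.Addr().BitLen() - prefix.Bits(); hostBits > maxHostBits {
		return nil, fmt.Errorf("%s expands to 2^%d points, above the 2^%d limit", prefix, hostBits, maxHostBits)
	}
	var points []NetworkPoint
	for a := prefix.Addr(); prefix.Contains(a); a = a.Next() {
		points = append(points, NetworkPoint{IPAddress: a})
	}
	return points, nil
}

// vectorsBetween pairs every source point with every destination point; each
// pair is its own vector so that the answer is definitive per address pair.
func vectorsBetween(sources, destinations []NetworkPoint) []NetworkVector {
	vectors := make([]NetworkVector, 0, len(sources)*len(destinations))
	for _, s := range sources {
		for _, d := range destinations {
			vectors = append(vectors, NetworkVector{
				ID:          s.IPAddress.String() + " -> " + d.IPAddress.String(),
				Source:      s,
				Destination: d,
			})
		}
	}
	return vectors
}

func main() {
	// Constructed input: a /29 of web hosts and a /31 holding two database addresses.
	sources, err := pointsInPrefix("10.0.1.0/29")
	if err != nil {
		panic(err)
	}
	destinations, err := pointsInPrefix("10.0.2.10/31")
	if err != nil {
		panic(err)
	}
	for _, v := range vectorsBetween(sources, destinations) {
		fmt.Println(v.ID) // 16 lines, 10.0.1.0 -> 10.0.2.10 through 10.0.1.7 -> 10.0.2.11
	}
}
```

The vector count is the product of the two point counts, which is why the guard exists: a /16 on each side would already mean over four billion vectors, each of which the analyzer has to evaluate.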

func (NetworkVector) DestinationPerspective

func (v NetworkVector) DestinationPerspective() Perspective

DestinationPerspective returns an analyzable Perspective based on the NetworkVector's destination network point.

func (NetworkVector) SourcePerspective

func (v NetworkVector) SourcePerspective() Perspective

SourcePerspective returns an analyzable Perspective based on the NetworkVector's source network point.

func (NetworkVector) String

func (v NetworkVector) String() string

String returns the text representation of a NetworkVector.

type Perspective

type Perspective struct {
	Self      NetworkPoint
	Other     NetworkPoint
	SelfRole  SubjectRole
	OtherRole SubjectRole
}

A Perspective provides a reference to one direction of a network vector with knowledge of which network point is currently being analyzed ("self") and which network point is the "other" or "target" network point, such that properties of the "other" network point can be used when determining whether it applies to the analysis of the "self" network point.

type Protocol

type Protocol int

A Protocol represents an analyzable IP protocol, whose integer value corresponds to the officially assigned number for the IP protocol (as defined here: https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml).

const (
	ProtocolAll    Protocol = -1
	ProtocolICMPv4 Protocol = 1
	ProtocolTCP    Protocol = 6
	ProtocolUDP    Protocol = 17
	ProtocolICMPv6 Protocol = 58
)

Protocol numbers for the most common IP protocols.

func (Protocol) IsCustomProtocol

func (p Protocol) IsCustomProtocol() bool

IsCustomProtocol returns a boolean indicating whether or not the underlying protocol is "custom", meaning that it's not TCP, UDP, ICMPv4, or ICMPv6. The significance of this distinction is that Reach can analyze custom protocols only on an "all-or-nothing" basis, in contrast to protocols like TCP, where Reach can further assess traffic flow on a more granular basis, like ports.

func (Protocol) String added in v0.2.0

func (p Protocol) String() string

String returns the common name of the IP protocol.

func (Protocol) UsesICMPTypeCodes

func (p Protocol) UsesICMPTypeCodes() bool

UsesICMPTypeCodes returns a boolean indicating whether or not the underlying protocol is ICMP (v4) or ICMPv6.

func (Protocol) UsesPorts

func (p Protocol) UsesPorts() bool

UsesPorts returns a boolean indicating whether or not the described protocol has a "ports" concept that can be further drilled into when analyzing network rules. UsesPorts returns true if the underlying protocol is either TCP or UDP.

type ProtocolContent

type ProtocolContent struct {
	Protocol                 Protocol
	Ports                    *set.PortSet `json:"Ports,omitempty"`
	ICMP                     *set.ICMPSet `json:"ICMP,omitempty"`
	CustomProtocolHasContent *bool        `json:"CustomProtocolHasContent,omitempty"`
}

ProtocolContent specifies a set of network traffic for a single, specified IP protocol.

func (ProtocolContent) String

func (pc ProtocolContent) String() string

String returns the string representation of the protocol content.

type Resource

type Resource struct {
	Kind       string
	Properties interface{}
}

A Resource is a generic representation of any kind of resource from an infrastructure provider (e.g. AWS). The kind-specific properties can be provided via a kind-specific struct used for the Properties field. Then, given the Kind value, a consumer can assert the kind-specific type when reading the Properties field. Examples of a Resource include an EC2 instance, an AWS VPC, etc.

type ResourceCollection

type ResourceCollection struct {
	// contains filtered or unexported fields
}

A ResourceCollection is a structure used to store any number of Resources, across potentially multiple "domains" (e.g. AWS, GCP, Azure) and kinds (e.g. EC2 instance, subnet, etc.).

func NewResourceCollection

func NewResourceCollection() *ResourceCollection

NewResourceCollection returns a reference to a new, empty ResourceCollection.

func (*ResourceCollection) Get

Get retrieves a Resource from the ResourceCollection.

func (*ResourceCollection) MarshalJSON

func (rc *ResourceCollection) MarshalJSON() ([]byte, error)

MarshalJSON returns the JSON representation of the ResourceCollection.

func (*ResourceCollection) Merge

func (rc *ResourceCollection) Merge(other *ResourceCollection)

Merge safely merges two ResourceCollections such that any unique resource from either collection is represented in the merged collection. For any case where both collections contain a resource for a given domain, kind, and resource ID, the "other" (input parameter) resource will overwrite the corresponding resource in the first collection.

func (*ResourceCollection) Put

func (rc *ResourceCollection) Put(ref ResourceReference, resource Resource)

Put adds a new Resource to the ResourceCollection.

type ResourceReference

type ResourceReference struct {
	Domain string
	Kind   string
	ID     string
}

ResourceReference uniquely identifies a Resource used by Reach. It specifies the resource's Domain (e.g. AWS), Kind (e.g. EC2 instance), and ID (e.g. "i-0136d3233f0ef1924").
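An added example, not the package's own code, of the Resource, ResourceCollection and ResourceReference pattern described above: a collection keyed by domain, kind and ID, Merge with the "other side wins" rule, and the consumer-side read of Properties by Kind. The map storage, the ec2Instance struct and the "ec2-instance" kind label are this example's assumptions (the real ResourceCollection keeps its storage unexported). It also covers the check a practitioner wants: once a Resource has been through JSON, Properties comes back as a map, so a bare type assertion fails and the read has to decode by Kind instead.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// These are this example's own minimal versions of the reach types; the real
// ResourceCollection keeps its storage unexported, so the map is an assumption.
type ResourceReference struct{ Domain, Kind, ID string }

type Resource struct {
	Kind       string
	Properties interface{}
}

// ec2Instance is a made-up kind-specific Properties struct for Kind "ec2-instance"
// (the kind label is this example's, not one the page defines).
type ec2Instance struct {
	SubnetID       string
	SecurityGroups []string
}

type resourceCollection struct{ byRef map[ResourceReference]Resource }

func newResourceCollection() *resourceCollection {
	return &resourceCollection{byRef: map[ResourceReference]Resource{}}
}

func (rc *resourceCollection) Put(ref ResourceReference, r Resource) { rc.byRef[ref] = r }

func (rc *resourceCollection) Get(ref ResourceReference) (Resource, bool) {
	r, ok := rc.byRef[ref]
	return r, ok
}

// Merge: when both collections hold the same domain/kind/ID, other wins.
func (rc *resourceCollection) Merge(other *resourceCollection) {
	for ref, r := range other.byRef {
		rc.byRef[ref] = r
	}
}

// instanceProps is the consumer-side read of Properties. It checks Kind first
// and then copes with the case a plain type assertion misses: once a Resource
// has been through JSON, Properties is a map[string]interface{}, so it must be
// decoded into the kind-specific struct rather than asserted.
func instanceProps(r Resource) (ec2Instance, error) {
	if r.Kind != "ec2-instance" {
		return ec2Instance{}, fmt.Errorf("kind %q is not an EC2 instance", r.Kind)
	}
	if p, ok := r.Properties.(ec2Instance); ok {
		return p, nil
	}
	raw, err := json.Marshal(r.Properties)
	if err != nil {
		return ec2Instance{}, err
	}
	var p ec2Instance
	return p, json.Unmarshal(raw, &p)
}

func main() {
	ref := ResourceReference{Domain: "aws", Kind: "ec2-instance", ID: "i-0136d3233f0ef1924"}
	fresh := newResourceCollection()
	fresh.Put(ref, Resource{Kind: "ec2-instance", Properties: ec2Instance{SubnetID: "subnet-a", SecurityGroups: []string{"sg-1"}}})
	stale := newResourceCollection()
	stale.Put(ref, Resource{Kind: "ec2-instance", Properties: ec2Instance{SubnetID: "subnet-old"}})
	stale.Merge(fresh) // fresh overwrites stale for the shared reference

	r, _ := stale.Get(ref)
	raw, _ := json.Marshal(r)
	var back Resource
	_ = json.Unmarshal(raw, &back)
	_, direct := back.Properties.(ec2Instance) // false after the round trip
	p, err := instanceProps(back)
	fmt.Println(direct, p.SubnetID, err) // false subnet-a <nil>
}
```

Checking Kind before touching Properties matters: a resource of a different kind that happens to carry a field with the same name would otherwise decode silently into the wrong struct.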

func (ResourceReference) String

func (r ResourceReference) String() string

String returns the string representation of the ResourceReference.

type RestrictedProtocol added in v0.2.0

type RestrictedProtocol struct {
	Protocol        Protocol
	NoReturnTraffic bool
}

RestrictedProtocol describes an IP protocol whose return traffic has been restricted.

type Subject

type Subject struct {
	Domain string
	Kind   string
	ID     string
	Role   SubjectRole
}

A Subject is an entity about which a network traffic question is being asked. Reach analyses are conducted between "source" subjects and "destination" subjects. For example, when asking about network traffic allowed between instance A and instance B, instances A and B are the "subjects" of the analysis.

func (*Subject) SetRoleToDestination

func (s *Subject) SetRoleToDestination()

SetRoleToDestination sets the subject's role to "destination".

func (*Subject) SetRoleToSource

func (s *Subject) SetRoleToSource()

SetRoleToSource sets the subject's role to "source".

type SubjectRole

type SubjectRole string

SubjectRole specifies the role the subject plays in an analysis -- i.e. that this subject is the "source" or the "destination".

const (
	SubjectRoleNone        SubjectRole = "none"
	SubjectRoleSource      SubjectRole = "source"
	SubjectRoleDestination SubjectRole = "destination"
)

Allowed values for SubjectRole.

type TrafficContent

type TrafficContent struct {
	// contains filtered or unexported fields
}

TrafficContent defines a set of network traffic across potentially multiple IP protocols.

func NewTrafficContentForAllTraffic

func NewTrafficContentForAllTraffic() TrafficContent

NewTrafficContentForAllTraffic creates a new TrafficContent that represents the set of all expressible network traffic across all protocols.

func NewTrafficContentForCustomProtocol

func NewTrafficContentForCustomProtocol(protocol Protocol, hasContent bool) TrafficContent

NewTrafficContentForCustomProtocol creates a new TrafficContent for a specified, custom IP protocol. The resulting TrafficContent will express either all traffic for that protocol or no traffic for that protocol, depending on the `hasContent` parameter.

func NewTrafficContentForICMP

func NewTrafficContentForICMP(protocol Protocol, icmp set.ICMPSet) TrafficContent

NewTrafficContentForICMP creates a new TrafficContent for either ICMPv4 or ICMPv6 traffic.

func NewTrafficContentForNoTraffic

func NewTrafficContentForNoTraffic() TrafficContent

NewTrafficContentForNoTraffic creates a new TrafficContent that represents a set of no network traffic.

func NewTrafficContentForPorts

func NewTrafficContentForPorts(protocol Protocol, ports set.PortSet) TrafficContent

NewTrafficContentForPorts creates a new TrafficContent for a ports-oriented IP protocol, i.e. TCP or UDP.

func NewTrafficContentFromIntersectingMultiple

func NewTrafficContentFromIntersectingMultiple(contents []TrafficContent) (TrafficContent, error)

NewTrafficContentFromIntersectingMultiple creates a new TrafficContent by intersecting any number of input TrafficContents.

func NewTrafficContentFromMergingMultiple

func NewTrafficContentFromMergingMultiple(contents []TrafficContent) (TrafficContent, error)

NewTrafficContentFromMergingMultiple creates a new TrafficContent by merging any number of input TrafficContents.

func ReturnTrafficContentsFromFactors added in v0.2.0

func ReturnTrafficContentsFromFactors(factors []Factor) []TrafficContent

ReturnTrafficContentsFromFactors returns distinct TrafficContent representations from the input factors' return traffic.

func TrafficContentsFromFactors

func TrafficContentsFromFactors(factors []Factor) []TrafficContent

TrafficContentsFromFactors returns distinct TrafficContent representations from the input factors.

func (TrafficContent) All

func (tc TrafficContent) All() bool

All returns a boolean indicating whether or not the TrafficContent represents all network traffic.

func (TrafficContent) ColorString

func (tc TrafficContent) ColorString() string

ColorString returns the string representation of the TrafficContent, where the positive traffic findings are displayed as green, and the absence of traffic is displayed as red.

func (TrafficContent) ColorStringWithSymbols

func (tc TrafficContent) ColorStringWithSymbols() string

ColorStringWithSymbols returns the colored version of the output from StringWithSymbols().

func (*TrafficContent) Intersect

func (tc *TrafficContent) Intersect(other TrafficContent) (TrafficContent, error)

Intersect performs a set intersection operation on two TrafficContents.

func (TrafficContent) MarshalJSON

func (tc TrafficContent) MarshalJSON() ([]byte, error)

MarshalJSON returns the JSON representation of the TrafficContent.

func (*TrafficContent) Merge

func (tc *TrafficContent) Merge(other TrafficContent) (TrafficContent, error)

Merge performs a set merge operation on two TrafficContents.

func (TrafficContent) None

func (tc TrafficContent) None() bool

None returns a boolean indicating whether or not the TrafficContent represents no network traffic.

func (TrafficContent) Protocols added in v0.2.0

func (tc TrafficContent) Protocols() []Protocol

Protocols returns a slice of the IP protocols described by the traffic content.

func (TrafficContent) ProtocolsWithRestrictedReturnPath added in v0.2.0

func (tc TrafficContent) ProtocolsWithRestrictedReturnPath(returnTraffic TrafficContent) []RestrictedProtocol

ProtocolsWithRestrictedReturnPath returns a list of IP protocols whose communication would be disrupted if return traffic was restricted.
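A stand-alone model of the forward/return split that PassesAssertReachable and ProtocolsWithRestrictedReturnPath reason about, as an added example and not the package's own implementation (TrafficContent's representation is unexported). It assumes ports as a bitset, TCP and UDP only, that a vector's traffic is the intersection of what each factor permits, and that a return path counts as unobstructed only when it admits every port from 1024 up, the range a client's reply lands on; the security group and network ACL rules are constructed. It shows the case the assertion exists for: forward traffic is allowed, yet the destination is not usable because a stateless rule drops the replies.

```go
package main

import (
	"fmt"
	"sort"
)

// Protocol carries the IANA assigned protocol number, as in the reach package.
type Protocol int

const ProtocolTCP, ProtocolUDP Protocol = 6, 17

// portSet has one bit per port 0..65535; it stands in for reach's set.PortSet.
type portSet [1024]uint64

func (s *portSet) add(lo, hi int) {
	for p := lo; p <= hi; p++ {
		s[p/64] |= 1 << (uint(p) % 64)
	}
}

func (s portSet) empty() bool { return s == portSet{} }

// coversEphemeral encodes this example's assumption: replies land on a client
// port >= 1024, so the return path must admit all of 1024..65535 (words 16..1023).
func (s portSet) coversEphemeral() bool {
	for _, w := range s[16:] {
		if w != ^uint64(0) {
			return false
		}
	}
	return true
}

// trafficContent maps a protocol to its allowed ports; an absent protocol
// carries no traffic. It stands in for reach's unexported TrafficContent.
type trafficContent map[Protocol]portSet

func (tc trafficContent) allow(p Protocol, lo, hi int) trafficContent {
	s := tc[p]
	s.add(lo, hi)
	tc[p] = s
	return tc
}

// intersect keeps the ports allowed on both sides; a protocol missing from
// either side drops out, as it does when one factor permits none of it.
func (tc trafficContent) intersect(o trafficContent) trafficContent {
	out := trafficContent{}
	for p, s := range tc {
		other := o[p]
		for i := range s {
			s[i] &= other[i]
		}
		if !s.empty() {
			out[p] = s
		}
	}
	return out
}

type RestrictedProtocol struct {
	Protocol        Protocol
	NoReturnTraffic bool
}

// returnPathReport walks the forward-allowed protocols: replies blocked outright
// (NoReturnTraffic) or only partly admitted make a protocol restricted, and the
// vector is "reachable" only if some protocol is open in both directions.
func returnPathReport(fwd, ret trafficContent) (reachable bool, restricted []RestrictedProtocol) {
	for p, s := range fwd {
		switch {
		case s.empty():
		case ret[p].empty():
			restricted = append(restricted, RestrictedProtocol{p, true})
		case !ret[p].coversEphemeral():
			restricted = append(restricted, RestrictedProtocol{p, false})
		default:
			reachable = true
		}
	}
	sort.Slice(restricted, func(i, j int) bool { return restricted[i].Protocol < restricted[j].Protocol })
	return reachable, restricted
}

// constructedScenario is made up for this example: a stateful security group at
// the destination admits TCP 22, TCP 443 and UDP 53 and returns replies freely;
// a stateless network ACL at the source lets everything out but admits only
// TCP 443 back in, so replies to ephemeral source ports never arrive.
func constructedScenario() (fwd, ret trafficContent) {
	sgFwd := trafficContent{}.allow(ProtocolTCP, 22, 22).allow(ProtocolTCP, 443, 443).allow(ProtocolUDP, 53, 53)
	sgRet := trafficContent{}.allow(ProtocolTCP, 0, 65535).allow(ProtocolUDP, 0, 65535)
	naclFwd := trafficContent{}.allow(ProtocolTCP, 0, 65535).allow(ProtocolUDP, 0, 65535)
	naclRet := trafficContent{}.allow(ProtocolTCP, 443, 443)
	return sgFwd.intersect(naclFwd), sgRet.intersect(naclRet)
}

func main() {
	fwd, ret := constructedScenario()
	fmt.Println(returnPathReport(fwd, ret)) // false [{6 false} {17 true}]
	ret.allow(ProtocolTCP, 1024, 65535)     // fix the ACL: admit replies to ephemeral ports
	fmt.Println(returnPathReport(fwd, ret)) // true [{17 true}]
}
```

The first report is the case a forward-only check gets wrong: TCP 22 and 443 are allowed in, so a naive "reachable" answer would be yes, but no TCP handshake can complete until the ACL admits the reply range. UDP 53 stays restricted with NoReturnTraffic after the fix, which is what you would expect a one-way syslog or DNS query path to look like.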

func (TrafficContent) String

func (tc TrafficContent) String() string

String returns the string representation of the TrafficContent.

func (TrafficContent) StringWithSymbols

func (tc TrafficContent) StringWithSymbols() string

StringWithSymbols returns the string representation of the TrafficContent, with the added feature of prepending each output line with a symbol, intended for display to the user.

func (*TrafficContent) Subtract added in v0.2.0

func (tc *TrafficContent) Subtract(other TrafficContent) (TrafficContent, error)

Subtract performs a set subtraction (self - other) on two TrafficContents.

type VectorAnalyzer

type VectorAnalyzer interface {
	Factors(v NetworkVector) ([]Factor, NetworkVector, error)
}

A VectorAnalyzer can calculate analysis factors for a given network vector.

type VectorDiscoverer

type VectorDiscoverer interface {
	Discover([]*Subject) ([]NetworkVector, error)
}

A VectorDiscoverer can return all network vectors that exist between specified subjects.

Directories

Path Synopsis
aws
api
