Documentation
Index
- Constants
- func DiffErrorf(t *testing.T, item string, expected, actual interface{})
- func NewSubjectError(details string) error
- func ProtocolName(protocol Protocol) string
- func ValidSubjectRole(role SubjectRole) bool
- type Analysis
- type Factor
- type NetworkPoint
- type NetworkVector
- type Perspective
- type Protocol
- type ProtocolContent
- type Resource
- type ResourceCollection
- type ResourceReference
- type RestrictedProtocol
- type Subject
- type SubjectRole
- type TrafficContent
- func NewTrafficContentForAllTraffic() TrafficContent
- func NewTrafficContentForCustomProtocol(protocol Protocol, hasContent bool) TrafficContent
- func NewTrafficContentForICMP(protocol Protocol, icmp set.ICMPSet) TrafficContent
- func NewTrafficContentForNoTraffic() TrafficContent
- func NewTrafficContentForPorts(protocol Protocol, ports set.PortSet) TrafficContent
- func NewTrafficContentFromIntersectingMultiple(contents []TrafficContent) (TrafficContent, error)
- func NewTrafficContentFromMergingMultiple(contents []TrafficContent) (TrafficContent, error)
- func ReturnTrafficContentsFromFactors(factors []Factor) []TrafficContent
- func TrafficContentsFromFactors(factors []Factor) []TrafficContent
- func (tc TrafficContent) All() bool
- func (tc TrafficContent) ColorString() string
- func (tc TrafficContent) ColorStringWithSymbols() string
- func (tc *TrafficContent) Intersect(other TrafficContent) (TrafficContent, error)
- func (tc TrafficContent) MarshalJSON() ([]byte, error)
- func (tc *TrafficContent) Merge(other TrafficContent) (TrafficContent, error)
- func (tc TrafficContent) None() bool
- func (tc TrafficContent) Protocols() []Protocol
- func (tc TrafficContent) ProtocolsWithRestrictedReturnPath(returnTraffic TrafficContent) []RestrictedProtocol
- func (tc TrafficContent) String() string
- func (tc TrafficContent) StringWithSymbols() string
- func (tc *TrafficContent) Subtract(other TrafficContent) (TrafficContent, error)
- type VectorAnalyzer
- type VectorDiscoverer
Constants
const (
	ProtocolNameAll    = "all"
	ProtocolNameICMPv4 = "ICMPv4"
	ProtocolNameTCP    = "TCP"
	ProtocolNameUDP    = "UDP"
	ProtocolNameICMPv6 = "ICMPv6"
)
Names of the most common IP protocols.
const (
	ErrSubjectPrefix         = "subject creation error"
	ErrSubjectRoleValidation = "subject role must be 'source' or 'destination'"
	ErrSubjectIDValidation   = "id must be a non-empty string"
)
Common errors for the Subject type.
Variables
This section is empty.
Functions
func DiffErrorf
func DiffErrorf(t *testing.T, item string, expected, actual interface{})
DiffErrorf provides a convenient way to output a difference between two values (such as between an expected value and an actual value) that caused a test to fail.
func NewSubjectError
func NewSubjectError(details string) error
NewSubjectError generates a new error related to a subject operation.
func ProtocolName
func ProtocolName(protocol Protocol) string
ProtocolName returns the name of an IP protocol given the protocol's assigned number.
func ValidSubjectRole
func ValidSubjectRole(role SubjectRole) bool
ValidSubjectRole returns a boolean indicating whether or not the specified subject role is valid.
Types
type Analysis
type Analysis struct {
	Subjects       []*Subject
	Resources      *ResourceCollection
	NetworkVectors []NetworkVector
}
Analysis is the central structure of a Reach analysis. It describes what subjects were analyzed, what resources were retrieved, and a collection of network vectors between all source-to-destination pairings of subjects.
func NewAnalysis
func NewAnalysis(subjects []*Subject, resources *ResourceCollection, networkVectors []NetworkVector) *Analysis
NewAnalysis simply creates a new Analysis struct.
func (*Analysis) MergedReturnTraffic (added in v0.2.0)
func (a *Analysis) MergedReturnTraffic() (TrafficContent, error)
MergedReturnTraffic gets the return TrafficContent results of each of the analysis's network vectors and returns them as a merged TrafficContent.
func (*Analysis) MergedTraffic
func (a *Analysis) MergedTraffic() (TrafficContent, error)
MergedTraffic gets the TrafficContent results of each of the analysis's network vectors and returns them as a merged TrafficContent.
func (Analysis) PassesAssertNotReachable (added in v0.2.0)
PassesAssertNotReachable determines if the analysis implies the source has no way to send network traffic to the destination.
func (Analysis) PassesAssertReachable (added in v0.2.0)
PassesAssertReachable determines if the analysis implies the source can reach the destination over at least one protocol whose return path is unobstructed.
type Factor
type Factor struct {
	Kind          string
	Resource      ResourceReference
	Traffic       TrafficContent
	ReturnTraffic TrafficContent
	Properties    interface{} `json:"Properties,omitempty"`
}
A Factor describes how a particular component of the ingested resources has an impact on the network traffic allowed to flow from a source to a destination.
type NetworkPoint
type NetworkPoint struct {
	IPAddress net.IP
	Lineage   []ResourceReference
	Factors   []Factor
}
A NetworkPoint is a point of termination for an analyzed network vector (on either the source or destination side), such that no further subdivision of a source or destination is possible beyond the network point. For example, the CIDR block "10.0.1.0/24" contains numerous individual IP addresses, and the analysis result might vary depending on which of these individual IP addresses is used in real network traffic. To break this problem down, so that an analysis result is as definitive as possible, each individual IP address must be analyzed, one at a time. Each IP address could be considered a network point, whereas the CIDR block could not.
func (NetworkPoint) String
func (point NetworkPoint) String() string
String returns the text representation of the NetworkPoint.
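An added illustration of the network-point idea above, not the Reach project's code: expanding a CIDR block into the individual addresses that an analysis would have to treat as separate network points. The function name NetworkPoints and its maxPoints bound are this example's own; the bound exists because a large block (a /8 holds over 16 million addresses) must not be expanded blindly, and the sample CIDRs in main are constructed.

```go
package main

import (
	"fmt"
	"net/netip"
)

// NetworkPoints expands a CIDR block into the individual addresses that an
// analysis would treat as separate network points (an added example, not the
// project's code). maxPoints bounds the expansion; the second result reports
// whether the block was cut off at that bound.
func NetworkPoints(cidr string, maxPoints int) ([]netip.Addr, bool, error) {
	prefix, err := netip.ParsePrefix(cidr)
	if err != nil {
		return nil, false, err
	}
	prefix = prefix.Masked() // "10.0.1.7/24" becomes "10.0.1.0/24"
	var points []netip.Addr
	// Next() past the last possible address yields an invalid Addr, which
	// Contains rejects, so the loop also terminates at the end of the space.
	for addr := prefix.Addr(); prefix.Contains(addr); addr = addr.Next() {
		if len(points) == maxPoints {
			return points, true, nil
		}
		points = append(points, addr)
	}
	return points, false, nil
}

func main() {
	// Constructed sample inputs: a /24, a single host, an oversized block and junk.
	for _, cidr := range []string{"10.0.1.0/24", "10.0.1.7/32", "10.0.0.0/8", "not-a-cidr"} {
		points, truncated, err := NetworkPoints(cidr, 1024)
		if err != nil {
			fmt.Println(cidr, "->", err)
			continue
		}
		fmt.Printf("%s -> %d network point(s), truncated=%v, first=%s, last=%s\n",
			cidr, len(points), truncated, points[0], points[len(points)-1])
	}
}
```

A /24 yields 256 points, a /32 yields exactly one, and the /8 stops at the bound with truncated set to true, which is the signal a caller would use to refuse or narrow an analysis rather than silently run it on a subset.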
type NetworkVector
type NetworkVector struct {
	ID            string
	Source        NetworkPoint
	Destination   NetworkPoint
	Traffic       *TrafficContent
	ReturnTraffic *TrafficContent
}
A NetworkVector represents the path between two network points that can be analyzed in terms of what kind of network traffic is allowed to flow from point to point.
func NewNetworkVector
func NewNetworkVector(source, destination NetworkPoint) (NetworkVector, error)
NewNetworkVector creates a new network vector given a source and a destination network point.
func (NetworkVector) DestinationPerspective
func (v NetworkVector) DestinationPerspective() Perspective
DestinationPerspective returns an analyzable Perspective based on the NetworkVector's destination network point.
func (NetworkVector) SourcePerspective
func (v NetworkVector) SourcePerspective() Perspective
SourcePerspective returns an analyzable Perspective based on the NetworkVector's source network point.
func (NetworkVector) String
func (v NetworkVector) String() string
String returns the text representation of a NetworkVector.
type Perspective
type Perspective struct {
	Self      NetworkPoint
	Other     NetworkPoint
	SelfRole  SubjectRole
	OtherRole SubjectRole
}
A Perspective provides a reference to one direction of a network vector with knowledge of which network point is currently being analyzed ("self") and which network point is the "other" or "target" network point, such that properties of the "other" network point can be used when determining whether they apply to the analysis of the "self" network point.
type Protocol
type Protocol int
A Protocol represents an analyzable IP protocol, whose integer value corresponds to the officially assigned number for the IP protocol (as defined here: https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml).
const (
	ProtocolAll    Protocol = -1
	ProtocolICMPv4 Protocol = 1
	ProtocolTCP    Protocol = 6
	ProtocolUDP    Protocol = 17
	ProtocolICMPv6 Protocol = 58
)
Protocol numbers for the most common IP protocols.
func (Protocol) IsCustomProtocol
IsCustomProtocol returns a boolean indicating whether or not the underlying protocol is "custom", meaning that it's not TCP, UDP, ICMPv4, or ICMPv6. The significance of this distinction is that Reach can analyze custom protocols only on an "all-or-nothing" basis, in contrast to protocols like TCP, where Reach can further assess traffic flow on a more granular basis, like ports.
func (Protocol) UsesICMPTypeCodes
UsesICMPTypeCodes returns a boolean indicating whether or not the underlying protocol is ICMP (v4) or ICMPv6.
type ProtocolContent
type ProtocolContent struct {
	Protocol                 Protocol
	Ports                    *set.PortSet `json:"Ports,omitempty"`
	ICMP                     *set.ICMPSet `json:"ICMP,omitempty"`
	CustomProtocolHasContent *bool        `json:"CustomProtocolHasContent,omitempty"`
}
ProtocolContent specifies a set of network traffic for a single, specified IP protocol.
func (ProtocolContent) String
func (pc ProtocolContent) String() string
String returns the string representation of the protocol content.
type Resource
type Resource struct {
	Kind       string
	Properties interface{}
}
A Resource is a generic representation of any kind of resource from an infrastructure provider (e.g. AWS). The kind-specific properties can be provided via a kind-specific struct used for the Properties field. Then, given the Kind value, a consumer can assert the kind-specific type when reading the Properties field. Examples of a Resource include an EC2 instance, an AWS VPC, etc.
type ResourceCollection
type ResourceCollection struct {
	// contains filtered or unexported fields
}
A ResourceCollection is a structure used to store any number of Resources, across potentially multiple "domains" (e.g. AWS, GCP, Azure) and kinds (e.g. EC2 instance, subnet, etc.).
func NewResourceCollection
func NewResourceCollection() *ResourceCollection
NewResourceCollection returns a reference to a new, empty ResourceCollection.
func (*ResourceCollection) Get
func (rc *ResourceCollection) Get(ref ResourceReference) *Resource
Get retrieves a Resource from the ResourceCollection.
func (*ResourceCollection) MarshalJSON
func (rc *ResourceCollection) MarshalJSON() ([]byte, error)
MarshalJSON returns the JSON representation of the ResourceCollection.
func (*ResourceCollection) Merge
func (rc *ResourceCollection) Merge(other *ResourceCollection)
Merge safely merges two ResourceCollections such that any unique resource from either collection is represented in the merged collection. For any case where both collections contain a resource for a given domain, kind, and resource ID, the "other" (input parameter) resource will overwrite the corresponding resource in the first collection.
func (*ResourceCollection) Put
func (rc *ResourceCollection) Put(ref ResourceReference, resource Resource)
Put adds a new Resource to the ResourceCollection.
type ResourceReference
ResourceReference uniquely identifies a Resource used by Reach. It specifies the resource's Domain (e.g. AWS), Kind (e.g. EC2 instance), and ID (e.g. "i-0136d3233f0ef1924").
func (ResourceReference) String
func (r ResourceReference) String() string
String returns the string representation of the ResourceReference.
type RestrictedProtocol (added in v0.2.0)
RestrictedProtocol describes an IP protocol whose return traffic has been restricted.
type Subject
type Subject struct {
	Domain string
	Kind   string
	ID     string
	Role   SubjectRole
}
A Subject is an entity about which a network traffic question is being asked. Reach analyses are conducted between "source" subjects and "destination" subjects. For example, when asking about network traffic allowed between instance A and instance B, instances A and B are the "subjects" of the analysis.
func (*Subject) SetRoleToDestination
func (s *Subject) SetRoleToDestination()
SetRoleToDestination sets the subject's role to "destination".
func (*Subject) SetRoleToSource
func (s *Subject) SetRoleToSource()
SetRoleToSource sets the subject's role to "source".
type SubjectRole
type SubjectRole string
SubjectRole specifies the role the subject plays in an analysis, i.e. whether this subject is the "source" or the "destination".
const (
	SubjectRoleNone        SubjectRole = "none"
	SubjectRoleSource      SubjectRole = "source"
	SubjectRoleDestination SubjectRole = "destination"
)
Allowed values for SubjectRole.
type TrafficContent
type TrafficContent struct {
	// contains filtered or unexported fields
}
TrafficContent defines a set of network traffic across potentially multiple IP protocols.
func NewTrafficContentForAllTraffic
func NewTrafficContentForAllTraffic() TrafficContent
NewTrafficContentForAllTraffic creates a new TrafficContent that represents the set of all expressible network traffic across all protocols.
func NewTrafficContentForCustomProtocol
func NewTrafficContentForCustomProtocol(protocol Protocol, hasContent bool) TrafficContent
NewTrafficContentForCustomProtocol creates a new TrafficContent for a specified, custom IP protocol. The resulting TrafficContent will express either all traffic for that protocol or no traffic for that protocol, depending on the `hasContent` parameter.
func NewTrafficContentForICMP
func NewTrafficContentForICMP(protocol Protocol, icmp set.ICMPSet) TrafficContent
NewTrafficContentForICMP creates a new TrafficContent for either ICMPv4 or ICMPv6 traffic.
func NewTrafficContentForNoTraffic
func NewTrafficContentForNoTraffic() TrafficContent
NewTrafficContentForNoTraffic creates a new TrafficContent that represents a set of no network traffic.
func NewTrafficContentForPorts
func NewTrafficContentForPorts(protocol Protocol, ports set.PortSet) TrafficContent
NewTrafficContentForPorts creates a new TrafficContent for a ports-oriented IP protocol, i.e. TCP or UDP.
func NewTrafficContentFromIntersectingMultiple
func NewTrafficContentFromIntersectingMultiple(contents []TrafficContent) (TrafficContent, error)
NewTrafficContentFromIntersectingMultiple creates a new TrafficContent by intersecting any number of input TrafficContents.
func NewTrafficContentFromMergingMultiple
func NewTrafficContentFromMergingMultiple(contents []TrafficContent) (TrafficContent, error)
NewTrafficContentFromMergingMultiple creates a new TrafficContent by merging any number of input TrafficContents.
func ReturnTrafficContentsFromFactors (added in v0.2.0)
func ReturnTrafficContentsFromFactors(factors []Factor) []TrafficContent
ReturnTrafficContentsFromFactors returns distinct TrafficContent representations from the input factors' return traffic.
func TrafficContentsFromFactors
func TrafficContentsFromFactors(factors []Factor) []TrafficContent
TrafficContentsFromFactors returns distinct TrafficContent representations from the input factors.
func (TrafficContent) All
func (tc TrafficContent) All() bool
All returns a boolean indicating whether or not the TrafficContent represents all network traffic.
func (TrafficContent) ColorString
func (tc TrafficContent) ColorString() string
ColorString returns the string representation of the TrafficContent, where the positive traffic findings are displayed as green, and the absence of traffic is displayed as red.
func (TrafficContent) ColorStringWithSymbols
func (tc TrafficContent) ColorStringWithSymbols() string
ColorStringWithSymbols returns the colored version of the output from StringWithSymbols().
func (*TrafficContent) Intersect
func (tc *TrafficContent) Intersect(other TrafficContent) (TrafficContent, error)
Intersect performs a set intersection operation on two TrafficContents.
func (TrafficContent) MarshalJSON
func (tc TrafficContent) MarshalJSON() ([]byte, error)
MarshalJSON returns the JSON representation of the TrafficContent.
func (*TrafficContent) Merge
func (tc *TrafficContent) Merge(other TrafficContent) (TrafficContent, error)
Merge performs a set merge operation on two TrafficContents.
func (TrafficContent) None
func (tc TrafficContent) None() bool
None returns a boolean indicating whether or not the TrafficContent represents no network traffic.
func (TrafficContent) Protocols (added in v0.2.0)
func (tc TrafficContent) Protocols() []Protocol
Protocols returns a slice of the IP protocols described by the traffic content.
func (TrafficContent) ProtocolsWithRestrictedReturnPath (added in v0.2.0)
func (tc TrafficContent) ProtocolsWithRestrictedReturnPath(returnTraffic TrafficContent) []RestrictedProtocol
ProtocolsWithRestrictedReturnPath returns a list of IP protocols whose communication would be disrupted if return traffic were restricted.
func (TrafficContent) String
func (tc TrafficContent) String() string
String returns the string representation of the TrafficContent.
func (TrafficContent) StringWithSymbols
func (tc TrafficContent) StringWithSymbols() string
StringWithSymbols returns the string representation of the TrafficContent, with the added feature of prepending each output line with a symbol, intended for display to the user.
func (*TrafficContent) Subtract (added in v0.2.0)
func (tc *TrafficContent) Subtract(other TrafficContent) (TrafficContent, error)
Subtract performs a set subtraction (self - other) on two TrafficContents.
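The set operations of this section (merging, intersecting, and the "no traffic"/"all traffic" cases), the return-path check behind ProtocolsWithRestrictedReturnPath, and the Analysis assertions PassesAssertReachable and PassesAssertNotReachable described earlier, as one added, self-contained Go illustration. This is not Reach's code: Proto, Content, Traffic, Of, Merge, Intersect, RestrictedReturnPath, Reachable and None are stand-ins for the package's Protocol, TrafficContent and their methods, and the model is deliberately simplified (ports held in a map, no ICMP type/code handling, and a return path counted as unobstructed only when the return traffic allows the whole protocol, which is this example's assumption rather than the package's rule). The security-group and network-ACL contents in main are constructed sample data.

```go
package main

import "fmt"

// Proto stands in for the page's Protocol type: the IANA protocol number.
type Proto int

const (
	TCP Proto = 6
	UDP Proto = 17
	GRE Proto = 47 // a "custom" protocol in the page's sense: all-or-nothing
)

// Content is one protocol's traffic: All (every port, or "has content" for a
// custom protocol) or else explicit Ports. Traffic stands in for TrafficContent.
type Content struct {
	All   bool
	Ports map[int]bool
}
type Traffic map[Proto]Content

// Of builds traffic for p: all of it when no ports are given, else those ports.
func Of(p Proto, ports ...int) Traffic {
	t := Traffic{p: {All: len(ports) == 0, Ports: map[int]bool{}}}
	for _, port := range ports {
		t[p].Ports[port] = true
	}
	return t
}

// add unions c into t under p, copying ports and dropping empty content.
func (t Traffic) add(p Proto, c Content) {
	cur, ok := t[p]
	switch {
	case !c.All && len(c.Ports) == 0:
		return // nothing to add, so None() stays meaningful
	case c.All || cur.All:
		t[p] = Content{All: true}
		return
	case !ok:
		cur.Ports = map[int]bool{}
	}
	for port := range c.Ports {
		cur.Ports[port] = true
	}
	t[p] = cur
}

// Merge is a set union of any number of inputs (cf. NewTrafficContentFromMergingMultiple).
func Merge(ins ...Traffic) Traffic {
	out := Traffic{}
	for _, in := range ins {
		for p, c := range in {
			out.add(p, c)
		}
	}
	return out
}

// Intersect keeps only traffic allowed by both inputs, which is how stacked
// controls (a security group and a network ACL, say) combine.
func Intersect(a, b Traffic) Traffic {
	out := Traffic{}
	for p, ca := range a {
		cb := b[p] // zero Content when b lacks p: nothing gets through
		if ca.All {
			out.add(p, cb) // the other side is the only restriction
			continue
		}
		for port := range ca.Ports {
			if cb.All || cb.Ports[port] {
				out.add(p, Content{Ports: map[int]bool{port: true}})
			}
		}
	}
	return out
}

// RestrictedReturnPath is the set of forward protocols whose replies would be disrupted.
// Model assumption: a return path is unobstructed only when ret allows the protocol fully.
func RestrictedReturnPath(forward, ret Traffic) map[Proto]bool {
	restricted := map[Proto]bool{}
	for p := range forward {
		if c, ok := ret[p]; !ok || !c.All {
			restricted[p] = true
		}
	}
	return restricted
}

// None is the condition behind PassesAssertNotReachable (no traffic at all); Reachable
// mirrors PassesAssertReachable (some forward protocol has an unobstructed return path).
func (t Traffic) None() bool              { return len(t) == 0 }
func Reachable(forward, ret Traffic) bool { return len(RestrictedReturnPath(forward, ret)) < len(forward) }

func main() {
	// Constructed sample: security group (TCP 22/443, UDP 53) on a network ACL (all TCP and GRE).
	forward := Intersect(Merge(Of(TCP, 22, 443), Of(UDP, 53)), Merge(Of(TCP), Of(GRE)))
	fmt.Println(forward, Reachable(forward, Of(TCP)), Reachable(forward, Of(TCP, 443)))
}
```

The sample shows the two points a reviewer of such an analysis cares about: UDP and GRE vanish from the forward set because each is permitted on only one of the stacked controls, and the remaining TCP 22/443 is reachable when the return path allows all of TCP but counts as restricted when the return path is narrowed to a single port.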
type VectorAnalyzer
type VectorAnalyzer interface {
	Factors(v NetworkVector) ([]Factor, NetworkVector, error)
}
A VectorAnalyzer can calculate analysis factors for a given network vector.
type VectorDiscoverer
type VectorDiscoverer interface {
	Discover([]*Subject) ([]NetworkVector, error)
}
A VectorDiscoverer can return all network vectors that exist between specified subjects.