From b4a9fd01042f13f4844f8a7f80adc7774db7b45d Mon Sep 17 00:00:00 2001 From: Amir Malka Date: Sun, 15 Dec 2024 15:41:36 +0200 Subject: [PATCH 1/4] improve searching in CIDR ranges using cidranger Signed-off-by: Amir Malka --- go.mod | 1 + go.sum | 2 + .../softwarecomposition/knownserversfinder.go | 83 ++++++++++++++ pkg/apis/softwarecomposition/network_types.go | 13 +++ .../networkpolicy/v2/networkpolicy.go | 107 +++++++----------- .../networkpolicy/v2/networkpolicy_test.go | 2 +- .../v1beta1/networkpolicy/v2/networkpolicy.go | 2 +- pkg/registry/file/generatednetworkpolicy.go | 4 +- 8 files changed, 145 insertions(+), 69 deletions(-) create mode 100644 pkg/apis/softwarecomposition/knownserversfinder.go diff --git a/go.mod b/go.mod index baee1beec..297c5da75 100644 --- a/go.mod +++ b/go.mod @@ -25,6 +25,7 @@ require ( github.com/spf13/afero v1.11.0 github.com/spf13/cobra v1.8.1 github.com/stretchr/testify v1.9.0 + github.com/yl2chen/cidranger v1.0.2 go.opentelemetry.io/otel v1.30.0 go.uber.org/multierr v1.11.0 go.uber.org/zap v1.27.0 diff --git a/go.sum b/go.sum index e3c6d499c..667ff9bab 100644 --- a/go.sum +++ b/go.sum @@ -1339,6 +1339,8 @@ github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2 h1:eY9dn8+vbi4tKz5 github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU= github.com/xo/terminfo v0.0.0-20210125001918-ca9a967f8778 h1:QldyIu/L63oPpyvQmHgvgickp1Yw510KJOqX7H24mg8= github.com/xo/terminfo v0.0.0-20210125001918-ca9a967f8778/go.mod h1:2MuV+tbUrU1zIOPMxZ5EncGwgmMJsa+9ucAQZXxsObs= +github.com/yl2chen/cidranger v1.0.2 h1:lbOWZVCG1tCRX4u24kuM1Tb4nHqWkDxwLdoS+SevawU= +github.com/yl2chen/cidranger v1.0.2/go.mod h1:9U1yz7WPYDwf0vpNWFaeRh0bjwz5RVgRy/9UEQfHl0g= github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= diff --git a/pkg/apis/softwarecomposition/knownserversfinder.go b/pkg/apis/softwarecomposition/knownserversfinder.go new file mode 100644 index 000000000..cc903c641 --- /dev/null +++ b/pkg/apis/softwarecomposition/knownserversfinder.go @@ -0,0 +1,83 @@ +package softwarecomposition + +import ( + "net" + + "github.com/yl2chen/cidranger" +) + +var _ IKnownServersFinder = (*KnownServersFinderImpl)(nil) +var _ IKnownServerEntry = (*KnownServersFinderEntry)(nil) + +type KnownServersFinderImpl struct { + ranger cidranger.Ranger + knownServers []KnownServer +} + +type KnownServersFinderEntry struct { + knownServer KnownServerEntry + network net.IPNet +} + +func NewKnownServersFinderEntry(kse KnownServerEntry) (*KnownServersFinderEntry, error) { + _, res, err := net.ParseCIDR(kse.IPBlock) + if err != nil || res == nil { + return nil, err + } + return &KnownServersFinderEntry{knownServer: kse, network: *res}, nil +} + +func (k *KnownServersFinderEntry) GetServer() string { + return k.knownServer.Server +} + +func (k *KnownServersFinderEntry) GetName() string { + return k.knownServer.Name +} + +func (k *KnownServersFinderEntry) GetIPBlock() string { + return k.knownServer.IPBlock +} + +func (k *KnownServersFinderEntry) Network() net.IPNet { + return k.network +} + +func NewKnownServersFinderImpl(knownServers []KnownServer) IKnownServersFinder { + // build the ranger for searching + ranger := cidranger.NewPCTrieRanger() + for _, knownServer := range knownServers { + for _, knownServerEntry := range knownServer.Spec { + if rangerEntry, err := NewKnownServersFinderEntry(knownServerEntry); err == nil && rangerEntry != nil { + _ = ranger.Insert(rangerEntry) + } + } + } + return &KnownServersFinderImpl{ + ranger: ranger, + knownServers: knownServers, + } +} + +func (k *KnownServersFinderImpl) Contains(ip net.IP) ([]IKnownServerEntry, bool) { + if k.ranger == nil { + return nil, false + } + contains, _ := k.ranger.Contains(ip) + if contains { + if entries, err := k.ranger.ContainingNetworks(ip); err == nil && len(entries) > 0 { + knownServersEntries := make([]IKnownServerEntry, 0, len(entries)) + for _, entry := range entries { + if v, ok := entry.(*KnownServersFinderEntry); ok { + knownServersEntries = append(knownServersEntries, v) + } + } + return knownServersEntries, true + } + } + return nil, false +} + +func (k *KnownServersFinderImpl) GetKnownServers() []KnownServer { + return k.knownServers +} diff --git a/pkg/apis/softwarecomposition/network_types.go b/pkg/apis/softwarecomposition/network_types.go index fd33da117..aab6b8570 100644 --- a/pkg/apis/softwarecomposition/network_types.go +++ b/pkg/apis/softwarecomposition/network_types.go @@ -1,6 +1,8 @@ package softwarecomposition import ( + "net" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) @@ -163,3 +165,14 @@ type KnownServerEntry struct { Server string Name string } + +type IKnownServerEntry interface { + GetIPBlock() string + GetName() string + GetServer() string +} + +type IKnownServersFinder interface { + Contains(ip net.IP) ([]IKnownServerEntry, bool) + GetKnownServers() []KnownServer +} diff --git a/pkg/apis/softwarecomposition/networkpolicy/v2/networkpolicy.go b/pkg/apis/softwarecomposition/networkpolicy/v2/networkpolicy.go index 719d20b10..6acaa3b67 100644 --- a/pkg/apis/softwarecomposition/networkpolicy/v2/networkpolicy.go +++ b/pkg/apis/softwarecomposition/networkpolicy/v2/networkpolicy.go @@ -24,7 +24,7 @@ const ( storageV1ApiVersion = "spdx.softwarecomposition.kubescape.io" ) -func GenerateNetworkPolicy(nn *softwarecomposition.NetworkNeighborhood, knownServers []softwarecomposition.KnownServer, timeProvider metav1.Time) (softwarecomposition.GeneratedNetworkPolicy, error) { +func GenerateNetworkPolicy(nn *softwarecomposition.NetworkNeighborhood, knownServers softwarecomposition.IKnownServersFinder, timeProvider metav1.Time) (softwarecomposition.GeneratedNetworkPolicy, error) { if !IsAvailable(nn) { return softwarecomposition.GeneratedNetworkPolicy{}, fmt.Errorf("nn %s/%s status annotation is not ready nor completed", nn.Namespace, nn.Name) } @@ -319,7 +319,7 @@ func mergeEgressRulesByPorts(rules []softwarecomposition.NetworkPolicyEgressRule return mergedRules } -func generateEgressRule(neighbor softwarecomposition.NetworkNeighbor, knownServers []softwarecomposition.KnownServer) (softwarecomposition.NetworkPolicyEgressRule, []softwarecomposition.PolicyRef) { +func generateEgressRule(neighbor softwarecomposition.NetworkNeighbor, knownServers softwarecomposition.IKnownServersFinder) (softwarecomposition.NetworkPolicyEgressRule, []softwarecomposition.PolicyRef) { egressRule := softwarecomposition.NetworkPolicyEgressRule{} policyRefs := []softwarecomposition.PolicyRef{} @@ -342,41 +342,30 @@ func generateEgressRule(neighbor softwarecomposition.NetworkNeighbor, knownServe } if neighbor.IPAddress != "" { - isKnownServer := false // look if this IP is part of any known server - for _, knownServer := range knownServers { - for _, entry := range knownServer.Spec { - _, subNet, err := net.ParseCIDR(entry.IPBlock) - if err != nil { - logger.L().Error("error parsing cidr", helpers.Error(err)) - continue + if entries, contains := knownServers.Contains(net.ParseIP(neighbor.IPAddress)); contains { + for _, entry := range entries { + egressRule.To = append(egressRule.To, softwarecomposition.NetworkPolicyPeer{ + IPBlock: &softwarecomposition.IPBlock{ + CIDR: entry.GetIPBlock(), + }, + }) + + policyRef := softwarecomposition.PolicyRef{ + Name: entry.GetName(), + OriginalIP: neighbor.IPAddress, + IPBlock: entry.GetIPBlock(), + Server: entry.GetServer(), } - if subNet.Contains(net.ParseIP(neighbor.IPAddress)) { - egressRule.To = append(egressRule.To, softwarecomposition.NetworkPolicyPeer{ - IPBlock: &softwarecomposition.IPBlock{ - CIDR: entry.IPBlock, - }, - }) - isKnownServer = true - - policyRef := softwarecomposition.PolicyRef{ - Name: entry.Name, - OriginalIP: neighbor.IPAddress, - IPBlock: entry.IPBlock, - Server: entry.Server, - } - - if neighbor.DNS != "" { - policyRef.DNS = neighbor.DNS - } - - policyRefs = append(policyRefs, policyRef) - break + + if neighbor.DNS != "" { + policyRef.DNS = neighbor.DNS } - } - } - if !isKnownServer { + policyRefs = append(policyRefs, policyRef) + + } + } else { ipBlock := getSingleIP(neighbor.IPAddress) egressRule.To = append(egressRule.To, softwarecomposition.NetworkPolicyPeer{ IPBlock: ipBlock, @@ -405,7 +394,7 @@ func generateEgressRule(neighbor softwarecomposition.NetworkNeighbor, knownServe return egressRule, policyRefs } -func generateIngressRule(neighbor softwarecomposition.NetworkNeighbor, knownServers []softwarecomposition.KnownServer) (softwarecomposition.NetworkPolicyIngressRule, []softwarecomposition.PolicyRef) { +func generateIngressRule(neighbor softwarecomposition.NetworkNeighbor, knownServers softwarecomposition.IKnownServersFinder) (softwarecomposition.NetworkPolicyIngressRule, []softwarecomposition.PolicyRef) { ingressRule := softwarecomposition.NetworkPolicyIngressRule{} policyRefs := []softwarecomposition.PolicyRef{} @@ -427,41 +416,29 @@ func generateIngressRule(neighbor softwarecomposition.NetworkNeighbor, knownServ } if neighbor.IPAddress != "" { - isKnownServer := false // look if this IP is part of any known server - for _, knownServer := range knownServers { - for _, entry := range knownServer.Spec { - _, subNet, err := net.ParseCIDR(entry.IPBlock) - if err != nil { - logger.L().Error("error parsing cidr", helpers.Error(err)) - continue + if entries, ok := knownServers.Contains(net.ParseIP(neighbor.IPAddress)); ok { + for _, entry := range entries { + ingressRule.From = append(ingressRule.From, softwarecomposition.NetworkPolicyPeer{ + IPBlock: &softwarecomposition.IPBlock{ + CIDR: entry.GetIPBlock(), + }, + }) + + policyRef := softwarecomposition.PolicyRef{ + Name: entry.GetName(), + OriginalIP: neighbor.IPAddress, + IPBlock: entry.GetIPBlock(), + Server: entry.GetServer(), } - if subNet.Contains(net.ParseIP(neighbor.IPAddress)) { - ingressRule.From = append(ingressRule.From, softwarecomposition.NetworkPolicyPeer{ - IPBlock: &softwarecomposition.IPBlock{ - CIDR: entry.IPBlock, - }, - }) - isKnownServer = true - - policyRef := softwarecomposition.PolicyRef{ - Name: entry.Name, - OriginalIP: neighbor.IPAddress, - IPBlock: entry.IPBlock, - Server: entry.Server, - } - - if neighbor.DNS != "" { - policyRef.DNS = neighbor.DNS - } - - policyRefs = append(policyRefs, policyRef) - break + + if neighbor.DNS != "" { + policyRef.DNS = neighbor.DNS } - } - } - if !isKnownServer { + policyRefs = append(policyRefs, policyRef) + } + } else { ipBlock := getSingleIP(neighbor.IPAddress) ingressRule.From = append(ingressRule.From, softwarecomposition.NetworkPolicyPeer{ IPBlock: ipBlock, diff --git a/pkg/apis/softwarecomposition/networkpolicy/v2/networkpolicy_test.go b/pkg/apis/softwarecomposition/networkpolicy/v2/networkpolicy_test.go index 16bcc1050..278f0bd89 100644 --- a/pkg/apis/softwarecomposition/networkpolicy/v2/networkpolicy_test.go +++ b/pkg/apis/softwarecomposition/networkpolicy/v2/networkpolicy_test.go @@ -1353,7 +1353,7 @@ func TestGenerateNetworkPolicy(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - got, err := GenerateNetworkPolicy(&tt.networkNeighborhood, tt.knownServers, timeProvider) + got, err := GenerateNetworkPolicy(&tt.networkNeighborhood, softwarecomposition.NewKnownServersFinderImpl(tt.knownServers), timeProvider) if tt.expectError { assert.Error(t, err) diff --git a/pkg/apis/softwarecomposition/v1beta1/networkpolicy/v2/networkpolicy.go b/pkg/apis/softwarecomposition/v1beta1/networkpolicy/v2/networkpolicy.go index c9991bd39..1ba367602 100644 --- a/pkg/apis/softwarecomposition/v1beta1/networkpolicy/v2/networkpolicy.go +++ b/pkg/apis/softwarecomposition/v1beta1/networkpolicy/v2/networkpolicy.go @@ -21,7 +21,7 @@ func GenerateNetworkPolicy(networkNeighborhood *v1beta1.NetworkNeighborhood, kno return v1beta1.GeneratedNetworkPolicy{}, err } - npv1, err := np.GenerateNetworkPolicy(networkNeighborhoodV1, knownServersV1, timeProvider) + npv1, err := np.GenerateNetworkPolicy(networkNeighborhoodV1, sc.NewKnownServersFinderImpl(knownServersV1), timeProvider) if err != nil { return v1beta1.GeneratedNetworkPolicy{}, err } diff --git a/pkg/registry/file/generatednetworkpolicy.go b/pkg/registry/file/generatednetworkpolicy.go index 6484a9aad..b80e1dfc1 100644 --- a/pkg/registry/file/generatednetworkpolicy.go +++ b/pkg/registry/file/generatednetworkpolicy.go @@ -56,7 +56,7 @@ func (s *GeneratedNetworkPolicyStorage) Get(ctx context.Context, key string, opt return err } - generatedNetworkPolicy, err := networkpolicy.GenerateNetworkPolicy(networkNeighborhoodObjPtr, knownServersListObjPtr.Items, metav1.Now()) + generatedNetworkPolicy, err := networkpolicy.GenerateNetworkPolicy(networkNeighborhoodObjPtr, softwarecomposition.NewKnownServersFinderImpl(knownServersListObjPtr.Items), metav1.Now()) if err != nil { return fmt.Errorf("error generating network policy: %w", err) } @@ -101,7 +101,7 @@ func (s *GeneratedNetworkPolicyStorage) GetList(ctx context.Context, key string, if !networkpolicy.IsAvailable(&networkNeighborhood) { continue } - generatedNetworkPolicy, err := networkpolicy.GenerateNetworkPolicy(&networkNeighborhood, knownServersListObjPtr.Items, metav1.Now()) + generatedNetworkPolicy, err := networkpolicy.GenerateNetworkPolicy(&networkNeighborhood, softwarecomposition.NewKnownServersFinderImpl(knownServersListObjPtr.Items), metav1.Now()) if err != nil { return fmt.Errorf("error generating network policy: %w", err) } From 1a24b07e95068f5e4c3f612aa3790034ba8d76e2 Mon Sep 17 00:00:00 2001 From: Amir Malka Date: Sun, 15 Dec 2024 16:13:46 +0200 Subject: [PATCH 2/4] improve searching in CIDR ranges using cidranger Signed-off-by: Amir Malka --- .../softwarecomposition/knownserversfinder.go | 52 ++++++++--------- .../knownserversfinder_test.go | 57 +++++++++++++++++++ 2 files changed, 83 insertions(+), 26 deletions(-) create mode 100644 pkg/apis/softwarecomposition/knownserversfinder_test.go diff --git a/pkg/apis/softwarecomposition/knownserversfinder.go b/pkg/apis/softwarecomposition/knownserversfinder.go index cc903c641..fd127f9c9 100644 --- a/pkg/apis/softwarecomposition/knownserversfinder.go +++ b/pkg/apis/softwarecomposition/knownserversfinder.go @@ -19,37 +19,13 @@ type KnownServersFinderEntry struct { network net.IPNet } -func NewKnownServersFinderEntry(kse KnownServerEntry) (*KnownServersFinderEntry, error) { - _, res, err := net.ParseCIDR(kse.IPBlock) - if err != nil || res == nil { - return nil, err - } - return &KnownServersFinderEntry{knownServer: kse, network: *res}, nil -} - -func (k *KnownServersFinderEntry) GetServer() string { - return k.knownServer.Server -} - -func (k *KnownServersFinderEntry) GetName() string { - return k.knownServer.Name -} - -func (k *KnownServersFinderEntry) GetIPBlock() string { - return k.knownServer.IPBlock -} - -func (k *KnownServersFinderEntry) Network() net.IPNet { - return k.network -} - func NewKnownServersFinderImpl(knownServers []KnownServer) IKnownServersFinder { // build the ranger for searching ranger := cidranger.NewPCTrieRanger() for _, knownServer := range knownServers { for _, knownServerEntry := range knownServer.Spec { - if rangerEntry, err := NewKnownServersFinderEntry(knownServerEntry); err == nil && rangerEntry != nil { - _ = ranger.Insert(rangerEntry) + if v := NewKnownServersFinderEntry(knownServerEntry); v != nil { + _ = ranger.Insert(v) } } } @@ -81,3 +57,27 @@ func (k *KnownServersFinderImpl) Contains(ip net.IP) ([]IKnownServerEntry, bool) func (k *KnownServersFinderImpl) GetKnownServers() []KnownServer { return k.knownServers } + +func NewKnownServersFinderEntry(kse KnownServerEntry) *KnownServersFinderEntry { + _, res, err := net.ParseCIDR(kse.IPBlock) + if err != nil || res == nil { + return nil + } + return &KnownServersFinderEntry{knownServer: kse, network: *res} +} + +func (k *KnownServersFinderEntry) GetServer() string { + return k.knownServer.Server +} + +func (k *KnownServersFinderEntry) GetName() string { + return k.knownServer.Name +} + +func (k *KnownServersFinderEntry) GetIPBlock() string { + return k.knownServer.IPBlock +} + +func (k *KnownServersFinderEntry) Network() net.IPNet { + return k.network +} diff --git a/pkg/apis/softwarecomposition/knownserversfinder_test.go b/pkg/apis/softwarecomposition/knownserversfinder_test.go new file mode 100644 index 000000000..e5be30714 --- /dev/null +++ b/pkg/apis/softwarecomposition/knownserversfinder_test.go @@ -0,0 +1,57 @@ +package softwarecomposition + +import ( + "net" + "testing" + + "github.com/stretchr/testify/assert" +) + +func TestContains(t *testing.T) { + knownServers := []KnownServer{ + { + Spec: []KnownServerEntry{ + {Server: "server1", Name: "name1", IPBlock: "192.168.1.0/24"}, + {Server: "server2", Name: "name2", IPBlock: "10.0.0.0/8"}, + {Server: "server3", Name: "name3", IPBlock: ""}, + {Server: "server4", Name: "name4", IPBlock: "invalid"}, + {Server: "server5", Name: "name5", IPBlock: "192.168.1.128/25"}, + }, + }, + } + + finder := NewKnownServersFinderImpl(knownServers) + + tests := []struct { + ip string + expected bool + expectedIPBlocks []string + expectedServers []string + }{ + {"192.168.1.1", true, []string{"192.168.1.0/24"}, []string{"server1"}}, + {"10.0.0.1", true, []string{"10.0.0.0/8"}, []string{"server2"}}, + {"172.16.0.1", false, nil, nil}, + {"192.168.1.200", true, []string{"192.168.1.0/24", "192.168.1.128/25"}, []string{"server1", "server5"}}, + } + + for _, test := range tests { + ip := net.ParseIP(test.ip) + entries, contains := finder.Contains(ip) + assert.Equal(t, test.expected, contains) + if contains { + assert.NotEmpty(t, entries) + servers := []string{} + for _, entry := range entries { + servers = append(servers, entry.GetServer()) + } + ipBlocks := []string{} + for _, entry := range entries { + ipBlocks = append(ipBlocks, entry.GetIPBlock()) + } + assert.ElementsMatch(t, test.expectedIPBlocks, ipBlocks) + assert.ElementsMatch(t, test.expectedServers, servers) + } else { + assert.Empty(t, entries) + } + } +} From 3660fff6838904dfd5b9d84171deca05965007a7 Mon Sep 17 00:00:00 2001 From: Amir Malka Date: Sun, 15 Dec 2024 17:27:48 +0200 Subject: [PATCH 3/4] fix Signed-off-by: Amir Malka --- .../networkpolicy/v1/networkpolicy.go | 113 +++++++----------- .../networkpolicy/v1/networkpolicy_test.go | 2 +- .../v1beta1/networkpolicy/v1/networkpolicy.go | 8 +- .../networkpolicy/v1/networkpolicy_test.go | 6 +- .../v1beta1/networkpolicy/v2/networkpolicy.go | 8 +- .../networkpolicy/v2/networkpolicy_test.go | 5 +- 6 files changed, 59 insertions(+), 83 deletions(-) diff --git a/pkg/apis/softwarecomposition/networkpolicy/v1/networkpolicy.go b/pkg/apis/softwarecomposition/networkpolicy/v1/networkpolicy.go index 0bcf1577a..c52680d89 100644 --- a/pkg/apis/softwarecomposition/networkpolicy/v1/networkpolicy.go +++ b/pkg/apis/softwarecomposition/networkpolicy/v1/networkpolicy.go @@ -12,8 +12,6 @@ import ( helpersv1 "github.com/kubescape/k8s-interface/instanceidhandler/v1/helpers" - "github.com/kubescape/go-logger" - "github.com/kubescape/go-logger/helpers" "github.com/kubescape/storage/pkg/apis/softwarecomposition" "github.com/kubescape/storage/pkg/apis/softwarecomposition/networkpolicy" "golang.org/x/exp/maps" @@ -21,7 +19,7 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) -func GenerateNetworkPolicy(networkNeighbors softwarecomposition.NetworkNeighbors, knownServers []softwarecomposition.KnownServer, timeProvider metav1.Time) (softwarecomposition.GeneratedNetworkPolicy, error) { +func GenerateNetworkPolicy(networkNeighbors softwarecomposition.NetworkNeighbors, knownServers softwarecomposition.IKnownServersFinder, timeProvider metav1.Time) (softwarecomposition.GeneratedNetworkPolicy, error) { if !IsAvailable(networkNeighbors) { return softwarecomposition.GeneratedNetworkPolicy{}, fmt.Errorf("networkNeighbors %s/%s status annotation is not ready nor completed", networkNeighbors.Namespace, networkNeighbors.Name) } @@ -264,7 +262,7 @@ func mergeEgressRulesByPorts(rules []softwarecomposition.NetworkPolicyEgressRule return mergedRules } -func generateEgressRule(neighbor softwarecomposition.NetworkNeighbor, KnownServer []softwarecomposition.KnownServer) (softwarecomposition.NetworkPolicyEgressRule, []softwarecomposition.PolicyRef) { +func generateEgressRule(neighbor softwarecomposition.NetworkNeighbor, knownServers softwarecomposition.IKnownServersFinder) (softwarecomposition.NetworkPolicyEgressRule, []softwarecomposition.PolicyRef) { egressRule := softwarecomposition.NetworkPolicyEgressRule{} policyRefs := []softwarecomposition.PolicyRef{} @@ -288,41 +286,32 @@ func generateEgressRule(neighbor softwarecomposition.NetworkNeighbor, KnownServe } if neighbor.IPAddress != "" { - isKnownServer := false - // look if this IP is part of any known server - for _, knownServer := range KnownServer { - for _, entry := range knownServer.Spec { - _, subNet, err := net.ParseCIDR(entry.IPBlock) - if err != nil { - logger.L().Error("error parsing cidr", helpers.Error(err)) - continue + if entries, contains := knownServers.Contains(net.ParseIP(neighbor.IPAddress)); contains { + // look if this IP is part of any known server + for _, entry := range entries { + + egressRule.To = append(egressRule.To, softwarecomposition.NetworkPolicyPeer{ + IPBlock: &softwarecomposition.IPBlock{ + CIDR: entry.GetIPBlock(), + }, + }) + + policyRef := softwarecomposition.PolicyRef{ + Name: entry.GetName(), + OriginalIP: neighbor.IPAddress, + IPBlock: entry.GetIPBlock(), + Server: entry.GetServer(), } - if subNet.Contains(net.ParseIP(neighbor.IPAddress)) { - egressRule.To = append(egressRule.To, softwarecomposition.NetworkPolicyPeer{ - IPBlock: &softwarecomposition.IPBlock{ - CIDR: entry.IPBlock, - }, - }) - isKnownServer = true - - policyRef := softwarecomposition.PolicyRef{ - Name: entry.Name, - OriginalIP: neighbor.IPAddress, - IPBlock: entry.IPBlock, - Server: entry.Server, - } - - if neighbor.DNS != "" { - policyRef.DNS = neighbor.DNS - } - - policyRefs = append(policyRefs, policyRef) - break + + if neighbor.DNS != "" { + policyRef.DNS = neighbor.DNS } + + policyRefs = append(policyRefs, policyRef) + } - } - if !isKnownServer { + } else { ipBlock := getSingleIP(neighbor.IPAddress) egressRule.To = append(egressRule.To, softwarecomposition.NetworkPolicyPeer{ IPBlock: ipBlock, @@ -361,7 +350,7 @@ func hash(s any) (string, error) { return hex.EncodeToString(vv[:]), nil } -func generateIngressRule(neighbor softwarecomposition.NetworkNeighbor, KnownServer []softwarecomposition.KnownServer) (softwarecomposition.NetworkPolicyIngressRule, []softwarecomposition.PolicyRef) { +func generateIngressRule(neighbor softwarecomposition.NetworkNeighbor, knownServers softwarecomposition.IKnownServersFinder) (softwarecomposition.NetworkPolicyIngressRule, []softwarecomposition.PolicyRef) { ingressRule := softwarecomposition.NetworkPolicyIngressRule{} policyRefs := []softwarecomposition.PolicyRef{} @@ -384,41 +373,30 @@ func generateIngressRule(neighbor softwarecomposition.NetworkNeighbor, KnownServ } if neighbor.IPAddress != "" { - isKnownServer := false // look if this IP is part of any known server - for _, knownServer := range KnownServer { - for _, entry := range knownServer.Spec { - _, subNet, err := net.ParseCIDR(entry.IPBlock) - if err != nil { - logger.L().Error("error parsing cidr", helpers.Error(err)) - continue + if entries, contains := knownServers.Contains(net.ParseIP(neighbor.IPAddress)); contains { + for _, entry := range entries { + ingressRule.From = append(ingressRule.From, softwarecomposition.NetworkPolicyPeer{ + IPBlock: &softwarecomposition.IPBlock{ + CIDR: entry.GetIPBlock(), + }, + }) + + policyRef := softwarecomposition.PolicyRef{ + Name: entry.GetName(), + OriginalIP: neighbor.IPAddress, + IPBlock: entry.GetIPBlock(), + Server: entry.GetServer(), } - if subNet.Contains(net.ParseIP(neighbor.IPAddress)) { - ingressRule.From = append(ingressRule.From, softwarecomposition.NetworkPolicyPeer{ - IPBlock: &softwarecomposition.IPBlock{ - CIDR: entry.IPBlock, - }, - }) - isKnownServer = true - - policyRef := softwarecomposition.PolicyRef{ - Name: entry.Name, - OriginalIP: neighbor.IPAddress, - IPBlock: entry.IPBlock, - Server: entry.Server, - } - - if neighbor.DNS != "" { - policyRef.DNS = neighbor.DNS - } - - policyRefs = append(policyRefs, policyRef) - break + + if neighbor.DNS != "" { + policyRef.DNS = neighbor.DNS } - } - } - if !isKnownServer { + policyRefs = append(policyRefs, policyRef) + + } + } else { ipBlock := getSingleIP(neighbor.IPAddress) ingressRule.From = append(ingressRule.From, softwarecomposition.NetworkPolicyPeer{ IPBlock: ipBlock, @@ -432,6 +410,7 @@ func generateIngressRule(neighbor softwarecomposition.NetworkNeighbor, KnownServ }) } } + } for _, networkPort := range neighbor.Ports { diff --git a/pkg/apis/softwarecomposition/networkpolicy/v1/networkpolicy_test.go b/pkg/apis/softwarecomposition/networkpolicy/v1/networkpolicy_test.go index ac953dabb..c4c881b97 100644 --- a/pkg/apis/softwarecomposition/networkpolicy/v1/networkpolicy_test.go +++ b/pkg/apis/softwarecomposition/networkpolicy/v1/networkpolicy_test.go @@ -2010,7 +2010,7 @@ func TestGenerateNetworkPolicy(t *testing.T) { for _, test := range tests { - got, err := GenerateNetworkPolicy(test.networkNeighbors, test.KnownServer, timeProvider) + got, err := GenerateNetworkPolicy(test.networkNeighbors, softwarecomposition.NewKnownServersFinderImpl(test.KnownServer), timeProvider) assert.NoError(t, err) diff --git a/pkg/apis/softwarecomposition/v1beta1/networkpolicy/v1/networkpolicy.go b/pkg/apis/softwarecomposition/v1beta1/networkpolicy/v1/networkpolicy.go index e3a5cd18e..6f2d02eaf 100644 --- a/pkg/apis/softwarecomposition/v1beta1/networkpolicy/v1/networkpolicy.go +++ b/pkg/apis/softwarecomposition/v1beta1/networkpolicy/v1/networkpolicy.go @@ -11,17 +11,13 @@ const ( storageV1Beta1ApiVersion = "spdx.softwarecomposition.kubescape.io/v1beta1" ) -func GenerateNetworkPolicy(networkNeighbors v1beta1.NetworkNeighbors, knownServers []v1beta1.KnownServer, timeProvider metav1.Time) (v1beta1.GeneratedNetworkPolicy, error) { +func GenerateNetworkPolicy(networkNeighbors v1beta1.NetworkNeighbors, knownServers sc.IKnownServersFinder, timeProvider metav1.Time) (v1beta1.GeneratedNetworkPolicy, error) { networkNeighborsV1, err := convertNetworkNeighbors(&networkNeighbors) if err != nil { return v1beta1.GeneratedNetworkPolicy{}, err } - knownServersV1, err := convertKnownServersList(knownServers) - if err != nil { - return v1beta1.GeneratedNetworkPolicy{}, err - } - npv1, err := np.GenerateNetworkPolicy(networkNeighborsV1, knownServersV1, timeProvider) + npv1, err := np.GenerateNetworkPolicy(networkNeighborsV1, knownServers, timeProvider) if err != nil { return v1beta1.GeneratedNetworkPolicy{}, err } diff --git a/pkg/apis/softwarecomposition/v1beta1/networkpolicy/v1/networkpolicy_test.go b/pkg/apis/softwarecomposition/v1beta1/networkpolicy/v1/networkpolicy_test.go index a59a6228a..dd4d58d42 100644 --- a/pkg/apis/softwarecomposition/v1beta1/networkpolicy/v1/networkpolicy_test.go +++ b/pkg/apis/softwarecomposition/v1beta1/networkpolicy/v1/networkpolicy_test.go @@ -5,6 +5,7 @@ import ( helpersv1 "github.com/kubescape/k8s-interface/instanceidhandler/v1/helpers" + sc "github.com/kubescape/storage/pkg/apis/softwarecomposition" softwarecomposition "github.com/kubescape/storage/pkg/apis/softwarecomposition/v1beta1" "github.com/stretchr/testify/assert" corev1 "k8s.io/api/core/v1" @@ -2009,8 +2010,9 @@ func TestGenerateNetworkPolicy(t *testing.T) { } for _, test := range tests { - - got, err := GenerateNetworkPolicy(test.networkNeighbors, test.KnownServer, timeProvider) + knownServersV1, err := convertKnownServersList(test.KnownServer) + assert.NoError(t, err) + got, err := GenerateNetworkPolicy(test.networkNeighbors, sc.NewKnownServersFinderImpl(knownServersV1), timeProvider) assert.NoError(t, err) diff --git a/pkg/apis/softwarecomposition/v1beta1/networkpolicy/v2/networkpolicy.go b/pkg/apis/softwarecomposition/v1beta1/networkpolicy/v2/networkpolicy.go index 1ba367602..d82b7fce2 100644 --- a/pkg/apis/softwarecomposition/v1beta1/networkpolicy/v2/networkpolicy.go +++ b/pkg/apis/softwarecomposition/v1beta1/networkpolicy/v2/networkpolicy.go @@ -11,17 +11,13 @@ const ( storageV1Beta1ApiVersion = "spdx.softwarecomposition.kubescape.io/v1beta1" ) -func GenerateNetworkPolicy(networkNeighborhood *v1beta1.NetworkNeighborhood, knownServers []v1beta1.KnownServer, timeProvider metav1.Time) (v1beta1.GeneratedNetworkPolicy, error) { +func GenerateNetworkPolicy(networkNeighborhood *v1beta1.NetworkNeighborhood, knownServersFinder sc.IKnownServersFinder, timeProvider metav1.Time) (v1beta1.GeneratedNetworkPolicy, error) { networkNeighborhoodV1, err := convertNetworkNeighborhood(networkNeighborhood) if err != nil { return v1beta1.GeneratedNetworkPolicy{}, err } - knownServersV1, err := convertKnownServersList(knownServers) - if err != nil { - return v1beta1.GeneratedNetworkPolicy{}, err - } - npv1, err := np.GenerateNetworkPolicy(networkNeighborhoodV1, sc.NewKnownServersFinderImpl(knownServersV1), timeProvider) + npv1, err := np.GenerateNetworkPolicy(networkNeighborhoodV1, knownServersFinder, timeProvider) if err != nil { return v1beta1.GeneratedNetworkPolicy{}, err } diff --git a/pkg/apis/softwarecomposition/v1beta1/networkpolicy/v2/networkpolicy_test.go b/pkg/apis/softwarecomposition/v1beta1/networkpolicy/v2/networkpolicy_test.go index b4c6335af..b1239666a 100644 --- a/pkg/apis/softwarecomposition/v1beta1/networkpolicy/v2/networkpolicy_test.go +++ b/pkg/apis/softwarecomposition/v1beta1/networkpolicy/v2/networkpolicy_test.go @@ -10,6 +10,7 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + sc "github.com/kubescape/storage/pkg/apis/softwarecomposition" "github.com/kubescape/storage/pkg/apis/softwarecomposition/v1beta1" "github.com/stretchr/testify/assert" ) @@ -39,8 +40,10 @@ func TestGenerateNetworkPolicyFromFile(t *testing.T) { if err := json.Unmarshal([]byte(networkPolicyFile), expectedNetworkPolicy); err != nil { t.Fatalf("failed to unmarshal JSON data from file %s: %v", networkNeighborhoodFile, err) } + knownServersV1, err := convertKnownServersList(knownServers) + assert.NoError(t, err) // Generate the network policy - generatedNetworkPolicy, err := GenerateNetworkPolicy(networkNeighborhood, knownServers, timeProvider) + generatedNetworkPolicy, err := GenerateNetworkPolicy(networkNeighborhood, sc.NewKnownServersFinderImpl(knownServersV1), timeProvider) if err != nil { t.Fatalf("failed to generate network policy: %v", err) } From aac0800a73f66830670d93312846fb8c504e3271 Mon Sep 17 00:00:00 2001 From: Amir Malka Date: Sun, 15 Dec 2024 17:37:55 +0200 Subject: [PATCH 4/4] remove known servers Signed-off-by: Amir Malka --- pkg/apis/softwarecomposition/knownserversfinder.go | 10 ++-------- pkg/apis/softwarecomposition/network_types.go | 1 - 2 files changed, 2 insertions(+), 9 deletions(-) diff --git a/pkg/apis/softwarecomposition/knownserversfinder.go b/pkg/apis/softwarecomposition/knownserversfinder.go index fd127f9c9..29dba56d0 100644 --- a/pkg/apis/softwarecomposition/knownserversfinder.go +++ b/pkg/apis/softwarecomposition/knownserversfinder.go @@ -10,8 +10,7 @@ var _ IKnownServersFinder = (*KnownServersFinderImpl)(nil) var _ IKnownServerEntry = (*KnownServersFinderEntry)(nil) type KnownServersFinderImpl struct { - ranger cidranger.Ranger - knownServers []KnownServer + ranger cidranger.Ranger } type KnownServersFinderEntry struct { @@ -30,8 +29,7 @@ func NewKnownServersFinderImpl(knownServers []KnownServer) IKnownServersFinder { } } return &KnownServersFinderImpl{ - ranger: ranger, - knownServers: knownServers, + ranger: ranger, } } @@ -54,10 +52,6 @@ func (k *KnownServersFinderImpl) Contains(ip net.IP) ([]IKnownServerEntry, bool) return nil, false } -func (k *KnownServersFinderImpl) GetKnownServers() []KnownServer { - return k.knownServers -} - func NewKnownServersFinderEntry(kse KnownServerEntry) *KnownServersFinderEntry { _, res, err := net.ParseCIDR(kse.IPBlock) if err != nil || res == nil { diff --git a/pkg/apis/softwarecomposition/network_types.go b/pkg/apis/softwarecomposition/network_types.go index aab6b8570..c91fdad70 100644 --- a/pkg/apis/softwarecomposition/network_types.go +++ b/pkg/apis/softwarecomposition/network_types.go @@ -174,5 +174,4 @@ type IKnownServerEntry interface { type IKnownServersFinder interface { Contains(ip net.IP) ([]IKnownServerEntry, bool) - GetKnownServers() []KnownServer }