
Source code changes of the file "go/pkg/pass1/check-service-owner.go" between
Netspoc-6.026.tar.gz and Netspoc-6.027.tar.gz

About: NetSPoC is a network security policy compiler (using its own description language) to manage all the packet filter devices inside your network topology.

check-service-owner.go  (Netspoc-6.026):check-service-owner.go  (Netspoc-6.027)
skipping to change at line 25 skipping to change at line 25
// Inversed inheritance: If an aggregate has no direct owner and if // Inversed inheritance: If an aggregate has no direct owner and if
// all contained toplevel networks have the same owner, // all contained toplevel networks have the same owner,
// then set owner of this zone to the one owner. // then set owner of this zone to the one owner.
aggGotNetOwner := make(map[*network]bool) aggGotNetOwner := make(map[*network]bool)
seen := make(map[*zone]bool) seen := make(map[*zone]bool)
for _, z := range c.allZones { for _, z := range c.allZones {
cluster := z.cluster cluster := z.cluster
if len(cluster) > 1 && seen[cluster[0]] { if len(cluster) > 1 && seen[cluster[0]] {
continue continue
} }
AGGREGATE: AGG:
for key, agg := range z.ipmask2aggregate { for key, agg := range z.ipPrefix2aggregate {
// If an explicit owner was set, it has been set for // If an explicit owner was set, it has been set for
// the whole cluster in link_aggregates. // the whole cluster in link_aggregates.
if agg.owner != nil { if agg.owner != nil {
continue continue
} }
var found *owner
var contained netList
if len(cluster) > 1 { if len(cluster) > 1 {
seen[cluster[0]] = true seen[cluster[0]] = true
for _, z2 := range cluster {
contained =
append(contained, z2.ipmask2aggre
gate[key].networks...)
}
} else {
contained = append(contained, agg.networks...)
} }
for _, n := range contained { var found *owner
netOwner := n.owner for _, z2 := range cluster {
if netOwner == nil { for _, n := range z2.ipPrefix2aggregate[key].netw
continue AGGREGATE orks {
} netOwner := n.owner
if found != nil { if netOwner == nil {
if netOwner != found { continue AGG
continue AGGREGATE }
if found != nil {
if netOwner != found {
continue AGG
}
} else {
found = netOwner
} }
} else {
found = netOwner
} }
} }
if found == nil { if found == nil {
continue continue
} }
//debug("Inversed inherit: %s %s", agg.name, found.name) //debug("Inversed inherit: %s %s", agg, found)
if cluster != nil { for _, z2 := range cluster {
for _, z2 := range cluster { agg2 := z2.ipPrefix2aggregate[key]
agg2 := z2.ipmask2aggregate[key] agg2.owner = found
agg2.owner = found aggGotNetOwner[agg2] = true
aggGotNetOwner[agg2] = true
}
} else {
agg.owner = found
aggGotNetOwner[agg] = true
} }
} }
} }
getUp := func(obj ownerer) ownerer { getUp := func(obj ownerer) ownerer {
var a *area var a *area
switch x := obj.(type) { switch x := obj.(type) {
case *host: case *host:
return x.network return x.network
case *routerIntf: case *routerIntf:
skipping to change at line 123 skipping to change at line 113
return inheritOwner(getUp(obj)) return inheritOwner(getUp(obj))
} }
} }
if o != nil { if o != nil {
if !checked[obj] { if !checked[obj] {
checked[obj] = true checked[obj] = true
o2, upper := inheritOwner(getUp(obj)) o2, upper := inheritOwner(getUp(obj))
if o2 != nil && o2 == o { if o2 != nil && o2 == o {
c.warn("Useless %s at %s,\n"+ c.warn("Useless %s at %s,\n"+
" it was already inherited from % s", " it was already inherited from % s",
o.name, obj, upper) o, obj, upper)
} }
} }
o.isUsed = true o.isUsed = true
return o, obj return o, obj
} }
up := getUp(obj) up := getUp(obj)
if up == nil { if up == nil {
return nil, obj return nil, obj
} }
skipping to change at line 163 skipping to change at line 153
} }
inheritOwner(n) inheritOwner(n)
} }
for _, n := range c.allNetworks { for _, n := range c.allNetworks {
processSubnets(n) processSubnets(n)
} }
// Collect list of owners and watchingOwners from areas at // Collect list of owners and watchingOwners from areas at
// zones in attribute .watchingOwners. Is needed in export-netspoc. // zones in attribute .watchingOwners. Is needed in export-netspoc.
zone2owner2seen := make(map[*zone]map[*owner]bool) type key struct {
z *zone
o *owner
}
zoneOwnerSeen := make(map[key]bool)
for _, area := range c.ascendingAreas { for _, area := range c.ascendingAreas {
o := area.watchingOwner o := area.watchingOwner
if o == nil { if o == nil {
o = area.owner o = area.owner
} }
if o == nil { if o == nil {
continue continue
} }
o.isUsed = true o.isUsed = true
for _, z := range area.zones { for _, z := range area.zones {
owner2seen := zone2owner2seen[z] k := key{z, o}
if !owner2seen[o] { if !zoneOwnerSeen[k] {
if owner2seen == nil { zoneOwnerSeen[k] = true
owner2seen = make(map[*owner]bool)
zone2owner2seen[z] = owner2seen
}
owner2seen[o] = true
z.watchingOwners = append(z.watchingOwners, o) z.watchingOwners = append(z.watchingOwners, o)
} }
} }
} }
// Check owner with attribute showAll. // Check owner with attribute showAll.
for _, o := range symTable.owner { for _, o := range symTable.owner {
if !o.showAll { if !o.showAll {
continue continue
} }
skipping to change at line 214 skipping to change at line 204
if wo == o { if wo == o {
continue NETWORK continue NETWORK
} }
} }
invalid.push(n.name) invalid.push(n.name)
} }
if invalid != nil { if invalid != nil {
c.err("%s has attribute 'show_all',"+ c.err("%s has attribute 'show_all',"+
" but doesn't own whole topology.\n"+ " but doesn't own whole topology.\n"+
" Missing:\n"+ " Missing:\n"+
invalid.nameList(), invalid.nameList(), o)
o.name)
} }
} }
// Handle routerAttributes.owner separately. // Handle routerAttributes.owner separately.
// Areas can be nested. Proceed from small to larger ones. // Areas can be nested. Proceed from small to larger ones.
for _, a := range c.ascendingAreas { for _, a := range c.ascendingAreas {
attributes := a.routerAttributes attributes := a.routerAttributes
if attributes == nil { if attributes == nil {
continue continue
} }
owner := attributes.owner o := attributes.owner
if owner == nil { if o == nil {
continue continue
} }
owner.isUsed = true o.isUsed = true
for _, r := range a.managedRouters { for _, r := range a.managedRouters {
if rOwner := r.owner; rOwner != nil { if rOwner := r.owner; rOwner != nil {
if rOwner == owner { if rOwner == o {
c.warn( c.warn(
"Useless %s at %s,\n"+ "Useless %s at %s,\n"+
" it was already inherite d from %s", " it was already inherite d from %s",
rOwner.name, r.name, attributes.n ame) rOwner, r, attributes.name)
} }
} else { } else {
r.owner = owner r.owner = o
} }
} }
} }
// Set owner for interfaces of managed routers. // Set owner for interfaces of managed routers.
for _, r := range append(c.managedRouters, c.routingOnlyRouters...) { for _, r := range c.managedRouters {
o := r.owner o := r.owner
if o == nil { if o == nil {
continue continue
} }
o.isUsed = true o.isUsed = true
// Interface of managed router is not allowed to have individual owner. // Interface of managed router is not allowed to have individual owner.
for _, intf := range getIntf(r) { for _, intf := range getIntf(r) {
intf.owner = o intf.owner = o
} }
} }
// Propagate owner of loopback interface to loopback network and // Propagate owner of loopback interface to loopback network. Even
// loopback zone. Even reset owners to undef, if loopback interface // reset owner to nil, if loopback interface has no owner.
// has no owner.
for _, r := range c.allRouters { for _, r := range c.allRouters {
for _, intf := range r.interfaces { for _, intf := range r.interfaces {
if intf.loopback { if intf.loopback {
owner := intf.owner o := intf.owner
if owner != nil { if o != nil {
owner.isUsed = true o.isUsed = true
} }
intf.network.owner = owner intf.network.owner = o
} }
} }
} }
} }
func (c *spoc) checkServiceOwner(sRules *serviceRules) { func (c *spoc) checkServiceOwner(sRules *serviceRules) {
c.progress("Checking service owner") c.progress("Checking service owner")
// Sorts error messages before output. // Sorts error messages before output.
c.sortedSpoc(func(c *spoc) { c.sortedSpoc(func(c *spoc) {
skipping to change at line 384 skipping to change at line 372
hasUnknown = true hasUnknown = true
} }
} }
// Check for redundant service owner. // Check for redundant service owner.
// Allow dedicated service owner, if we have multiple own ers // Allow dedicated service owner, if we have multiple own ers
// from objects of rule. // from objects of rule.
if subOwner := svc.subOwner; subOwner != nil { if subOwner := svc.subOwner; subOwner != nil {
subOwner.isUsed = true subOwner.isUsed = true
if len(ownerSeen) == 1 && ownerSeen[subOwner] { if len(ownerSeen) == 1 && ownerSeen[subOwner] {
c.warn("Useless %s at %s", subOwner.name, svc.name) c.warn("Useless %s at %s", subOwner, svc)
} }
} }
// Check for multiple owners. // Check for multiple owners.
hasMulti := !info.isCoupling && len(svc.owners) > 1 hasMulti := !info.isCoupling && len(svc.owners) > 1
if svc.multiOwner { if svc.multiOwner {
if !hasMulti { if !hasMulti {
c.warn("Useless use of attribute 'multi_o wner' at %s", svc.name) c.warn("Useless use of attribute 'multi_o wner' at %s", svc)
} else { } else {
// Check if attribute 'multi_owner' is re stricted at this service. // Check if attribute 'multi_owner' is re stricted at this service.
restricted := false restricted := false
for obj, _ := range objects { for obj, _ := range objects {
if obj.getOwner() != nil && if obj.getOwner() != nil &&
obj.getAttr(multiOwnerAtt r) == restrictVal { obj.getAttr(multiOwnerAtt r) == restrictVal {
restricted = true restricted = true
break break
} }
} }
if restricted { if restricted {
c.warn("Must not use attribute 'm ulti_owner' at %s", svc.name) c.warn("Must not use attribute 'm ulti_owner' at %s", svc)
} else if info.sameObjects { } else if info.sameObjects {
// Check if attribute 'multi_owne r' could be avoided, // Check if attribute 'multi_owne r' could be avoided,
// if objects of user and objects of rules are swapped. // if objects of user and objects of rules are swapped.
var userOwner *owner var userOwner *owner
simpleUser := true simpleUser := true
for _, user := range svc.expanded User { for _, user := range svc.expanded User {
var o *owner var o *owner
if obj, ok := user.(srvOb j); ok { if obj, ok := user.(srvOb j); ok {
o = obj.getOwner( ) o = obj.getOwner( )
skipping to change at line 433 skipping to change at line 421
} else if userOwner != o { } else if userOwner != o {
simpleUser = fals e simpleUser = fals e
break break
} }
} }
if simpleUser && userOwner != nil { if simpleUser && userOwner != nil {
c.warn("Useless use of at tribute 'multi_owner' at %s\n"+ c.warn("Useless use of at tribute 'multi_owner' at %s\n"+
" All 'user' obje cts belong to single %s.\n"+ " All 'user' obje cts belong to single %s.\n"+
" Either swap obj ects of 'user' and objects of rules,\n"+ " Either swap obj ects of 'user' and objects of rules,\n"+
" or split servic e into multiple parts,"+ " or split servic e into multiple parts,"+
" one for each ow ner.", svc.name, userOwner.name) " one for each ow ner.", svc, userOwner)
} }
} }
} }
} else if hasMulti { } else if hasMulti {
if printType := conf.Conf.CheckServiceMultiOwner; printType != "" { if printType := conf.Conf.CheckServiceMultiOwner; printType != "" {
var names stringList var names stringList
ok := true ok := true
seen := make(map[string]bool) seen := make(map[string]bool)
for obj, _ := range objects { for obj, _ := range objects {
if obj.getOwner() != nil { if obj.getOwner() != nil {
skipping to change at line 459 skipping to change at line 447
names.push(name) names.push(name)
seen[name] = true seen[name] = true
} }
} }
} }
if !ok { if !ok {
sort.Strings(names) sort.Strings(names)
c.warnOrErr(printType, c.warnOrErr(printType,
"%s has multiple owners:\ n %s", "%s has multiple owners:\ n %s",
svc.name, strings.Join(na mes, ", ")) svc, strings.Join(names, ", "))
} }
} }
} }
// Check for unknown owners. // Check for unknown owners.
if svc.unknownOwner { if svc.unknownOwner {
if !hasUnknown { if !hasUnknown {
c.warn("Useless use of attribute 'unknown _owner' at %s", svc.name) c.warn("Useless use of attribute 'unknown _owner' at %s", svc)
} else { } else {
for obj, _ := range objects { for obj, _ := range objects {
if obj.getOwner() == nil && if obj.getOwner() == nil &&
obj.getAttr(unknownOwnerA ttr) == restrictVal { obj.getAttr(unknownOwnerA ttr) == restrictVal {
c.warn("Must not use attr c.warn("Must not use attr
ibute 'unknown_owner' at %s", ibute 'unknown_owner' at %s", svc)
svc.name)
break break
} }
} }
} }
} else if hasUnknown && conf.Conf.CheckServiceUnknownOwne r != "" { } else if hasUnknown && conf.Conf.CheckServiceUnknownOwne r != "" {
for obj, _ := range objects { for obj, _ := range objects {
if obj.getOwner() == nil && if obj.getOwner() == nil &&
obj.getAttr(unknownOwnerAttr) != okVal { obj.getAttr(unknownOwnerAttr) != okVal {
unknown2services[obj] = unknown2services[obj] =
append(unknown2services[o bj], svc.name) append(unknown2services[o bj], svc.name)
} }
} }
} }
} }
// Show unused owners. // Show unused owners.
if printType := conf.Conf.CheckUnusedOwners; printType != "" { if printType := conf.Conf.CheckUnusedOwners; printType != "" {
for _, o := range symTable.owner { for _, o := range symTable.owner {
if !o.isUsed { if !o.isUsed {
c.warnOrErr(printType, "Unused %s", o.nam e) c.warnOrErr(printType, "Unused %s", o)
} }
} }
} }
// Show objects with unknown owner. // Show objects with unknown owner.
for obj, names := range unknown2services { for obj, names := range unknown2services {
sort.Strings(names) sort.Strings(names)
c.warnOrErr(conf.Conf.CheckServiceUnknownOwner, c.warnOrErr(conf.Conf.CheckServiceUnknownOwner,
"Unknown owner for %s in %s", "Unknown owner for %s in %s",
obj, strings.Join(names, ", ")) obj, strings.Join(names, ", "))
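Review bot: The rewritten inversed-inheritance loop now walks `cluster` unconditionally (`for _, z2 := range cluster` in both the owner scan and the owner assignment), whereas 6.026 kept an explicit `cluster != nil` fallback that operated on `agg` alone; if `z.cluster` can still be nil or empty for a standalone zone, the new scan finds no networks, `found` stays nil and that zone's aggregates silently lose owner inheritance. Unless the invariant that `z.cluster` always contains at least `z` is established elsewhere, guard it before the `AGG:` label, `if len(cluster) == 0 { cluster = []*zone{z} }`, or document the invariant in the comment above the loop. Separately, the interface-owner loop now ranges over `c.managedRouters` only; the dropped `c.routingOnlyRouters` means an owner referenced solely by a routing-only router is no longer marked `isUsed` here and its interfaces keep any individual owner, which the unchanged comment "Interface of managed router is not allowed to have individual owner" no longer reflects if routing-only routers are not part of `managedRouters`. The enclosing function starts before this section.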
 End of changes. 27 change blocks. 
66 lines changed or deleted 53 lines changed or added
