github.com/aporeto-inc/trireme-lib@v10.358.0+incompatible/controller/internal/enforcer/flowstats/state.go

github.com/aporeto-inc/trireme-lib@v10.358.0+incompatible/controller/internal/enforcer/flowstats/state.go (about)

     1  package flowstats
     2  
     3  import (
     4  	"net"
     5  	"net/http"
     6  
     7  	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/apiauth"
     8  
     9  	"go.aporeto.io/enforcerd/trireme-lib/collector"
    10  	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/packet"
    11  	"go.aporeto.io/enforcerd/trireme-lib/policy"
    12  )
    13  
    14  // ConnectionState captures the connection state. This state
    15  // is passed to the RoundTripper for any last minute adjustments.
    16  type ConnectionState struct {
    17  	Stats  *collector.FlowRecord
    18  	Cookie *http.Cookie
    19  }
    20  
    21  // NewAppConnectionState will create the initial connection state object.
    22  func NewAppConnectionState(nativeID string, r *http.Request, authRequest *apiauth.Request, resp *apiauth.AppAuthResponse) *ConnectionState {
    23  
    24  	sourceIP := "0.0.0.0/0"
    25  	sourcePort := 0
    26  	if sourceAddress, err := net.ResolveTCPAddr("tcp", r.RemoteAddr); err == nil {
    27  		sourceIP = sourceAddress.IP.String()
    28  		sourcePort = sourceAddress.Port
    29  	}
    30  
    31  	var tags policy.TagStore
    32  	if resp.PUContext.Annotations() != nil {
    33  		tags = *resp.PUContext.Annotations()
    34  	}
    35  
    36  	return &ConnectionState{
    37  		Stats: &collector.FlowRecord{
    38  			ContextID: nativeID,
    39  			Destination: collector.EndPoint{
    40  				URI:        r.Method + " " + r.RequestURI,
    41  				HTTPMethod: r.Method,
    42  				Type:       collector.EndPointTypeExternalIP,
    43  				Port:       uint16(authRequest.OriginalDestination.Port),
    44  				IP:         authRequest.OriginalDestination.IP.String(),
    45  				ID:         resp.NetworkServiceID,
    46  			},
    47  			Source: collector.EndPoint{
    48  				Type:       collector.EndPointTypePU,
    49  				ID:         resp.PUContext.ManagementID(),
    50  				IP:         sourceIP,
    51  				Port:       uint16(sourcePort),
    52  				HTTPMethod: r.Method,
    53  				URI:        r.Method + " " + r.RequestURI,
    54  			},
    55  			Action:      resp.Action,
    56  			L4Protocol:  packet.IPProtocolTCP,
    57  			ServiceType: policy.ServiceHTTP,
    58  			ServiceID:   resp.ServiceID,
    59  			Tags:        tags.GetSlice(),
    60  			Namespace:   resp.PUContext.ManagementNamespace(),
    61  			PolicyID:    resp.NetworkPolicyID,
    62  			Count:       1,
    63  		},
    64  	}
    65  }
    66  
    67  // NewNetworkConnectionState will create the initial connection state object.
    68  func NewNetworkConnectionState(nativeID string, userID string, r *apiauth.Request, d *apiauth.NetworkAuthResponse) *ConnectionState {
    69  
    70  	var mgmtID, namespace, serviceID string
    71  	var tags policy.TagStore
    72  
    73  	if d.PUContext != nil {
    74  		mgmtID = d.PUContext.ManagementID()
    75  		namespace = d.PUContext.ManagementNamespace()
    76  		if d.PUContext.Annotations() != nil {
    77  			tags = *d.PUContext.Annotations()
    78  		}
    79  		serviceID = d.ServiceID
    80  	} else {
    81  		mgmtID = collector.DefaultEndPoint
    82  		namespace = collector.DefaultEndPoint
    83  		tags = *policy.NewTagStore()
    84  		serviceID = collector.DefaultEndPoint
    85  	}
    86  
    87  	sourceType := collector.EndPointTypeExternalIP
    88  	sourceID := collector.DefaultEndPoint
    89  	networkPolicyID := collector.DefaultEndPoint
    90  	action := policy.Reject | policy.Log
    91  
    92  	if d != nil {
    93  		sourceType = d.SourceType
    94  		if sourceType == collector.EndPointTypeClaims {
    95  			sourceType = collector.EndPointTypeExternalIP
    96  		}
    97  
    98  		switch d.SourceType {
    99  		case collector.EndPointTypePU:
   100  			sourceID = d.SourcePUID
   101  		case collector.EndPointTypeClaims:
   102  			sourceID = d.NetworkServiceID
   103  		default:
   104  			sourceID = d.NetworkServiceID
   105  		}
   106  
   107  		if d.NetworkPolicyID != "" {
   108  			networkPolicyID = d.NetworkPolicyID
   109  		}
   110  		action = d.Action
   111  	}
   112  
   113  	c := &ConnectionState{
   114  		Stats: &collector.FlowRecord{
   115  			ContextID: nativeID,
   116  			Destination: collector.EndPoint{
   117  				ID:         mgmtID,
   118  				Type:       collector.EndPointTypePU,
   119  				IP:         r.OriginalDestination.IP.String(),
   120  				Port:       uint16(r.OriginalDestination.Port),
   121  				URI:        r.Method + " " + r.RequestURI,
   122  				HTTPMethod: r.Method,
   123  				UserID:     userID,
   124  			},
   125  			Source: collector.EndPoint{
   126  				ID:     sourceID,
   127  				Type:   sourceType,
   128  				IP:     r.SourceAddress.IP.String(),
   129  				Port:   uint16(r.SourceAddress.Port),
   130  				UserID: userID,
   131  			},
   132  			Action:      action,
   133  			L4Protocol:  packet.IPProtocolTCP,
   134  			ServiceType: policy.ServiceHTTP,
   135  			PolicyID:    networkPolicyID,
   136  			ServiceID:   serviceID,
   137  			Tags:        tags.GetSlice(),
   138  			Namespace:   namespace,
   139  			Count:       1,
   140  		},
   141  	}
   142  
   143  	if d != nil {
   144  		if d.Action.Rejected() {
   145  			c.Stats.DropReason = d.DropReason
   146  		}
   147  
   148  		if d.ObservedPolicyID != "" {
   149  			c.Stats.ObservedPolicyID = d.ObservedPolicyID
   150  			c.Stats.ObservedAction = d.ObservedAction
   151  		}
   152  
   153  		c.Cookie = d.Cookie
   154  	}
   155  
   156  	return c
   157  }