add external service to graph
noboruma committed Jun 11, 2024
1 parent 89e8c26 commit 31fbe0f
Showing 8 changed files with 69 additions and 13 deletions.
2 changes: 1 addition & 1 deletion deepfence_agent/plugins/YaraHunter
2 changes: 1 addition & 1 deletion deepfence_agent/plugins/cloud-scanner
Submodule cloud-scanner updated 40 files
+73 −0 Dockerfile
+10 −3 Makefile
+0 −10 README.md
+26 −9 cloud_resource_changes/cloud_resource_changes_aws/cloudtrail.go
+11 −3 cloud_resource_changes/cloud_resource_changes_aws/util.go
+0 −0 cloudformation/deepfence-cloud-scanner-members.template
+16 −17 cloudformation/deepfence-cloud-scanner-org-common.template
+38 −43 cloudformation/deepfence-cloud-scanner-org-mgmt-console.template
+3 −15 cloudformation/deepfence-cloud-scanner-roles.template
+82 −84 cloudformation/deepfence-cloud-scanner.template
+4 −6 ...n/deepfence-managed/automated-deployment/deepfence-cloud-scanner-automated-organization-deployment.template
+2 −2 ...ormation/deepfence-managed/manual-deployment/deepfence-managed-cloud-scanner-organization-iam-role.template
+5 −5 ...ormation/deepfence-managed/manual-deployment/deepfence-managed-cloud-scanner-organization-stackset.template
+0 −35 ...rmation/deepfence-managed/single-account-deployment/deepfence-managed-cloud-scanner-single-account.template
+11 −0 entrypoint.sh
+29 −20 go.mod
+120 −34 go.sum
+1 −1 golang_deepfence_sdk
+0 −2 helm-chart/.gitignore
+0 −23 helm-chart/deepfence-cloud-scanner/.helmignore
+0 −24 helm-chart/deepfence-cloud-scanner/Chart.yaml
+0 −3 helm-chart/deepfence-cloud-scanner/templates/NOTES.txt
+0 −62 helm-chart/deepfence-cloud-scanner/templates/_helpers.tpl
+0 −92 helm-chart/deepfence-cloud-scanner/templates/deployment.yaml
+0 −11 helm-chart/deepfence-cloud-scanner/templates/secret.yaml
+0 −13 helm-chart/deepfence-cloud-scanner/templates/serviceaccount.yaml
+0 −104 helm-chart/deepfence-cloud-scanner/values.yaml
+0 −14 helm-chart/index.yaml
+143 −27 internal/deepfence/client.go
+59 −0 internal/deepfence/diagnosis.go
+27 −0 internal/deepfence/util.go
+89 −50 main.go
+1 −1 output/file_output.go
+39 −2 output/output.go
+43 −66 query_resource/query.go
+9 −9 scanner/parser.go
+80 −41 scanner/scanner.go
+130 −253 service/service.go
+79 −43 util/type.go
+15 −6 util/util.go
2 changes: 1 addition & 1 deletion deepfence_agent/plugins/yara-rules
Submodule yara-rules updated 1 files
+1 −1 build-timestamp
10 changes: 9 additions & 1 deletion deepfence_server/handler/topology.go
Expand Up @@ -278,7 +278,7 @@ func graphToSummaries(
return res
}

for cp, crs := range graph.CloudServices {
for cp, crs := range graph.InternalCloudServices {
for _, crStub := range crs {
cr := string(crStub.ID)
nodes[cr] = detailed.NodeSummary{
Expand All @@ -293,6 +293,14 @@ func graphToSummaries(

nodes["in-the-internet"] = inboundInternetNode
nodes["out-the-internet"] = outboundInternetNode
for _, n := range graph.ExternalCloudServices {
nodes[string(n.ID)] = detailed.NodeSummary{
ID: string(n.ID),
Label: n.Name,
ImmediateParentID: "",
Type: "pseudo",
}
}

for h, n := range graph.Processes {
for _, idStub := range n {
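Review bot: The new loop that registers `graph.ExternalCloudServices` as `Type: "pseudo"` summaries carries no comment saying what an external cloud service is or why it gets an empty `ImmediateParentID`, and nothing in this file ties it to the `cloud_provider = "internet"` nodes the reporter collects elsewhere in this commit. A one-line comment above the loop would close that gap, e.g. `// External cloud services are Nodes tagged cloud_provider "internet" that have CONNECTS edges; like the two internet pseudo nodes they hang off the root with no parent.` Note also that `nodes[string(n.ID)] = detailed.NodeSummary{...}` overwrites any summary already stored under that ID earlier in the function, so if the same node can also appear in another collection of the graph the earlier, richer summary is lost silently. graphToSummaries starts and ends outside the hunk.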
8 changes: 5 additions & 3 deletions deepfence_server/ingesters/agent.go
Expand Up @@ -1424,21 +1424,23 @@ func requestCloudInfo(ctx context.Context, strIps []string, token string) ([]Clo

func resolveCloudService(connections []Connection, token string) []Connection {
ips := []string{}
ids := []int{}

for i := range connections {
if connections[i].rightIP != nil {
ips = append(ips, *connections[i].rightIP)
ids = append(ids, i)
}
}
if len(ips) == 0 {
return connections
}
infos, err := requestCloudInfo(context.Background(), ips, token)
if err != nil || len(connections) != len(infos) {
log.Error().Err(err).Msgf("issue fetching cloud infos %d/%d", len(infos), len(connections))
if err != nil || len(ids) != len(infos) {
log.Error().Err(err).Msgf("issue fetching cloud infos %v/%v", infos, connections)
return connections
}
for i := range infos {
connections[i].destination = infos[i].NodeID()
connections[ids[i]].destination = infos[i].NodeID()
}
return connections
}
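Review bot: The rewritten log call `log.Error().Err(err).Msgf("issue fetching cloud infos %v/%v", infos, connections)` formats both slices in full, so a single failed lookup writes every connection (including its IP fields) and every returned info into the error log, and it also drops the count comparison that made the mismatch branch readable. Keeping counts preserves the old signal and stays cheap: `log.Error().Err(err).Msgf("issue fetching cloud infos %d/%d", len(infos), len(ids))`. The `ids` index mapping itself is the right fix, since the old `connections[i]` assignment was misaligned whenever some `rightIP` entries were nil. The CI lint annotation on this hunk reports the file is not gofmt -s clean at line 1427, so a gofmt pass is needed before merge.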
53 changes: 49 additions & 4 deletions deepfence_server/reporters/graph/topology_reporter.go
Expand Up @@ -436,7 +436,7 @@ func extractResourceNodeIds(ids []interface{}) []NodeID {
return res
}

func (ntp *neo4jTopologyReporter) GetCloudServices(
func (ntp *neo4jTopologyReporter) GetInternalCloudServices(
ctx context.Context,
tx neo4j.ExplicitTransaction,
cloudProvider []string,
Expand Down Expand Up @@ -491,6 +491,46 @@ func (ntp *neo4jTopologyReporter) GetCloudServices(

}

func (ntp *neo4jTopologyReporter) GetExternalCloudServices(
ctx context.Context,
tx neo4j.ExplicitTransaction,
cloudProvider []string,
cloudRegions []string,
fieldfilters mo.Option[reporters.FieldsFilters]) ([]NodeStub, error) {

ctx, span := telemetry.NewSpan(ctx, "toploogy", "get-cloud-services")
defer span.End()

res := []NodeStub{}

r, err := tx.Run(ctx, `
MATCH (n:Node) -[:CONNECTS]- (:Node)
WHERE n.cloud_provider = "internet"
RETURN n.node_id`,
map[string]interface{}{},
)

if err != nil {
return res, err
}
records, err := r.Collect(ctx)

if err != nil {
return res, err
}

for _, record := range records {
nodeID := record.Values[0].(string)
res = append(res,
NodeStub{
ID: NodeID(nodeID),
Name: nodeID,
})
}
return res, nil

}

func (ntp *neo4jTopologyReporter) GetPublicCloudResources(
ctx context.Context,
tx neo4j.ExplicitTransaction,
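Review bot: In the new GetExternalCloudServices the Cypher query `MATCH (n:Node) -[:CONNECTS]- (:Node) ... RETURN n.node_id` yields one row per matched CONNECTS edge, so a node with several connections is appended to `res` several times; `RETURN DISTINCT n.node_id` is needed for the slice to be a set of services. The unchecked assertion `record.Values[0].(string)` panics the request if node_id is null or non-string in the store, which turns bad graph data into a crash of the reporter; a comma-ok form that skips the row is safer. The span is opened as `telemetry.NewSpan(ctx, "toploogy", "get-cloud-services")`, the same operation name as the internal variant, so the two are indistinguishable in traces ("toploogy" looks like a typo possibly copied from the sibling, so fix it in both or neither). Finally, `cloudProvider`, `cloudRegions` and `fieldfilters` are accepted but never used, while getGraph (last hunk of this file) passes `cloudFilter, regionFilter` as if they applied; either apply them in the query or document that external services ignore the filters.
```go
	ctx, span := telemetry.NewSpan(ctx, "toploogy", "get-external-cloud-services")
	defer span.End()

	res := []NodeStub{}

	r, err := tx.Run(ctx, `
		MATCH (n:Node) -[:CONNECTS]- (:Node)
		WHERE n.cloud_provider = "internet"
		RETURN DISTINCT n.node_id`,
		map[string]interface{}{},
	)
	// … unchanged: error checks and Collect …
	for _, record := range records {
		nodeID, ok := record.Values[0].(string)
		if !ok {
			// Skip rows whose node_id is missing or not a string rather than panicking.
			continue
		}
		res = append(res, NodeStub{ID: NodeID(nodeID), Name: nodeID})
	}
	return res, nil
```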
Expand Down Expand Up @@ -921,8 +961,9 @@ type RenderedGraph struct {
Connections []ConnectionSummary `json:"connections" required:"true"`
// PublicCloudResources map[NodeID][]ResourceStub `json:"public-cloud-resources" required:"true"`
// NonPublicCloudResources map[NodeID][]ResourceStub `json:"non-public-cloud-resources" required:"true"`
CloudServices map[NodeID][]ResourceStub `json:"cloud-services" required:"true"`
SkippedConnections bool `json:"skipped_connections" required:"true"`
InternalCloudServices map[NodeID][]ResourceStub `json:"cloud-services" required:"true"`
ExternalCloudServices []NodeStub `json:"external-cloud-services" required:"true"`
SkippedConnections bool `json:"skipped_connections" required:"true"`
}

type TopologyFilters struct {
Expand Down Expand Up @@ -1239,7 +1280,11 @@ func (ntp *neo4jTopologyReporter) getGraph(ctx context.Context, filters Topology
if err != nil {
return res, err
}
res.CloudServices, err = ntp.GetCloudServices(ctx, tx, cloudFilter, regionFilter, mo.None[reporters.FieldsFilters]())
res.InternalCloudServices, err = ntp.GetInternalCloudServices(ctx, tx, cloudFilter, regionFilter, mo.None[reporters.FieldsFilters]())
if err != nil {
return res, err
}
res.ExternalCloudServices, err = ntp.GetExternalCloudServices(ctx, tx, cloudFilter, regionFilter, mo.None[reporters.FieldsFilters]())
if err != nil {
return res, err
}
3 changes: 2 additions & 1 deletion deepfence_worker/cronjobs/neo4j.go
Expand Up @@ -780,6 +780,7 @@ func LinkNodes(ctx context.Context, task *asynq.Task) error {
AND NOT n.cloud_provider IS NULL
AND NOT n.cloud_region IS NULL
AND NOT n.node_id IN ["in-the-internet", "out-the-internet", "`+ConsoleAgentId+`"]
AND NOT n.cloud_provider = 'internet'
WITH n LIMIT 50000
MERGE (cp:CloudProvider{node_id: n.cloud_provider})
MERGE (cr:CloudRegion{node_id: n.cloud_region})
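Review bot: The added predicate `AND NOT n.cloud_provider = 'internet'` repeats as a bare literal the same sentinel value that GetExternalCloudServices in topology_reporter.go matches with `n.cloud_provider = "internet"`, so the producer and the consumer of this marker will drift silently if either spelling changes. The same query already interpolates the shared `ConsoleAgentId` constant on the preceding line; a constant for the internet provider value, declared in a package both the worker and the server import and interpolated the same way, would keep the two sites in agreement. LinkNodes begins and ends outside the hunk, so I cannot see whether another statement in it still links internet-tagged nodes to a CloudProvider or CloudRegion.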
Expand Down Expand Up @@ -816,7 +817,7 @@ func LinkNodes(ctx context.Context, task *asynq.Task) error {
WHERE NOT exists((n) -[:ALIAS]-> ())
MERGE (t:ImageTag{node_id: n.docker_image_name + "_" + n.docker_image_tag})
MERGE (n) -[a:ALIAS]-> (t)
SET t.updated_at = TIMESTAMP(),
SET t.updated_at = TIMESTAMP(),
a.updated_at = TIMESTAMP()`,
map[string]interface{}{}, txConfig); err != nil {
return err
2 changes: 1 addition & 1 deletion golang_deepfence_sdk
Submodule golang_deepfence_sdk updated 35 files
+6 −2 client/.openapi-generator/FILES
+1 −1 client/.openapi-generator/VERSION
+5 −3 client/README.md
+178 −201 client/api/openapi.yaml
+25 −14 client/api_cloud_nodes.go
+0 −139 client/api_completion.go
+132 −0 client/api_diagnosis.go
+1 −1 client/client.go
+7 −5 client/docs/CloudNodesAPI.md
+0 −67 client/docs/CompletionAPI.md
+1 −1 client/docs/ComplianceAPI.md
+71 −0 client/docs/DiagnosisAPI.md
+36 −0 client/docs/DiagnosisGetDiagnosticLogsResponse.md
+5 −5 client/docs/ModelAddScheduledTaskRequest.md
+0 −23 client/docs/ModelBenchmarkType.md
+118 −0 client/docs/ModelCloudComplianceBenchmark.md
+180 −0 client/docs/ModelCloudComplianceScanDetails.md
+34 −50 client/docs/ModelCloudNodeAccountRegisterReq.md
+56 −0 client/docs/ModelCloudNodeAccountRegisterResp.md
+118 −0 client/docs/ModelCloudNodeAccountRegisterRespData.md
+7 −2 client/docs/ModelCloudNodeAccountsListReq.md
+82 −0 client/docs/ModelCloudNodeCloudtrailTrail.md
+5 −5 client/docs/ModelComplianceScanTriggerReq.md
+1 −1 client/docs/SettingsAPI.md
+37 −0 client/model_diagnosis_get_diagnostic_logs_response.go
+7 −7 client/model_model_add_scheduled_task_request.go
+0 −122 client/model_model_benchmark_type.go
+200 −0 client/model_model_cloud_compliance_benchmark.go
+273 −0 client/model_model_cloud_compliance_scan_details.go
+67 −87 client/model_model_cloud_node_account_register_req.go
+127 −0 client/model_model_cloud_node_account_register_resp.go
+200 −0 client/model_model_cloud_node_account_register_resp_data.go
+22 −14 client/model_model_cloud_node_accounts_list_req.go
+163 −0 client/model_model_cloud_node_cloudtrail_trail.go
+7 −7 client/model_model_compliance_scan_trigger_req.go
