ROX-29500: Use stackrox protobufs instead of types.NetworkInfo #2189
Conversation
Codecov ReportAll modified and coverable lines are covered by tests ✅
✅ All tests successful. No failed tests found. Additional details and impacted files@@ Coverage Diff @@
## master #2189 +/- ##
=======================================
Coverage 28.83% 28.83%
=======================================
Files 96 96
Lines 5799 5799
Branches 2551 2551
=======================================
Hits 1672 1672
Misses 3408 3408
Partials 719 719
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
![sourcery-ai[bot]](https://avatars.githubusercontent.com/in/48477?s=60&v=4){kind=small}
There was a problem hiding this comment.
Hey @JoukoVirtanen - I've reviewed your changes - here's some feedback:
- Consider replacing the custom CompareBytes implementation with bytes.Compare for simplicity and performance.
- Your Equal and LessNetworkConnection functions ignore the new Protocol field; include Protocol in the equality and ordering logic to avoid silently dropping mismatches.
- The stringToIPNetworkBytes helper hardcodes a /32 mask—if you intend to support arbitrary CIDRs, parse the ipNetwork string into a net.IPNet and extract its mask length instead of always appending 32.
Prompt for AI Agents
Please address the comments from this code review:
## Overall Comments
- Consider replacing the custom CompareBytes implementation with bytes.Compare for simplicity and performance.
- Your Equal and LessNetworkConnection functions ignore the new Protocol field; include Protocol in the equality and ordering logic to avoid silently dropping mismatches.
- The stringToIPNetworkBytes helper hardcodes a /32 mask—if you intend to support arbitrary CIDRs, parse the ipNetwork string into a net.IPNet and extract its mask length instead of always appending 32.Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.
JoukoVirtanen
force-pushed
the
jv-use-stackrox-protobufs-instead-of-types
branch
from
92687d0 to
b465bf6
Compare
| return addr1.GetPort() < addr2.GetPort() | ||
| } | ||
|
|
||
| func LessNetworkConnection(conn1 *sensorAPI.NetworkConnection, conn2 *sensorAPI.NetworkConnection) bool { |
There was a problem hiding this comment.
I could do something like convert the connections to a string using the generated String method and then compare them, but I think that might fail in some cases. Two connections that should be identical might result in two different strings. Two identical sets of connections could be ordered differently if they were converted to strings and compared.
There was a problem hiding this comment.
Hey @JoukoVirtanen - I've reviewed your changes and they look great!
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.
JoukoVirtanen
changed the title
| Role: "ROLE_SERVER", | ||
| SocketFamily: "SOCKET_FAMILY_UNKNOWN", | ||
| CloseTimestamp: types.NilTimestamp, | ||
| LocalAddress: types.CreateNetworkAddress("", "", 40), |
There was a problem hiding this comment.
I think it's worth it here and in other similar cases to introduce a separate variable keeping the client port. This will explain why there is 40 here and few lines above.
| SocketFamily: "SOCKET_FAMILY_UNKNOWN", | ||
| CloseTimestamp: types.NilTimestamp, | ||
| LocalAddress: types.CreateNetworkAddress("", "", 0), | ||
| RemoteAddress: types.CreateNetworkAddress("", "", 40), |
There was a problem hiding this comment.
From what I understand the original implementation was replacing SERVER_IP with the real IP address. I see that it was done purely for testing, but maybe it makes sense to set the RemoteAddress here correctly as well?
There was a problem hiding this comment.
The server IP is unknown at this point, and SERVER_IP can't be passed to CreateNetworkAddress. Instead RemoteAddress is set in the test suite. The value for the port is set here, but the value for the AddressData is overwritten in the test suite.
There was a problem hiding this comment.
I still find it could be better. Even if the RemoteAddress set somewhere later, it makes sense to have all the information about the test right here where it's defined.
| return peerId.String() | ||
| // The EqualVT method for NetworkAddress returns false if both of them are nil. That is not what | ||
| // we want, so replace nil addr with a default NetworkAddress. | ||
| func adjustNetworkAddressForComparison(addr *sensorAPI.NetworkAddress) *sensorAPI.NetworkAddress { |
There was a problem hiding this comment.
This feels error prone, since the data we're testing is going to be modified. I would prefer to extend the comparison function instead.
There was a problem hiding this comment.
I have removed this function. I switched from using sensor.NeteworkConnection.EqualVT to proto.Equal and the later handles comparison between nils better so that this function is no longer needed. I keep a simplified version of adjustNetworkConnectionForComparison, but it takes in a NetworkConnection by values and returns a NetworkConnection.
There was a problem hiding this comment.
There is still similar adjustNetworkConnectionForComparison, which causes the same question.
There was a problem hiding this comment.
When you wrote that comment I was passing connections by value to adjustNetworkConnectionForComparison and it was also returning NetworkConnection structs by value. @Stringy asked to change it to use pointers instead and I did so. I moved adjustNetworkConnectionForComparison to inside EqualNetworkConnection, to make it safer. The thinking there was that it would make it less likely to be used incorrectly in the future. EqualNetworkConnection takes in connections via value, so it should be safe.
There was a problem hiding this comment.
I am now using CloneVT() before passing the connections to adjustNetworkConnectionForComparison.
| func (n *NetworkInfo) IsActive() bool { | ||
| // no close timestamp means the connection is open, and active | ||
| return n.CloseTimestamp == NilTimestamp | ||
| func CompareBytes(b1 []byte, b2 []byte) int { |
There was a problem hiding this comment.
How is this different from bytes.Compare in https://pkg.go.dev/bytes?
There was a problem hiding this comment.
It's not. I now use bytes.Compare.
| func adjustNetworkConnectionForComparison(conn sensorAPI.NetworkConnection) sensorAPI.NetworkConnection { | ||
| if conn.CloseTimestamp != nil { | ||
| conn.CloseTimestamp = NotNilTimestamp | ||
| } | ||
|
|
||
| ipNetwork := utils.IPNetworkFromCIDRBytes(ipNetworkData) | ||
| prefixLen := ipNetwork.PrefixLen() | ||
| // If this is IPv4 and the prefix length is 32 or this is IPv6 and the prefix length | ||
| // is 128 this is a regular IP address and not a CIDR block | ||
| if (ipNetwork.Family() == utils.IPv4 && prefixLen == byte(32)) || | ||
| (ipNetwork.Family() == utils.IPv6 && prefixLen == byte(128)) { | ||
| peerId.Address = ipNetwork.IP() | ||
| } else { | ||
| peerId.IPNetwork = ipNetwork | ||
| } | ||
| return peerId.String() | ||
| return conn | ||
| } |
There was a problem hiding this comment.
It might make sense to only make a copy of the connection if we need to adjust it, but otherwise return the original
e.g.
func adjustNetworkConnectionForComparison(conn *sensorAPI.NetworkConnection) *sensorAPI.NetworkConnection {
if conn.CloseTimestamp != nil {
conn := conn.CloneVT() // IIRC, not sure the exact copy function
conn.CloseTimestamp = NotNilTimestamp
}
return conn
}
| return slices.ContainsFunc(conns, func(c types.NetworkInfo) bool { | ||
| return c.Equal(conn) | ||
| return slices.ContainsFunc(conns, func(c *sensorAPI.NetworkConnection) bool { | ||
| return types.EqualNetworkConnection(*c, *conn) |
There was a problem hiding this comment.
Why do we need to deref the pointers to do the comparison? can't we just make EqualNetworkConnection take the pointers and not pass by value?
There was a problem hiding this comment.
I passed by values to prevent the connections from being modified. I guess I could pass by reference and then be careful. I don't think we need to extremely concerned about the performance of the integration tests. In collector we should be careful about passing by reference versus value, but I don't think it should matter here. It is probably best to be on the safe side and prevent mutation by passing in by value. I am definitely open to passing by reference.
There was a problem hiding this comment.
See @erthalion's comment here about concerns how the values could be mutated #2189 (comment)
There was a problem hiding this comment.
My suggestion is only partially to do with performance and mutation, and slightly more to do with API design.
When these functions are used we are never going to have a protobuf value; we're always going to have a pointer (due to the way the mock sensor works, and how protobufs work in general) so we're making the function needlessly more difficult/confusing to call by requiring the caller to first dereference and create a copy.
These copies are also shallow, which means that internal state could be shared between the copies anyway, which makes this even more error prone IMO. Pretty certain this will happen if we have nested proto definitions, which we do have for the vast majority of our definitions; NetworkConnection and ProcessSignal included.
If we take a copy-on-write approach (using CloneVT where appropriate), we can keep the API nice and clean, avoid these shallow copies in cases where we do have to do some modification.
@erthalion's concerns seem slightly different though, and slightly outside the scope of passing by value vs by reference.
There was a problem hiding this comment.
I now pass in pointers and make deep copies with CloneVT().
| copyConn1 := conn1.CloneVT() | ||
| copyConn2 := conn2.CloneVT() |
There was a problem hiding this comment.
I don't think we need to always copy, and in fact we're copying up to four times in this function (if either copy has no close timestamp we copy it again)
We can drop both of these CloneVT calls, and just pass the conn1 and conn2 pointers to adjustNetworkConnectionForComparison which will do the clone only if we need to modify
Description
Currently the integration tests use
types.NetworkInfowhich largely duplicatessensor.NetworkConnectionfrom the stackrox/stackrox protobuf definitions.types.NetworkInfois unnecessary duplication that introduces complexity and overhead. There is currently a conversion function fromsensor.NetworkConnectiontotypes.NetworkInfo. There is loss of information in this step astypes.NetworkInfodoes not perfectly duplicatesensor.NetworkConnection. Another disadvantage of the current situation is that if a change is made tosensor.NetworkConnection, that change will need to be made manually totypes.NetworkInfo. If that change is not made, that could lead to problems.This PR gets rid of
type.NetworInfoand replaces it withsensor.NetworkConnection.Checklist
Automated testing
- [ ] Added unit tests- [ ] Added integration tests- [ ] Added regression testsIf any of these don't apply, please comment below.
This PR just makes changes to the integration tests.
Testing Performed
CI is sufficient