Merge branch 'main' into AggregatedModel
Showing
10 changed files
with
373 additions
and
50 deletions.
|
@@ -127,3 +127,6 @@ dmypy.json | |
|
||
# Pyre type checker | ||
.pyre/ | ||
|
||
# vim | ||
.*.swp |
@@ -0,0 +1,72 @@ | ||
from fluentm import ( | ||
Actor, | ||
Process, | ||
DataFlow, | ||
HTTP, | ||
MTLS, | ||
TLS, | ||
DHCP, | ||
) | ||
from fluentm import report | ||
|
||
scenes = { | ||
# Example using variables, which is fine for small things but gets hard with longer flows | ||
"Tink API traffic": [ | ||
DataFlow( | ||
Actor("tink-cli"), | ||
Process("Tink API").inBoundary("Tink Control Plane Network"), | ||
MTLS(HTTP("API request")), | ||
), | ||
DataFlow( | ||
Process("Machine").inBoundary("On Premise Network"), | ||
Process("boots").inBoundary("Tink Control Plane Network"), | ||
DHCP("IP Request"), | ||
), | ||
DataFlow( | ||
Process("boots").inBoundary("Tink Control Plane Network"), | ||
Process("Tink API").inBoundary("Tink Control Plane Network"), | ||
MTLS(HTTP("API request")), | ||
"Boots queries for IP", | ||
), | ||
DataFlow( | ||
Process("Machine").inBoundary("On Premise Network"), | ||
Process("boots").inBoundary("Tink Control Plane Network"), | ||
DHCP("PXE Location Request"), | ||
), | ||
DataFlow( | ||
Process("boots").inBoundary("Tink Control Plane Network"), | ||
Process("Tink API").inBoundary("Tink Control Plane Network"), | ||
MTLS(HTTP("API request")), | ||
"Boots queries for PXE OS location", | ||
), | ||
DataFlow( | ||
Process("Machine").inBoundary("On Premise Network"), | ||
Process("Nginx").inBoundary("Tink Control Plane Network"), | ||
HTTP("Boot OS Request"), | ||
), | ||
DataFlow( | ||
Process("Machine").inBoundary("On Premise Network"), | ||
Process("Tink API").inBoundary("Tink Control Plane Network"), | ||
TLS(HTTP("Workflow")), | ||
), | ||
DataFlow( | ||
Process("Machine").inBoundary("On Premise Network"), | ||
Process("Container Registry").inBoundary("Tink Control Plane Network"), | ||
TLS(HTTP("Container Images")), | ||
), | ||
DataFlow( | ||
Process("Machine").inBoundary("On Premise Network"), | ||
Process("Hegel").inBoundary("Tink Control Plane Network"), | ||
TLS(HTTP("Machine metadata")), | ||
"Metadata request", | ||
), | ||
DataFlow( | ||
Process("Machine").inBoundary("On Premise Network"), | ||
Process("Nginx").inBoundary("Tink Control Plane Network"), | ||
HTTP("Workload OS"), | ||
), | ||
] | ||
} | ||
|
||
if __name__ == "__main__": | ||
report(scenes, outputDir="examples/tinkerbell", dfdLabels=True) |
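Review bot: The two flows from `Process("Machine")` to `Process("Nginx")`, `HTTP("Boot OS Request")` and `HTTP("Workload OS")`, are the only HTTP flows in this scene with no `TLS(...)` or `MTLS(...)` wrapper, and both cross from "On Premise Network" into "Tink Control Plane Network" with nothing recording whether that is deliberate. Judging by their labels they carry the OS a machine boots and later runs, so a reader of the model needs to see how integrity and origin are covered. A comment above each, such as `# plain HTTP across the boundary: <reason>; integrity of the served OS is ensured by <mechanism or "open risk">`, would capture that. Separately, the leading comment `# Example using variables, ...` does not match the scene, which builds every `Actor` and `Process` inline; `# Tinkerbell provisioning flows, elements declared inline` would describe what is actually here.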
@@ -0,0 +1,185 @@ | ||
<html> | ||
<head> | ||
<title> | ||
Threat Models | ||
</title> | ||
<style> | ||
#dataFlowTable { | ||
font-family: Arial, Helvetica, sans-serif; | ||
border-collapse: collapse; | ||
width: 100%; | ||
} | ||
|
||
#dataFlowTable td, #dataFlowTable th { | ||
border: 1px solid #ddd; | ||
padding: 8px; | ||
} | ||
|
||
#dataFlowTable tr:nth-child(even){background-color: #f2f2f2;} | ||
|
||
#dataFlowTable tr:hover {background-color: #ddd;} | ||
|
||
#dataFlowTable th { | ||
padding-top: 12px; | ||
padding-bottom: 12px; | ||
text-align: left; | ||
background-color: #a34a4a; | ||
color: white; | ||
} | ||
</style> | ||
</head> | ||
<body> | ||
<hr /> | ||
|
||
<h2> Tink API traffic </h2> | ||
<img src="Tink API traffic-dfd.png"> | ||
<table id="dataFlowTable"> | ||
<tr> | ||
|
||
<th>Flow ID</th> | ||
|
||
<th>Pitcher</th> | ||
|
||
<th>Catcher</th> | ||
|
||
<th>Data Flow</th> | ||
|
||
</tr> | ||
|
||
<tr> | ||
|
||
<td>1</td> | ||
|
||
<td>tink-cli</td> | ||
|
||
<td>Tink API</td> | ||
|
||
<td>MTLS( HTTP( API request ) )</td> | ||
|
||
</tr> | ||
|
||
|
||
<tr> | ||
|
||
<td>2</td> | ||
|
||
<td>Machine</td> | ||
|
||
<td>boots</td> | ||
|
||
<td>DHCP( IP Request )</td> | ||
|
||
</tr> | ||
|
||
|
||
<tr> | ||
|
||
<td>3</td> | ||
|
||
<td>boots</td> | ||
|
||
<td>Tink API</td> | ||
|
||
<td>MTLS( HTTP( API request ) )</td> | ||
|
||
</tr> | ||
|
||
|
||
<tr> | ||
|
||
<td>4</td> | ||
|
||
<td>Machine</td> | ||
|
||
<td>boots</td> | ||
|
||
<td>DHCP( PXE Location Request )</td> | ||
|
||
</tr> | ||
|
||
|
||
<tr> | ||
|
||
<td>5</td> | ||
|
||
<td>boots</td> | ||
|
||
<td>Tink API</td> | ||
|
||
<td>MTLS( HTTP( API request ) )</td> | ||
|
||
</tr> | ||
|
||
|
||
<tr> | ||
|
||
<td>6</td> | ||
|
||
<td>Machine</td> | ||
|
||
<td>Nginx</td> | ||
|
||
<td>HTTP( Boot OS Request )</td> | ||
|
||
</tr> | ||
|
||
|
||
<tr> | ||
|
||
<td>7</td> | ||
|
||
<td>Machine</td> | ||
|
||
<td>Tink API</td> | ||
|
||
<td>TLS( HTTP( Workflow ) )</td> | ||
|
||
</tr> | ||
|
||
|
||
<tr> | ||
|
||
<td>8</td> | ||
|
||
<td>Machine</td> | ||
|
||
<td>Container Registry</td> | ||
|
||
<td>TLS( HTTP( Container Images ) )</td> | ||
|
||
</tr> | ||
|
||
|
||
<tr> | ||
|
||
<td>9</td> | ||
|
||
<td>Machine</td> | ||
|
||
<td>Hegel</td> | ||
|
||
<td>TLS( HTTP( Machine metadata ) )</td> | ||
|
||
</tr> | ||
|
||
|
||
<tr> | ||
|
||
<td>10</td> | ||
|
||
<td>Machine</td> | ||
|
||
<td>Nginx</td> | ||
|
||
<td>HTTP( Workload OS )</td> | ||
|
||
</tr> | ||
|
||
|
||
</table> | ||
|
||
|
||
<hr /> | ||
|
||
</body> | ||
</html> |
@@ -0,0 +1,27 @@ | ||
digraph "Tink API traffic" { | ||
color=blue rankdir=LR | ||
node [fontname=Arial fontsize=14] | ||
"tink-cli" | ||
subgraph "cluster_Tink Control Plane Network" { | ||
graph [color=red fontname=Arial fontsize=12 label="Tink Control Plane Network" line=dotted] | ||
"Tink API" | ||
boots | ||
Nginx | ||
"Container Registry" | ||
Hegel | ||
} | ||
subgraph "cluster_On Premise Network" { | ||
graph [color=red fontname=Arial fontsize=12 label="On Premise Network" line=dotted] | ||
Machine | ||
} | ||
"tink-cli" -> "Tink API" [label="(1) API request"] | ||
Machine -> boots [label="(2) IP Request"] | ||
boots -> "Tink API" [label="(3) Boots queries for IP"] | ||
Machine -> boots [label="(4) PXE Location Request"] | ||
boots -> "Tink API" [label="(5) Boots queries for PXE OS location"] | ||
Machine -> Nginx [label="(6) Boot OS Request"] | ||
Machine -> "Tink API" [label="(7) Workflow"] | ||
Machine -> "Container Registry" [label="(8) Container Images"] | ||
Machine -> Hegel [label="(9) Metadata request"] | ||
Machine -> Nginx [label="(10) Workload OS"] | ||
} |