new CanonicalAcl( acl1, acl1, ImmutableSet.of()); CanonicalAcl canonicalAcl2 = new CanonicalAcl( acl1, acl1,
BDDFactory bddFactory = bddPacket.getFactory(); BDDSourceManager sourceMgr = BDDSourceManager.forInterfaces(bddPacket, aclSpec.acl.getInterfaces()); IpAccessListToBDD ipAccessListToBDD = IpAccessListToBDD.create( bddPacket, sourceMgr, aclSpec.acl.getDependencies(), ImmutableMap.of()); IpAccessList ipAcl = aclSpec.acl.getSanitizedAcl(); List<IpAccessListLine> lines = ipAcl.getLines();
@Nonnull SortedSet<Integer> blockingLines) { if (aclSpecs.acl.inCycle(lineNumber)) { return; IpAccessList acl = aclSpecs.acl.getOriginalAcl(); IpAccessListLine blockedLine = acl.getLines().get(lineNumber); boolean diffAction = canonicalAcl.hasUndefinedRef(lineNumber) ? Reason.UNDEFINED_REFERENCE : unmatchable ? Reason.INDEPENDENTLY_UNMATCHABLE : Reason.BLOCKING_LINES;
new CanonicalAcl( node.getSanitizedAcl(), node.getAcl(), if (aclSpec.getAcl().equals(currentAcl)) { aclSpec.addSource(hostname, aclName); added = true;
@Test public void testWithUndefinedSrcInterfaceReference() { _aclb .setLines( ImmutableList.of( IpAccessListLine.accepting() .setMatchCondition(new MatchSrcInterface(ImmutableList.of("???"))) .build())) .build(); List<AclSpecs> aclSpecs = getAclSpecs(ImmutableSet.of("c1")); // The sanitized version of the acl should have one unmatchable line assertThat(aclSpecs, hasSize(1)); AclSpecs spec = aclSpecs.get(0); assertThat(spec.acl.getSanitizedAcl().getLines(), equalTo(ImmutableList.of(UNMATCHABLE))); }
if (spec.acl.getAclName().equals("acl3")) { spec.acl.getSanitizedAcl().getLines(), equalTo( ImmutableList.of( } else { assertThat(spec.acl.getSanitizedAcl().getLines(), equalTo(ImmutableList.of(UNMATCHABLE))); assertThat(spec.acl.inCycle(0), equalTo(true));
@Test public void testUndefinedReference() { _aclb .setLines( ImmutableList.of( IpAccessListLine.accepting().setMatchCondition(new PermittedByAcl("???")).build())) .build(); List<AclSpecs> aclSpecs = getAclSpecs(ImmutableSet.of("c1")); // The sanitized version of the acl should have one unmatchable line assertThat(aclSpecs, hasSize(1)); CanonicalAcl acl = aclSpecs.get(0).acl; assertThat(acl.getSanitizedAcl().getLines(), equalTo(ImmutableList.of(UNMATCHABLE))); assertThat(acl.hasUndefinedRef(0), equalTo(true)); }
.filter(spec -> !spec.acl.getAclName().equals("acl0")) .map(spec -> spec.acl.getDependencies().keySet()) .collect(Collectors.toList()); assertThat(
@Test public void testReferencedAclUsesSrcInterface() { // Create ACL that references an ACL that references an interface _aclb .setLines( ImmutableList.of( IpAccessListLine.accepting() .setMatchCondition(new PermittedByAcl("referencedAcl")) .build())) .build(); _aclb .setLines( ImmutableList.of( IpAccessListLine.accepting() .setMatchCondition(new MatchSrcInterface(ImmutableList.of("iface"))) .build())) .setName("referencedAcl") .build(); List<AclSpecs> aclSpecs = getAclSpecs(ImmutableSet.of("c1")); // There should be two AclSpecs. Both should be aware of the interface "iface" assertThat(aclSpecs, hasSize(2)); for (AclSpecs spec : aclSpecs) { assertThat( spec.acl.getInterfaces(), equalTo(ImmutableSet.of("iface", "unreferencedInterface"))); } }
@Override public boolean equals(Object o) { if (o == this) { return true; } else if (!(o instanceof CanonicalAcl)) { return false; } else if (hashCode() != o.hashCode()) { return false; } CanonicalAcl otherAcl = (CanonicalAcl) o; return _acl.equals(otherAcl._acl) && _dependencies.equals(otherAcl._dependencies) && _interfaces.equals(otherAcl._interfaces) && _sanitizedAcl.equals(otherAcl._sanitizedAcl) && _linesWithUndefinedReferences.equals(otherAcl._linesWithUndefinedReferences) && _linesInCycles.equals(otherAcl._linesInCycles); }
@Test public void testWithUndefinedIpSpaceReference() { _aclb .setLines( ImmutableList.of( IpAccessListLine.accepting() .setMatchCondition( new MatchHeaderSpace( HeaderSpace.builder().setSrcIps(new IpSpaceReference("???")).build())) .build())) .build(); List<AclSpecs> aclSpecs = getAclSpecs(ImmutableSet.of("c1")); // The sanitized version of the acl should have one unmatchable line assertThat(aclSpecs, hasSize(1)); AclSpecs spec = aclSpecs.get(0); assertThat(spec.acl.getSanitizedAcl().getLines(), equalTo(ImmutableList.of(UNMATCHABLE))); }
aclSpecs.get(0).acl.getInterfaces(), equalTo(ImmutableSet.of("iface1", "iface2", "iface3")));
@Test public void testWithUndefinedIpSpaceReferenceChain() { // Make sure it correctly interprets a chain of IpSpaceReferences ending with an undefined ref _c1.setIpSpaces( ImmutableSortedMap.of( "ipSpace1", new IpSpaceReference("ipSpace2"), "ipSpace2", new IpSpaceReference("ipSpace3"))); _aclb .setLines( ImmutableList.of( IpAccessListLine.accepting() .setMatchCondition( new MatchHeaderSpace( HeaderSpace.builder() .setSrcIps(new IpSpaceReference("ipSpace1")) .build())) .build())) .build(); List<AclSpecs> aclSpecs = getAclSpecs(ImmutableSet.of("c1")); // The sanitized version of the acl should have one unmatchable line assertThat(aclSpecs, hasSize(1)); AclSpecs spec = aclSpecs.get(0); assertThat(spec.acl.getSanitizedAcl().getLines(), equalTo(ImmutableList.of(UNMATCHABLE))); }
new CanonicalAcl( acl1, acl1, ImmutableMap.of(), ImmutableSet.of(), ImmutableSet.of(), ImmutableSet.of()); CanonicalAcl canonicalAcl2 = new CanonicalAcl( acl2, acl2, ImmutableMap.of(), ImmutableSet.of(), ImmutableSet.of(), ImmutableSet.of());
@Test public void testWithIpSpaceReference() { _aclb .setLines( ImmutableList.of( IpAccessListLine.rejecting() .setMatchCondition( new MatchHeaderSpace( HeaderSpace.builder() .setSrcIps(new IpSpaceReference("ipSpace")) .build())) .build())) .build(); List<AclSpecs> aclSpecs = getAclSpecs(ImmutableSet.of("c1")); // The sanitized version of the acl should directly reject 1.2.3.4 assertThat(aclSpecs, hasSize(1)); AclSpecs spec = aclSpecs.get(0); assertThat( spec.acl.getSanitizedAcl().getLines(), equalTo( ImmutableList.of( rejectingHeaderSpace( HeaderSpace.builder().setSrcIps(Ip.parse("1.2.3.4").toIpSpace()).build())))); }
new CanonicalAcl( acl1, acl1, ImmutableSet.of()); CanonicalAcl canonicalAcl2 = new CanonicalAcl( acl2, acl2,
@Test public void testWithAclIpSpaceWithCircularRef() { // Named IP spaces includes AclIpSpace "aclIpSpace". // "aclIpSpace" contains an IpSpaceReference to itself. Rip _c1.setIpSpaces( ImmutableSortedMap.of( "aclIpSpace", AclIpSpace.of(AclIpSpaceLine.permit(new IpSpaceReference("aclIpSpace"))))); _aclb .setLines( ImmutableList.of( IpAccessListLine.accepting() .setMatchCondition( new MatchHeaderSpace( HeaderSpace.builder() .setSrcIps(new IpSpaceReference("aclIpSpace")) .build())) .build())) .build(); List<AclSpecs> aclSpecs = getAclSpecs(ImmutableSet.of("c1")); // The sanitized version of the acl should have one unmatchable line assertThat(aclSpecs, hasSize(1)); AclSpecs spec = aclSpecs.get(0); assertThat(spec.acl.getSanitizedAcl().getLines(), equalTo(ImmutableList.of(UNMATCHABLE))); }
new CanonicalAcl( acl1, acl1, ImmutableSet.of()); CanonicalAcl canonicalAcl2 = new CanonicalAcl( acl2, acl2,
@Test public void testWithCircularIpSpaceReferenceChain() { // Make sure it identifies an undefined reference for a circular chain of IpSpaceReferences _c1.setIpSpaces( ImmutableSortedMap.of( "ipSpace1", new IpSpaceReference("ipSpace2"), "ipSpace2", new IpSpaceReference("ipSpace3"), "ipSpace3", new IpSpaceReference("ipSpace1"))); _aclb .setLines( ImmutableList.of( IpAccessListLine.accepting() .setMatchCondition( new MatchHeaderSpace( HeaderSpace.builder() .setSrcIps(new IpSpaceReference("ipSpace1")) .build())) .build())) .build(); List<AclSpecs> aclSpecs = getAclSpecs(ImmutableSet.of("c1")); // The sanitized version of the acl should have one unmatchable line assertThat(aclSpecs, hasSize(1)); AclSpecs spec = aclSpecs.get(0); assertThat(spec.acl.getSanitizedAcl().getLines(), equalTo(ImmutableList.of(UNMATCHABLE))); }
@Test public void testWithAclIpSpaceWithGoodRefs() { // ACL contains an AclIpSpace that references the same valid named IpSpace twice _aclb .setLines( ImmutableList.of( acceptingHeaderSpace( HeaderSpace.builder() .setSrcIps( AclIpSpace.of( AclIpSpaceLine.permit(new IpSpaceReference("ipSpace")), AclIpSpaceLine.permit(new IpSpaceReference("ipSpace")))) .build()))) .build(); List<AclSpecs> aclSpecs = getAclSpecs(ImmutableSet.of("c1")); // The sanitized version of the acl should have correctly dereferenced "ipSpace" assertThat(aclSpecs, hasSize(1)); AclSpecs spec = aclSpecs.get(0); assertThat( spec.acl.getSanitizedAcl().getLines(), equalTo( ImmutableList.of( acceptingHeaderSpace( HeaderSpace.builder() .setSrcIps( AclIpSpace.of( AclIpSpaceLine.permit(Ip.parse("1.2.3.4").toIpSpace()), AclIpSpaceLine.permit(Ip.parse("1.2.3.4").toIpSpace()))) .build())))); }