/**
 * Varargs convenience factory: wraps {@code lines} in a fixed-size list view and delegates to the
 * list-accepting {@code of} overload.
 *
 * <p>Line order is preserved as given by the caller. NOTE(review): callers on this page build
 * permit/deny lines, so order presumably decides which action applies to an IP; confirm against
 * the list overload.
 *
 * @param lines the ACL lines, in evaluation order
 * @return whatever the list overload returns for these lines
 */
public static AclIpSpace of(AclIpSpaceLine... lines) {
  // Arrays.asList does not copy: the list is a view backed by the varargs array.
  return of(
      Arrays.asList(lines));
}
/**
 * Specializes an {@link AclIpSpace} line by line.
 *
 * <p>Each line is rebuilt with its IpSpace replaced by the result of {@code visit}. Lines whose
 * specialized space is {@link EmptyIpSpace#INSTANCE} are dropped. If no line survives, or every
 * surviving line has action {@link LineAction#DENY}, the whole space collapses to {@link
 * EmptyIpSpace#INSTANCE}; otherwise a new AclIpSpace is built from the surviving lines in their
 * original order.
 *
 * <p>NOTE(review): the emptiness test is an identity comparison, so it only removes lines when
 * {@code visit} returns the {@code EmptyIpSpace} singleton itself; confirm that every visitor
 * branch does so, otherwise dead lines stay in the specialized ACL.
 *
 * @param aclIpSpace the ACL-style IP space to specialize
 * @return the specialized space, or {@link EmptyIpSpace#INSTANCE} when nothing can be permitted
 */
@Override
public IpSpace visitAclIpSpace(AclIpSpace aclIpSpace) {
  ImmutableList.Builder<AclIpSpaceLine> survivors = ImmutableList.builder();
  // Stays false for an empty result as well, so one flag covers both "no lines" and "only DENY".
  boolean hasNonDenyLine = false;

  for (AclIpSpaceLine original : aclIpSpace.getLines()) {
    AclIpSpaceLine specialized =
        original.toBuilder().setIpSpace(visit(original.getIpSpace())).build();
    if (specialized.getIpSpace() == EmptyIpSpace.INSTANCE) {
      // A line over the empty space is dropped regardless of its action.
      continue;
    }
    survivors.add(specialized);
    if (specialized.getAction() != LineAction.DENY) {
      hasNonDenyLine = true;
    }
  }

  if (!hasNonDenyLine) {
    // Nothing left, or only DENY lines left: the code treats the space as containing no IPs.
    return EmptyIpSpace.INSTANCE;
  }

  List<AclIpSpaceLine> specializedLines = survivors.build();
  return AclIpSpace.of(specializedLines);
}
return AclIpSpace.of(simplifiedLines);
/**
 * Checks how {@link IpSpaceDescriber} renders an {@link AclIpSpace} with a single permit line
 * over the universe, under three tracer configurations: no names or metadata, metadata for the
 * line's IpSpace only, and metadata for the AclIpSpace as a whole.
 */
@Test
public void testVisitAclIpSpace() {
  IpSpace universe = UniverseIpSpace.INSTANCE;
  String universeName = "lineIpSpace";
  IpSpaceMetadata universeMetadata = new IpSpaceMetadata("line_space_name", "line_space_type");
  IpSpace aclSpace = AclIpSpace.of(AclIpSpaceLine.permit(universe));

  // Tracer that knows the whole AclIpSpace by name and has metadata for it.
  AclTracer tracerForWholeSpace =
      new AclTracer(
          _flow,
          null,
          ImmutableMap.of(),
          ImmutableMap.of(TEST_NAME, aclSpace),
          ImmutableMap.of(TEST_NAME, TEST_METADATA));
  IpSpaceDescriber wholeSpaceDescriber = new IpSpaceDescriber(tracerForWholeSpace);

  // Tracer that only knows the IpSpace used inside the single line.
  AclTracer tracerForLineSpace =
      new AclTracer(
          _flow,
          null,
          ImmutableMap.of(),
          ImmutableMap.of(universeName, universe),
          ImmutableMap.of(universeName, universeMetadata));
  IpSpaceDescriber lineSpaceDescriber = new IpSpaceDescriber(tracerForLineSpace);

  // Without names or metadata the line is described structurally.
  assertThat(aclSpace.accept(_describerNoNamesNorMetadata), equalTo("[0: universe]"));
  // With line-level metadata the line is described by its metadata type and name.
  assertThat(
      aclSpace.accept(lineSpaceDescriber),
      equalTo("[0: 'line_space_type' named 'line_space_name']"));
  // With metadata for the AclIpSpace itself, that description is used for the whole space.
  assertThat(aclSpace.accept(wholeSpaceDescriber), equalTo(TEST_METADATA_DESCRIPTION));
}
/**
 * Traces a flow through an ACL whose only line accepts destination IPs taken from a named
 * {@link AclIpSpace} that consists of a single deny-all line.
 *
 * <p>The expected trace holds exactly one event: a default deny attributed to the ACL named
 * {@code ACL_NAME}. NOTE(review): this presumably means the accepting line did not match and the
 * flow fell through to the ACL's default action; confirm against {@code AclTracer}.
 */
@Test
public void testDeniedByNamedAclIpSpaceLine() {
  AclIpSpace denyAllSpace = AclIpSpace.of(AclIpSpaceLine.DENY_ALL);

  // The ACL's single accepting line reaches the deny-all space only through a named reference.
  HeaderSpace dstInNamedSpace =
      HeaderSpace.builder().setDstIps(new IpSpaceReference(ACL_IP_SPACE_NAME)).build();
  IpAccessList acl =
      IpAccessList.builder()
          .setName(ACL_NAME)
          .setLines(ImmutableList.of(IpAccessListLine.acceptingHeaderSpace(dstInNamedSpace)))
          .build();

  Map<String, IpAccessList> aclsByName = ImmutableMap.of(ACL_NAME, acl);
  Map<String, IpSpace> ipSpacesByName = ImmutableMap.of(ACL_IP_SPACE_NAME, denyAllSpace);
  Map<String, IpSpaceMetadata> metadataByName =
      ImmutableMap.of(ACL_IP_SPACE_NAME, new IpSpaceMetadata(ACL_IP_SPACE_NAME, TEST_ACL));

  AclTrace trace =
      AclTracer.trace(acl, FLOW, SRC_INTERFACE, aclsByName, ipSpacesByName, metadataByName);

  assertThat(
      trace, hasEvents(contains(ImmutableList.of(isDefaultDeniedByIpAccessListNamed(ACL_NAME)))));
}
/**
 * Sanitizing an ACL that depends on a self-referential named IP space must yield a single
 * unmatchable line.
 *
 * <p>The named space "aclIpSpace" is an {@link AclIpSpace} whose only line permits an
 * {@link IpSpaceReference} back to "aclIpSpace", so the reference can never be resolved to
 * concrete IPs. NOTE(review): how the cycle is detected is not visible here; the test only pins
 * the outcome, namely that the line becomes {@code UNMATCHABLE} and is not kept as a match.
 */
@Test
public void testWithAclIpSpaceWithCircularRef() {
  // Register "aclIpSpace" on _c1 as an AclIpSpace that refers to itself by name.
  IpSpaceReference selfReference = new IpSpaceReference("aclIpSpace");
  _c1.setIpSpaces(
      ImmutableSortedMap.of("aclIpSpace", AclIpSpace.of(AclIpSpaceLine.permit(selfReference))));

  // The ACL under test matches source IPs through that cyclic named space.
  HeaderSpace srcInCyclicSpace =
      HeaderSpace.builder().setSrcIps(new IpSpaceReference("aclIpSpace")).build();
  _aclb
      .setLines(
          ImmutableList.of(
              IpAccessListLine.accepting()
                  .setMatchCondition(new MatchHeaderSpace(srcInCyclicSpace))
                  .build()))
      .build();

  List<AclSpecs> aclSpecs = getAclSpecs(ImmutableSet.of("c1"));

  // Exactly one ACL is reported, and its sanitized form is one unmatchable line.
  assertThat(aclSpecs, hasSize(1));
  assertThat(
      aclSpecs.get(0).acl.getSanitizedAcl().getLines(), equalTo(ImmutableList.of(UNMATCHABLE)));
}
/**
 * Sanitizing an ACL whose {@link AclIpSpace} refers to the same valid named IP space twice must
 * dereference both occurrences.
 *
 * <p>NOTE(review): the named space "ipSpace" is not defined in this method; the expected value
 * implies the fixture maps it to 1.2.3.4. Confirm against the test setup. The repeated reference
 * is the point of the test: seeing a name a second time must not be mistaken for a cycle.
 */
@Test
public void testWithAclIpSpaceWithGoodRefs() {
  // Input: two permit lines, each pointing at the named space "ipSpace".
  HeaderSpace srcViaReferences =
      HeaderSpace.builder()
          .setSrcIps(
              AclIpSpace.of(
                  AclIpSpaceLine.permit(new IpSpaceReference("ipSpace")),
                  AclIpSpaceLine.permit(new IpSpaceReference("ipSpace"))))
          .build();
  _aclb.setLines(ImmutableList.of(acceptingHeaderSpace(srcViaReferences))).build();

  List<AclSpecs> aclSpecs = getAclSpecs(ImmutableSet.of("c1"));

  // Expected: the same two permit lines with each reference replaced by the concrete IP space.
  HeaderSpace srcDereferenced =
      HeaderSpace.builder()
          .setSrcIps(
              AclIpSpace.of(
                  AclIpSpaceLine.permit(Ip.parse("1.2.3.4").toIpSpace()),
                  AclIpSpaceLine.permit(Ip.parse("1.2.3.4").toIpSpace())))
          .build();

  assertThat(aclSpecs, hasSize(1));
  AclSpecs onlySpec = aclSpecs.get(0);
  assertThat(
      onlySpec.acl.getSanitizedAcl().getLines(),
      equalTo(ImmutableList.of(acceptingHeaderSpace(srcDereferenced))));
}