67 path string (#201)

pkg/symbolicexpr/symbolicPath.go

@@ -7,7 +7,7 @@ import (
 )
 
 func (path *SymbolicPath) String() string {
-	return path.Conn.String() + " from " + path.Src.string() + " to " + path.Dst.string()
+	return "src: " + path.Src.string() + " dst: " + path.Dst.string() + " conn: " + path.Conn.String()
 }
 
 // if the source or destination is empty then so is the entire path

pkg/symbolicexpr/symbolicexpr_test.go

@@ -61,8 +61,8 @@ func TestSymbolicPaths(t *testing.T) {
 	}
 	conjSymbolicPath := SymbolicPath{Src: conjSrc, Dst: conjDst, Conn: netset.AllTCPTransport()}
 	fmt.Printf("\nconjSymbolicPath:\n%v\n", conjSymbolicPath.String())
-	require.Equal(t, "TCP from (group = str1 and group = str2 and group = str3) to "+
-		"(group != str1 and group != str2 and group != str3)",
+	require.Equal(t, "src: (group = str1 and group = str2 and group = str3) dst: "+
+		"(group != str1 and group != str2 and group != str3) conn: TCP",
 		conjSymbolicPath.String(), "conjSymbolicPath not as expected")
 	println("conjEmpty", conjEmpty.string())
 	require.Equal(t, emptySet, conjEmpty.string(), "empty conjunction not as expected")
@@ -80,7 +80,7 @@ func TestSymbolicPaths(t *testing.T) {
 	hints := Hints{GroupsDisjoint: disjoint}
 	pathNoRedundant := path.removeRedundant(&hints)
 	fmt.Printf("pathNoRedundant:%v\n", pathNoRedundant)
-	require.Equal(t, "TCP from (group = Gryffindor) to (group = Slytherin)", pathNoRedundant.String(),
+	require.Equal(t, "src: (group = Gryffindor) dst: (group = Slytherin) conn: TCP", pathNoRedundant.String(),
 		"redundant removal not working")
 }
 
@@ -108,9 +108,9 @@ func TestComputeAllowGivenDenySingleTermEach1(t *testing.T) {
 	fmt.Printf("allowPath is %v\ndenyPath is %v\n", allowPath.String(), denyPath.String())
 	allowGivenDeny := *computeAllowGivenAllowHigherDeny(allowPath, denyPath, &Hints{GroupsDisjoint: [][]string{}})
 	fmt.Printf("computeAllowGivenAllowHigherDeny(allowPath, denyPath) is\n%v\n", allowGivenDeny.String())
-	require.Equal(t, "All Connections from (tag = src1 and tag != src2) to (tag = dst1)\n"+
-		"All Connections from (tag = src1) to (tag = dst1 and tag != dst2)\n"+
-		"ICMP,TCP from (tag = src1) to (tag = dst1)",
+	require.Equal(t, "src: (tag = src1 and tag != src2) dst: (tag = dst1) conn: All Connections\n"+
+		"src: (tag = src1) dst: (tag = dst1 and tag != dst2) conn: All Connections\n"+
+		"src: (tag = src1) dst: (tag = dst1) conn: ICMP,TCP",
 		allowGivenDeny.String(), "allowGivenDeny single term computation not as expected")
 }
 
@@ -137,14 +137,14 @@ func TestComputeAllowGivenDenySingleTermEach2(t *testing.T) {
 	allowGivenDeny := *computeAllowGivenAllowHigherDeny(allowPath, denyPath, &Hints{GroupsDisjoint: [][]string{}})
 	fmt.Printf("computeAllowGivenAllowHigherDeny(allowPath, denyPath) is\n%v\n", allowGivenDeny.String())
 	// computeAllowGivenAllowHigherDeny not optimized
-	require.Equal(t, "UDP from (tag = src1 and tag != src2) to (tag = dst1)\n"+
-		"UDP from (tag = src1) to (tag = dst1 and tag != dst2)\nUDP from (tag = src1) to (tag = dst1)",
+	require.Equal(t, "src: (tag = src1 and tag != src2) dst: (tag = dst1) conn: UDP\n"+
+		"src: (tag = src1) dst: (tag = dst1 and tag != dst2) conn: UDP\nsrc: (tag = src1) dst: (tag = dst1) conn: UDP",
 		allowGivenDeny.String(), "allowGivenDeny single term computation not as expected")
 	// ComputeAllowGivenDenies optimize
 	allowGivenDenyPaths := *ComputeAllowGivenDenies(&SymbolicPaths{&allowPath}, &SymbolicPaths{&denyPath},
 		&Hints{GroupsDisjoint: [][]string{}})
 	fmt.Printf("allowGivenDenyPaths is %v\n", allowGivenDenyPaths.String())
-	require.Equal(t, "UDP from (tag = src1) to (tag = dst1)", allowGivenDenyPaths.String(),
+	require.Equal(t, "src: (tag = src1) dst: (tag = dst1) conn: UDP", allowGivenDenyPaths.String(),
 		"ComputeAllowGivenDenies does not work as expected")
 }
 
@@ -168,7 +168,7 @@ func TestComputeAllowGivenDenySingleTermEach3(t *testing.T) {
 	allowGivenDenyPaths := *ComputeAllowGivenDenies(&SymbolicPaths{&allowPath}, &SymbolicPaths{&denyPath},
 		&Hints{GroupsDisjoint: [][]string{}})
 	fmt.Printf("allowGivenDenyPaths is %v\n", allowGivenDenyPaths.String())
-	require.Equal(t, "TCP src-ports: 51-65535 from (group = src1) to (group = dst1)", allowGivenDenyPaths.String(),
+	require.Equal(t, "src: (group = src1) dst: (group = dst1) conn: TCP src-ports: 51-65535", allowGivenDenyPaths.String(),
 		"ComputeAllowGivenDenies does not work as expected")
 }
 
@@ -234,18 +234,18 @@ func TestComputeAllowGivenDenyThreeTermsEach(t *testing.T) {
 	fmt.Printf("symbolicAllow is %s\nsymbolicDeny is %s\n", allowPath.String(), denyPath.String())
 	fmt.Printf("computeAllowGivenAllowHigherDeny(allowPath, denyPath) is\n%v\n", allowGivenDenyPaths.String())
 	require.Equal(t,
-		"TCP from (group = src1 and group = src2 and group = src3 and group != src1`) to"+
-			" (group = dst1 and group = dst2 and group = dst3)\n"+
-			"TCP from (group = src1 and group = src2 and group = src3 and group != src2`) to "+
-			"(group = dst1 and group = dst2 and group = dst3)\n"+
-			"TCP from (group = src1 and group = src2 and group = src3 and group != src3`) to"+
-			" (group = dst1 and group = dst2 and group = dst3)\n"+
-			"TCP from (group = src1 and group = src2 and group = src3) to "+
-			"(group = dst1 and group = dst2 and group = dst3 and group != dst1`)\n"+
-			"TCP from (group = src1 and group = src2 and group = src3) to "+
-			"(group = dst1 and group = dst2 and group = dst3 and group != dst2`)\n"+
-			"TCP from (group = src1 and group = src2 and group = src3) to "+
-			"(group = dst1 and group = dst2 and group = dst3 and group != dst3`)",
+		"src: (group = src1 and group = src2 and group = src3 and group != src1`) dst:"+
+			" (group = dst1 and group = dst2 and group = dst3) conn: TCP\n"+
+			"src: (group = src1 and group = src2 and group = src3 and group != src2`) dst: "+
+			"(group = dst1 and group = dst2 and group = dst3) conn: TCP\n"+
+			"src: (group = src1 and group = src2 and group = src3 and group != src3`) dst:"+
+			" (group = dst1 and group = dst2 and group = dst3) conn: TCP\n"+
+			"src: (group = src1 and group = src2 and group = src3) dst: "+
+			"(group = dst1 and group = dst2 and group = dst3 and group != dst1`) conn: TCP\n"+
+			"src: (group = src1 and group = src2 and group = src3) dst: "+
+			"(group = dst1 and group = dst2 and group = dst3 and group != dst2`) conn: TCP\n"+
+			"src: (group = src1 and group = src2 and group = src3) dst: "+
+			"(group = dst1 and group = dst2 and group = dst3 and group != dst3`) conn: TCP",
 		allowGivenDenyPaths.String(), "allowGivenDeny three terms computation not as expected")
 }
 
@@ -278,10 +278,11 @@ func TestComputeAllowGivenDenyAllowTautology(t *testing.T) {
 	allowGivenDeny := *computeAllowGivenAllowHigherDeny(allowPath, denyPath, &Hints{GroupsDisjoint: [][]string{}})
 	fmt.Printf("computeAllowGivenAllowHigherDeny(allowPath, denyPath) is\n%v\n", allowGivenDeny.String())
 	require.Equal(t,
-		"All Connections from (group != src1`) to (*)\nAll Connections from (group != src2`) to (*)\n"+
-			"All Connections from (group != src3`) to (*)\nAll Connections from (*) to (group != dst1`)\n"+
-			"All Connections from (*) to (group != dst2`)\nAll Connections from (*) to (group != dst3`)\n"+
-			"ICMP,TCP from (*) to (*)", allowGivenDeny.String(),
+		"src: (group != src1`) dst: (*) conn: All Connections\n"+
+			"src: (group != src2`) dst: (*) conn: All Connections\nsrc: (group != src3`) dst: (*) conn: All Connections\n"+
+			"src: (*) dst: (group != dst1`) conn: All Connections\n"+
+			"src: (*) dst: (group != dst2`) conn: All Connections\nsrc: (*) dst: (group != dst3`) conn: All Connections\n"+
+			"src: (*) dst: (*) conn: ICMP,TCP", allowGivenDeny.String(),
 		"allowGivenDeny allow tautology computation not as expected")
 }
 
@@ -355,31 +356,31 @@ func TestComputeAllowGivenDenies(t *testing.T) {
 	res := ComputeAllowGivenDenies(&allowPaths, &denyPaths, &Hints{GroupsDisjoint: [][]string{}})
 	fmt.Printf("ComputeAllowGivenDenies:\n%v\n", res.String())
 	require.Equal(t,
-		"TCP from (group = t0 and group != s0 and group != s2 and group != s4) to (group = t1)\n"+
-			"TCP from (group = t0 and group != s0 and group != s2) to (group = t1 and group != s5)\n"+
-			"TCP from (group = t0 and group != s0 and group != s4) to (group = t1 and group != s3)\n"+
-			"TCP from (group = t0 and group != s0) to (group = t1 and group != s3 and group != s5)\n"+
-			"TCP from (group = t0 and group != s2 and group != s4) to (group = t1 and group != s1)\n"+
-			"TCP from (group = t0 and group != s2) to (group = t1 and group != s1 and group != s5)\n"+
-			"TCP from (group = t0 and group != s4) to (group = t1 and group != s1 and group != s3)\n"+
-			"TCP from (group = t0) to (group = t1 and group != s1 and group != s3 and group != s5)\n"+
-			"TCP from (group = t2 and group != s0 and group != s2 and group != s4) to (group = t3)\n"+
-			"TCP from (group = t2 and group != s0 and group != s2) to (group = t3 and group != s5)\n"+
-			"TCP from (group = t2 and group != s0 and group != s4) to (group = t3 and group != s3)\n"+
-			"TCP from (group = t2 and group != s0) to (group = t3 and group != s3 and group != s5)\n"+
-			"TCP from (group = t2 and group != s2 and group != s4) to (group = t3 and group != s1)\n"+
-			"TCP from (group = t2 and group != s2) to (group = t3 and group != s1 and group != s5)\n"+
-			"TCP from (group = t2 and group != s4) to (group = t3 and group != s1 and group != s3)\n"+
-			"TCP from (group = t2) to (group = t3 and group != s1 and group != s3 and group != s5)",
+		"src: (group = t0 and group != s0 and group != s2 and group != s4) dst: (group = t1) conn: TCP\n"+
+			"src: (group = t0 and group != s0 and group != s2) dst: (group = t1 and group != s5) conn: TCP\n"+
+			"src: (group = t0 and group != s0 and group != s4) dst: (group = t1 and group != s3) conn: TCP\n"+
+			"src: (group = t0 and group != s0) dst: (group = t1 and group != s3 and group != s5) conn: TCP\n"+
+			"src: (group = t0 and group != s2 and group != s4) dst: (group = t1 and group != s1) conn: TCP\n"+
+			"src: (group = t0 and group != s2) dst: (group = t1 and group != s1 and group != s5) conn: TCP\n"+
+			"src: (group = t0 and group != s4) dst: (group = t1 and group != s1 and group != s3) conn: TCP\n"+
+			"src: (group = t0) dst: (group = t1 and group != s1 and group != s3 and group != s5) conn: TCP\n"+
+			"src: (group = t2 and group != s0 and group != s2 and group != s4) dst: (group = t3) conn: TCP\n"+
+			"src: (group = t2 and group != s0 and group != s2) dst: (group = t3 and group != s5) conn: TCP\n"+
+			"src: (group = t2 and group != s0 and group != s4) dst: (group = t3 and group != s3) conn: TCP\n"+
+			"src: (group = t2 and group != s0) dst: (group = t3 and group != s3 and group != s5) conn: TCP\n"+
+			"src: (group = t2 and group != s2 and group != s4) dst: (group = t3 and group != s1) conn: TCP\n"+
+			"src: (group = t2 and group != s2) dst: (group = t3 and group != s1 and group != s5) conn: TCP\n"+
+			"src: (group = t2 and group != s4) dst: (group = t3 and group != s1 and group != s3) conn: TCP\n"+
+			"src: (group = t2) dst: (group = t3 and group != s1 and group != s3 and group != s5) conn: TCP",
 		res.String(), "ComputeAllowGivenDenies computation not as expected")
 }
 
 // Input:
 // allow symbolic path:
-// group = src1 to *
+// group = src1 dst: *
 // deny symbolic path:
-// (group = src1) to (d1 = dst1)
-// Output allow paths: (group = str1) to (d1 != dst1)
+// (group = src1) dst: (d1 = dst1)
+// Output allow paths: (group = str1) dst: (d1 != dst1)
 func TestAllowDenyOptimizeEmptyPath(t *testing.T) {
 	conjSrc1, conjDst1 := Conjunction{}, Conjunction{}
 	atomicSrc1 := newDummyGroupTerm("src1", false)
@@ -392,19 +393,19 @@ func TestAllowDenyOptimizeEmptyPath(t *testing.T) {
 		&Hints{GroupsDisjoint: [][]string{}})
 	fmt.Printf("allow path: %v with higher priority deny path:%v is:\n%v\n\n",
 		allowPath.String(), denyPath.String(), allowWithDeny.String())
-	require.Equal(t, "All Connections from (group = src1) to (group != dst1)", allowWithDeny.String(),
+	require.Equal(t, "src: (group = src1) dst: (group != dst1) conn: All Connections", allowWithDeny.String(),
 		"optimized with deny not working properly")
 }
 
 // conj1: (group = str1)
 // conj2: (group = str1), (s2 = str2)
 // conj3: (group = str1), (s2 = str2), (s3 = str3)
-// path1: conj1 to conj1 TCP
-// path1Tag: conj1 to conj1 All
-// path2: conj2 to conj2 TCP
-// path3: conj3 to conj3 TCP
-// path4: conj1 to conj2 TCP
-// path5: conj3 to conj2 TCP
+// path1: conj1 dst: conj1 TCP
+// path1Tag: conj1 dst: conj1 All
+// path2: conj2 dst: conj2 TCP
+// path3: conj3 dst: conj3 TCP
+// path4: conj1 dst: conj2 TCP
+// path5: conj3 dst: conj2 TCP
 // tests:
 // path1 is implied by all paths
 // path1Tag is not implied by path3
@@ -437,7 +438,7 @@ func TestSymbolicPathsImplied(t *testing.T) {
 			path1.isSuperset(path5, &Hints{GroupsDisjoint: [][]string{}}),
 		"path1 is a superset of all paths but path2Tag")
 	require.Equal(t, true, !path1.isSuperset(path2Tag, &Hints{GroupsDisjoint: [][]string{}}),
-		"path1 is not a superset of path2Tag due to the connection")
+		"path1 is not a superset of path2Tag due dst: the connection")
 	require.Equal(t, true, path2.isSuperset(path3, &Hints{GroupsDisjoint: [][]string{}}) &&
 		path2.isSuperset(path5, &Hints{GroupsDisjoint: [][]string{}}) &&
 		!path2.isSuperset(path4, &Hints{GroupsDisjoint: [][]string{}}),

pkg/synthesis/tests_expected_output/Example1c_ConvertToAbstractNoHint.txt

@@ -1,6 +1,6 @@
 Allow Only Rules
 ~~~~~~~~~~~~~~~~~
 inbound rules
-	TCP dst-ports: 445 from (group = frontend) to (group = backend)
+	src: (group = frontend) dst: (group = backend) conn: TCP dst-ports: 445
 outbound rules
-	TCP dst-ports: 445 from (group = frontend) to (group = backend)
+	src: (group = frontend) dst: (group = backend) conn: TCP dst-ports: 445

pkg/synthesis/tests_expected_output/Example1c_PreProcessing.txt

@@ -1,8 +1,8 @@
 category: Application
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 symbolic inbound rules:
-	0. action: allow paths: TCP dst-ports: 445 from (group = frontend) to (group = backend)
-	1. action: deny paths: All Connections from (*) to (*)
+	0. action: allow paths: src: (group = frontend) dst: (group = backend) conn: TCP dst-ports: 445
+	1. action: deny paths: src: (*) dst: (*) conn: All Connections
 symbolic outbound rules:
-	0. action: allow paths: TCP dst-ports: 445 from (group = frontend) to (group = backend)
-	1. action: deny paths: All Connections from (*) to (*)
+	0. action: allow paths: src: (group = frontend) dst: (group = backend) conn: TCP dst-ports: 445
+	1. action: deny paths: src: (*) dst: (*) conn: All Connections

pkg/synthesis/tests_expected_output/ExampleDenyPassSimple_ConvertToAbstractNoHint.txt

@@ -1,8 +1,8 @@
 Allow Only Rules
 ~~~~~~~~~~~~~~~~~
 inbound rules
-	All Connections from (*) to (group != Hufflepuff and group != Slytherin)
-	All Connections from (*) to (group = Dumbledore)
+	src: (*) dst: (group != Hufflepuff and group != Slytherin) conn: All Connections
+	src: (*) dst: (group = Dumbledore) conn: All Connections
 outbound rules
-	All Connections from (*) to (group != Hufflepuff and group != Slytherin)
-	All Connections from (*) to (group = Dumbledore)
+	src: (*) dst: (group != Hufflepuff and group != Slytherin) conn: All Connections
+	src: (*) dst: (group = Dumbledore) conn: All Connections

pkg/synthesis/tests_expected_output/ExampleDenyPassSimple_PreProcessing.txt

@@ -1,18 +1,18 @@
 category: Environment
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 symbolic inbound rules:
-	0. action: jump_to_application paths: All Connections from (*) to (group = Dumbledore)
-	1. action: deny paths: All Connections from (*) to (group = Hufflepuff)
-	2. action: deny paths: All Connections from (*) to (group = Slytherin)
+	0. action: jump_to_application paths: src: (*) dst: (group = Dumbledore) conn: All Connections
+	1. action: deny paths: src: (*) dst: (group = Hufflepuff) conn: All Connections
+	2. action: deny paths: src: (*) dst: (group = Slytherin) conn: All Connections
 symbolic outbound rules:
-	0. action: jump_to_application paths: All Connections from (*) to (group = Dumbledore)
-	1. action: deny paths: All Connections from (*) to (group = Hufflepuff)
-	2. action: deny paths: All Connections from (*) to (group = Slytherin)
+	0. action: jump_to_application paths: src: (*) dst: (group = Dumbledore) conn: All Connections
+	1. action: deny paths: src: (*) dst: (group = Hufflepuff) conn: All Connections
+	2. action: deny paths: src: (*) dst: (group = Slytherin) conn: All Connections
 category: Application
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 symbolic inbound rules:
-	0. action: allow paths: All Connections from (*) to (*)
-	1. action: deny paths: All Connections from (*) to (*)
+	0. action: allow paths: src: (*) dst: (*) conn: All Connections
+	1. action: deny paths: src: (*) dst: (*) conn: All Connections
 symbolic outbound rules:
-	0. action: allow paths: All Connections from (*) to (*)
-	1. action: deny paths: All Connections from (*) to (*)
+	0. action: allow paths: src: (*) dst: (*) conn: All Connections
+	1. action: deny paths: src: (*) dst: (*) conn: All Connections

pkg/synthesis/tests_expected_output/ExampleDumbeldore_ConvertToAbstractNoHint.txt

@@ -1,8 +1,8 @@
 Allow Only Rules
 ~~~~~~~~~~~~~~~~~
 inbound rules
-	All Connections from (group = DumbledoreAll) to (*)
-	All Connections from (group = DumbledoreNoSly) to (group != Slytherin)
+	src: (group = DumbledoreAll) dst: (*) conn: All Connections
+	src: (group = DumbledoreNoSly) dst: (group != Slytherin) conn: All Connections
 outbound rules
-	All Connections from (group = DumbledoreAll) to (*)
-	All Connections from (group = DumbledoreNoSly) to (group != Slytherin)
+	src: (group = DumbledoreAll) dst: (*) conn: All Connections
+	src: (group = DumbledoreNoSly) dst: (group != Slytherin) conn: All Connections

pkg/synthesis/tests_expected_output/ExampleDumbeldore_PreProcessing.txt

@@ -1,12 +1,12 @@
 category: Application
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 symbolic inbound rules:
-	0. action: allow paths: All Connections from (group = DumbledoreAll) to (*)
-	1. action: deny paths: All Connections from (group = DumbledoreNoSly) to (group = Slytherin)
-	2. action: allow paths: All Connections from (group = DumbledoreNoSly) to (*)
-	3. action: deny paths: All Connections from (*) to (*)
+	0. action: allow paths: src: (group = DumbledoreAll) dst: (*) conn: All Connections
+	1. action: deny paths: src: (group = DumbledoreNoSly) dst: (group = Slytherin) conn: All Connections
+	2. action: allow paths: src: (group = DumbledoreNoSly) dst: (*) conn: All Connections
+	3. action: deny paths: src: (*) dst: (*) conn: All Connections
 symbolic outbound rules:
-	0. action: allow paths: All Connections from (group = DumbledoreAll) to (*)
-	1. action: deny paths: All Connections from (group = DumbledoreNoSly) to (group = Slytherin)
-	2. action: allow paths: All Connections from (group = DumbledoreNoSly) to (*)
-	3. action: deny paths: All Connections from (*) to (*)
+	0. action: allow paths: src: (group = DumbledoreAll) dst: (*) conn: All Connections
+	1. action: deny paths: src: (group = DumbledoreNoSly) dst: (group = Slytherin) conn: All Connections
+	2. action: allow paths: src: (group = DumbledoreNoSly) dst: (*) conn: All Connections
+	3. action: deny paths: src: (*) dst: (*) conn: All Connections

pkg/synthesis/tests_expected_output/ExampleExprAndConds_ConvertToAbstract.txt

@@ -1,10 +1,10 @@
 Allow Only Rules
 ~~~~~~~~~~~~~~~~~
 inbound rules
-	All Connections from (*) to (tag = Slytherin and tag != DB)
-	All Connections from (*) to (tag = Gryffindor and tag != DB)
-	All Connections from (*) to (tag = Hufflepuff and tag != DB)
+	src: (*) dst: (tag = Slytherin and tag != DB) conn: All Connections
+	src: (*) dst: (tag = Gryffindor and tag != DB) conn: All Connections
+	src: (*) dst: (tag = Hufflepuff and tag != DB) conn: All Connections
 outbound rules
-	All Connections from (*) to (tag = Slytherin and tag != DB)
-	All Connections from (*) to (tag = Gryffindor and tag != DB)
-	All Connections from (*) to (tag = Hufflepuff and tag != DB)
+	src: (*) dst: (tag = Slytherin and tag != DB) conn: All Connections
+	src: (*) dst: (tag = Gryffindor and tag != DB) conn: All Connections
+	src: (*) dst: (tag = Hufflepuff and tag != DB) conn: All Connections