IBM · tanyaveksler · Sep 12, 2023 · Jun 4, 2023 · Jun 20, 2023 · Jun 20, 2023
diff --git a/nca/CoreDS/ConnectionSet.py b/nca/CoreDS/ConnectionSet.py
@@ -585,8 +585,9 @@ def get_non_tcp_connections():
     #  get rid of ConnectionSet and move the code below to ConnectivityProperties.py
 
     @staticmethod
-    def get_connection_set_and_peers_from_cube(conn_cube, peer_container,
+    def get_connection_set_and_peers_from_cube(the_cube, peer_container,
                                                relevant_protocols=ProtocolSet(True)):
+        conn_cube = the_cube.copy()
         src_peers = conn_cube["src_peers"] or peer_container.get_all_peers_group(True)
         conn_cube.unset_dim("src_peers")
         dst_peers = conn_cube["dst_peers"] or peer_container.get_all_peers_group(True)

diff --git a/nca/CoreDS/ConnectivityProperties.py b/nca/CoreDS/ConnectivityProperties.py
@@ -491,3 +491,14 @@ def are_auto_conns(self):
             if cube[src_peers_index] != cube[dst_peers_index] or not cube[src_peers_index].is_single_value():
                 return False
         return True
+
+    def props_without_auto_conns(self):
+        """
+        Return the properties after removing all connections from peer to itself
+        """
+        peers = self.project_on_one_dimension("src_peers") | self.project_on_one_dimension("dst_peers")
+        auto_conns = ConnectivityProperties()
+        for peer in peers:
+            auto_conns |= ConnectivityProperties.make_conn_props_from_dict({"src_peers": PeerSet({peer}),
+                                                                            "dst_peers": PeerSet({peer})})
+        return self - auto_conns
diff --git a/nca/CoreDS/Peer.py b/nca/CoreDS/Peer.py
@@ -662,7 +662,7 @@ def get_ip_block_canonical_form(self):
                 res |= elem
         return res
 
-    def filter_ipv6_blocks(self, ip_blocks_mask):
+    def filter_ip_blocks_by_mask(self, ip_blocks_mask):
         """
         Update ip blocks in the peer set by keeping only parts overlapping with the given mask.
         :param ip_blocks_mask: the mask according to which ip blocks should be updated

diff --git a/nca/FWRules/ConnectivityGraph.py b/nca/FWRules/ConnectivityGraph.py
@@ -57,13 +57,23 @@ def add_edges_from_cube_dict(self, conn_cube, peer_container):
         Add edges to the graph according to the give cube
         :param ConnectivityCube conn_cube: the given cube
          whereas all other values should be filtered out in the output
+         :param PeerContainer peer_container: the peer container
         """
         conns, src_peers, dst_peers = \
             ConnectionSet.get_connection_set_and_peers_from_cube(conn_cube, peer_container)
         for src_peer in src_peers:
             for dst_peer in dst_peers:
                 self.connections_to_peers[conns].append((src_peer, dst_peer))
 
+    def add_props_to_graph(self, props, peer_container):
+        """
+        Add edges to the graph according to the given connectivity properties
+        :param props: the given connectivity properties
+        :param PeerContainer peer_container: the peer container
+        """
+        for cube in props:
+            self.add_edges_from_cube_dict(props.get_connectivity_cube(cube), peer_container)
+
     def _get_peer_details(self, peer, format_requirement=False):
         """
         Get the name of a peer object for connectivity graph, the type and the namespace

diff --git a/nca/NetworkConfig/NetworkConfig.py b/nca/NetworkConfig/NetworkConfig.py
@@ -176,7 +176,7 @@ def get_affected_pods(self, is_ingress, layer_name):
 
         return affected_pods
 
-    def _check_for_excluding_ipv6_addresses(self, exclude_ipv6):
+    def check_for_excluding_ipv6_addresses(self, exclude_ipv6):
         """
         checks and returns if to exclude non-referenced IPv6 addresses from the config
         Excluding the IPv6 addresses will be enabled if the exclude_ipv6 param is True and
@@ -202,7 +202,7 @@ def get_referenced_ip_blocks(self, exclude_non_ref_ipv6=False):
         if self.referenced_ip_blocks is not None:
             return self.referenced_ip_blocks
 
-        exclude_non_ref_ipv6_from_policies = self._check_for_excluding_ipv6_addresses(exclude_non_ref_ipv6)
+        exclude_non_ref_ipv6_from_policies = self.check_for_excluding_ipv6_addresses(exclude_non_ref_ipv6)
         self.referenced_ip_blocks = Peer.PeerSet()
         for policy in self.policies_container.policies.values():
             self.referenced_ip_blocks |= policy.referenced_ip_blocks(exclude_non_ref_ipv6_from_policies)

diff --git a/nca/NetworkConfig/NetworkConfigQuery.py b/nca/NetworkConfig/NetworkConfigQuery.py
diff --git a/nca/Parsers/IstioPolicyYamlParser.py b/nca/Parsers/IstioPolicyYamlParser.py
@@ -9,6 +9,7 @@
 from nca.CoreDS.Peer import IpBlock, PeerSet
 from nca.CoreDS.ConnectionSet import ConnectionSet
 from nca.CoreDS.PortSet import PortSet
+from nca.CoreDS.ProtocolSet import ProtocolSet
 from nca.CoreDS.MethodSet import MethodSet
 from nca.CoreDS.ConnectivityProperties import ConnectivityProperties
 from nca.Resources.IstioNetworkPolicy import IstioNetworkPolicy, IstioPolicyRule
@@ -489,11 +490,14 @@ def parse_ingress_rule(self, rule, selected_peers):
         # currently parsing only ports
         # TODO: extend operations parsing to include other attributes
         conn_props = ConnectivityProperties.make_empty_props()
+        tcp_props = ConnectivityProperties.make_conn_props_from_dict(
+            {"protocols": ProtocolSet.get_protocol_set_with_single_protocol('TCP')})
         if to_array is not None:
             for operation_dict in to_array:
                 conn_props |= self.parse_operation(operation_dict)
             connections = ConnectionSet()
             connections.add_connections('TCP', conn_props)
+            conn_props &= tcp_props
         else:  # no 'to' in the rule => all connections allowed
             connections = ConnectionSet(True)
             conn_props = ConnectivityProperties.get_all_conns_props_per_config_peers(self.peer_container)
@@ -514,6 +518,7 @@ def parse_ingress_rule(self, rule, selected_peers):
                     condition_props &= condition_res
             condition_conns = ConnectionSet()
             condition_conns.add_connections('TCP', condition_props)
+            condition_props &= tcp_props
         if not res_peers:
             self.warning('Rule selects no pods', rule)
         if not res_peers or not selected_peers:

diff --git a/nca/Resources/NetworkPolicy.py b/nca/Resources/NetworkPolicy.py
@@ -116,7 +116,7 @@ def __str__(self):
         return self.full_name()
 
     def __eq__(self, other):
-        if type(self) == type(other):
+        if isinstance(self, type(other)):
             self.sync_opt_props()
             other.sync_opt_props()
             return \
@@ -324,7 +324,8 @@ def referenced_ip_blocks(self, exclude_ipv6=False):
         """
         return PeerSet()  # default value, can be overridden in derived classes
 
-    def _include_ip_block(self, ip_block, exclude_ipv6):
+    @staticmethod
+    def _include_ip_block(ip_block, exclude_ipv6):
         """
         returns whether to include or not the ipblock in the policy's referenced_ip_blocks
         :param IpBlock ip_block: the ip_block to check

diff --git a/nca/SchemeRunner.py b/nca/SchemeRunner.py
@@ -19,7 +19,8 @@ class SchemeRunner(GenericYamlParser):
     """
 
     implemented_opt_queries = {'connectivityMap', 'equivalence', 'vacuity', 'redundancy', 'strongEquivalence',
-                               'containment', 'twoWayContainment', 'permits', 'interferes', 'pairwiseInterferes'}
+                               'containment', 'twoWayContainment', 'permits', 'interferes', 'pairwiseInterferes',
+                               'forbids', 'emptiness', 'disjointness', 'allCaptured', 'sanity', 'semanticDiff'}
 
     def __init__(self, scheme_file_name, output_format=None, output_path=None, optimized_run='false'):
         GenericYamlParser.__init__(self, scheme_file_name)

diff --git a/tests/run_all_tests.py b/tests/run_all_tests.py
@@ -112,7 +112,8 @@ def run_all_test_flow(self, all_results):
         tmp_opt = [i for i in self.test_queries_obj.args_obj.args if '-opt=' in i]
         opt = tmp_opt[0].split('=')[1] if tmp_opt else 'false'
         if isinstance(self.test_queries_obj, CliQuery) and (opt == 'debug' or opt == 'true'):
-            implemented_opt_queries = {'--connectivity', '--equiv', '--permits', '--interferes'}
+            implemented_opt_queries = {'--connectivity', '--equiv', '--permits', '--interferes', '--forbids',
+                                       '--sanity', '--semantic_diff'}
             # TODO - update/remove the optimization below when all queries are supported in optimized implementation
             if not implemented_opt_queries.intersection(set(self.test_queries_obj.args_obj.args)):
                 print(f'Skipping {self.test_queries_obj.test_name} since it does not have optimized implementation yet')