More compact explanation printing.

np-guard · Jan 6, 2025 · 929c75d · 929c75d
1 parent 4395e77
commit 929c75d
Show file tree

Hide file tree

Showing 4 changed files with 105 additions and 235 deletions.
diff --git a/pkg/netpol/internal/common/augmented_intervalset.go b/pkg/netpol/internal/common/augmented_intervalset.go
@@ -326,6 +326,10 @@ func (augInt AugmentedInterval) Equal(other AugmentedInterval) bool {
 	return augInt.inSet == other.inSet && augInt.interval.Equal(other.interval) && augInt.implyingRules.Equal(&other.implyingRules)
 }
 
+func (augInt AugmentedInterval) EqualInSetAndRules(other AugmentedInterval) bool {
+	return augInt.inSet == other.inSet && augInt.implyingRules.Equal(&other.implyingRules)
+}
+
 // AugmentedCanonicalSet is a set of int64 integers, implemented using an ordered slice of non-overlapping, non-touching intervals.
 // The intervals should include both included intervals and holes;
 // i.e., start of every interval is the end of a previous interval incremented by 1.

diff --git a/pkg/netpol/internal/common/connectionset.go b/pkg/netpol/internal/common/connectionset.go
@@ -370,6 +370,10 @@ func (p PortRangeData) Equal(other PortRangeData) bool {
 	return p.Interval.Equal(other.Interval)
 }
 
+func (p PortRangeData) EqualInSetAndRules(other PortRangeData) bool {
+	return p.Interval.EqualInSetAndRules(other.Interval)
+}
+
 func (p *PortRangeData) String() string {
 	if p.isWholeRange() {
 		return allPortsStr
@@ -380,12 +384,16 @@ func (p *PortRangeData) String() string {
 	return fmt.Sprintf("%d", p.Start())
 }
 
-func (p *PortRangeData) StringWithExplanation(protocolString string) string {
+func explOfInSetProtocolPortsAndRules(inSet bool, protocolString, portsString, rulesString string) string {
 	resultStr := allowResultStr
-	if !p.InSet() {
+	if !inSet {
 		resultStr = denyResultStr
 	}
-	return resultStr + SpaceSeparator + protocolString + ":" + p.String() + p.Interval.implyingRules.String()
+	return resultStr + SpaceSeparator + protocolString + ":" + "[" + portsString + "]" + rulesString
+}
+
+func (p *PortRangeData) StringWithExplanation(protocolString string) string {
+	return explOfInSetProtocolPortsAndRules(p.InSet(), protocolString, p.String(), p.Interval.implyingRules.String())
 }
 
 func (p *PortRangeData) InSet() bool {
@@ -416,7 +424,7 @@ const (
 	connsAndPortRangeSeparator = ","
 	allConnsStr                = "All Connections"
 	noConnsStr                 = "No Connections"
-	allPortsStr                = "[ALL PORTS]"
+	allPortsStr                = "ALL PORTS"
 )
 
 func ConnStrFromConnProperties(allProtocolsAndPorts bool, protocolsAndPorts map[v1.Protocol][]PortRange) string {
@@ -467,11 +475,31 @@ func portsString(ports []PortRange) string {
 	return strings.Join(portsStr, connsAndPortRangeSeparator)
 }
 
+type InSetAndRulesStr struct {
+	inSet       bool
+	rulesString string
+}
+
 func portsStringWithExplanation(ports []PortRange, protocolString string) string {
-	portsStr := make([]string, 0, len(ports))
+	// for compact explanation: collect together ranges with the same 'inSet' and impying rules
+	portRangeClasses := map[InSetAndRulesStr]*interval.CanonicalSet{}
 	for i := range ports {
-		portsStr = append(portsStr, ports[i].(*PortRangeData).StringWithExplanation(protocolString))
+		portRangeData := ports[i].(*PortRangeData)
+		thisInSetAndRulesStr := InSetAndRulesStr{portRangeData.Interval.inSet, portRangeData.Interval.implyingRules.String()}
+		_, ok := portRangeClasses[thisInSetAndRulesStr]
+		if !ok {
+			portRangeClasses[thisInSetAndRulesStr] = interval.NewCanonicalSet()
+		}
+		portRangeClasses[thisInSetAndRulesStr].AddInterval(portRangeData.Interval.interval)
+	}
+	portsStr := make([]string, len(portRangeClasses))
+	ind := 0
+	for inSetAndRulesStr, intervals := range portRangeClasses {
+		portsStr[ind] = explOfInSetProtocolPortsAndRules(inSetAndRulesStr.inSet, protocolString,
+			intervals.String(), inSetAndRulesStr.rulesString)
+		ind++
 	}
+	sort.Strings(portsStr)
 	return strings.Join(portsStr, NewLine)
 }
 

diff --git a/test_outputs/connlist/anp_banp_blog_demo_2_explain_output.txt b/test_outputs/connlist/anp_banp_blog_demo_2_explain_output.txt
@@ -25,79 +25,57 @@ No Connections due to the following policies//rules:
 ----------------------------------------------------------------------------------------------------------------------------------------------------------------
 CONNECTIONS BETWEEN monitoring/my-monitoring[Pod] => bar/my-bar[Pod]:
 
-ALLOWED {SCTP,UDP}:[ALL PORTS] the system default (Allow all)
-
-DENIED TCP:1-1233 due to the following policies//rules:
-	EGRESS DIRECTION (ALLOWED) due to the system default (Allow all)
-	INGRESS DIRECTION (DENIED)
-		1) [BANP] default//Ingress rule deny-ingress-from-all-namespaces (Deny)
-
-ALLOWED TCP:1234 due to the following policies//rules:
+ALLOWED TCP:[1234] due to the following policies//rules:
 	EGRESS DIRECTION (ALLOWED) due to the system default (Allow all)
 	INGRESS DIRECTION (ALLOWED)
 		1) [ANP] allow-monitoring//Ingress rule allow-ingress-from-monitoring (Allow)
 
-DENIED TCP:1235-8079 due to the following policies//rules:
+ALLOWED TCP:[9001-65535] the system default (Allow all)
+
+DENIED TCP:[1-1233,1235-8079,8081-9000] due to the following policies//rules:
 	EGRESS DIRECTION (ALLOWED) due to the system default (Allow all)
 	INGRESS DIRECTION (DENIED)
 		1) [BANP] default//Ingress rule deny-ingress-from-all-namespaces (Deny)
 
-DENIED TCP:8080 due to the following policies//rules:
+DENIED TCP:[8080] due to the following policies//rules:
 	EGRESS DIRECTION (ALLOWED) due to the system default (Allow all)
 	INGRESS DIRECTION (DENIED)
 		1) [ANP] pass-monitoring//Ingress rule pass-ingress-from-monitoring (Pass)
 		2) [BANP] default//Ingress rule deny-ingress-from-all-namespaces (Deny)
 
-DENIED TCP:8081-9000 due to the following policies//rules:
-	EGRESS DIRECTION (ALLOWED) due to the system default (Allow all)
-	INGRESS DIRECTION (DENIED)
-		1) [BANP] default//Ingress rule deny-ingress-from-all-namespaces (Deny)
-
-ALLOWED TCP:9001-65535 the system default (Allow all)
+ALLOWED {SCTP,UDP}:[ALL PORTS] the system default (Allow all)
 
 ----------------------------------------------------------------------------------------------------------------------------------------------------------------
 CONNECTIONS BETWEEN monitoring/my-monitoring[Pod] => baz/my-baz[Pod]:
 
-ALLOWED TCP:1-1233 the system default (Allow all)
+ALLOWED TCP:[1-1233,1235-65535] the system default (Allow all)
 
-ALLOWED TCP:1234 due to the following policies//rules:
+ALLOWED TCP:[1234] due to the following policies//rules:
 	EGRESS DIRECTION (ALLOWED) due to the system default (Allow all)
 	INGRESS DIRECTION (ALLOWED)
 		1) [ANP] allow-monitoring//Ingress rule allow-ingress-from-monitoring (Allow)
 
-ALLOWED TCP:1235-65535 the system default (Allow all)
-
 ALLOWED {SCTP,UDP}:[ALL PORTS] the system default (Allow all)
 
 ----------------------------------------------------------------------------------------------------------------------------------------------------------------
 CONNECTIONS BETWEEN monitoring/my-monitoring[Pod] => foo/my-foo[Pod]:
 
-ALLOWED TCP:1-1233 due to the following policies//rules:
+ALLOWED TCP:[1-1233,1235-8079,8081-65535] due to the following policies//rules:
 	EGRESS DIRECTION (ALLOWED) due to the system default (Allow all)
 	INGRESS DIRECTION (ALLOWED)
 		1) [NP] foo/allow-monitoring//Ingress rule #1
 
-ALLOWED TCP:1234 due to the following policies//rules:
+ALLOWED TCP:[1234] due to the following policies//rules:
 	EGRESS DIRECTION (ALLOWED) due to the system default (Allow all)
 	INGRESS DIRECTION (ALLOWED)
 		1) [ANP] allow-monitoring//Ingress rule allow-ingress-from-monitoring (Allow)
 
-ALLOWED TCP:1235-8079 due to the following policies//rules:
-	EGRESS DIRECTION (ALLOWED) due to the system default (Allow all)
-	INGRESS DIRECTION (ALLOWED)
-		1) [NP] foo/allow-monitoring//Ingress rule #1
-
-ALLOWED TCP:8080 due to the following policies//rules:
+ALLOWED TCP:[8080] due to the following policies//rules:
 	EGRESS DIRECTION (ALLOWED) due to the system default (Allow all)
 	INGRESS DIRECTION (ALLOWED)
 		1) [ANP] pass-monitoring//Ingress rule pass-ingress-from-monitoring (Pass)
 		2) [NP] foo/allow-monitoring//Ingress rule #1
 
-ALLOWED TCP:8081-65535 due to the following policies//rules:
-	EGRESS DIRECTION (ALLOWED) due to the system default (Allow all)
-	INGRESS DIRECTION (ALLOWED)
-		1) [NP] foo/allow-monitoring//Ingress rule #1
-
 ALLOWED {SCTP,UDP}:[ALL PORTS] due to the following policies//rules:
 	EGRESS DIRECTION (ALLOWED) due to the system default (Allow all)
 	INGRESS DIRECTION (ALLOWED)