Deny action support for contracts

Six new AIM resources are introduced as children of ContractSubject, which replaces filters and graph fields. Action field is added to filter to subject relation resources for the user to configure deny from AIM
noironetworks · Mar 15, 2021 · 0dd067f · 0dd067f
1 parent dfff338
commit 0dd067f
Show file tree

Hide file tree

Showing 17 changed files with 1,318 additions and 204 deletions.
diff --git a/aim/agent/aid/universes/aci/converter.py b/aim/agent/aid/universes/aci/converter.py
@@ -35,7 +35,6 @@
 MODIFIED_STATUS = "modified"
 CREATED_STATUS = "created"
 
-
 # TODO(amitbose) Instead of aliasing, replace local references with the
 # ones from utils
 default_identity_converter = utils.default_identity_converter
@@ -553,6 +552,56 @@ def bgp_extp_converter(object_dict, otype, helper,
     return result
 
 
+def rsFilt_converter(aci_mo=None):
+    def func(object_dict, otype, helper, source_identity_attributes,
+             destination_identity_attributes, to_aim=True):
+        result = []
+        id_conv = (helper.get('identity_converter') or
+                   default_identity_converter)
+        if to_aim:
+            res_dict = {}
+            aci_type = aci_mo or otype
+            try:
+                id = id_conv(object_dict, aci_type, helper, to_aim=True)
+            except apic_client.DNManager.InvalidNameFormat:
+                return []
+            for index, attr in enumerate(destination_identity_attributes):
+                res_dict[attr] = id[index]
+            if object_dict.get('action'):
+                res_dict['action'] = object_dict['action']
+            result.append(default_to_resource(res_dict, helper, to_aim=True))
+        else:
+            aci_type = aci_mo or helper['resource']
+            dn = id_conv(object_dict, otype, helper,
+                         aci_mo_type=aci_type, to_aim=False)[0]
+            action = 'permit'
+            if object_dict.get('action'):
+                action = object_dict['action']
+            result.append({aci_type:
+                           {'attributes':
+                            {'dn': dn,
+                             'action': action,
+                             'tnVzFilterName': object_dict['filter_name']}}})
+        return result
+    return func
+
+
+def vzterm_converter(object_dict, otype, helper, source_identity_attributes,
+                     destination_identity_attributes, to_aim=True):
+    result = []
+    id_conv = (helper.get('identity_converter') or
+               default_identity_converter)
+    if to_aim:
+        pass
+    else:
+        aci_type = helper['resource']
+        dn = id_conv(object_dict, otype, helper,
+                     aci_mo_type=aci_type, to_aim=False)[0]
+        result.append({aci_type:
+                       {'attributes':
+                        {'dn': dn}}})
+    return result
+
 # Resource map maps APIC objects into AIM ones. the key of this map is the
 # object APIC type, while the values contain the followings:
 # - Resource: AIM resource when direct mapping is applicable
@@ -581,11 +630,9 @@ def bgp_extp_converter(object_dict, otype, helper,
                                           'tnSpanVSrcGrpName')
 infraRsSpanVDestGrp_converter = child_list('span_vdest_group_names',
                                            'tnSpanVDestGrpName')
-vzRsSubjFiltAtt_converter = child_list('bi_filters', 'tnVzFilterName')
-vzInTerm_vzRsFiltAtt_converter = child_list('in_filters', 'tnVzFilterName',
-                                            aci_mo='vzRsFiltAtt__In')
-vzOutTerm_vzRsFiltAtt_converter = child_list('out_filters', 'tnVzFilterName',
-                                             aci_mo='vzRsFiltAtt__Out')
+vzRsSubjFiltAtt_converter = rsFilt_converter()
+vzRsFiltAtt_in_converter = rsFilt_converter(aci_mo='vzRsFiltAtt__In')
+vzRsFiltAtt_out_converter = rsFilt_converter(aci_mo='vzRsFiltAtt__Out')
 fvRsProv_Ext_converter = child_list('provided_contract_names', 'tnVzBrCPName',
                                     aci_mo='fvRsProv__Ext')
 fvRsCons_Ext_converter = child_list('consumed_contract_names', 'tnVzBrCPName',
@@ -629,6 +676,7 @@ def bgp_as_id_converter(object_dict, otype, helper, to_aim=True):
                                       aci_mo_type='bgpAsP__Peer',
                                       to_aim=to_aim)
 
+
 resource_map = {
     'fvBD': [{
         'resource': resource.BridgeDomain,
@@ -788,41 +836,34 @@ def bgp_as_id_converter(object_dict, otype, helper, to_aim=True):
                  'out_service_graph_name'],
     }],
     'vzRsSubjFiltAtt': [{
-        'resource': resource.ContractSubject,
-        'converter': vzRsSubjFiltAtt_converter
+        'resource': resource.ContractSubjFilter,
+        'converter': vzRsSubjFiltAtt_converter,
     }],
     'vzRsSubjGraphAtt': [{
-        'resource': resource.ContractSubject,
-        'exceptions': {'tnVnsAbsGraphName': {'other': 'service_graph_name',
-                                             'skip_if_empty': True}},
+        'resource': resource.ContractSubjGraph,
+        'exceptions': {'tnVnsAbsGraphName': {'other': 'graph_name'}},
         'to_resource': default_to_resource_strict,
     }],
-    'vzRsFiltAtt': [{'resource': resource.ContractSubject,
-                     'converter': vzInTerm_vzRsFiltAtt_converter},
-                    {'resource': resource.ContractSubject,
-                     'converter': vzOutTerm_vzRsFiltAtt_converter}],
-    'vzInTerm': [{
-        'resource': resource.ContractSubject,
-        'to_resource': to_resource_filter_container,
-        'skip': ['display_name']
-    }],
-    'vzOutTerm': [{
-        'resource': resource.ContractSubject,
-        'to_resource': to_resource_filter_container,
-        'skip': ['display_name']
-    }],
+    'vzRsFiltAtt': [{'resource': resource.ContractSubjInFilter,
+                     'converter': vzRsFiltAtt_in_converter},
+                    {'resource': resource.ContractSubjOutFilter,
+                     'converter': vzRsFiltAtt_out_converter}],
+    'vzInTerm': [{'resource': resource.ContractSubjInFilter,
+                  'converter': vzterm_converter},
+                 {'resource': resource.ContractSubjInGraph,
+                  'converter': vzterm_converter}],
+    'vzOutTerm': [{'resource': resource.ContractSubjOutFilter,
+                   'converter': vzterm_converter},
+                  {'resource': resource.ContractSubjOutGraph,
+                   'converter': vzterm_converter}],
     'vzRsInTermGraphAtt': [{
-        'resource': resource.ContractSubject,
-        'exceptions': {'tnVnsAbsGraphName':
-                       {'other': 'in_service_graph_name',
-                        'skip_if_empty': True}},
+        'resource': resource.ContractSubjInGraph,
+        'exceptions': {'tnVnsAbsGraphName': {'other': 'graph_name'}},
         'to_resource': default_to_resource_strict,
     }],
     'vzRsOutTermGraphAtt': [{
-        'resource': resource.ContractSubject,
-        'exceptions': {'tnVnsAbsGraphName':
-                       {'other': 'out_service_graph_name',
-                        'skip_if_empty': True}},
+        'resource': resource.ContractSubjOutGraph,
+        'exceptions': {'tnVnsAbsGraphName': {'other': 'graph_name'}},
         'to_resource': default_to_resource_strict,
     }],
     'l3extOut': [{
@@ -1140,10 +1181,10 @@ def bgp_as_id_converter(object_dict, otype, helper, to_aim=True):
 #  vzRsFiltAtt__In, vzRsFiltAtt__Out
 #  fvRsProv__Ext, fvRsCons__Ext
 resource_map.update({
-    'vzRsFiltAtt__In': [{'resource': resource.ContractSubject,
-                         'converter': vzInTerm_vzRsFiltAtt_converter}],
-    'vzRsFiltAtt__Out': [{'resource': resource.ContractSubject,
-                          'converter': vzOutTerm_vzRsFiltAtt_converter}],
+    'vzRsFiltAtt__In': [{'resource': resource.ContractSubjInFilter,
+                         'converter': vzRsFiltAtt_in_converter}],
+    'vzRsFiltAtt__Out': [{'resource': resource.ContractSubjOutFilter,
+                          'converter': vzRsFiltAtt_out_converter}],
     'fvRsProv__Ext': [{'resource': resource.ExternalNetwork,
                        'converter': fvRsProv_Ext_converter,
                        'convert_pre_existing': True,

diff --git a/aim/aim_lib/nat_strategy.py b/aim/aim_lib/nat_strategy.py
@@ -479,8 +479,12 @@ def _get_nat_objects(self, ctx, l3out):
         subject = resource.ContractSubject(
             tenant_name=contract.tenant_name,
             contract_name=contract.name,
-            name='Allow', display_name='Allow',
-            bi_filters=[fltr.name])
+            name='Allow', display_name='Allow')
+        subject_filter = resource.ContractSubjFilter(
+            tenant_name=contract.tenant_name,
+            contract_name=contract.name,
+            contract_subject_name='Allow',
+            filter_name=fltr.name)
         bd = self._get_nat_bd(ctx, l3out)
         bd.vrf_name = l3out.vrf_name
         ap, epg = self._get_nat_ap_epg(ctx, l3out)
@@ -497,7 +501,7 @@ def _get_nat_objects(self, ctx, l3out):
         epg.consumed_contract_names = [contract.name]
         epg.vmm_domains = vm_doms
         epg.physical_domains = phy_doms
-        return [fltr, entry, contract, subject, bd, ap, epg]
+        return [fltr, entry, contract, subject, subject_filter, bd, ap, epg]
 
     def _select_domains(self, objs, vmm_domains=None, phys_domains=None):
         for obj in objs:

diff --git a/aim/aim_manager.py b/aim/aim_manager.py
@@ -64,6 +64,12 @@ class AimManager(object):
                      api_res.FilterEntry,
                      api_res.Contract,
                      api_res.ContractSubject,
+                     api_res.ContractSubjFilter,
+                     api_res.ContractSubjInFilter,
+                     api_res.ContractSubjOutFilter,
+                     api_res.ContractSubjGraph,
+                     api_res.ContractSubjInGraph,
+                     api_res.ContractSubjOutGraph,
                      api_status.AciStatus,
                      api_status.AciFault,
                      api_res.Endpoint,

diff --git a/aim/aim_store.py b/aim/aim_store.py
@@ -209,6 +209,18 @@ class SqlAlchemyStore(AimStore):
                     api_res.FilterEntry: models.FilterEntry,
                     api_res.Contract: models.Contract,
                     api_res.ContractSubject: models.ContractSubject,
+                    api_res.ContractSubjFilter:
+                        models.ContractSubjFilter,
+                    api_res.ContractSubjInFilter:
+                        models.ContractSubjInFilter,
+                    api_res.ContractSubjOutFilter:
+                        models.ContractSubjOutFilter,
+                    api_res.ContractSubjGraph:
+                        models.ContractSubjGraph,
+                    api_res.ContractSubjInGraph:
+                        models.ContractSubjInGraph,
+                    api_res.ContractSubjOutGraph:
+                        models.ContractSubjOutGraph,
                     api_status.AciStatus: status_model.Status,
                     api_status.AciFault: status_model.Fault,
                     api_res.Endpoint: models.Endpoint,

diff --git a/aim/api/resource.py b/aim/api/resource.py
@@ -671,6 +671,156 @@ def __init__(self, **kwargs):
              'monitored': False}, **kwargs)
 
 
+class ContractSubjInFilter(AciResourceBase):
+    """Resource representing a subject within a contract in ACI.
+
+    Identity attributes: name of ACI tenant, name of contract and
+    name of subject.
+    """
+
+    identity_attributes = t.identity(
+        ('tenant_name', t.name),
+        ('contract_name', t.name),
+        ('contract_subject_name', t.name),
+        ('filter_name', t.name))
+    other_attributes = t.other(
+        ('display_name', t.name),
+        ('action', t.enum('permit', 'deny')),
+        ('monitored', t.bool))
+
+    _aci_mo_name = 'vzRsFiltAtt__In'
+    _tree_parent = ContractSubject
+
+    def __init__(self, **kwargs):
+        super(ContractSubjInFilter, self).__init__({'action': 'permit',
+                                                    'monitored': False},
+                                                   **kwargs)
+
+
+class ContractSubjOutFilter(AciResourceBase):
+    """Resource representing a subject within a contract in ACI.
+
+    Identity attributes: name of ACI tenant, name of contract and
+    name of subject.
+    """
+
+    identity_attributes = t.identity(
+        ('tenant_name', t.name),
+        ('contract_name', t.name),
+        ('contract_subject_name', t.name),
+        ('filter_name', t.name))
+    other_attributes = t.other(
+        ('display_name', t.name),
+        ('action', t.enum('permit', 'deny')),
+        ('monitored', t.bool))
+
+    _aci_mo_name = 'vzRsFiltAtt__Out'
+    _tree_parent = ContractSubject
+
+    def __init__(self, **kwargs):
+        super(ContractSubjOutFilter, self).__init__({'action': 'permit',
+                                                     'monitored': False},
+                                                    **kwargs)
+
+
+class ContractSubjFilter(AciResourceBase):
+    """Resource representing a subject within a contract in ACI.
+
+    Identity attributes: name of ACI tenant, name of contract and
+    name of subject.
+    """
+
+    identity_attributes = t.identity(
+        ('tenant_name', t.name),
+        ('contract_name', t.name),
+        ('contract_subject_name', t.name),
+        ('filter_name', t.name))
+    other_attributes = t.other(
+        ('display_name', t.name),
+        ('action', t.enum('permit', 'deny')),
+        ('monitored', t.bool))
+
+    _aci_mo_name = 'vzRsSubjFiltAtt'
+    _tree_parent = ContractSubject
+
+    def __init__(self, **kwargs):
+        super(ContractSubjFilter, self).__init__({'action': 'permit',
+                                                  'monitored': False},
+                                                 **kwargs)
+
+
+class ContractSubjInGraph(AciResourceBase):
+    """Resource representing a subject within a contract in ACI.
+
+    Identity attributes: name of ACI tenant, name of contract and
+    name of subject.
+    """
+
+    identity_attributes = t.identity(
+        ('tenant_name', t.name),
+        ('contract_name', t.name),
+        ('contract_subject_name', t.name))
+    other_attributes = t.other(
+        ('graph_name', t.name),
+        ('display_name', t.name),
+        ('monitored', t.bool))
+
+    _aci_mo_name = 'vzRsInTermGraphAtt'
+    _tree_parent = ContractSubject
+
+    def __init__(self, **kwargs):
+        super(ContractSubjInGraph, self).__init__({'monitored': False},
+                                                  **kwargs)
+
+
+class ContractSubjOutGraph(AciResourceBase):
+    """Resource representing a subject within a contract in ACI.
+
+    Identity attributes: name of ACI tenant, name of contract and
+    name of subject.
+    """
+
+    identity_attributes = t.identity(
+        ('tenant_name', t.name),
+        ('contract_name', t.name),
+        ('contract_subject_name', t.name))
+    other_attributes = t.other(
+        ('graph_name', t.name),
+        ('display_name', t.name),
+        ('monitored', t.bool))
+
+    _aci_mo_name = 'vzRsOutTermGraphAtt'
+    _tree_parent = ContractSubject
+
+    def __init__(self, **kwargs):
+        super(ContractSubjOutGraph, self).__init__({'monitored': False},
+                                                   **kwargs)
+
+
+class ContractSubjGraph(AciResourceBase):
+    """Resource representing a subject within a contract in ACI.
+
+    Identity attributes: name of ACI tenant, name of contract and
+    name of subject.
+    """
+
+    identity_attributes = t.identity(
+        ('tenant_name', t.name),
+        ('contract_name', t.name),
+        ('contract_subject_name', t.name))
+    other_attributes = t.other(
+        ('graph_name', t.name),
+        ('display_name', t.name),
+        ('monitored', t.bool))
+
+    _aci_mo_name = 'vzRsSubjGraphAtt'
+    _tree_parent = ContractSubject
+
+    def __init__(self, **kwargs):
+        super(ContractSubjGraph, self).__init__({'monitored': False},
+                                                **kwargs)
+
+
 class Endpoint(ResourceBase):
     """Resource representing an endpoint.