noironetworks · mpaidipa-aci · Feb 25, 2021
diff --git a/aim/agent/aid/universes/aci/converter.py b/aim/agent/aid/universes/aci/converter.py
@@ -35,7 +35,6 @@
 MODIFIED_STATUS = "modified"
 CREATED_STATUS = "created"
 
-
 # TODO(amitbose) Instead of aliasing, replace local references with the
 # ones from utils
 default_identity_converter = utils.default_identity_converter
@@ -553,6 +552,56 @@ def bgp_extp_converter(object_dict, otype, helper,
     return result
 
 
+def rsFilt_converter(aci_mo=None):
+    def func(object_dict, otype, helper, source_identity_attributes,
+             destination_identity_attributes, to_aim=True):
+        result = []
+        id_conv = (helper.get('identity_converter') or
+                   default_identity_converter)
+        if to_aim:
+            res_dict = {}
+            aci_type = aci_mo or otype
+            try:
+                id = id_conv(object_dict, aci_type, helper, to_aim=True)
+            except apic_client.DNManager.InvalidNameFormat:
+                return []
+            for index, attr in enumerate(destination_identity_attributes):
+                res_dict[attr] = id[index]
+            if object_dict.get('action'):
+                res_dict['action'] = object_dict['action']
+            result.append(default_to_resource(res_dict, helper, to_aim=True))
+        else:
+            aci_type = aci_mo or helper['resource']
+            dn = id_conv(object_dict, otype, helper,
+                         aci_mo_type=aci_type, to_aim=False)[0]
+            action = 'permit'
+            if object_dict.get('action'):
+                action = object_dict['action']
+            result.append({aci_type:
+                           {'attributes':
+                            {'dn': dn,
+                             'action': action,
+                             'tnVzFilterName': object_dict['filter_name']}}})
+        return result
+    return func
+
+
+def vzterm_converter(object_dict, otype, helper, source_identity_attributes,
+                     destination_identity_attributes, to_aim=True):
+    result = []
+    id_conv = (helper.get('identity_converter') or
+               default_identity_converter)
+    if to_aim:
+        pass
+    else:
+        aci_type = helper['resource']
+        dn = id_conv(object_dict, otype, helper,
+                     aci_mo_type=aci_type, to_aim=False)[0]
+        result.append({aci_type:
+                       {'attributes':
+                        {'dn': dn}}})
+    return result
+
 # Resource map maps APIC objects into AIM ones. the key of this map is the
 # object APIC type, while the values contain the followings:
 # - Resource: AIM resource when direct mapping is applicable
@@ -581,11 +630,9 @@ def bgp_extp_converter(object_dict, otype, helper,
                                           'tnSpanVSrcGrpName')
 infraRsSpanVDestGrp_converter = child_list('span_vdest_group_names',
                                            'tnSpanVDestGrpName')
-vzRsSubjFiltAtt_converter = child_list('bi_filters', 'tnVzFilterName')
-vzInTerm_vzRsFiltAtt_converter = child_list('in_filters', 'tnVzFilterName',
-                                            aci_mo='vzRsFiltAtt__In')
-vzOutTerm_vzRsFiltAtt_converter = child_list('out_filters', 'tnVzFilterName',
-                                             aci_mo='vzRsFiltAtt__Out')
+vzRsSubjFiltAtt_converter = rsFilt_converter()
+vzRsFiltAtt_in_converter = rsFilt_converter(aci_mo='vzRsFiltAtt__In')
+vzRsFiltAtt_out_converter = rsFilt_converter(aci_mo='vzRsFiltAtt__Out')
 fvRsProv_Ext_converter = child_list('provided_contract_names', 'tnVzBrCPName',
                                     aci_mo='fvRsProv__Ext')
 fvRsCons_Ext_converter = child_list('consumed_contract_names', 'tnVzBrCPName',
@@ -629,6 +676,7 @@ def bgp_as_id_converter(object_dict, otype, helper, to_aim=True):
                                       aci_mo_type='bgpAsP__Peer',
                                       to_aim=to_aim)
 
+
 resource_map = {
     'fvBD': [{
         'resource': resource.BridgeDomain,
@@ -788,41 +836,34 @@ def bgp_as_id_converter(object_dict, otype, helper, to_aim=True):
                  'out_service_graph_name'],
     }],
     'vzRsSubjFiltAtt': [{
-        'resource': resource.ContractSubject,
-        'converter': vzRsSubjFiltAtt_converter
+        'resource': resource.ContractSubjFilter,
+        'converter': vzRsSubjFiltAtt_converter,
     }],
     'vzRsSubjGraphAtt': [{
-        'resource': resource.ContractSubject,
-        'exceptions': {'tnVnsAbsGraphName': {'other': 'service_graph_name',
-                                             'skip_if_empty': True}},
+        'resource': resource.ContractSubjGraph,
+        'exceptions': {'tnVnsAbsGraphName': {'other': 'graph_name'}},
         'to_resource': default_to_resource_strict,
     }],
-    'vzRsFiltAtt': [{'resource': resource.ContractSubject,
-                     'converter': vzInTerm_vzRsFiltAtt_converter},
-                    {'resource': resource.ContractSubject,
-                     'converter': vzOutTerm_vzRsFiltAtt_converter}],
-    'vzInTerm': [{
-        'resource': resource.ContractSubject,
-        'to_resource': to_resource_filter_container,
-        'skip': ['display_name']
-    }],
-    'vzOutTerm': [{
-        'resource': resource.ContractSubject,
-        'to_resource': to_resource_filter_container,
-        'skip': ['display_name']
-    }],
+    'vzRsFiltAtt': [{'resource': resource.ContractSubjInFilter,
+                     'converter': vzRsFiltAtt_in_converter},
+                    {'resource': resource.ContractSubjOutFilter,
+                     'converter': vzRsFiltAtt_out_converter}],
+    'vzInTerm': [{'resource': resource.ContractSubjInFilter,
+                  'converter': vzterm_converter},
+                 {'resource': resource.ContractSubjInGraph,
+                  'converter': vzterm_converter}],
+    'vzOutTerm': [{'resource': resource.ContractSubjOutFilter,
+                   'converter': vzterm_converter},
+                  {'resource': resource.ContractSubjOutGraph,
+                   'converter': vzterm_converter}],
     'vzRsInTermGraphAtt': [{
-        'resource': resource.ContractSubject,
-        'exceptions': {'tnVnsAbsGraphName':
-                       {'other': 'in_service_graph_name',
-                        'skip_if_empty': True}},
+        'resource': resource.ContractSubjInGraph,
+        'exceptions': {'tnVnsAbsGraphName': {'other': 'graph_name'}},
         'to_resource': default_to_resource_strict,
     }],
     'vzRsOutTermGraphAtt': [{
-        'resource': resource.ContractSubject,
-        'exceptions': {'tnVnsAbsGraphName':
-                       {'other': 'out_service_graph_name',
-                        'skip_if_empty': True}},
+        'resource': resource.ContractSubjOutGraph,
+        'exceptions': {'tnVnsAbsGraphName': {'other': 'graph_name'}},
         'to_resource': default_to_resource_strict,
     }],
     'l3extOut': [{
@@ -1140,10 +1181,10 @@ def bgp_as_id_converter(object_dict, otype, helper, to_aim=True):
 #  vzRsFiltAtt__In, vzRsFiltAtt__Out
 #  fvRsProv__Ext, fvRsCons__Ext
 resource_map.update({
-    'vzRsFiltAtt__In': [{'resource': resource.ContractSubject,
-                         'converter': vzInTerm_vzRsFiltAtt_converter}],
-    'vzRsFiltAtt__Out': [{'resource': resource.ContractSubject,
-                          'converter': vzOutTerm_vzRsFiltAtt_converter}],
+    'vzRsFiltAtt__In': [{'resource': resource.ContractSubjInFilter,
+                         'converter': vzRsFiltAtt_in_converter}],
+    'vzRsFiltAtt__Out': [{'resource': resource.ContractSubjOutFilter,
+                          'converter': vzRsFiltAtt_out_converter}],
     'fvRsProv__Ext': [{'resource': resource.ExternalNetwork,
                        'converter': fvRsProv_Ext_converter,
                        'convert_pre_existing': True,

diff --git a/aim/aim_lib/nat_strategy.py b/aim/aim_lib/nat_strategy.py
@@ -479,8 +479,12 @@ def _get_nat_objects(self, ctx, l3out):
         subject = resource.ContractSubject(
             tenant_name=contract.tenant_name,
             contract_name=contract.name,
-            name='Allow', display_name='Allow',
-            bi_filters=[fltr.name])
+            name='Allow', display_name='Allow')
+        subject_filter = resource.ContractSubjFilter(
+            tenant_name=contract.tenant_name,
+            contract_name=contract.name,
+            contract_subject_name='Allow',
+            filter_name=fltr.name)
         bd = self._get_nat_bd(ctx, l3out)
         bd.vrf_name = l3out.vrf_name
         ap, epg = self._get_nat_ap_epg(ctx, l3out)
@@ -497,7 +501,7 @@ def _get_nat_objects(self, ctx, l3out):
         epg.consumed_contract_names = [contract.name]
         epg.vmm_domains = vm_doms
         epg.physical_domains = phy_doms
-        return [fltr, entry, contract, subject, bd, ap, epg]
+        return [fltr, entry, contract, subject, subject_filter, bd, ap, epg]
 
     def _select_domains(self, objs, vmm_domains=None, phys_domains=None):
         for obj in objs:

diff --git a/aim/aim_manager.py b/aim/aim_manager.py
@@ -64,6 +64,12 @@ class AimManager(object):
                      api_res.FilterEntry,
                      api_res.Contract,
                      api_res.ContractSubject,
+                     api_res.ContractSubjFilter,
+                     api_res.ContractSubjInFilter,
+                     api_res.ContractSubjOutFilter,
+                     api_res.ContractSubjGraph,
+                     api_res.ContractSubjInGraph,
+                     api_res.ContractSubjOutGraph,
                      api_status.AciStatus,
                      api_status.AciFault,
                      api_res.Endpoint,

diff --git a/aim/aim_store.py b/aim/aim_store.py
@@ -209,6 +209,18 @@ class SqlAlchemyStore(AimStore):
                     api_res.FilterEntry: models.FilterEntry,
                     api_res.Contract: models.Contract,
                     api_res.ContractSubject: models.ContractSubject,
+                    api_res.ContractSubjFilter:
+                        models.ContractSubjFilter,
+                    api_res.ContractSubjInFilter:
+                        models.ContractSubjInFilter,
+                    api_res.ContractSubjOutFilter:
+                        models.ContractSubjOutFilter,
+                    api_res.ContractSubjGraph:
+                        models.ContractSubjGraph,
+                    api_res.ContractSubjInGraph:
+                        models.ContractSubjInGraph,
+                    api_res.ContractSubjOutGraph:
+                        models.ContractSubjOutGraph,
                     api_status.AciStatus: status_model.Status,
                     api_status.AciFault: status_model.Fault,
                     api_res.Endpoint: models.Endpoint,

diff --git a/aim/api/resource.py b/aim/api/resource.py
@@ -671,6 +671,156 @@ def __init__(self, **kwargs):
              'monitored': False}, **kwargs)
 
 
+class ContractSubjInFilter(AciResourceBase):
+    """Resource representing a subject within a contract in ACI.
+
+    Identity attributes: name of ACI tenant, name of contract and
+    name of subject.
+    """
+
+    identity_attributes = t.identity(
+        ('tenant_name', t.name),
+        ('contract_name', t.name),
+        ('contract_subject_name', t.name),
+        ('filter_name', t.name))
+    other_attributes = t.other(
+        ('display_name', t.name),
+        ('action', t.enum('permit', 'deny')),
+        ('monitored', t.bool))
+
+    _aci_mo_name = 'vzRsFiltAtt__In'
+    _tree_parent = ContractSubject
+
+    def __init__(self, **kwargs):
+        super(ContractSubjInFilter, self).__init__({'action': 'permit',
+                                                    'monitored': False},
+                                                   **kwargs)
+
+
+class ContractSubjOutFilter(AciResourceBase):
+    """Resource representing a subject within a contract in ACI.
+
+    Identity attributes: name of ACI tenant, name of contract and
+    name of subject.
+    """
+
+    identity_attributes = t.identity(
+        ('tenant_name', t.name),
+        ('contract_name', t.name),
+        ('contract_subject_name', t.name),
+        ('filter_name', t.name))
+    other_attributes = t.other(
+        ('display_name', t.name),
+        ('action', t.enum('permit', 'deny')),
+        ('monitored', t.bool))
+
+    _aci_mo_name = 'vzRsFiltAtt__Out'
+    _tree_parent = ContractSubject
+
+    def __init__(self, **kwargs):
+        super(ContractSubjOutFilter, self).__init__({'action': 'permit',
+                                                     'monitored': False},
+                                                    **kwargs)
+
+
+class ContractSubjFilter(AciResourceBase):
+    """Resource representing a subject within a contract in ACI.
+
+    Identity attributes: name of ACI tenant, name of contract and
+    name of subject.
+    """
+
+    identity_attributes = t.identity(
+        ('tenant_name', t.name),
+        ('contract_name', t.name),
+        ('contract_subject_name', t.name),
+        ('filter_name', t.name))
+    other_attributes = t.other(
+        ('display_name', t.name),
+        ('action', t.enum('permit', 'deny')),
+        ('monitored', t.bool))
+
+    _aci_mo_name = 'vzRsSubjFiltAtt'
+    _tree_parent = ContractSubject
+
+    def __init__(self, **kwargs):
+        super(ContractSubjFilter, self).__init__({'action': 'permit',
+                                                  'monitored': False},
+                                                 **kwargs)
+
+
+class ContractSubjInGraph(AciResourceBase):
+    """Resource representing a subject within a contract in ACI.
+
+    Identity attributes: name of ACI tenant, name of contract and
+    name of subject.
+    """
+
+    identity_attributes = t.identity(
+        ('tenant_name', t.name),
+        ('contract_name', t.name),
+        ('contract_subject_name', t.name))
+    other_attributes = t.other(
+        ('graph_name', t.name),
+        ('display_name', t.name),
+        ('monitored', t.bool))
+
+    _aci_mo_name = 'vzRsInTermGraphAtt'
+    _tree_parent = ContractSubject
+
+    def __init__(self, **kwargs):
+        super(ContractSubjInGraph, self).__init__({'monitored': False},
+                                                  **kwargs)
+
+
+class ContractSubjOutGraph(AciResourceBase):
+    """Resource representing a subject within a contract in ACI.
+
+    Identity attributes: name of ACI tenant, name of contract and
+    name of subject.
+    """
+
+    identity_attributes = t.identity(
+        ('tenant_name', t.name),
+        ('contract_name', t.name),
+        ('contract_subject_name', t.name))
+    other_attributes = t.other(
+        ('graph_name', t.name),
+        ('display_name', t.name),
+        ('monitored', t.bool))
+
+    _aci_mo_name = 'vzRsOutTermGraphAtt'
+    _tree_parent = ContractSubject
+
+    def __init__(self, **kwargs):
+        super(ContractSubjOutGraph, self).__init__({'monitored': False},
+                                                   **kwargs)
+
+
+class ContractSubjGraph(AciResourceBase):
+    """Resource representing a subject within a contract in ACI.
+
+    Identity attributes: name of ACI tenant, name of contract and
+    name of subject.
+    """
+
+    identity_attributes = t.identity(
+        ('tenant_name', t.name),
+        ('contract_name', t.name),
+        ('contract_subject_name', t.name))
+    other_attributes = t.other(
+        ('graph_name', t.name),
+        ('display_name', t.name),
+        ('monitored', t.bool))
+
+    _aci_mo_name = 'vzRsSubjGraphAtt'
+    _tree_parent = ContractSubject
+
+    def __init__(self, **kwargs):
+        super(ContractSubjGraph, self).__init__({'monitored': False},
+                                                **kwargs)
+
+
 class Endpoint(ResourceBase):
     """Resource representing an endpoint.