Sanity query optimized

nca/NetworkConfig/NetworkConfigQuery.py

@@ -458,7 +458,7 @@ def other_policy_containing_deny(self, self_policy, config_with_self_policy, lay
         :param NetworkPolicy self_policy: The policy to check
         :param NetworkConfig config_with_self_policy: A network config with self_policy as its single policy
         :param NetworkLayerName layer_name: The layer name of the policy
-        :return: A policy containing self_policy's denied connections if exist, None otherwise
+        :return: A policy containing self_policy's denied connections if exists, None otherwise
         :rtype: NetworkPolicy
         """
         policies_list = self.config.policies_container.layers[layer_name].policies_list
@@ -471,26 +471,39 @@ def other_policy_containing_deny(self, self_policy, config_with_self_policy, lay
             if not other_policy.has_deny_rules():
                 continue
             config_with_other_policy = self.config.clone_with_just_one_policy(other_policy.full_name())
-            # calling get_all_peers_group does not require getting dnsEntry peers, since they are not relevant when computing
-            # deny connections
-            pods_to_compare = self.config.peer_container.get_all_peers_group()
-            pods_to_compare |= TwoNetworkConfigsQuery(self.config,
-                                                      config_with_other_policy).disjoint_referenced_ip_blocks()
-            for pod1 in pods_to_compare:
-                for pod2 in pods_to_compare:
-                    if isinstance(pod1, IpBlock) and isinstance(pod2, IpBlock):
-                        continue
-                    if pod1 == pod2:
-                        continue  # no way to prevent a pod from communicating with itself
-                    _, _, _, self_deny_conns = config_with_self_policy.allowed_connections(pod1, pod2, layer_name)
-                    _, _, _, other_deny_conns = config_with_other_policy.allowed_connections(pod1, pod2, layer_name)
-                    if not self_deny_conns:
-                        continue
-                    if not self_deny_conns.contained_in(other_deny_conns):
-                        return None
-            return other_policy
+            if self.config.optimized_run == 'false':
+                res = self.check_deny_containment_original(config_with_self_policy, config_with_other_policy, layer_name)
+            else:
+                res = self.check_deny_containment_optimized(config_with_self_policy, config_with_other_policy, layer_name)
+            if res:
+                return other_policy
         return None
 
+    def check_deny_containment_original(self, config_with_self_policy, config_with_other_policy, layer_name):
+        # calling get_all_peers_group does not require getting dnsEntry peers, since they are not relevant when computing
+        # deny connections
+        pods_to_compare = self.config.peer_container.get_all_peers_group()
+        pods_to_compare |= TwoNetworkConfigsQuery(self.config, config_with_other_policy).disjoint_referenced_ip_blocks()
+        for pod1 in pods_to_compare:
+            for pod2 in pods_to_compare:
+                if isinstance(pod1, IpBlock) and isinstance(pod2, IpBlock):
+                    continue
+                if pod1 == pod2:
+                    continue  # no way to prevent a pod from communicating with itself
+                _, _, _, self_deny_conns = config_with_self_policy.allowed_connections(pod1, pod2, layer_name)
+                _, _, _, other_deny_conns = config_with_other_policy.allowed_connections(pod1, pod2, layer_name)
+                if not self_deny_conns:
+                    continue
+                if not self_deny_conns.contained_in(other_deny_conns):
+                    return False
+        return True
+
+    @staticmethod
+    def check_deny_containment_optimized(config_with_self_policy, config_with_other_policy, layer_name):
+        self_props = config_with_self_policy.allowed_connections_optimized(layer_name)
+        other_props = config_with_other_policy.allowed_connections_optimized(layer_name)
+        return self_props.denied_conns.contained_in(other_props.denied_conns)
+
     def other_rule_containing(self, self_policy, self_rule_index, is_ingress, layer_name):
         """
         Search whether a given policy rule is contained in another policy rule

nca/SchemeRunner.py

@@ -20,7 +20,7 @@ class SchemeRunner(GenericYamlParser):
 
     implemented_opt_queries = {'connectivityMap', 'equivalence', 'vacuity', 'redundancy', 'strongEquivalence',
                                'containment', 'twoWayContainment', 'permits', 'interferes', 'pairwiseInterferes',
-                               'forbids', 'emptiness', 'disjointness', 'allCaptured'}
+                               'forbids', 'emptiness', 'disjointness', 'allCaptured', 'sanity'}
 
     def __init__(self, scheme_file_name, output_format=None, output_path=None, optimized_run='false'):
         GenericYamlParser.__init__(self, scheme_file_name)

tests/run_all_tests.py

@@ -112,7 +112,7 @@ def run_all_test_flow(self, all_results):
         tmp_opt = [i for i in self.test_queries_obj.args_obj.args if '-opt=' in i]
         opt = tmp_opt[0].split('=')[1] if tmp_opt else 'false'
         if isinstance(self.test_queries_obj, CliQuery) and (opt == 'debug' or opt == 'true'):
-            implemented_opt_queries = {'--connectivity', '--equiv', '--permits', '--interferes', '--forbids'}
+            implemented_opt_queries = {'--connectivity', '--equiv', '--permits', '--interferes', '--forbids', '--sanity'}
             # TODO - update/remove the optimization below when all queries are supported in optimized implementation
             if not implemented_opt_queries.intersection(set(self.test_queries_obj.args_obj.args)):
                 print(f'Skipping {self.test_queries_obj.test_name} since it does not have optimized implementation yet')