fixed bug and implied tests (#112)

np-guard · Jan 1, 2025 · 15b954c · 15b954c
1 parent 5566003
commit 15b954c
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 7 deletions.
diff --git a/pkg/symbolicexpr/atomic.go b/pkg/symbolicexpr/atomic.go
@@ -31,7 +31,7 @@ func NewAtomicTerm(label vmProperty, toVal string, neg bool) *atomicTerm {
 	return &atomicTerm{property: label, toVal: toVal, neg: neg}
 }
 
-// negate an atomicTerm expression; return pointer to corresponding expression from Atomics, if not there yet then add it
+// negate an atomicTerm expression
 func (term atomicTerm) negate() atomic {
 	return atomicTerm{property: term.property, toVal: term.toVal, neg: !term.neg}
 }

diff --git a/pkg/synthesis/allowOnlyConversion.go b/pkg/synthesis/allowOnlyConversion.go
@@ -1,6 +1,7 @@
 package synthesis
 
 import (
+	"slices"
 	"strings"
 
 	"github.com/np-guard/vmware-analyzer/pkg/model/dfw"
@@ -67,8 +68,7 @@ func computeAllowOnlyForCategory(inboundOrOutbound *[]*symbolicRule,
 	globalDenies *symbolicexpr.SymbolicPaths) (allowRule []*symbolicRule, denyPaths *symbolicexpr.SymbolicPaths) {
 	allowOnlyRules := []*symbolicRule{}
 	categoryPasses := symbolicexpr.SymbolicPaths{}
-	newGlobalDenies := symbolicexpr.SymbolicPaths{}
-	copy(newGlobalDenies, *globalDenies)
+	newGlobalDenies := slices.Clone(*globalDenies)
 	for _, rule := range *inboundOrOutbound {
 		switch rule.origRule.Action {
 		case dfw.ActionJumpToApp:
@@ -77,8 +77,7 @@ func computeAllowOnlyForCategory(inboundOrOutbound *[]*symbolicRule,
 			newSymbolicPaths := symbolicexpr.ComputeAllowGivenDenies(rule.origSymbolicPaths, &categoryPasses)
 			newGlobalDenies = append(newGlobalDenies, *newSymbolicPaths...)
 		case dfw.ActionAllow:
-			symbolicDeniesAndPasses := symbolicexpr.SymbolicPaths{}
-			symbolicDeniesAndPasses = append(symbolicDeniesAndPasses, newGlobalDenies...)
+			symbolicDeniesAndPasses := slices.Clone(newGlobalDenies)
 			symbolicDeniesAndPasses = append(symbolicDeniesAndPasses, categoryPasses...)
 			newSymbolicPaths := symbolicexpr.ComputeAllowGivenDenies(rule.origSymbolicPaths, &symbolicDeniesAndPasses)
 			newRule := &symbolicRule{origRule: rule.origRule, origRuleCategory: rule.origRuleCategory,

diff --git a/pkg/synthesis/tests_expected_output/ExampleDenyPassSimple_ConvertToAbstract.txt b/pkg/synthesis/tests_expected_output/ExampleDenyPassSimple_ConvertToAbstract.txt
@@ -1,6 +1,12 @@
 Allow Only Rules
 ~~~~~~~~~~~~~~~~~
 inbound rules
-	All Connections from (*) to (*)
+	All Connections from (*) to (group  != Hufflepuff and group  != Slytherin)
+	All Connections from (*) to (group  != Hufflepuff and group  = Dumbledore)
+	All Connections from (*) to (group  = Dumbledore and group  != Slytherin)
+	All Connections from (*) to (group  = Dumbledore)
 outbound rules
-	All Connections from (*) to (*)
+	All Connections from (*) to (group  != Hufflepuff and group  != Slytherin)
+	All Connections from (*) to (group  != Hufflepuff and group  = Dumbledore)
+	All Connections from (*) to (group  = Dumbledore and group  != Slytherin)
+	All Connections from (*) to (group  = Dumbledore)