Skip to content

fix(xtest): replace brittle per-SDK 403 regexes with shared PERMISSION_DENIED_RE#539

Open
dmihalcik-virtru wants to merge 2 commits into
mainfrom
feature/simplify-errcode-text-check
Open

fix(xtest): replace brittle per-SDK 403 regexes with shared PERMISSION_DENIED_RE#539
dmihalcik-virtru wants to merge 2 commits into
mainfrom
feature/simplify-errcode-text-check

Conversation

@dmihalcik-virtru

Copy link
Copy Markdown
Member

Problem

Several negative-decrypt tests assert on the exact wording of KAS 403 / policy-denial errors. Because each SDK (go, java, js) phrases the error differently, these regexes broke whenever an SDK updated its message — even though the behavior (correct policy denial) was unchanged.

Recent concrete example: the JS SDK changed its rewrap error message, breaking test_policytypes and test_obligations_not_entitled purely on wording.

Brittle patterns replaced:

File Location Old pattern
test_policytypes.py decrypt_or_dont() r"forbidden|unable to reconstruct split key"
test_abac.py module-level rewrap_403_pattern, used in 3 tests "tdf: rewrap request 403|403 for \\[https?://[^\\]]+\\]; rewrap permission denied"

Solution

Add PERMISSION_DENIED_RE to tdfs.py (already imported by every test file) — a single compiled, case-insensitive regex covering the union of current SDK phrasings:

# SDK-agnostic matcher for KAS 403 / policy-denial errors from any supported SDK.
# Intentionally broad and case-insensitive so SDK message tweaks don't break xtest.
PERMISSION_DENIED_RE = re.compile(
    r"403|forbidden|permission.?denied|unable to reconstruct split key",
    re.IGNORECASE,
)

Pattern coverage:

Sample string Matched by
tdf: rewrap request 403 (go) 403
403 for [http://localhost:8484]; rewrap permission denied: forbidden (js) 403, forbidden, permission.?denied
desc = forbidden forbidden
unable to reconstruct split key (multi-KAS aggregate) literal
PermissionDenied (gRPC) permission.?denied (0-char separator)
permission denied / permission_denied permission.?denied

Changes

  • xtest/tdfs.py: add PERMISSION_DENIED_RE compiled regex constant
  • xtest/test_policytypes.py: remove import re, replace inline regex with tdfs.PERMISSION_DENIED_RE.search()
  • xtest/test_abac.py: replace rewrap_403_pattern string literal with tdfs.PERMISSION_DENIED_RE.pattern (the three call sites are unchanged)

No new dependencies. No test structure changes. Assertions still require a CalledProcessError (non-zero exit) before the pattern is checked — the change only makes the denial recognition tolerant of SDK wording differences.

…N_DENIED_RE

Each SDK (go, java, js) phrases KAS policy-denial errors differently, so
per-test inline regexes broke whenever an SDK updated its wording — even
though the behavior (correct 403 denial) was unchanged.

Introduce tdfs.PERMISSION_DENIED_RE, a single compiled case-insensitive
regex that covers the union of current SDK phrasings:
  - go:    "tdf: rewrap request 403"
  - js:    "403 for [...]; rewrap permission denied: forbidden"
  - gRPC:  "PermissionDenied" / "permission denied" / "permission_denied"
  - multi-KAS aggregate: "unable to reconstruct split key"

Replace the two brittle inline patterns:
  - test_policytypes.py decrypt_or_dont(): r"forbidden|unable to reconstruct split key"
  - test_abac.py rewrap_403_pattern: "tdf: rewrap request 403|403 for ..."
@dmihalcik-virtru dmihalcik-virtru requested review from a team as code owners June 26, 2026 15:33
@coderabbitai

coderabbitai Bot commented Jun 26, 2026

Copy link
Copy Markdown

Warning

Review limit reached

@dmihalcik-virtru, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 4 minutes and 48 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits.

🚦 How do rate limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: fa1036c4-8b57-48a5-b3bb-8e6dd919cc1d

📥 Commits

Reviewing files that changed from the base of the PR and between fb1ca61 and d042ce8.

📒 Files selected for processing (3)
  • xtest/tdfs.py
  • xtest/test_abac.py
  • xtest/test_policytypes.py
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feature/simplify-errcode-text-check

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request centralizes the matching of permission-denied and 403 errors across different SDKs by introducing a shared regular expression (PERMISSION_DENIED_RE) in xtest/tdfs.py and refactoring xtest/test_abac.py and xtest/test_policytypes.py to use it. Feedback suggests adding word boundaries to the 403 pattern (i.e., \b403\b) to prevent false positives from matching port numbers or timestamps containing the substring.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

Comment thread xtest/tdfs.py
Comment on lines +390 to +393
PERMISSION_DENIED_RE = re.compile(
r"403|forbidden|permission.?denied|unable to reconstruct split key",
re.IGNORECASE,
)

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

high

Matching the raw substring 403 without word boundaries can lead to false positives in tests. For example, if a connection fails on a port containing 403 (like 8403 or 4030), or if a log timestamp contains .403 milliseconds, the regex will match and the test will incorrectly pass.

Using word boundaries (\b403\b) ensures that 403 is matched only as a standalone number/error code.

Suggested change
PERMISSION_DENIED_RE = re.compile(
r"403|forbidden|permission.?denied|unable to reconstruct split key",
re.IGNORECASE,
)
PERMISSION_DENIED_RE = re.compile(
r"\b403\b|forbidden|permission.?denied|unable to reconstruct split key",
re.IGNORECASE,
)

@dmihalcik-virtru

Copy link
Copy Markdown
Member Author

This addresses a problem found while i was working on opentdf/web-sdk#956

@sonarqubecloud

Copy link
Copy Markdown

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant