diff --git a/xtest/tdfs.py b/xtest/tdfs.py
index d09ca470..0081b0a2 100644
--- a/xtest/tdfs.py
+++ b/xtest/tdfs.py
@@ -380,6 +380,18 @@ class Manifest(BaseModel):
 r"^(\d+)(?:\.(\d+)(?:\.(\d+))?)?(?:-([0-9a-zA-Z.-]*))?(?:\+([0-9a-zA-Z.-]*))?$"
 )
+# SDK-agnostic matcher for KAS 403 / policy-denial errors from any supported SDK.
+# Intentionally broad and case-insensitive so SDK message tweaks don't break xtest.
+# Current SDK phrasings covered:
+# go: "tdf: rewrap request 403"
+# js: "403 for [http://...]; rewrap permission denied: forbidden"
+# gRPC: "PermissionDenied" / "permission denied" / "permission_denied"
+# multi-KAS aggregate: "unable to reconstruct split key"
+PERMISSION_DENIED_RE = re.compile(
+ r"403|forbidden|permission.?denied|unable to reconstruct split key",
+ re.IGNORECASE,
+)
+
 def manifest(tdf_file: Path) -> Manifest:
 with zipfile.ZipFile(tdf_file, "r") as tdfz:
diff --git a/xtest/test_abac.py b/xtest/test_abac.py
index 08b663e5..27c85cbc 100644
--- a/xtest/test_abac.py
+++ b/xtest/test_abac.py
@@ -11,9 +11,7 @@ from fixtures.encryption import EncryptFactory
 from test_policytypes import skip_rts_as_needed
-rewrap_403_pattern = (
- "tdf: rewrap request 403|403 for \\[https?://[^\\]]+\\]; rewrap permission denied"
-)
+rewrap_403_pattern = tdfs.PERMISSION_DENIED_RE.pattern
 dspx1153Fails = []
diff --git a/xtest/test_policytypes.py b/xtest/test_policytypes.py
index 95495434..ab77993d 100644
--- a/xtest/test_policytypes.py
+++ b/xtest/test_policytypes.py
@@ -1,5 +1,4 @@
 import filecmp
-import re
 import subprocess
 from pathlib import Path
@@ -96,11 +95,7 @@ def decrypt_or_dont(
 assert isinstance(stderr_content, str)
 combined_output = output_content + stderr_content
-assert re.search(
- r"forbidden|unable to reconstruct split key",
- combined_output,
- re.IGNORECASE,
-), (
+assert tdfs.PERMISSION_DENIED_RE.search(combined_output), (
 f"decrypt failed with unexpected error: {exc}\nstdout: {output_content}\nstderr: {stderr_content}"
 )
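Review bot: The bare `403` and `permission.?denied` alternatives in `PERMISSION_DENIED_RE` match output that has nothing to do with a KAS policy denial: any digit run containing 403 (a port, byte count or timestamp) and the OS-level `Permission denied` from a file or socket error. The denial assertions in `xtest/test_abac.py` and in `decrypt_or_dont` (`xtest/test_policytypes.py`) now depend on this pattern, so a negative access-control test can pass when decryption failed for an unrelated reason, and a regression that wrongly lets the request through to a different failure would go unnoticed. I would at least bound the status code, `r"\b403\b|forbidden|permission.?denied|unable to reconstruct split key"`, and extend the comment with `# NOTE: also matches a local filesystem "Permission denied"; keep test fixtures readable so that cannot be the cause.`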
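Review bot: Taking `.pattern` here drops the `re.IGNORECASE` flag that `PERMISSION_DENIED_RE` was compiled with. The uses of `rewrap_403_pattern` are outside this hunk, but wherever it is passed on as a plain string (presumably a `match=` argument or `re.search`) the match becomes case-sensitive, so the gRPC `PermissionDenied` spelling listed in the `tdfs.py` comment would not match. If the consumers accept a compiled pattern, `rewrap_403_pattern = tdfs.PERMISSION_DENIED_RE` keeps the flag; otherwise `rewrap_403_pattern = "(?i)" + tdfs.PERMISSION_DENIED_RE.pattern` does.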