From 4cd71a1b31a77053217bbd8fe25866868c7f13bf Mon Sep 17 00:00:00 2001
From: Dave Mihalcik
Date: Fri, 26 Jun 2026 11:32:08 -0400
Subject: [PATCH] fix(xtest): replace brittle per-SDK 403 regexes with shared PERMISSION_DENIED_RE
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Each SDK (go, java, js) phrases KAS policy-denial errors differently, so per-test inline regexes broke whenever an SDK updated its wording — even though the behavior (correct 403 denial) was unchanged.

Introduce tdfs.PERMISSION_DENIED_RE, a single compiled case-insensitive regex that covers the union of current SDK phrasings:
- go: "tdf: rewrap request 403"
- js: "403 for [...]; rewrap permission denied: forbidden"
- gRPC: "PermissionDenied" / "permission denied" / "permission_denied"
- multi-KAS aggregate: "unable to reconstruct split key"

Replace the two brittle inline patterns:
- test_policytypes.py decrypt_or_dont(): r"forbidden|unable to reconstruct split key"
- test_abac.py rewrap_403_pattern: "tdf: rewrap request 403|403 for ..."
---
 xtest/tdfs.py | 12 ++++++++++++
 xtest/test_abac.py | 4 +---
 xtest/test_policytypes.py | 7 +------
 3 files changed, 14 insertions(+), 9 deletions(-)

diff --git a/xtest/tdfs.py b/xtest/tdfs.py
index 50f6e459..024c1d78 100644
--- a/xtest/tdfs.py
+++ b/xtest/tdfs.py
@@ -380,6 +380,18 @@ class Manifest(BaseModel):
 r"^(\d+)(?:\.(\d+)(?:\.(\d+))?)?(?:-([0-9a-zA-Z.-]*))?(?:\+([0-9a-zA-Z.-]*))?$"
 )
+# SDK-agnostic matcher for KAS 403 / policy-denial errors from any supported SDK.
+# Intentionally broad and case-insensitive so SDK message tweaks don't break xtest.
+# Current SDK phrasings covered:
+# go: "tdf: rewrap request 403"
+# js: "403 for [http://...]; rewrap permission denied: forbidden"
+# gRPC: "PermissionDenied" / "permission denied" / "permission_denied"
+# multi-KAS aggregate: "unable to reconstruct split key"
+PERMISSION_DENIED_RE = re.compile(
+ r"403|forbidden|permission.?denied|unable to reconstruct split key",
+ re.IGNORECASE,
+)
+
 def manifest(tdf_file: Path) -> Manifest:
 with zipfile.ZipFile(tdf_file, "r") as tdfz:
diff --git a/xtest/test_abac.py b/xtest/test_abac.py
index 08b663e5..27c85cbc 100644
--- a/xtest/test_abac.py
+++ b/xtest/test_abac.py
@@ -11,9 +11,7 @@
 from fixtures.encryption import EncryptFactory
 from test_policytypes import skip_rts_as_needed
-rewrap_403_pattern = (
- "tdf: rewrap request 403|403 for \\[https?://[^\\]]+\\]; rewrap permission denied"
-)
+rewrap_403_pattern = tdfs.PERMISSION_DENIED_RE.pattern
 dspx1153Fails = []
diff --git a/xtest/test_policytypes.py b/xtest/test_policytypes.py
index 95495434..ab77993d 100644
--- a/xtest/test_policytypes.py
+++ b/xtest/test_policytypes.py
@@ -1,5 +1,4 @@
 import filecmp
-import re
 import subprocess
 from pathlib import Path
@@ -96,11 +95,7 @@ def decrypt_or_dont(
 assert isinstance(stderr_content, str)
 combined_output = output_content + stderr_content
- assert re.search(
- r"forbidden|unable to reconstruct split key",
- combined_output,
- re.IGNORECASE,
- ), (
+ assert tdfs.PERMISSION_DENIED_RE.search(combined_output), (
 f"decrypt failed with unexpected error: {exc}\nstdout: {output_content}\nstderr: {stderr_content}"
 )
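Review bot: The bare `403` alternative in `PERMISSION_DENIED_RE` (xtest/tdfs.py) matches those three digits anywhere in the combined stdout/stderr, such as a port, a request id, a timestamp or a byte count. A decrypt that fails for an unrelated reason can therefore still satisfy the denial assertion in `decrypt_or_dont()` and whatever consumes `rewrap_403_pattern` in test_abac.py. Because these tests are the evidence that KAS actually refuses the rewrap, I would bound the status code, e.g. `r"\b403\b|forbidden|permission[ _]?denied|unable to reconstruct split key"`, which still covers every phrasing listed in the comment. "unable to reconstruct split key" reads like an aggregate failure rather than an authorization-specific one; if it can also appear when a KAS is simply unreachable, the comment should say so, since test_abac.py did not accept that phrase before this change.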
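Review bot: In xtest/test_abac.py, `rewrap_403_pattern = tdfs.PERMISSION_DENIED_RE.pattern` keeps only the pattern string, so the `re.IGNORECASE` flag compiled in tdfs.py is lost. The uses of `rewrap_403_pattern` are outside this hunk, but if it is handed to `re.search` or a `match=` argument as a plain string, matching is case-sensitive and the gRPC `PermissionDenied` phrasing that the tdfs.py comment lists as covered would not match. Either assign the compiled object, `rewrap_403_pattern = tdfs.PERMISSION_DENIED_RE`, if the call sites accept a compiled pattern, or put the flag in the pattern itself with a leading `(?i)` so that `.pattern` carries it.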