Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 12 additions & 0 deletions xtest/tdfs.py
Original file line number Diff line number Diff line change
Expand Up @@ -380,6 +380,18 @@ class Manifest(BaseModel):
r"^(\d+)(?:\.(\d+)(?:\.(\d+))?)?(?:-([0-9a-zA-Z.-]*))?(?:\+([0-9a-zA-Z.-]*))?$"
)

# SDK-agnostic matcher for KAS 403 / policy-denial errors from any supported SDK.
# Intentionally broad and case-insensitive so SDK message tweaks don't break xtest.
# Current SDK phrasings covered:
# go: "tdf: rewrap request 403"
# js: "403 for [http://...]; rewrap permission denied: forbidden"
# gRPC: "PermissionDenied" / "permission denied" / "permission_denied"
# multi-KAS aggregate: "unable to reconstruct split key"
PERMISSION_DENIED_RE = re.compile(
r"403|forbidden|permission.?denied|unable to reconstruct split key",
re.IGNORECASE,
)
Comment on lines +390 to +393

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

high

Matching the raw substring 403 without word boundaries can lead to false positives in tests. For example, if a connection fails on a port containing 403 (like 8403 or 4030), or if a log timestamp contains .403 milliseconds, the regex will match and the test will incorrectly pass.

Using word boundaries (\b403\b) ensures that 403 is matched only as a standalone number/error code.

Suggested change
PERMISSION_DENIED_RE = re.compile(
r"403|forbidden|permission.?denied|unable to reconstruct split key",
re.IGNORECASE,
)
PERMISSION_DENIED_RE = re.compile(
r"\b403\b|forbidden|permission.?denied|unable to reconstruct split key",
re.IGNORECASE,
)



def manifest(tdf_file: Path) -> Manifest:
with zipfile.ZipFile(tdf_file, "r") as tdfz:
Expand Down
4 changes: 1 addition & 3 deletions xtest/test_abac.py
Original file line number Diff line number Diff line change
Expand Up @@ -11,9 +11,7 @@
from fixtures.encryption import EncryptFactory
from test_policytypes import skip_rts_as_needed

rewrap_403_pattern = (
"tdf: rewrap request 403|403 for \\[https?://[^\\]]+\\]; rewrap permission denied"
)
rewrap_403_pattern = tdfs.PERMISSION_DENIED_RE.pattern


dspx1153Fails = []
Expand Down
7 changes: 1 addition & 6 deletions xtest/test_policytypes.py
Original file line number Diff line number Diff line change
@@ -1,5 +1,4 @@
import filecmp
import re
import subprocess
from pathlib import Path

Expand Down Expand Up @@ -96,11 +95,7 @@ def decrypt_or_dont(
assert isinstance(stderr_content, str)

combined_output = output_content + stderr_content
assert re.search(
r"forbidden|unable to reconstruct split key",
combined_output,
re.IGNORECASE,
), (
assert tdfs.PERMISSION_DENIED_RE.search(combined_output), (
f"decrypt failed with unexpected error: {exc}\nstdout: {output_content}\nstderr: {stderr_content}"
)

Expand Down
Loading