fix(xtest): replace brittle per-SDK 403 regexes with shared PERMISSION_DENIED_RE#539
fix(xtest): replace brittle per-SDK 403 regexes with shared PERMISSION_DENIED_RE#539dmihalcik-virtru wants to merge 2 commits into
Conversation
…N_DENIED_RE Each SDK (go, java, js) phrases KAS policy-denial errors differently, so per-test inline regexes broke whenever an SDK updated its wording — even though the behavior (correct 403 denial) was unchanged. Introduce tdfs.PERMISSION_DENIED_RE, a single compiled case-insensitive regex that covers the union of current SDK phrasings: - go: "tdf: rewrap request 403" - js: "403 for [...]; rewrap permission denied: forbidden" - gRPC: "PermissionDenied" / "permission denied" / "permission_denied" - multi-KAS aggregate: "unable to reconstruct split key" Replace the two brittle inline patterns: - test_policytypes.py decrypt_or_dont(): r"forbidden|unable to reconstruct split key" - test_abac.py rewrap_403_pattern: "tdf: rewrap request 403|403 for ..."
|
Warning Review limit reached
More reviews will be available in 4 minutes and 48 seconds. Learn how PR review limits work. Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file). ⌛ How to resolve this issue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits. 🚦 How do rate limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please see our Fair Usage Limits Policy for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (3)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Code Review
This pull request centralizes the matching of permission-denied and 403 errors across different SDKs by introducing a shared regular expression (PERMISSION_DENIED_RE) in xtest/tdfs.py and refactoring xtest/test_abac.py and xtest/test_policytypes.py to use it. Feedback suggests adding word boundaries to the 403 pattern (i.e., \b403\b) to prevent false positives from matching port numbers or timestamps containing the substring.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
| PERMISSION_DENIED_RE = re.compile( | ||
| r"403|forbidden|permission.?denied|unable to reconstruct split key", | ||
| re.IGNORECASE, | ||
| ) |
There was a problem hiding this comment.
Matching the raw substring 403 without word boundaries can lead to false positives in tests. For example, if a connection fails on a port containing 403 (like 8403 or 4030), or if a log timestamp contains .403 milliseconds, the regex will match and the test will incorrectly pass.
Using word boundaries (\b403\b) ensures that 403 is matched only as a standalone number/error code.
| PERMISSION_DENIED_RE = re.compile( | |
| r"403|forbidden|permission.?denied|unable to reconstruct split key", | |
| re.IGNORECASE, | |
| ) | |
| PERMISSION_DENIED_RE = re.compile( | |
| r"\b403\b|forbidden|permission.?denied|unable to reconstruct split key", | |
| re.IGNORECASE, | |
| ) |
|
This addresses a problem found while i was working on opentdf/web-sdk#956 |
|



Problem
Several negative-decrypt tests assert on the exact wording of KAS 403 / policy-denial errors. Because each SDK (go, java, js) phrases the error differently, these regexes broke whenever an SDK updated its message — even though the behavior (correct policy denial) was unchanged.
Recent concrete example: the JS SDK changed its rewrap error message, breaking
test_policytypesandtest_obligations_not_entitledpurely on wording.Brittle patterns replaced:
test_policytypes.pydecrypt_or_dont()r"forbidden|unable to reconstruct split key"test_abac.pyrewrap_403_pattern, used in 3 tests"tdf: rewrap request 403|403 for \\[https?://[^\\]]+\\]; rewrap permission denied"Solution
Add
PERMISSION_DENIED_REtotdfs.py(already imported by every test file) — a single compiled, case-insensitive regex covering the union of current SDK phrasings:Pattern coverage:
tdf: rewrap request 403(go)403403 for [http://localhost:8484]; rewrap permission denied: forbidden(js)403,forbidden,permission.?denieddesc = forbiddenforbiddenunable to reconstruct split key(multi-KAS aggregate)PermissionDenied(gRPC)permission.?denied(0-char separator)permission denied/permission_deniedpermission.?deniedChanges
xtest/tdfs.py: addPERMISSION_DENIED_REcompiled regex constantxtest/test_policytypes.py: removeimport re, replace inline regex withtdfs.PERMISSION_DENIED_RE.search()xtest/test_abac.py: replacerewrap_403_patternstring literal withtdfs.PERMISSION_DENIED_RE.pattern(the three call sites are unchanged)No new dependencies. No test structure changes. Assertions still require a
CalledProcessError(non-zero exit) before the pattern is checked — the change only makes the denial recognition tolerant of SDK wording differences.