Skip to content

fix matching of resource ARNs whose relative-id contains a colon#2638

Open
delthas wants to merge 2 commits into
development/8.4from
bugfix/ARSN-591/colon-relative-id-match
Open

fix matching of resource ARNs whose relative-id contains a colon#2638
delthas wants to merge 2 commits into
development/8.4from
bugfix/ARSN-591/colon-relative-id-match

Conversation

@delthas

@delthas delthas commented Jun 10, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

A policy Resource ARN whose relative-id contains ':' (legal in S3 object keys, e.g. bucket/data:2024/report.csv) never matched any request — not even a byte-identical ARN. checkArnMatch anchors each ':'-split portion individually (^…$) and then re-joins the relative-id portions, producing an unsatisfiable pattern like ^bucket/data$:^2024/….$ ($ = end-of-input, so a required ':' after it can never match). The request side already re-joins split portions correctly; only the policy side was broken.

Fix: wildcard-translate the joined relative-id as one unit, yielding a single anchored pattern. Six-portion ARNs compile to byte-identical patterns — no behavior change for them (all pre-existing tests pass unchanged); ARNs with fewer than six portions keep their previous behavior.

Behavior change: policy statements on colon-containing resources that were silently dead start applying after upgrade — Allow statements start granting (as their authors intended) and Deny statements start denying (they previously failed open).

Issue: ARSN-591

@bert-e

bert-e commented Jun 10, 2026

Copy link
Copy Markdown
Contributor

Hello delthas,

My role is to assist you with the merge of this
pull request. Please type @bert-e help to get information
on this process, or consult the user documentation.

Available options
name description privileged authored
/after_pull_request Wait for the given pull request id to be merged before continuing with the current one.
/bypass_author_approval Bypass the pull request author's approval
/bypass_build_status Bypass the build and test status
/bypass_commit_size Bypass the check on the size of the changeset TBA
/bypass_incompatible_branch Bypass the check on the source branch prefix
/bypass_jira_check Bypass the Jira issue check
/bypass_peer_approval Bypass the pull request peers' approval
/bypass_leader_approval Bypass the pull request leaders' approval
/approve Instruct Bert-E that the author has approved the pull request. ✍️
/create_pull_requests Allow the creation of integration pull requests.
/create_integration_branches Allow the creation of integration branches.
/no_octopus Prevent Wall-E from doing any octopus merge and use multiple consecutive merge instead
/unanimity Change review acceptance criteria from one reviewer at least to all reviewers
/wait Instruct Bert-E not to run until further notice.
Available commands
name description privileged
/help Print Bert-E's manual in the pull request.
/status Print Bert-E's current status in the pull request TBA
/clear Remove all comments from Bert-E from the history TBA
/retry Re-start a fresh build TBA
/build Re-start a fresh build TBA
/force_reset Delete integration branches & pull requests, and restart merge process from the beginning.
/reset Try to remove integration branches unless there are commits on them which do not appear on the source branch.

Status report is not available.

@bert-e

bert-e commented Jun 10, 2026

Copy link
Copy Markdown
Contributor

Waiting for approval

The following approvals are needed before I can proceed with the merge:

  • the author

  • 2 peers

@codecov

codecov Bot commented Jun 10, 2026
edited
Loading

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 73.92%. Comparing base (6a5ee64) to head (53bafdc).
⚠️ Report is 3 commits behind head on development/8.4.

Additional details and impacted files 
@@               Coverage Diff                @@
##           development/8.4    #2638   +/-   ##
================================================
  Coverage            73.92%   73.92%           
================================================
  Files                  229      229           
  Lines                18480    18480           
  Branches              3822     3820    -2     
================================================
  Hits                 13661    13661           
  Misses                4814     4814           
  Partials                 5        5

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@delthas delthas force-pushed the bugfix/ARSN-591/colon-relative-id-match branch 2 times, most recently from de98726 to 62570e0 Compare June 10, 2026 15:01
@delthas delthas marked this pull request as ready for review June 10, 2026 15:01
@delthas
run prettier on policy evaluator wildcard matching files
2712e8d 
Formatting only, no functional change.

Issue: ARSN-591
@delthas delthas force-pushed the bugfix/ARSN-591/colon-relative-id-match branch from 62570e0 to 625960d Compare June 10, 2026 15:23
@scality scality deleted a comment from claude Bot Jun 10, 2026
@scality scality deleted a comment from claude Bot Jun 10, 2026
@delthas delthas requested review from a team, SylvainSenechal and benzekrimaha June 10, 2026 15:27
SylvainSenechal
SylvainSenechal reviewed Jun 10, 2026
View reviewed changes
Comment thread lib/policyEvaluator/utils/wildcards.ts Outdated
SylvainSenechal
SylvainSenechal approved these changes Jun 10, 2026
View reviewed changes

@SylvainSenechal SylvainSenechal left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nice catch, hopefully we don't get RDs with client suddenly having issues with their policies 🌚

@delthas
fix matching of resource ARNs whose relative-id contains a colon
53bafdc 
checkArnMatch splits the policy ARN on ':' and anchors each portion
individually before re-joining the relative-id portions, so a policy ARN
whose relative-id contains ':' (legal in S3 object keys, e.g.
bucket/data:2024/report.csv) compiled to an unsatisfiable pattern like
'^bucket/data$:^2024/\.\.\.$' and never matched any request - not even a
byte-identical ARN. Allow statements on such resources silently granted
nothing and Deny statements silently failed to deny. The request side
already handles colons by re-joining the split portions.

Wildcard-translate the joined relative-id as one unit instead, producing a
single anchored pattern. Six-portion ARNs compile to byte-identical
patterns (no behavior change); ARNs with fewer than six portions keep
their previous behavior.

Issue: ARSN-591
@delthas delthas force-pushed the bugfix/ARSN-591/colon-relative-id-match branch from 625960d to 53bafdc Compare June 11, 2026 07:56
@claude

claude Bot commented Jun 11, 2026

Copy link
Copy Markdown

LGTM

Review by Claude Code

@scality scality deleted a comment from claude Bot Jun 11, 2026
@scality scality deleted a comment from bert-e Jun 11, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@SylvainSenechal SylvainSenechal SylvainSenechal approved these changes

@benzekrimaha benzekrimaha Awaiting requested review from benzekrimaha benzekrimaha was automatically assigned from scality/raving-robots

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@delthas @bert-e @SylvainSenechal