[TT-15825] [BE] Address inconsistencies with use of Policy identifiers

[shults]

User description

TT-15825

Summary	[BE] Address inconsistencies with use of Policy identifiers
Type	Bug
Status	In Dev
Points	N/A
Labels	2025_long_tail, AI-Complexity-Medium, AI-Priority-High, codilime_refined, customer_bug, jira_escalated, stability_theme_auth

---

Description

Related Issue

Motivation and Context

How This Has Been Tested

Screenshots (if appropriate)

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)
• Refactoring or add test (improvements in base code or adds test coverage to functionality)

Checklist

• I ensured that the documentation is up to date
• I explained why this PR updates go.mod in detail with reasoning why it's required
• I would like a code coverage CI quality gate exception and have explained why

---

PR Type

Bug fix, Tests, Documentation

---

Description

• Remove explicit policy ID toggle usage

• Standardize policy ID to policy.ID

• Update RPC/Dashboard loaders signatures

• Adjust tests for new behavior

---

Diagram Walkthrough

flowchart LR
  Config["Config: deprecate allow_explicit_policy_id"] -- "not used" --> Loaders["Policy loaders"]
  Loaders["Policy loaders"] -- "use policy.ID only" --> Dashboard["LoadPoliciesFromDashboard"]
  Loaders -- "use policy.ID only" --> RPC["LoadPoliciesFromRPC/parsePoliciesFromRPC"]
  API["handleAddOrUpdatePolicy"] -- "backfill ID from MID" --> Filesave["Save policy file"]
  Tests["Tests updated"] -- "drop allowExplicit param" --> Dashboard
  Tests -- "expect IDs via policy.ID" --> RPC
  Backup["RPC backup handlers"] -- "parsePoliciesFromRPC()" --> RPC

Loading

File Walkthrough

	Relevant files
Documentation	config.go Deprecate unused AllowExplicitPolicyID config                        config/config.go Mark AllowExplicitPolicyID as deprecated. Note it's unused in codebase. +2/-0
Bug fix	api.go Backfill missing policy ID from MID on save                            gateway/api.go Default newPol.ID to newPol.MID.Hex() if empty. Ensure saved filename uses resolved policy ID. +4/-0
Enhancement	policy.go Standardize ID handling and simplify loader APIs                  gateway/policy.go Remove allowExplicit parameter from loaders/parsers. Use policy.ID as key; drop MID fallback. Adjust duplicate detection to use policy.ID. Update retry path to new signatures. +8/-18    rpc_backup_handlers.go Update RPC backup to new parsing/decrypt API                          gateway/rpc_backup_handlers.go Call parsePoliciesFromRPC without allowExplicit. Use updated crypto decrypt signature. +2/-2      server.go Remove allowExplicit parameter from sync paths                      gateway/server.go Call loaders without AllowExplicitPolicyID. Keep source selection logic intact. +2/-2
Tests	policy_test.go Align tests with standardized policy ID handling                  gateway/policy_test.go Update tests to new loader signatures. Adjust expectations to lookup by policy.ID. Remove dependency on config AllowExplicitPolicyID. +28/-37

---

Ticket Details

TT-15825

Status	In Code Review
Summary	[BE] Address inconsistencies with use of Policy identifiers

Generated at: 2025-11-12 14:28:57

[buger]

I'm a bot and I 👍 this PR title. 🤖

[github-actions]

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

⏱️ Estimated effort to review: 2 🔵🔵⚪⚪⚪

🧪 PR contains tests

🔒 No security concerns identified

⚡ Recommended focus areas for review Possible Issue When creating or updating a policy, if the incoming policy has an empty ID, the code sets newPol.ID to newPol.MID.Hex(). Ensure MID is always populated for new policies; otherwise MID may be zero-value and .Hex() could yield an empty or invalid ID, leading to filename collisions or unexpected behavior. if newPol.ID == "" { newPol.ID = newPol.MID.Hex() } Duplicate Handling Policies fetched from the Dashboard now strictly use p.ID as the key and skip duplicates. Validate that upstream always sets ID (and uniquely) after deprecating explicit/Mongo ID switching; otherwise blank or reused IDs will cause policies to be dropped silently. if _, ok := policies[p.ID]; ok { log.WithFields(logrus.Fields{ "prefix": "policy", "policyID": p.ID, "OrgID": p.OrgID, }).Warning("--> Skipping policy, new item has a duplicate ID!") continue } policies[p.ID] = p.ToRegularPolicy() } Crypto API Change crypto.Decrypt is now called with secret (string/bytes change). Confirm the function signature expects the provided type; mismatches could cause decryption failure and policy-loading errors in backup recovery. secret := crypto.GetPaddedString(gw.GetConfig().Secret) cryptoText, err := store.GetKey(checkKey) listAsString := crypto.Decrypt(secret, cryptoText) if err != nil { return nil, errors.New("[RPC] --> Failed to get node policy backup (" + checkKey + "): " + err.Error()) } if policies, err := parsePoliciesFromRPC(listAsString); err != nil { log.WithFields(logrus.Fields{

[github-actions]

API Changes

--- prev.txt	2025-11-12 14:29:17.975838698 +0000
+++ current.txt	2025-11-12 14:29:07.912835015 +0000
@@ -6988,6 +6988,8 @@
 	// If you set this value to `true`, then the id parameter in a stored policy (or imported policy using the Dashboard API), will be used instead of the internal ID.
 	//
 	// This option should only be used when moving an installation to a new database.
+	//
+	// Deprecated. Is not used in codebase.
 	AllowExplicitPolicyID bool `json:"allow_explicit_policy_id"`
 	// This option only applies in OSS deployment when the `policies.policy_source` is either set
 	// to `file` or an empty string. If `policies.policy_path` is set, then Tyk will load policies
@@ -10130,11 +10132,11 @@
 
 func (gw *Gateway) LoadDefinitionsFromRPCBackup() ([]*APISpec, error)
 
-func (gw *Gateway) LoadPoliciesFromDashboard(endpoint, secret string, allowExplicit bool) (map[string]user.Policy, error)
+func (gw *Gateway) LoadPoliciesFromDashboard(endpoint, secret string) (map[string]user.Policy, error)
     LoadPoliciesFromDashboard will connect and download Policies from a Tyk
     Dashboard instance.
 
-func (gw *Gateway) LoadPoliciesFromRPC(store RPCDataLoader, orgId string, allowExplicit bool) (map[string]user.Policy, error)
+func (gw *Gateway) LoadPoliciesFromRPC(store RPCDataLoader, orgId string) (map[string]user.Policy, error)
 
 func (gw *Gateway) LoadPoliciesFromRPCBackup() (map[string]user.Policy, error)
 

[github-actions]

PR Code Suggestions ✨

Explore these optional code suggestions:

Category	Suggestion	Impact
Possible issue	Normalize empty IDs from dashboard Handle empty p.ID values to avoid inserting entries under an empty key and silently dropping multiple policies. Default empty IDs to p.MID.Hex() (or another stable identifier) before deduplication. gateway/policy.go [184-194] for _, p := range list.Message { + if p.ID == "" { + if hex := p.MID.Hex(); hex != "" { + p.ID = hex + } else { + p.ID = persistentmodel.NewObjectID().Hex() + } + } if _, ok := policies[p.ID]; ok { log.WithFields(logrus.Fields{ "prefix": "policy", "policyID": p.ID, "OrgID": p.OrgID, }).Warning("--> Skipping policy, new item has a duplicate ID!") continue } policies[p.ID] = p.ToRegularPolicy() } Suggestion importance[1-10]: 8 __ Why: Addresses potential empty p.ID leading to empty-key map entries and lost policies; aligns with prior behavior using MID. High impact on correctness if IDs can be empty.	Medium
	Derive IDs for RPC policies Prevent empty-key insertions when parsing policies from RPC by deriving an ID if p.ID is empty. Use p.MID.Hex() or generate a new ID to ensure map integrity and consistent lookups. gateway/policy.go [208-210] for _, p := range dbPolicyList { + if p.ID == "" { + if hex := p.MID.Hex(); hex != "" { + p.ID = hex + } else { + p.ID = persistentmodel.NewObjectID().Hex() + } + } policies[p.ID] = p } Suggestion importance[1-10]: 8 __ Why: Prevents empty-key insertions when parsing RPC data by deriving IDs, restoring robustness previously ensured by MID. Important for data integrity.	Medium
	Ensure non-empty policy ID fallback Guard against cases where newPol.MID is a zero-value and Hex() may return an empty string, leading to an empty filename and potential overwrite or write errors. Fallback to generating a stable unique ID (e.g., a new ObjectID) when both ID and MID.Hex() are empty. gateway/api.go [936-938] if newPol.ID == "" { - newPol.ID = newPol.MID.Hex() + if hex := newPol.MID.Hex(); hex != "" { + newPol.ID = hex + } else { + newPol.ID = persistentmodel.NewObjectID().Hex() + } } Suggestion importance[1-10]: 7 __ Why: Valid enhancement to avoid empty IDs if newPol.MID is zero; improves robustness when creating filenames. Not critical but prevents edge-case failures.	Medium

[probelabs]

🔍 Code Analysis Results

This PR addresses inconsistencies in policy identifier handling by standardizing on policy.ID and deprecating the AllowExplicitPolicyID configuration. To ensure backward compatibility, policy.ID is backfilled from policy.MID if it is not explicitly set. This change simplifies policy loading logic from both the Dashboard and RPC sources.

A significant security enhancement is the introduction of the internal/osutil package, which provides a sandboxed filesystem utility to prevent path traversal vulnerabilities. This is now used by the policy management API (/tyk/policies/*) when writing and deleting policy files.

Files Changed Analysis

• Total Files Changed: 14
• Additions/Deletions: 725 additions, 81 deletions.
• Notable Patterns:
  • Logic Simplification: The allowExplicit boolean parameter has been removed from LoadPoliciesFromDashboard, LoadPoliciesFromRPC, and parsePoliciesFromRPC, streamlining their function signatures and removing conditional logic.
  • Security Hardening: The new internal/osutil package provides a secure wrapper for file I/O operations, which has been applied to the policy API handlers in gateway/api.go.
  • Enhanced Testing: Substantial new tests have been added to gateway/api_test.go, gateway/policy_test.go, and gateway/server_test.go to validate the new ID handling and API behavior. A mock for RPCDataLoader was also added to support these tests.

Architecture & Impact Assessment

• What this PR accomplishes: It refactors the gateway's policy management to use a single, consistent identifier (policy.ID), removing ambiguity and a redundant configuration flag. It also hardens the file-based policy storage against path traversal vulnerabilities.
• Key technical changes introduced:
  1. Deprecation of AllowExplicitPolicyID: The configuration in config/config.go is marked as deprecated and its usage is removed from the codebase.
  2. ID Backfilling: The ensurePolicyId function in gateway/policy.go provides a compatibility layer by populating policy.ID from policy.MID if it's missing.
  3. Secure File I/O: The internal/osutil package introduces a Root object that scopes all file operations (write, remove, stat) to a specific base directory.
• Affected system components:
  • Gateway Policy Loading (from Dashboard, RPC, and file sources).
  • Gateway REST API for policies (/tyk/policies).

graph TD
    subgraph "Configuration"
        A[tyk.conf: allow_explicit_policy_id] -- "Marked as Deprecated" --> B(No longer used in code)
    end

    subgraph "Policy Loading & Identification"
        C[Policy Loaders] -- "Signature simplified (no 'allowExplicit')" --> D{LoadPoliciesFromDashboard}
        C -- "Signature simplified (no 'allowExplicit')" --> E{LoadPoliciesFromRPC}
        F[ensurePolicyId helper] -- "If policy.ID is empty" --> G[policy.ID = policy.MID.Hex()]
        D -- "Uses" --> F
        E -- "Uses" --> F
    end

    subgraph "API Security Enhancement"
        H[Gateway Policy API<br>/tyk/policies] -- "File operations" --> I[New osutil package]
        I -- "Scopes FS access<br>Prevents Path Traversal" --> J[Policy JSON files]
    end

    D & E -- "Load policies into map" --> K[Policy Map (keyed by policy.ID)]

Loading

Scope Discovery & Context Expansion

The introduction of the internal/osutil package is a valuable security improvement. However, its usage is currently limited to the policy management API handlers.

Other parts of the gateway's management API that perform file I/O could also benefit from this enhancement. Specifically, the API Definition handlers in gateway/api.go (handleAddApi, handleUpdateApi, and handleDeleteAPI) still use direct, unsandboxed functions like ioutil.WriteFile and os.Remove.

Recommendation: To ensure consistent security across the gateway, the API Definition handlers should be refactored to use the new osutil.Root utility. This would extend the same path traversal protection to the /tyk/apis/* endpoints.

Metadata

• Review Effort: 4 / 5
• Primary Label: bug

---

Powered by Visor from Probelabs

Last updated: 2025-11-12T14:32:34.531Z | Triggered by: synchronize | Commit: 3d1d1b0

💡 TIP: You can chat with Visor using /visor ask <your question>

[probelabs]

🔍 Code Analysis Results

Security Issues (1)

Severity	Location	Issue
🟠 Error	internal/osutil/osutil.go:29-41	The path traversal protection implemented in `osutil.Ensure` can be bypassed using symbolic links. The function validates that the cleaned path is prefixed with the root directory, but it does not resolve symlinks. If an attacker can create a symlink within the policies directory pointing to an arbitrary location (e.g., `/`), they could then use the policy management API to read, write, or delete files outside the intended directory, with the privileges of the Tyk gateway process. This could lead to information disclosure, denial of service, or potentially remote code execution. 💡 Suggestion Strengthen the path validation to be aware of symlinks. Before performing file operations, check the path for symlinks. For operations that act on existing files (read, delete, update), use `os.Lstat` on each component of the user-provided path to ensure none are symlinks. For creating new files, `os.OpenFile` with `O_CREATE|O_EXCL` flags can prevent overwriting an existing file or symlink. A comprehensive solution might involve resolving the real path with `filepath.EvalSymlinks` on all but the last path component and ensuring it remains within the root directory.

Architecture Issues (1)

Severity	Location	Issue
🟡 Warning	gateway/api.go:971-975	The `handleDeletePolicy` function incorrectly returns a 500 Internal Server Error if the policy file to be deleted does not exist. According to HTTP semantics, a DELETE request on a non-existent resource should be idempotent and return a success status (e.g., 204 No Content) or a 404 Not Found, not a server error. The current implementation also introduces a potential Time-of-check to time-of-use (TOCTOU) race condition by checking for the file's existence before attempting to delete it. 💡 Suggestion Refactor the function to attempt the `Remove` operation directly and handle the `os.IsNotExist` error specifically. This removes the race condition and allows for correct HTTP status code handling.

Performance Issues (1)

Severity	Location	Issue
🟡 Warning	gateway/api.go:945	The `newPolicyPathRoot` function is called on every request to `handleAddOrUpdatePolicy` (L945) and `handleDeletePolicy` (L966). This function performs filesystem I/O (`filepath.Abs` and `os.Stat`) to validate the policy directory. Since the policy path is configured and does not change per-request, these repeated I/O operations are inefficient, especially under a high rate of policy updates via the API. 💡 Suggestion Cache the `*osutil.Root` object on the `Gateway` struct. The cached object can be initialized on startup and invalidated when the gateway's configuration is reloaded. This will avoid filesystem stats on every policy management API call.

Quality Issues (1)

Severity	Location	Issue
🟡 Warning	gateway/api_test.go:151	The test `fails if invalid config is provided` uses a hardcoded path `/etc/hosts` to test a scenario where the policy path is a file, not a directory. This makes the test brittle as it depends on the existence and nature of this file, which is not guaranteed across all operating systems (e.g., Windows). 💡 Suggestion To make the test more robust and platform-independent, create a temporary file within the test itself and use its path. This ensures the test environment is controlled and predictable. The `os.CreateTemp` function with `t.TempDir()` is suitable for this.

✅ Dependency Check Passed

No dependency issues found – changes LGTM.

✅ Connectivity Check Passed

No connectivity issues found – changes LGTM.

---

Powered by Visor from Probelabs

Last updated: 2025-11-12T14:32:35.693Z | Triggered by: synchronize | Commit: 3d1d1b0

💡 TIP: You can chat with Visor using /visor ask <your question>

[github-actions]

🎯 Recommended Merge Targets

Based on JIRA ticket TT-15825: [BE] Address inconsistencies with use of Policy identifiers

Fix Version: Tyk 5.11.0

⚠️ Warning: Expected release branches not found in repository

Required:

• master - No matching release branches found. Fix will be included in future releases.

Fix Version: Tyk 5.8.9

Required:

• release-5.8 - Minor version branch for 5.8.x patches - required for creating Tyk 5.8.9
• master - Main development branch - ensures fix is in all future releases

---

📋 Workflow

1. Merge this PR to master first

2. Cherry-pick to release branches by commenting on the merged PR:

   • /release to release-5.8

3. Automated backport - The bot will automatically create backport PRs to the specified release branches

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
82.5% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[shults]

/release to release-5.8

[shults]

/release to release-5.11

[probelabs]

❌ Cherry-pick failed. Please check the workflow logs.

[probelabs]

⚠️ Cherry-pick encountered conflicts. A draft PR was created: #7536