Fix enforce error when using keyMatch4 - handle both string and table errors

Copilot · hsluoyz · Copilot · commit 733bf1b57fb0 · 2026-02-05T02:16:48.000Z
Co-authored-by: hsluoyz &lt;3787410+hsluoyz@users.noreply.github.com&gt;
diff --git a/examples/keymatch4_model.conf b/examples/keymatch4_model.conf
@@ -0,0 +1,14 @@
+[request_definition]
+r = sub, obj, act
+
+[policy_definition]
+p = sub, obj, act
+
+[role_definition]
+g = _, _
+
+[policy_effect]
+e = some(where (p.eft == allow))
+
+[matchers]
+m = g(r.sub, p.sub) && keyMatch4(r.obj, p.obj) && regexMatch(r.act, p.act)
diff --git a/examples/keymatch4_policy.csv b/examples/keymatch4_policy.csv
@@ -0,0 +1,4 @@
+p, alice, /parent/{id}/child/{id}, (GET)|(POST)
+p, bob, /parent/{id}/child/{another_id}, (GET)|(POST)
+g, alice, alice
+g, bob, bob
diff --git a/src/main/CoreEnforcer.lua b/src/main/CoreEnforcer.lua
@@ -446,7 +446,8 @@ function CoreEnforcer:enforceEx(...)
                 res, err = luaxp.evaluate(tExpString, context)
             end
             if err then
-                error("evaluation error: " .. err.message)
+                local errMsg = type(err) == "table" and err.message or tostring(err)
+                error("evaluation error: " .. errMsg)
             end
 
             local c = true
@@ -491,7 +492,8 @@ function CoreEnforcer:enforceEx(...)
             
         local res, err = luaxp.run(compiledExpression, context)
         if err then
-            error("evaluation error: " .. err.message)
+            local errMsg = type(err) == "table" and err.message or tostring(err)
+            error("evaluation error: " .. errMsg)
         end
 
         if res then
diff --git a/tests/main/enforcer_spec.lua b/tests/main/enforcer_spec.lua
@@ -94,6 +94,21 @@ describe("Enforcer tests", function ()
         assert.is.True(e:enforce("alice", "/alice_data2/123/using/456", "GET"))
     end)
 
+    it("keyMatch4 test", function ()
+        local model  = path .. "/examples/keymatch4_model.conf"
+        local policy  = path .. "/examples/keymatch4_policy.csv"
+
+        local e = Enforcer:new(model, policy)
+        -- Test alice with matching IDs (same placeholder value)
+        assert.is.True(e:enforce("alice", "/parent/123/child/123", "GET"))
+        assert.is.True(e:enforce("alice", "/parent/456/child/456", "POST"))
+        -- Test alice with non-matching IDs (different placeholder values)
+        assert.is.False(e:enforce("alice", "/parent/123/child/456", "GET"))
+        -- Test bob with different IDs (different placeholders, should work)
+        assert.is.True(e:enforce("bob", "/parent/123/child/456", "GET"))
+        assert.is.True(e:enforce("bob", "/parent/789/child/012", "POST"))
+    end)
+
     it("priority test", function ()
         local model  = path .. "/examples/priority_model.conf"
         local policy  = path .. "/examples/priority_policy.csv"
