Round 8 closers: _axis_hits helper, asymmetric-wildcard test, defensive guards

anniegracehu · anniegracehu · commit 46271ba51ba7 · 2026-04-15T11:59:44.000-07:00
- Extract _axis_hits(mr_values_set, cell_value) — collapses the three
  '*' in mr_X / val in mr_X callsites in _split_rule_after_revoke.
  Semantically asymmetric (only the revoke side honors '*'); distinct
  from _dim_matches which is symmetric.
- Defensive: skip URL-branch cells when mr['nonResourceURLs'] is empty —
  today unreachable (matcher gates non-empty), but harder to break later.
- _strip_to_set docstring.
- 2 new unit tests: _axis_hits wildcard semantics; asymmetric-wildcard
  revoke where only one dimension carries '*' (regression guard for the
  prior per-cell filter bug).
diff --git a/provider-kubeconfig.py b/provider-kubeconfig.py
@@ -254,9 +254,14 @@ def _rule_matches_revoke(self, existing_norm, revoke_norm_rule):
                 return True
 
         def _strip_to_set(self, existing_verbs, revoke_verbs):
+                """Verbs remaining after revoke, as a set; empty set means cell is dropped."""
                 stripped = self._strip_verbs(existing_verbs, revoke_verbs)
                 return set(stripped) if stripped else set()
 
+        def _axis_hits(self, mr_values_set, cell_value):
+                """Does a revoke rule's axis set target this cell? '*' in the set matches anything."""
+                return "*" in mr_values_set or cell_value in mr_values_set
+
         def _normalize_rule_list(self, rules):
                 normalized = [self._normalize_rule(r) for r in rules]
                 # Sort deterministically by all tuple fields for stable diffs.
@@ -834,10 +839,11 @@ def _split_rule_after_revoke(self, rule, matched_revoke_rules, retained_keys):
                         cell_verbs = {url: set(existing_verbs) for url in existing_urls}
                         for mr in matched_revoke_rules:
                                 mr_urls = set(mr["nonResourceURLs"])
-                                mr_urls_wild = "*" in mr_urls
+                                if not mr_urls:
+                                        continue
                                 mr_verbs = mr["verbs"]
                                 for url in cell_verbs:
-                                        if not mr_urls_wild and url not in mr_urls:
+                                        if not self._axis_hits(mr_urls, url):
                                                 continue
                                         cell_verbs[url] = self._strip_to_set(cell_verbs[url], mr_verbs)
                         out_rules = []
@@ -868,17 +874,15 @@ def _split_rule_after_revoke(self, rule, matched_revoke_rules, retained_keys):
                 for mr in matched_revoke_rules:
                         mr_apis = set(mr["apiGroups"])
                         mr_ress = set(mr["resources"])
-                        mr_apis_wild = "*" in mr_apis
-                        mr_ress_wild = "*" in mr_ress
-                        mr_names = set(mr["resourceNames"]) if mr["resourceNames"] else None
-                        mr_verbs = mr["verbs"]
                         if not mr_apis or not mr_ress:
                                 continue
+                        mr_names = set(mr["resourceNames"]) if mr["resourceNames"] else None
+                        mr_verbs = mr["verbs"]
                         for cell in cell_verbs:
                                 ag, res, rn = cell
-                                if not mr_apis_wild and ag not in mr_apis:
+                                if not self._axis_hits(mr_apis, ag):
                                         continue
-                                if not mr_ress_wild and res not in mr_ress:
+                                if not self._axis_hits(mr_ress, res):
                                         continue
                                 if mr_names is not None and rn not in mr_names:
                                         continue
diff --git a/tests/test_provider_kubeconfig.py b/tests/test_provider_kubeconfig.py
@@ -428,6 +428,27 @@ def test_split_rule_url_path_output_ordering_deterministic(self):
             [(sorted(r["verbs"]), sorted(r["nonResourceURLs"])) for r in out_b],
         )
 
+    def test_axis_hits_wildcard_semantics(self):
+        self.assertTrue(self.generator._axis_hits({"*"}, "anything"))
+        self.assertTrue(self.generator._axis_hits({"pods"}, "pods"))
+        self.assertFalse(self.generator._axis_hits({"pods"}, "services"))
+        self.assertFalse(self.generator._axis_hits(set(), "pods"))
+
+    def test_split_rule_asymmetric_wildcard_revoke(self):
+        """Revoke wildcards one dimension only — existing rules on the specific dim trim."""
+        rule = {
+            "apiGroups": [""],
+            "resources": ["pods", "configmaps"],
+            "verbs": ["get", "delete"],
+        }
+        matched = [self.generator._normalize_rule(
+            {"apiGroups": ["*"], "resources": ["pods"], "verbs": ["delete"]}
+        )]
+        result = self.generator._split_rule_after_revoke(rule, matched, set())
+        by_res = {tuple(r["resources"]): sorted(r["verbs"]) for r in result}
+        self.assertEqual(by_res[("pods",)], ["get"])
+        self.assertEqual(by_res[("configmaps",)], ["delete", "get"])
+
     def test_permission_fixture_files_parse_json_and_yaml(self):
         """Fixture files in tests/permission_files should load and parse via script helpers."""
         fixture_dir = os.path.join(ROOT, "tests", "permission_files")
