Wildcard modifier to prevent matches across separator character

[gtaws]

Can we add a function or operator in Cedar to support the modfying the wildcard matcher to limit pattern matches to anything before a designated separator character, similar to the regex negative classifier modifier? For example - [^.]* in an FQDN pattern matcher such as my-service-[^.]*.example.com will match my-service-zonea.example.com and my-service-zoneb.example.com but not my-service-zonec.exfildomain.example.com. This function can also help support scoping down URL path matching such as "/api/resourceA/[^/]*/". Other possible proposals for the function could include a new like operator, such as like_sep("my-service-*.example.com", "."). Currently the policy language requires explicitly knowledge of possible permutations ahead of time that shouldn't be matched that can circumvent the intended preventative control.

[adpaco-aws]

Hi @gtaws , this function/operator can be added as long as the operation itself is analyzable through SMT. I don't expect analyzability issues with this in principle since it's a negative match, but that's just my thinking without having done any research/prototype.

Are there any other URL-related operations that would make your life easier?

[benkehoe]

I had a discussion about exactly this with @emina, and the problems she pointed out with it is what led to me proposing a path type in #103. A path type would do what you're looking for but requires you to pre-parse the string contents into a sequence of strings, and then you get the full range of Cedar matching options on each element.

[philhassey]

A pattern that also works is to have a hierarchy of entities representing the folders in the file system.

Path::"/a/b/c" in Path::"/a/b" in Path::"/a" in Path::"/"