
fix: guard create rules on 2xx instead of name fallbacks #680

Open

ecv wants to merge 1 commit into main from fix/activitypolicy-create-2xx-guard

Conversation

@ecv ecv commented Jul 1, 2026

Contributor

What

Follow-up to #672. Replace the has()-chained summary fallbacks with a success guard on the six ActivityPolicy create rules.

Why

Per Scot's review on milo-os/billing#69: guard write rules to only trigger on successful requests, rather than defensively dereferencing fields that a rejected create never populates.

Rejected creates (the DLQ-leak source, milo-os/activity#212) return 4xx. Guarding the match on 2xx means they match no rule and never deref an absent responseObject.metadata.name — root-cause fix vs the has() band-aid #672 shipped.

Fix

  • Add audit.responseStatus.code >= 200 && audit.responseStatus.code < 300 to the create match in group / role / serviceaccount (iam + identity) / organization / project policies
  • Revert create summaries to the simple link(audit.responseObject.metadata.name, audit.objectRef) form; a 2xx create always has that field

Failed creates emit no "created" activity by design; they remain queryable via responseStatus.code >= 400 in audit query.

Related

Follow-up to #672. Replace the has()-chained summary fallbacks with a
success guard on the create match. Rejected creates (the DLQ-leak
source) return 4xx, so they now match no rule and never deref an absent
responseObject.metadata.name.

Key changes:
- Add audit.responseStatus.code >= 200 && < 300 to the create match in
  the six group/role/serviceaccount/organization/project policies
- Revert create summaries to the simple link() form; a 2xx create always
  has responseObject.metadata.name

Failed creates emit no "created" activity by design; they remain
queryable via responseStatus.code >= 400 in audit query.
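To make the three rule shapes the PR compares concrete, here is an added Python model (not code from this PR or the milo-os repositories) run over constructed audit events: an unguarded rule that dereferences responseObject.metadata.name on every create, the #672-style has()-chained fallback, and this PR's 2xx-guarded rule. The link() helper, the event field layout beyond the fields quoted in the PR, and the treatment of a raised error as the DLQ path are assumptions made for the illustration.

```python
# Added example, not code from the PR: a Python model of the three rule styles
# the PR discusses, evaluated over constructed audit events. link(), the event
# shapes and the "error == DLQ" behaviour are assumptions for illustration.


def link(name, object_ref):
    # Hypothetical stand-in for the policy's link() summary helper.
    return f"[{name}]({object_ref['resource']}/{name})"


def is_success(audit):
    # The guard the PR adds: only a 2xx response counts as a successful create.
    code = audit["responseStatus"]["code"]
    return 200 <= code < 300


def unguarded_rule(audit):
    """Pre-#672 shape: match every create and dereference the name unconditionally."""
    if audit["verb"] != "create":
        return None
    return link(audit["responseObject"]["metadata"]["name"], audit["objectRef"])


def fallback_rule(audit):
    """#672 shape: still match every create, but has()-chain around missing fields."""
    if audit["verb"] != "create":
        return None
    meta = (audit.get("responseObject") or {}).get("metadata") or {}
    name = meta.get("name") or audit["objectRef"].get("name") or "<unknown>"
    return link(name, audit["objectRef"])


def guarded_rule(audit):
    """This PR's shape: match only 2xx creates, then dereference the name directly."""
    if audit["verb"] != "create" or not is_success(audit):
        return None
    return link(audit["responseObject"]["metadata"]["name"], audit["objectRef"])


def evaluate(rule, audit):
    """Run one rule the way a policy engine would: a raised error means the event
    could not be processed and is parked (the DLQ path); no match is no activity."""
    try:
        summary = rule(audit)
    except (KeyError, TypeError) as err:
        return ("dlq", f"{type(err).__name__}: {err}")
    return ("activity", summary) if summary is not None else ("no-match", None)


def failed_creates(events):
    """The audit-side query the PR points to for rejected creates (code >= 400)."""
    return [e for e in events
            if e["verb"] == "create" and e["responseStatus"]["code"] >= 400]


# Constructed sample events; the shape is modelled on Kubernetes audit events.
SUCCESS_CREATE = {
    "auditID": "c1", "verb": "create",
    "objectRef": {"resource": "groups", "name": "team-a"},
    "responseStatus": {"code": 201},
    "responseObject": {"metadata": {"name": "team-a"}},
}
REJECTED_CREATE = {
    "auditID": "c2", "verb": "create",
    "objectRef": {"resource": "groups"},  # rejected before any object existed
    "responseStatus": {"code": 403, "reason": "Forbidden"},
    # no responseObject at all: this is the field an unguarded rule dereferences
}
READ_EVENT = {
    "auditID": "r1", "verb": "get",
    "objectRef": {"resource": "groups", "name": "team-a"},
    "responseStatus": {"code": 200},
}
EVENTS = [SUCCESS_CREATE, REJECTED_CREATE, READ_EVENT]


if __name__ == "__main__":
    for rule in (unguarded_rule, fallback_rule, guarded_rule):
        for event in EVENTS:
            print(f"{rule.__name__:15} {event['auditID']}: {evaluate(rule, event)}")
    print("still queryable:", [e["auditID"] for e in failed_creates(EVENTS)])
```

Running it shows the three outcomes on the rejected create: the unguarded rule raises and the event goes to the DLQ, the fallback rule still emits a "created" activity with a placeholder name, and the guarded rule matches nothing while failed_creates() still returns the event for audit queries.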