Wonk fails on '?' syntax in policies #12

Open
JonnyDaenen opened this issue Sep 8, 2022 · 1 comment
Comments

JonnyDaenen commented Sep 8, 2022

Problem

Given the following resource description:

arn:<hidden>:log-group:???-dummy:*

Wonk fails on this.

Cause

Wonk tries to use this string as a regex to find out if multiple, more specific strings, match. This happens here.

To do so, wonk replaces * with .* in order to match with regex syntax in python. The question mark, which also needs a character in front of it, is not adjusted.

Potential solution

I believe it makes sense to also replace the question mark using the following code:

        pattern_string = item.replace("?", ".?")

If I understand the semantics of wonk correctly in this part, this should solve the error while also looking for more specific strings.

@JonnyDaenen
Author

My suggestion was wrong:

  • the pattern string should be item.replace("?", "."), as this corresponds with the semantics of AWS IAM
  • currently paths can remove each other, e.g. f**o and f*o will match each other's regex, so they will cancel each other out

To solve the latter issue, the best approach would be regex equivalence (of the subclass being used by AWS). This is not readily available, see e.g. this post and this test referenced in that post.

Another solution might be to leverage the current approach, but to create a graph of resources. Cycle detection can then make sure not all resources in a cluster are removed.

I've created PR #13 that solves the question mark problem itself, and added some new tests.
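The two points raised in this thread, the `?` conversion and the mutual cancellation of patterns such as `f*o` / `f**o`, are illustrated below in an added example. This is not Wonk's code and not the author's PR; it is an independent sketch. `star_only_regex` reproduces the conversion the report describes (only `*` rewritten) so the `re.error` can be seen; `iam_pattern_to_regex` does the `?` -> `.` rewrite from the comment and additionally escapes every other character. `literal_covers` is the "does the general pattern's regex match the specific string" test the report attributes to Wonk, kept here to show why it is symmetric. `glob_includes` is an assumed alternative to that heuristic: a language-inclusion check for the IAM wildcard subclass (only `*` and `?`), implemented as a search over sets of live positions, and `prune_redundant` uses it so that a group of mutually-including patterns keeps one representative. The ARN `REPORTED_PATTERN` is a constructed stand-in for the redacted one in the report (partition, service and account fields are made up), and the check assumes patterns never contain a NUL byte, which it uses as the "some other character" symbol.

```python
import re
from typing import FrozenSet, Iterable, List, Set

# Constructed stand-in for the redacted ARN in the report (fields made up).
REPORTED_PATTERN = "arn:aws:logs:*:*:log-group:???-dummy:*"


def star_only_regex(pattern: str) -> str:
    """The conversion the report describes: only '*' is rewritten, so a
    '?' reaches re as a quantifier and '???' fails with 'multiple repeat'."""
    return pattern.replace("*", ".*")


def star_only_compiles(pattern: str) -> bool:
    """True if star_only_regex(pattern) is accepted by re.compile."""
    try:
        re.compile(star_only_regex(pattern))
        return True
    except re.error:
        return False


def iam_pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """'*' -> '.*', '?' -> '.', everything else escaped so that ARN
    punctuation such as '.', '+' or '$' stays literal."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts))


def literal_covers(general: str, specific: str) -> bool:
    """Cheap check: does general's regex match `specific` as a plain string?
    Symmetric for f*o / f**o (the cancellation trap) and wrongly claims
    f?o covers f*o, because it is not language inclusion."""
    return iam_pattern_to_regex(general).fullmatch(specific) is not None


def _closure(a: str, positions: Iterable[int]) -> FrozenSet[int]:
    """A '*' at position i may consume nothing, so i also reaches i + 1."""
    out: Set[int] = set()
    todo = list(positions)
    while todo:
        i = todo.pop()
        if i not in out:
            out.add(i)
            if i < len(a) and a[i] == "*":
                todo.append(i + 1)
    return frozenset(out)


def _step(a: str, positions: FrozenSet[int], ch: str) -> FrozenSet[int]:
    """Advance every live position of pattern `a` over one character."""
    nxt: Set[int] = set()
    for i in positions:
        if i < len(a):
            if a[i] == "*":
                nxt.add(i)  # '*' absorbs ch and stays put
            elif a[i] == "?" or a[i] == ch:
                nxt.add(i + 1)
    return _closure(a, nxt)


def glob_includes(general: str, specific: str) -> bool:
    """True iff every string matched by `specific` is also matched by
    `general`. Search over (position in specific, live positions in general);
    a '?' or '*' in `specific` branches over each literal of `general` plus
    one character found in neither pattern (NUL, assumed absent)."""
    alphabet = (set(general) - {"*", "?"}) | {"\x00"}
    start = (0, _closure(general, {0}))
    seen = {start}
    todo = [start]
    while todo:
        j, live = todo.pop()
        if j == len(specific):
            if len(general) not in live:
                return False  # a string specific accepts that general rejects
            continue
        tok = specific[j]
        if tok == "*":
            succ = [(j + 1, live)] + [(j, _step(general, live, c)) for c in alphabet]
        elif tok == "?":
            succ = [(j + 1, _step(general, live, c)) for c in alphabet]
        else:
            succ = [(j + 1, _step(general, live, tok))]
        for state in succ:
            if state not in seen:
                seen.add(state)
                todo.append(state)
    return True


def prune_redundant(patterns: Iterable[str]) -> List[str]:
    """Shortest candidates first; a candidate is dropped only when an
    already-kept pattern includes it, and when kept it evicts the kept
    patterns it includes. Mutually-including patterns (f*o, f**o) therefore
    keep exactly one representative instead of deleting each other."""
    kept: List[str] = []
    for p in sorted(set(patterns), key=lambda s: (len(s), s)):
        if any(glob_includes(k, p) for k in kept):
            continue
        kept = [k for k in kept if not glob_includes(p, k)]
        kept.append(p)
    return kept
```

`glob_includes` is exponential in the worst case (the live set is a subset of positions), which is acceptable for ARN-sized patterns but should be bounded if it is ever run over untrusted policy documents.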
