fix(logs): use correct variable for netobserv code path (#832)

JoaoBraveCoding · web-flow · commit e24d41192f0c · 2025-07-29T16:06:18.000+02:00
diff --git a/api/logs/v1/labels_enforcer.go b/api/logs/v1/labels_enforcer.go
@@ -89,7 +89,7 @@ func enforceValuesOnLogQL(mInfo AuthzResponseData, v url.Values, paramName strin
 	paramValue := v.Get(paramName)
 	if paramValue == "" {
 		// For query endpoints, we don't always to enforce the authorization
-		// label matchers, so weskip it if the query is empty.
+		// label matchers, so we skip it if the query is empty.
 		if queryEndpoint {
 			return v.Encode(), nil
 		}
@@ -107,7 +107,7 @@ func enforceValuesOnLogQL(mInfo AuthzResponseData, v url.Values, paramName strin
 	}
 
 	// Logical "OR" only applies to query expressions, not for filter params
-	if mInfo.MatcherOp == logicalOr && paramValue == queryParam {
+	if mInfo.MatcherOp == logicalOr && paramName == queryParam {
 		// Logical "OR" to combine multiple matchers needs to be done via LogQueryExpr > LogPipelineExpr
 		expr.Walk(func(expr interface{}) {
 			if le, ok := expr.(*logqlv2.LogQueryExpr); ok {
diff --git a/api/logs/v1/labels_enforcer_test.go b/api/logs/v1/labels_enforcer_test.go
@@ -97,6 +97,7 @@ func TestEnforceValuesOnQuery(t *testing.T) {
 	tt := []struct {
 		desc           string
 		accessMatchers []*labels.Matcher
+		matcherOp      string
 		urlValues      url.Values
 		expValues      url.Values
 	}{
@@ -160,6 +161,45 @@ func TestEnforceValuesOnQuery(t *testing.T) {
 				"query": []string{"{kubernetes_namespace_name=~\"ns-name|another-ns-name|openshift-.*\", kubernetes_container_name=\"logger\", kubernetes_pod_name=\"pod-name\"}"},
 			},
 		},
+		{
+			desc: "logical OR with query parameter",
+			accessMatchers: []*labels.Matcher{
+				{
+					Type:  labels.MatchRegexp,
+					Name:  "kubernetes_namespace_name",
+					Value: "ns-1|ns-2",
+				},
+			},
+			matcherOp: logicalOr,
+			urlValues: url.Values{
+				"query": []string{`{app="test"}`},
+			},
+			expValues: url.Values{
+				"query": []string{"{app=\"test\"} | kubernetes_namespace_name =~ \"ns-1|ns-2\""},
+			},
+		},
+		{
+			desc: "logical OR with multiple matchers",
+			accessMatchers: []*labels.Matcher{
+				{
+					Type:  labels.MatchRegexp,
+					Name:  "kubernetes_namespace_name",
+					Value: "ns-1|ns-2",
+				},
+				{
+					Type:  labels.MatchEqual,
+					Name:  "cluster",
+					Value: "prod",
+				},
+			},
+			matcherOp: logicalOr,
+			urlValues: url.Values{
+				"query": []string{`{service="api"}`},
+			},
+			expValues: url.Values{
+				"query": []string{"{service=\"api\"} | kubernetes_namespace_name =~ \"ns-1|ns-2\" or cluster = \"prod\""},
+			},
+		},
 	}
 
 	for _, tc := range tt {
@@ -169,7 +209,12 @@ func TestEnforceValuesOnQuery(t *testing.T) {
 			ou, err := url.Parse(fmt.Sprintf("/loki/api/v1/query_range?%s", tc.urlValues.Encode()))
 			testutil.Ok(t, err)
 
-			v, err := enforceValues(AuthzResponseData{Matchers: tc.accessMatchers}, ou)
+			authzData := AuthzResponseData{Matchers: tc.accessMatchers}
+			if tc.matcherOp != "" {
+				authzData.MatcherOp = tc.matcherOp
+			}
+
+			v, err := enforceValues(authzData, ou)
 			testutil.Ok(t, err)
 
 			if len(tc.urlValues.Encode()) == 0 {
@@ -205,6 +250,12 @@ func TestEnforceValuesOnQuery(t *testing.T) {
 			})
 
 			testutil.Equals(t, matchersToStrings(mExp), matchersToStrings(m))
+
+			if tc.matcherOp != "" {
+				expQuery := tc.expValues.Get("query")
+				actualQuery := smExpr.String()
+				testutil.Equals(t, expQuery, actualQuery)
+			}
 		})
 	}
 }
