Improve permission regexp matching

Now handles multiple values in any of APIGroups, Resources, or Verbs.
Adds small utility function for trimming and splitting those values into
a string slice.

Signed-off-by: Tayler Geiger <[email protected]>

Author: trgeiger

internal/operator-controller/authorization/rbac.go

@@ -563,7 +563,7 @@ func parseEscalationErrorForMissingRules(ecError error) ([]rbacv1.PolicyRule, er
 	// Group 2: Optional resolution errors
 	errRegex := regexp.MustCompile(`(?s)^user ".*" \(groups=.*\) is attempting to grant RBAC permissions not currently held: (.*)(?:; resolution errors: (.*))?$`)
 	// permRegex extracts the details (APIGroups, Resources, Verbs) of individual permissions listed within the error message
-	permRegex := regexp.MustCompile(`{APIGroups:\[("[^"]*")], Resources:\[("[^"]*")], Verbs:\[("[^"]*")]}`)
+	permRegex := regexp.MustCompile(`{APIGroups:\[([^\]]*)\], Resources:\[([^\]]*)\], Verbs:\[([^\]]*)\]}`)
 
 	errString := ecError.Error()
 	errMatches := errRegex.FindStringSubmatch(errString) // Use FindStringSubmatch for single match expected
@@ -587,9 +587,9 @@ func parseEscalationErrorForMissingRules(ecError error) ([]rbacv1.PolicyRule, er
 			continue // Skip malformed permission strings
 		}
 		permissions = append(permissions, rbacv1.PolicyRule{
-			APIGroups: []string{strings.Trim(match[1], `"`)},
-			Resources: []string{strings.Trim(match[2], `"`)},
-			Verbs:     []string{strings.Trim(match[3], `"`)},
+			APIGroups: splitAndTrim(match[1]),
+			Resources: splitAndTrim(match[2]),
+			Verbs:     splitAndTrim(match[3]),
 		})
 	}
 
@@ -603,6 +603,18 @@ func parseEscalationErrorForMissingRules(ecError error) ([]rbacv1.PolicyRule, er
 	return permissions, errors.New(errMsg)
 }
 
+func splitAndTrim(input string) []string {
+	parts := strings.Split(input, ",")
+
+	output := make([]string, 0, len(parts))
+	for _, part := range parts {
+		trimmed := strings.TrimSpace(part)
+		trimmed = strings.Trim(trimmed, `"`)
+		output = append(output, trimmed)
+	}
+	return output
+}
+
 func hasAggregationRule(clusterRole *rbacv1.ClusterRole) bool {
 	// Currently, an aggregation rule is considered present only if it has one or more selectors.
 	// An empty slice of ClusterRoleSelectors means no selectors were provided,