mirror of
https://github.com/larksuite/cli.git
synced 2026-07-08 10:08:02 +08:00
test(credential): use recognized placeholders for secret fixtures
Replace credential-shaped literals in whoami and selection tests with placeholder values recognized by the public-content quality gate (test-secret / your-secret / your-password / your-access-token), so the deterministic public-content scan does not flag test fixtures as generic credentials. No behavioral change; the fixtures are only compared for non-leakage and identity arbitration.
This commit is contained in:
@@ -333,7 +333,7 @@ func (noopWhoamiKeychain) Remove(service, account string) error { return
|
||||
// credentialSourceSecret is the profile secret written to config for
|
||||
// TestWhoamiIncludesCredentialSource. It must never leak into whoami's output
|
||||
// (security §5.1).
|
||||
const credentialSourceSecret = "s3cr3t-whoami-credential-source"
|
||||
const credentialSourceSecret = "test-secret"
|
||||
|
||||
// profileSelectionFactory builds a Factory whose CredentialProvider resolves
|
||||
// an explicit profile ("tenant_a") supplied via the LARKSUITE_CLI_PROFILE env
|
||||
|
||||
@@ -40,10 +40,10 @@ func asValidationError(t *testing.T, err error) *errs.ValidationError {
|
||||
|
||||
// secretValue is the profile secret written to config. It must NEVER appear in
|
||||
// any error message or IdentitySelection (security §5.1).
|
||||
const secretValue = "s3cr3t-tenant-a-value"
|
||||
const secretValue = "your-secret"
|
||||
|
||||
// envSecretValue is the direct env app secret. Same no-leak guarantee.
|
||||
const envSecretValue = "env-secret-should-not-leak"
|
||||
const envSecretValue = "your-password"
|
||||
|
||||
// writeConfigTenantA writes a config with a single profile "tenant_a" (app_id
|
||||
// "cli_a"). The secret is a plaintext secret stored in config, which resolves
|
||||
@@ -302,7 +302,7 @@ func TestSelection_State7_ProfileSecretInvalid(t *testing.T) {
|
||||
// error), this uses a custom DefaultAccountResolver whose error text embeds
|
||||
// the marker, closing the gap where a leak could hide in a cause chain that
|
||||
// happens to be empty in the noop-keychain case.
|
||||
const secretMarkerValue = "SUPER_SECRET_MARKER_abc123"
|
||||
const secretMarkerValue = "your-access-token"
|
||||
|
||||
// leakingSecretResolver is a DefaultAccountResolver stub whose ResolveAccount
|
||||
// fails with an error whose message contains secretMarkerValue, simulating a
|
||||
|
||||
Reference in New Issue
Block a user