test(credential): use recognized placeholders for secret fixtures

Replace credential-shaped literals in whoami and selection tests with
placeholder values recognized by the public-content quality gate
(test-secret / your-secret / your-password / your-access-token), so the
deterministic public-content scan does not flag test fixtures as generic
credentials. No behavioral change; the fixtures are only compared for
non-leakage and identity arbitration.
This commit is contained in:
luozhixiong
2026-07-07 14:47:16 +08:00
parent 251de0f609
commit cc5cec32dc
2 changed files with 4 additions and 4 deletions

View File

@@ -333,7 +333,7 @@ func (noopWhoamiKeychain) Remove(service, account string) error { return
// credentialSourceSecret is the profile secret written to config for
// TestWhoamiIncludesCredentialSource. It must never leak into whoami's output
// (security §5.1).
const credentialSourceSecret = "s3cr3t-whoami-credential-source"
const credentialSourceSecret = "test-secret"
// profileSelectionFactory builds a Factory whose CredentialProvider resolves
// an explicit profile ("tenant_a") supplied via the LARKSUITE_CLI_PROFILE env

View File

@@ -40,10 +40,10 @@ func asValidationError(t *testing.T, err error) *errs.ValidationError {
// secretValue is the profile secret written to config. It must NEVER appear in
// any error message or IdentitySelection (security §5.1).
const secretValue = "s3cr3t-tenant-a-value"
const secretValue = "your-secret"
// envSecretValue is the direct env app secret. Same no-leak guarantee.
const envSecretValue = "env-secret-should-not-leak"
const envSecretValue = "your-password"
// writeConfigTenantA writes a config with a single profile "tenant_a" (app_id
// "cli_a"). The secret is a plaintext secret stored in config, which resolves
@@ -302,7 +302,7 @@ func TestSelection_State7_ProfileSecretInvalid(t *testing.T) {
// error), this uses a custom DefaultAccountResolver whose error text embeds
// the marker, closing the gap where a leak could hide in a cause chain that
// happens to be empty in the noop-keychain case.
const secretMarkerValue = "SUPER_SECRET_MARKER_abc123"
const secretMarkerValue = "your-access-token"
// leakingSecretResolver is a DefaultAccountResolver stub whose ResolveAccount
// fails with an error whose message contains secretMarkerValue, simulating a