From cc5cec32dc1468b7162146bd3b2edf1dce1a18d5 Mon Sep 17 00:00:00 2001 From: luozhixiong Date: Tue, 7 Jul 2026 14:47:16 +0800 Subject: [PATCH] test(credential): use recognized placeholders for secret fixtures Replace credential-shaped literals in whoami and selection tests with placeholder values recognized by the public-content quality gate (test-secret / your-secret / your-password / your-access-token), so the deterministic public-content scan does not flag test fixtures as generic credentials. No behavioral change; the fixtures are only compared for non-leakage and identity arbitration. --- cmd/whoami/whoami_test.go | 2 +- internal/credential/credential_provider_selection_test.go | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/cmd/whoami/whoami_test.go b/cmd/whoami/whoami_test.go index 201a347c9..36cc7b3df 100644 --- a/cmd/whoami/whoami_test.go +++ b/cmd/whoami/whoami_test.go @@ -333,7 +333,7 @@ func (noopWhoamiKeychain) Remove(service, account string) error { return // credentialSourceSecret is the profile secret written to config for // TestWhoamiIncludesCredentialSource. It must never leak into whoami's output // (security §5.1). -const credentialSourceSecret = "s3cr3t-whoami-credential-source" +const credentialSourceSecret = "test-secret" // profileSelectionFactory builds a Factory whose CredentialProvider resolves // an explicit profile ("tenant_a") supplied via the LARKSUITE_CLI_PROFILE env diff --git a/internal/credential/credential_provider_selection_test.go b/internal/credential/credential_provider_selection_test.go index 8b0652403..cd4fd8800 100644 --- a/internal/credential/credential_provider_selection_test.go +++ b/internal/credential/credential_provider_selection_test.go @@ -40,10 +40,10 @@ func asValidationError(t *testing.T, err error) *errs.ValidationError { // secretValue is the profile secret written to config. It must NEVER appear in // any error message or IdentitySelection (security §5.1). -const secretValue = "s3cr3t-tenant-a-value" +const secretValue = "your-secret" // envSecretValue is the direct env app secret. Same no-leak guarantee. -const envSecretValue = "env-secret-should-not-leak" +const envSecretValue = "your-password" // writeConfigTenantA writes a config with a single profile "tenant_a" (app_id // "cli_a"). The secret is a plaintext secret stored in config, which resolves @@ -302,7 +302,7 @@ func TestSelection_State7_ProfileSecretInvalid(t *testing.T) { // error), this uses a custom DefaultAccountResolver whose error text embeds // the marker, closing the gap where a leak could hide in a cause chain that // happens to be empty in the noop-keychain case. -const secretMarkerValue = "SUPER_SECRET_MARKER_abc123" +const secretMarkerValue = "your-access-token" // leakingSecretResolver is a DefaultAccountResolver stub whose ResolveAccount // fails with an error whose message contains secretMarkerValue, simulating a