Files
larksuite-cli/tests/cli_e2e/core.go
sang-neo03 9ba0d15161 Feat/risk tiering (#633)
* feat(risk): implement confirmation for high-risk write operations

* feat(risk): streamline confirmation for high-risk write operations

* feat(risk): document approval protocol for high-risk write operations

* feat(risk): refine confirmation protocol for high-risk write operations

* feat(risk): remove redundant variable declaration in risk test

* feat(risk): add 'Yes' flag to various test cases for confirmation
2026-04-28 18:15:56 +08:00

464 lines
13 KiB
Go

// Copyright (c) 2026 Lark Technologies Pte. Ltd.
// SPDX-License-Identifier: MIT
// Package clie2e contains end-to-end tests for lark-cli.
package clie2e
import (
"bytes"
"context"
"encoding/json"
"errors"
"fmt"
"os"
"os/exec"
"path/filepath"
"strings"
"testing"
"time"
"github.com/stretchr/testify/assert"
"github.com/tidwall/gjson"
)
const EnvBinaryPath = "LARK_CLI_BIN"
const projectRootMarkerDir = "tests"
const cliBinaryName = "lark-cli"
const CleanupTimeout = 30 * time.Second
func SkipWithoutUserToken(t *testing.T) {
t.Helper()
if os.Getenv("LARKSUITE_CLI_USER_ACCESS_TOKEN") != "" {
return
}
ctx, cancel := context.WithTimeout(context.Background(), 15*time.Second)
defer cancel()
result, err := RunCmd(ctx, Request{
Args: []string{"auth", "status", "--verify"},
})
if err != nil {
t.Skipf("skipped: LARKSUITE_CLI_USER_ACCESS_TOKEN not set and failed to check local user login via `lark-cli auth status --verify`: %v", err)
}
if result.ExitCode != 0 {
t.Skipf("skipped: LARKSUITE_CLI_USER_ACCESS_TOKEN not set and local user login check failed: exit=%d stderr=%s", result.ExitCode, strings.TrimSpace(result.Stderr))
}
stdout := strings.TrimSpace(result.Stdout)
if stdout == "" {
t.Skip("skipped: LARKSUITE_CLI_USER_ACCESS_TOKEN not set and `lark-cli auth status --verify` returned empty stdout")
}
if !gjson.Valid(stdout) {
t.Skipf("skipped: LARKSUITE_CLI_USER_ACCESS_TOKEN not set and `lark-cli auth status --verify` returned non-JSON stdout: %s", stdout)
}
if identity := gjson.Get(stdout, "identity").String(); identity != "user" {
t.Skip("skipped: LARKSUITE_CLI_USER_ACCESS_TOKEN not set and local auth is not a verified user login")
}
if verified := gjson.Get(stdout, "verified"); verified.Exists() && !verified.Bool() {
verifyErr := gjson.Get(stdout, "verifyError").String()
if verifyErr != "" {
t.Skipf("skipped: LARKSUITE_CLI_USER_ACCESS_TOKEN not set and local user login verification failed: %s", verifyErr)
}
t.Skip("skipped: LARKSUITE_CLI_USER_ACCESS_TOKEN not set and local user login verification failed")
}
}
// Request describes one lark-cli invocation.
type Request struct {
// Args are required and exclude the lark-cli binary name.
Args []string
// Params is optional and becomes --params '<json>' when non-nil.
Params any
// Data is optional and becomes --data '<json>' when non-nil.
Data any
// Stdin is optional and becomes the child process stdin when non-nil.
// Use an empty slice to exercise empty-stdin behavior explicitly.
Stdin []byte
// BinaryPath is optional. Empty means: LARK_CLI_BIN, project-root ./lark-cli, then PATH.
BinaryPath string
// DefaultAs is optional and becomes --as <value> when non-empty.
DefaultAs string
// Format is optional and becomes --format <format> when non-empty.
Format string
// WorkDir is optional and becomes the child process working directory when non-empty.
WorkDir string
// Env adds or overrides environment variables for this one child process only.
Env map[string]string
// Yes confirms high-risk-write commands. When true, the runner appends
// --yes so the framework-level confirmation gate passes. Setting it on a
// non-high-risk command will fail with "unknown flag: --yes".
Yes bool
}
// Result captures process execution output.
type Result struct {
BinaryPath string
Args []string
ExitCode int
Stdout string
Stderr string
RunErr error
}
// RetryOptions configures retry behavior for flaky external API calls.
type RetryOptions struct {
Attempts int
InitialDelay time.Duration
MaxDelay time.Duration
BackoffMultiple int
ShouldRetry func(*Result) bool
}
// RunCmd executes lark-cli and captures stdout/stderr/exit code.
func RunCmd(ctx context.Context, req Request) (*Result, error) {
binaryPath, err := ResolveBinaryPath(req)
if err != nil {
return nil, err
}
args, err := BuildArgs(req)
if err != nil {
return nil, err
}
cmd := exec.CommandContext(ctx, binaryPath, args...)
if req.WorkDir != "" {
cmd.Dir = req.WorkDir
}
cmd.Env = buildCommandEnv(req)
var stdout bytes.Buffer
var stderr bytes.Buffer
if req.Stdin != nil {
cmd.Stdin = bytes.NewReader(req.Stdin)
}
cmd.Stdout = &stdout
cmd.Stderr = &stderr
runErr := cmd.Run()
result := &Result{
BinaryPath: binaryPath,
Args: args,
ExitCode: exitCode(runErr),
Stdout: stdout.String(),
Stderr: stderr.String(),
RunErr: runErr,
}
return result, nil
}
func buildCommandEnv(req Request) []string {
env := append([]string{}, os.Environ()...)
overrides := map[string]string{}
for k, v := range req.Env {
overrides[k] = v
}
// Keep user-token injection scoped to user-only test commands so bot
// commands continue to use config-init credentials in the same process.
if req.DefaultAs == "user" {
if appID := os.Getenv("TEST_BOT1_APP_ID"); appID != "" {
if token := os.Getenv("TEST_USER_ACCESS_TOKEN"); token != "" {
overrides["LARKSUITE_CLI_APP_ID"] = appID
overrides["LARKSUITE_CLI_USER_ACCESS_TOKEN"] = token
}
}
}
for k, v := range overrides {
prefix := k + "="
replaced := false
for i, item := range env {
if strings.HasPrefix(item, prefix) {
env[i] = prefix + v
replaced = true
break
}
}
if !replaced {
env = append(env, prefix+v)
}
}
return env
}
// RunCmdWithRetry reruns a command when the result matches the configured retry condition.
func RunCmdWithRetry(ctx context.Context, req Request, opts RetryOptions) (*Result, error) {
if opts.Attempts <= 0 {
opts.Attempts = 4
}
if opts.InitialDelay <= 0 {
opts.InitialDelay = 1 * time.Second
}
if opts.MaxDelay <= 0 {
opts.MaxDelay = 6 * time.Second
}
if opts.BackoffMultiple <= 1 {
opts.BackoffMultiple = 2
}
if opts.ShouldRetry == nil {
opts.ShouldRetry = func(result *Result) bool {
return result != nil && result.ExitCode != 0
}
}
delay := opts.InitialDelay
var lastResult *Result
for attempt := 1; attempt <= opts.Attempts; attempt++ {
result, err := RunCmd(ctx, req)
if err != nil {
return nil, err
}
lastResult = result
if attempt == opts.Attempts || !opts.ShouldRetry(result) {
return result, nil
}
timer := time.NewTimer(delay)
select {
case <-ctx.Done():
timer.Stop()
return lastResult, nil
case <-timer.C:
}
nextDelay := delay * time.Duration(opts.BackoffMultiple)
if nextDelay > opts.MaxDelay {
delay = opts.MaxDelay
} else {
delay = nextDelay
}
}
return lastResult, nil
}
// GenerateSuffix returns a high-entropy UTC timestamp suffix suitable for remote test resource names.
func GenerateSuffix() string {
now := time.Now().UTC()
return fmt.Sprintf("%s-%09d", now.Format("20060102-150405"), now.Nanosecond())
}
// CleanupContext returns a bounded context for teardown operations so cleanup
// cannot outlive the test indefinitely when the remote API stalls.
func CleanupContext() (context.Context, context.CancelFunc) {
return context.WithTimeout(context.Background(), CleanupTimeout)
}
// ReportCleanupFailure emits a uniform cleanup error with command output.
func ReportCleanupFailure(parentT *testing.T, prefix string, result *Result, err error) {
parentT.Helper()
if err != nil {
parentT.Errorf("%s: %v", prefix, err)
return
}
if result == nil {
parentT.Errorf("%s: nil result", prefix)
return
}
if isCleanupSuppressedResult(result) {
return
}
if result.ExitCode != 0 {
parentT.Errorf("%s failed: exit=%d stdout=%s stderr=%s", prefix, result.ExitCode, result.Stdout, result.Stderr)
}
}
func isCleanupSuppressedResult(result *Result) bool {
if result == nil {
return false
}
raw := strings.TrimSpace(result.Stdout)
if raw == "" {
raw = strings.TrimSpace(result.Stderr)
}
if raw == "" {
return false
}
start := strings.LastIndex(raw, "\n{")
if start >= 0 {
start++
} else {
start = strings.Index(raw, "{")
}
if start < 0 {
return false
}
payload := raw[start:]
if !gjson.Valid(payload) {
return false
}
errType := gjson.Get(payload, "error.type").String()
errMessage := strings.ToLower(gjson.Get(payload, "error.message").String())
errDetailType := gjson.Get(payload, "error.detail.type").String()
errCode := gjson.Get(payload, "error.code").Int()
if errDetailType == "not_found" || strings.Contains(errMessage, "not found") || strings.Contains(errMessage, "http 404") {
return true
}
return errType == "api_error" && (errCode == 800004135 || strings.Contains(errMessage, " limited"))
}
// ResolveBinaryPath finds the CLI binary path using request, env, then PATH.
func ResolveBinaryPath(req Request) (string, error) {
if req.BinaryPath != "" {
return normalizeBinaryPath(req.BinaryPath)
}
if envPath := strings.TrimSpace(os.Getenv(EnvBinaryPath)); envPath != "" {
return normalizeBinaryPath(envPath)
}
if rootDir, err := findProjectRootDir(); err == nil {
projectBinary := filepath.Join(rootDir, cliBinaryName)
if _, statErr := os.Stat(projectBinary); statErr == nil {
return normalizeBinaryPath(projectBinary)
}
}
path, err := exec.LookPath(cliBinaryName)
if err == nil {
return normalizeBinaryPath(path)
}
return "", fmt.Errorf("resolve lark-cli binary: not found via request.BinaryPath, %s, project-root ./%s, PATH:%s", EnvBinaryPath, cliBinaryName, cliBinaryName)
}
func normalizeBinaryPath(path string) (string, error) {
if strings.TrimSpace(path) == "" {
return "", errors.New("binary path is empty")
}
absPath, err := filepath.Abs(path)
if err != nil {
return "", fmt.Errorf("resolve absolute binary path %q: %w", path, err)
}
info, err := os.Stat(absPath)
if err != nil {
return "", fmt.Errorf("stat binary path %q: %w", absPath, err)
}
if info.IsDir() {
return "", fmt.Errorf("binary path %q is a directory", absPath)
}
if info.Mode()&0o111 == 0 {
return "", fmt.Errorf("binary path %q is not executable", absPath)
}
return absPath, nil
}
// BuildArgs converts a request into CLI arguments.
func BuildArgs(req Request) ([]string, error) {
args := append([]string{}, req.Args...)
if len(args) == 0 {
return nil, errors.New("request args are required")
}
if req.DefaultAs != "" {
args = append(args, "--as", req.DefaultAs)
}
if req.Format != "" {
args = append(args, "--format", req.Format)
}
if req.Yes {
args = append(args, "--yes")
}
if req.Params != nil {
paramsBytes, err := json.Marshal(req.Params)
if err != nil {
return nil, fmt.Errorf("marshal lark-cli params: %w", err)
}
args = append(args, "--params", string(paramsBytes))
}
if req.Data != nil {
dataBytes, err := json.Marshal(req.Data)
if err != nil {
return nil, fmt.Errorf("marshal lark-cli data: %w", err)
}
args = append(args, "--data", string(dataBytes))
}
return args, nil
}
func findProjectRootDir() (string, error) {
currentDir, err := os.Getwd()
if err != nil {
return "", fmt.Errorf("get working directory: %w", err)
}
for {
markerPath := filepath.Join(currentDir, projectRootMarkerDir)
fileInfo, statErr := os.Stat(markerPath)
if statErr == nil && fileInfo.IsDir() {
return currentDir, nil
}
parentDir := filepath.Dir(currentDir)
if parentDir == "" || parentDir == currentDir {
break
}
currentDir = parentDir
}
return "", fmt.Errorf("project root not found from cwd using marker %q", projectRootMarkerDir)
}
func exitCode(err error) int {
if err == nil {
return 0
}
var exitErr *exec.ExitError
if errors.As(err, &exitErr) {
return exitErr.ExitCode()
}
return -1
}
// StdoutJSON decodes stdout as JSON.
func (r *Result) StdoutJSON(t *testing.T) any {
t.Helper()
return mustParseJSON(t, "stdout", r.Stdout)
}
// StderrJSON decodes stderr as JSON.
func (r *Result) StderrJSON(t *testing.T) any {
t.Helper()
return mustParseJSON(t, "stderr", r.Stderr)
}
func mustParseJSON(t *testing.T, stream string, raw string) any {
t.Helper()
if strings.TrimSpace(raw) == "" {
t.Fatalf("%s is empty", stream)
}
var value any
if err := json.Unmarshal([]byte(raw), &value); err != nil {
t.Fatalf("parse %s as JSON: %v\n%s:\n%s", stream, err, stream, raw)
}
return value
}
// AssertExitCode asserts the exit code.
func (r *Result) AssertExitCode(t *testing.T, code int) {
t.Helper()
assert.Equal(t, code, r.ExitCode, "stdout:\n%s\nstderr:\n%s", r.Stdout, r.Stderr)
}
// AssertStdoutStatus asserts stdout JSON status using either {"ok": ...} or {"code": ...}.
// This intentionally keeps one shared assertion entrypoint for CLI E2E call sites,
// so tests can stay uniform across shortcut-style {"ok": ...} responses and
// service-style {"code": ...} responses without branching on response shape.
func (r *Result) AssertStdoutStatus(t *testing.T, expected any) {
t.Helper()
if okResult := gjson.Get(r.Stdout, "ok"); okResult.Exists() {
assert.Equal(t, expected, okResult.Bool(), "stdout:\n%s", r.Stdout)
return
}
if codeResult := gjson.Get(r.Stdout, "code"); codeResult.Exists() {
assert.Equal(t, expected, int(codeResult.Int()), "stdout:\n%s", r.Stdout)
return
}
assert.Fail(t, "stdout status key not found; expected ok or code", "stdout:\n%s", r.Stdout)
}