mirror of
https://github.com/larksuite/cli.git
synced 2026-07-07 00:55:53 +08:00
* feat(apps): add openapi-key common helpers (mask/redact/config) * feat(apps): add +openapi-key-list (redacted) * feat(apps): add +openapi-key-get (redacted) * feat(apps): add +openapi-key-create (one-time raw secret) * feat(apps): add +openapi-key-update * feat(apps): add +openapi-key-enable / +openapi-key-disable * feat(apps): add +openapi-key-delete (high-risk-write) * feat(apps): add +openapi-key-reset (rotate, one-time new secret) * test(apps): assert reset surfaces raw key exactly once * feat(apps): register openapi-key shortcuts * docs(lark-apps): add openapi-key reference and routing * test(apps): update shortcut count for openapi-key commands * fix(apps): trim openapi-key update name and correct shortcut-count comment * fix(apps): use camelCase config and add scope-all/scope-api flags Replace snake_case wire keys (request_scope, is_allow_access_preview) with camelCase (requestScope, isAllowAccessPreview, allowAll, httpInfos, httpMethod, httpPath). Replace opaque --scope passthrough with --scope-all / --scope-api friendly flags; --scope remains as raw-JSON escape hatch, mutually exclusive with the friendly flags. Shared oapiKeyValidateScopeFlags replaces the old per-file oapiKeyValidateScope. * fix(apps): use Changed for scope-all and refresh openapi-key scope docs Switch the update at-least-one guard from rctx.Bool to rctx.Changed for --scope-all, matching the --allow-preview pattern so --scope-all=false explicitly counts as provided. Rewrite lark-apps-openapi-key.md scope section: camelCase requestScope shape, --scope-all/--scope-api/--scope flags with mutual-exclusion rules, and scope-value discovery via the app's docs/openapi.json. * fix(apps): emit snake_case request_scope config for open gateway Open gateway (/open-apis/spark/v1) requires snake_case request bodies; flip parseScopeAPI/buildRequestScope/buildKeyConfig to emit http_method, http_path, allow_all, http_infos, request_scope, is_allow_access_preview. Update unit tests to assert snake_case and reject camelCase keys. * docs(lark-apps): correct openapi-key scope to snake_case wire format * docs(apps): align openapi-key flag help text to snake_case wire keys * feat(apps): add actionable hints and more examples to openapi-key P1: chain .WithHint(...) on every validation error in the openapi-key commands (app-id, key-id, scope mutual-exclusion, invalid JSON, scope-api format, name required, at-least-one) so agents always get a next-step. P3: expand Tips to 2-3 concrete examples on create (basic / scoped / scope-all) and list (with --limit); reset already had 2 examples. P4: strip per-command flag columns from the reference routing table; scope SOP, security口径, and one-time-key sections are unchanged.
83 lines
3.1 KiB
Go
83 lines
3.1 KiB
Go
// Copyright (c) 2026 Lark Technologies Pte. Ltd.
|
|
// SPDX-License-Identifier: MIT
|
|
|
|
package apps
|
|
|
|
import (
|
|
"context"
|
|
"strings"
|
|
|
|
"github.com/larksuite/cli/shortcuts/common"
|
|
)
|
|
|
|
// AppsOpenAPIKeyUpdate updates an open API key's name and/or config (not status).
|
|
var AppsOpenAPIKeyUpdate = common.Shortcut{
|
|
Service: appsService,
|
|
Command: "+openapi-key-update",
|
|
Description: "Update an open API key's name and/or scope",
|
|
Risk: "write",
|
|
Tips: []string{
|
|
"Example: lark-cli apps +openapi-key-update --app-id <app_id> --key-id <key_id> --name partner-prod",
|
|
},
|
|
Scopes: []string{"spark:app:write"},
|
|
AuthTypes: []string{"user"},
|
|
HasFormat: true,
|
|
Flags: []common.Flag{
|
|
{Name: "app-id", Desc: "app ID", Required: true},
|
|
{Name: "key-id", Desc: "API key ID", Required: true},
|
|
{Name: "name", Desc: "new name"},
|
|
{Name: "scope-all", Type: "bool", Desc: "grant access to all /openapi/** routes (request_scope.allow_all)"},
|
|
{Name: "scope-api", Type: "string_array", Desc: "grant one route, repeatable: 'METHOD /openapi/path' (from the app's docs/openapi.json)"},
|
|
{Name: "scope", Desc: "advanced: raw JSON for config.request_scope (mutually exclusive with --scope-all/--scope-api)"},
|
|
{Name: "allow-preview", Type: "bool", Desc: "allow preview-env access (config.is_allow_access_preview)"},
|
|
},
|
|
Validate: func(ctx context.Context, rctx *common.RuntimeContext) error {
|
|
if err := oapiKeyValidateKeyID(rctx); err != nil {
|
|
return err
|
|
}
|
|
if strings.TrimSpace(rctx.Str("name")) == "" &&
|
|
!rctx.Changed("scope-all") &&
|
|
len(rctx.StrArray("scope-api")) == 0 &&
|
|
strings.TrimSpace(rctx.Str("scope")) == "" &&
|
|
!rctx.Changed("allow-preview") {
|
|
return appsValidationParamError("--name", "at least one of --name / --scope-all / --scope-api / --scope / --allow-preview is required").
|
|
WithHint("pass at least one of --name / --scope-all / --scope-api / --scope / --allow-preview")
|
|
}
|
|
return oapiKeyValidateScopeFlags(rctx)
|
|
},
|
|
DryRun: func(ctx context.Context, rctx *common.RuntimeContext) *common.DryRunAPI {
|
|
body, _ := buildOpenAPIKeyUpdateBody(rctx)
|
|
return common.NewDryRunAPI().
|
|
PATCH(oapiKeyItemURL(rctx)).
|
|
Desc("Update open API key").
|
|
Body(body)
|
|
},
|
|
Execute: func(ctx context.Context, rctx *common.RuntimeContext) error {
|
|
body, err := buildOpenAPIKeyUpdateBody(rctx)
|
|
if err != nil {
|
|
return appsValidationParamError("--scope", "invalid scope: %v", err)
|
|
}
|
|
data, err := rctx.CallAPITyped("PATCH", oapiKeyItemURL(rctx), nil, body)
|
|
if err != nil {
|
|
return withAppsHint(err, oapiKeyNotFoundHint(rctx))
|
|
}
|
|
return outputRedactedInfo(rctx, data)
|
|
},
|
|
}
|
|
|
|
// buildOpenAPIKeyUpdateBody builds {name?, config?} with only provided fields.
|
|
func buildOpenAPIKeyUpdateBody(rctx *common.RuntimeContext) (map[string]interface{}, error) {
|
|
body := map[string]interface{}{}
|
|
if name := strings.TrimSpace(rctx.Str("name")); name != "" {
|
|
body["name"] = name
|
|
}
|
|
cfg, err := buildKeyConfig(rctx.Bool("scope-all"), rctx.StrArray("scope-api"), rctx.Str("scope"), rctx.Changed("allow-preview"), rctx.Bool("allow-preview"))
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if cfg != nil {
|
|
body["config"] = cfg
|
|
}
|
|
return body, nil
|
|
}
|