mirror of
https://github.com/larksuite/cli.git
synced 2026-07-07 00:55:53 +08:00
* feat(sidecar): add sidecar proxy for sandbox credential isolation
Keep real secrets (app_secret, access_token) out of sandbox environments.
CLI instances inside sandboxes connect to a trusted sidecar process via
HTTP; the sidecar verifies HMAC-signed requests and injects real tokens
before forwarding to the Lark API.
Key components:
- `auth proxy` subcommand to start the sidecar server (build tag: authsidecar)
- Noop credential provider returns sentinel tokens in sidecar mode
- Transport interceptor rewrites requests to sidecar with HMAC signature
- Env provider yields to sidecar provider when AUTH_PROXY is set
- Supports both feishu and lark brand endpoints
* feat(sidecar): implement priority ordering for credential providers
* feat(sidecar): strip client-supplied auth headers and improve shutdown logging
* feat(sidecar): buffer request body to prevent HMAC mismatches on read errors
* feat(sidecar): fix CI
* refactor(sidecar): publish protocol package and move server to reference demo
The sidecar server is no longer shipped as a `lark-cli auth proxy`
subcommand. Instead, the CLI provides only the standard sidecar *client*
(via `-tags authsidecar`), while the wire-protocol utilities are exposed
as a public package for integrators to implement their own server.
Changes:
- Move `internal/sidecar/` → `sidecar/` so external integrators can
import HMAC signing, headers, sentinels and address validators.
- Remove `cmd/auth/proxy.go`, `proxy_stub.go`, `proxy_test.go` and the
conditional registration in `cmd/auth/auth.go`.
- Add `sidecar/server-demo/` — a reference server implementation behind
the `authsidecar_demo` build tag. It reuses the lark-cli credential
pipeline for local development; production integrators are expected
to replace the credential layer with their own secrets source.
- Update all internal imports from `internal/sidecar` to `sidecar`.
Rationale:
- Each integrator has different secrets management / HA / multi-tenant
requirements, so a one-size-fits-all server doesn't belong in the
shipped CLI.
- Keeping the client in-tree guarantees all sandbox-side code stays
protocol-compatible without a second repo to sync.
- The public `sidecar/` package pins the wire protocol as a stable
contract third-party servers must conform to.
Build matrix after this change:
- `go build` → standard CLI, no sidecar code
- `go build -tags authsidecar` → CLI + sidecar client
- `go build -tags authsidecar_demo \
./sidecar/server-demo/` → reference server binary
No production users are affected today because the server was not yet
released; existing sidecar-client users are unchanged.
* feat(sidecar): close 5 pre-release security gaps
- Server: enforce https-only target (no path/query/userinfo), pin
forwardURL to https:// — blocks cleartext token leak
- Protocol v1: canonical now covers version/identity/auth-header,
blocks identity-flip replay within drift window
- Client: ValidateProxyAddr requires loopback or same-host alias,
rejects userinfo and https (interceptor is http-only); cross-machine
is out of scope
- Build: non-authsidecar builds exit(2) when AUTH_PROXY is set,
preventing silent fallback to env credentials
- Demo: whitelist auth-header to Authorization / X-Lark-MCP-{UAT,TAT},
blocks token injection into Cookie / UA / X-Forwarded-For exfil paths
81 lines
2.0 KiB
Go
81 lines
2.0 KiB
Go
// Copyright (c) 2026 Lark Technologies Pte. Ltd.
|
|
// SPDX-License-Identifier: MIT
|
|
|
|
package credential
|
|
|
|
import (
|
|
"context"
|
|
"testing"
|
|
)
|
|
|
|
type stubProvider struct{ name string }
|
|
|
|
func (s *stubProvider) Name() string { return s.name }
|
|
func (s *stubProvider) ResolveAccount(ctx context.Context) (*Account, error) {
|
|
return &Account{AppID: s.name}, nil
|
|
}
|
|
func (s *stubProvider) ResolveToken(ctx context.Context, req TokenSpec) (*Token, error) {
|
|
return &Token{Value: "tok-" + s.name, Source: s.name}, nil
|
|
}
|
|
|
|
func TestRegisterAndProviders(t *testing.T) {
|
|
mu.Lock()
|
|
old := providers
|
|
providers = nil
|
|
mu.Unlock()
|
|
defer func() { mu.Lock(); providers = old; mu.Unlock() }()
|
|
|
|
Register(&stubProvider{name: "a"})
|
|
Register(&stubProvider{name: "b"})
|
|
|
|
got := Providers()
|
|
if len(got) != 2 {
|
|
t.Fatalf("expected 2, got %d", len(got))
|
|
}
|
|
if got[0].Name() != "a" || got[1].Name() != "b" {
|
|
t.Errorf("unexpected order: %s, %s", got[0].Name(), got[1].Name())
|
|
}
|
|
}
|
|
|
|
type priorityProvider struct {
|
|
stubProvider
|
|
priority int
|
|
}
|
|
|
|
func (p *priorityProvider) Priority() int { return p.priority }
|
|
|
|
func TestRegister_PriorityOrder(t *testing.T) {
|
|
mu.Lock()
|
|
old := providers
|
|
providers = nil
|
|
mu.Unlock()
|
|
defer func() { mu.Lock(); providers = old; mu.Unlock() }()
|
|
|
|
Register(&stubProvider{name: "env"}) // priority 10 (default)
|
|
Register(&priorityProvider{stubProvider: stubProvider{name: "sidecar"}, priority: 0}) // priority 0 (first)
|
|
|
|
got := Providers()
|
|
if len(got) != 2 {
|
|
t.Fatalf("expected 2, got %d", len(got))
|
|
}
|
|
if got[0].Name() != "sidecar" || got[1].Name() != "env" {
|
|
t.Errorf("expected sidecar before env, got %s, %s", got[0].Name(), got[1].Name())
|
|
}
|
|
}
|
|
|
|
func TestProviders_ReturnsSnapshot(t *testing.T) {
|
|
mu.Lock()
|
|
old := providers
|
|
providers = nil
|
|
mu.Unlock()
|
|
defer func() { mu.Lock(); providers = old; mu.Unlock() }()
|
|
|
|
Register(&stubProvider{name: "x"})
|
|
snap := Providers()
|
|
Register(&stubProvider{name: "y"})
|
|
|
|
if len(snap) != 1 {
|
|
t.Fatalf("snapshot should not be affected, got %d", len(snap))
|
|
}
|
|
}
|