mirror of
https://github.com/larksuite/cli.git
synced 2026-07-06 16:18:05 +08:00
* feat(platform): support multiple policy rules per plugin
Extend the command policy framework from single-Rule to multi-Rule
semantics. A plugin (or policy.yml) may now contribute several scoped
Rules; the engine combines them with OR -- a command is allowed when it
satisfies every axis of at least one rule. This lets one integration
apply different risk ceilings and identity restrictions to different
command groups.
The cross-plugin fail-closed boundary is preserved: two distinct plugins
both calling Restrict still aborts startup (multiple_restrict_plugins).
Single-Rule behaviour is fully backward compatible -- the rejection
reason_code / rule_name / envelope shape are byte-for-byte unchanged;
multi-rule rejection surfaces the aggregate reason_code no_matching_rule.
- engine: New keeps single-rule compat, add NewSet for OR over rules
- resolver: dedupe by owner (one plugin may contribute many rules),
return []*Rule; yaml gains a top-level rules: list
- registrar/builder/staging: Restrict may be called more than once;
retire the double_restrict error
- config policy show / config plugins show: emit a rules array
- inventory: PluginEntry.Rules is now a slice (fixes last-rule-wins
overwrite when a plugin contributes multiple rules)
* fix(platform): clone rules in Builder.Restrict and inventory snapshot
Address review feedback. Builder.Restrict stored the caller's *Rule
directly, so reusing and mutating one Rule object across multiple
Restrict calls collapsed entries to the last mutation; clone the rule and
its slices on append, mirroring the staging registrar.
BuildInventory likewise reused the source Allow/Deny/Identities slices;
copy them when building the RuleView snapshot instead of relying on
cloneInventory downstream.
Add a regression test: reusing and mutating one Rule across two Restrict
calls now yields two independent rules.
* fix(platform): skip yaml when a plugin owns policy; reject empty rules list
Two policy-config robustness fixes from review:
- A malformed ~/.lark-cli/policy.yml could abort a plugin-governed
binary. applyUserPolicyPruning read yaml before resolving, and
build.go fail-closes on any policy error when a plugin is present.
Plugin rules shadow yaml anyway, so skip reading yaml entirely when a
plugin contributed rules -- an unrelated broken file on the user's
machine can no longer lock the CLI.
- A present-but-empty "rules: []" collapsed to a single all-zero Rule
that allows every annotated command ("looks like policy, enforces
almost nothing"). yaml.Parse now distinguishes absent from
present-but-empty (Rules is a pointer) and rejects the empty list.
Add regression tests for both.
163 lines
5.2 KiB
Go
163 lines
5.2 KiB
Go
// Copyright (c) 2026 Lark Technologies Pte. Ltd.
|
|
// SPDX-License-Identifier: MIT
|
|
|
|
package cmdpolicy_test
|
|
|
|
import (
|
|
"errors"
|
|
"os"
|
|
"path/filepath"
|
|
"testing"
|
|
|
|
"github.com/larksuite/cli/extension/platform"
|
|
"github.com/larksuite/cli/internal/cmdpolicy"
|
|
)
|
|
|
|
func TestResolve_singlePluginWins(t *testing.T) {
|
|
rule := &platform.Rule{Name: "secaudit"}
|
|
got, src, err := cmdpolicy.Resolve(cmdpolicy.Sources{
|
|
PluginRules: []cmdpolicy.PluginRule{{PluginName: "secaudit", Rule: rule}},
|
|
})
|
|
if err != nil {
|
|
t.Fatalf("Resolve err: %v", err)
|
|
}
|
|
if len(got) != 1 || got[0] != rule || src.Kind != cmdpolicy.SourcePlugin || src.Name != "secaudit" {
|
|
t.Fatalf("Resolve = (%v, %+v)", got, src)
|
|
}
|
|
}
|
|
|
|
// A single plugin may contribute several rules (each a scoped grant). They
|
|
// are all returned, in registration order, under one plugin source.
|
|
func TestResolve_singlePluginMultipleRules(t *testing.T) {
|
|
r1 := &platform.Rule{Name: "docs-ro", Allow: []string{"docs/**"}, MaxRisk: "read"}
|
|
r2 := &platform.Rule{Name: "im-rw", Allow: []string{"im/**"}, MaxRisk: "write"}
|
|
got, src, err := cmdpolicy.Resolve(cmdpolicy.Sources{
|
|
PluginRules: []cmdpolicy.PluginRule{
|
|
{PluginName: "secaudit", Rule: r1},
|
|
{PluginName: "secaudit", Rule: r2},
|
|
},
|
|
})
|
|
if err != nil {
|
|
t.Fatalf("Resolve err: %v", err)
|
|
}
|
|
if len(got) != 2 || got[0] != r1 || got[1] != r2 {
|
|
t.Fatalf("expected both rules in order, got %v", got)
|
|
}
|
|
if src.Kind != cmdpolicy.SourcePlugin || src.Name != "secaudit" {
|
|
t.Fatalf("source = %+v, want plugin:secaudit", src)
|
|
}
|
|
}
|
|
|
|
func TestResolve_pluginShadowsYaml(t *testing.T) {
|
|
pluginRule := &platform.Rule{Name: "from-plugin"}
|
|
yamlRule := &platform.Rule{Name: "from-yaml"}
|
|
got, src, err := cmdpolicy.Resolve(cmdpolicy.Sources{
|
|
PluginRules: []cmdpolicy.PluginRule{{PluginName: "secaudit", Rule: pluginRule}},
|
|
YAMLRules: []*platform.Rule{yamlRule},
|
|
YAMLPath: "/some/policy.yml",
|
|
})
|
|
if err != nil {
|
|
t.Fatalf("Resolve err: %v", err)
|
|
}
|
|
if len(got) != 1 || got[0].Name != "from-plugin" || src.Kind != cmdpolicy.SourcePlugin {
|
|
t.Fatalf("plugin should shadow yaml, got %+v / %+v", got, src)
|
|
}
|
|
}
|
|
|
|
func TestResolve_yamlWhenNoPlugin(t *testing.T) {
|
|
yamlRule := &platform.Rule{Name: "from-yaml", MaxRisk: "read"}
|
|
got, src, err := cmdpolicy.Resolve(cmdpolicy.Sources{
|
|
YAMLRules: []*platform.Rule{yamlRule},
|
|
YAMLPath: "/some/policy.yml",
|
|
})
|
|
if err != nil {
|
|
t.Fatalf("Resolve err: %v", err)
|
|
}
|
|
if len(got) != 1 || got[0].Name != "from-yaml" || src.Kind != cmdpolicy.SourceYAML {
|
|
t.Fatalf("yaml should win when no plugin, got %+v / %+v", got, src)
|
|
}
|
|
if src.Name != "/some/policy.yml" {
|
|
t.Errorf("yaml source Name should carry path, got %q", src.Name)
|
|
}
|
|
}
|
|
|
|
// yaml may also carry several rules under "rules:"; all are returned.
|
|
func TestResolve_yamlMultipleRules(t *testing.T) {
|
|
r1 := &platform.Rule{Name: "a", MaxRisk: "read"}
|
|
r2 := &platform.Rule{Name: "b", MaxRisk: "write"}
|
|
got, src, err := cmdpolicy.Resolve(cmdpolicy.Sources{
|
|
YAMLRules: []*platform.Rule{r1, r2},
|
|
YAMLPath: "/some/policy.yml",
|
|
})
|
|
if err != nil {
|
|
t.Fatalf("Resolve err: %v", err)
|
|
}
|
|
if len(got) != 2 || src.Kind != cmdpolicy.SourceYAML {
|
|
t.Fatalf("expected both yaml rules, got %v / %+v", got, src)
|
|
}
|
|
}
|
|
|
|
func TestResolve_emptyEverythingIsNone(t *testing.T) {
|
|
got, src, err := cmdpolicy.Resolve(cmdpolicy.Sources{})
|
|
if err != nil {
|
|
t.Fatalf("Resolve err: %v", err)
|
|
}
|
|
if len(got) != 0 || src.Kind != cmdpolicy.SourceNone {
|
|
t.Fatalf("expected (empty, SourceNone), got (%v, %+v)", got, src)
|
|
}
|
|
}
|
|
|
|
// Two DISTINCT plugins both contributing a Rule must produce the typed
|
|
// error so the bootstrap pipeline aborts (single-owner invariant): one
|
|
// plugin cannot silently widen another plugin's policy.
|
|
func TestResolve_multipleRestrictPluginsIsError(t *testing.T) {
|
|
_, _, err := cmdpolicy.Resolve(cmdpolicy.Sources{
|
|
PluginRules: []cmdpolicy.PluginRule{
|
|
{PluginName: "a", Rule: &platform.Rule{Name: "a"}},
|
|
{PluginName: "b", Rule: &platform.Rule{Name: "b"}},
|
|
},
|
|
})
|
|
if !errors.Is(err, cmdpolicy.ErrMultipleRestricts) {
|
|
t.Fatalf("err = %v, want ErrMultipleRestricts", err)
|
|
}
|
|
}
|
|
|
|
// LoadYAMLPolicy: missing file returns (nil, nil) silently so callers
|
|
// can pass the result straight into Sources.YAMLRules without special-
|
|
// casing not-exist.
|
|
func TestLoadYAMLPolicy_missingIsSilent(t *testing.T) {
|
|
missing := filepath.Join(t.TempDir(), "absent-policy.yml")
|
|
rules, err := cmdpolicy.LoadYAMLPolicy(missing)
|
|
if err != nil {
|
|
t.Fatalf("missing yaml should not error, got %v", err)
|
|
}
|
|
if rules != nil {
|
|
t.Fatalf("missing yaml should return nil rules, got %+v", rules)
|
|
}
|
|
}
|
|
|
|
func TestLoadYAMLPolicy_emptyPathIsNoop(t *testing.T) {
|
|
rules, err := cmdpolicy.LoadYAMLPolicy("")
|
|
if err != nil {
|
|
t.Fatalf("empty path should not error, got %v", err)
|
|
}
|
|
if rules != nil {
|
|
t.Fatalf("empty path should return nil rules, got %+v", rules)
|
|
}
|
|
}
|
|
|
|
func TestLoadYAMLPolicy_parsesValid(t *testing.T) {
|
|
dir := t.TempDir()
|
|
yamlPath := filepath.Join(dir, "policy.yml")
|
|
if err := os.WriteFile(yamlPath, []byte("name: from-yaml\nmax_risk: read\n"), 0o644); err != nil {
|
|
t.Fatalf("write yaml: %v", err)
|
|
}
|
|
rules, err := cmdpolicy.LoadYAMLPolicy(yamlPath)
|
|
if err != nil {
|
|
t.Fatalf("LoadYAMLPolicy err: %v", err)
|
|
}
|
|
if len(rules) != 1 || rules[0].Name != "from-yaml" {
|
|
t.Fatalf("expected one rule with name=from-yaml, got %+v", rules)
|
|
}
|
|
}
|