mirror of
https://github.com/larksuite/cli.git
synced 2026-07-06 16:18:05 +08:00
When config.json is hand-edited, the appId field can become out of sync with the appSecret keychain reference (e.g. appId changed but appSecret.id still points to the old app). This causes silent auth failures at API call time. Add a pre-flight check in ResolveConfigFromMulti that compares the two before any keychain lookup or OAPI request, failing fast with actionable guidance. Change-Id: I74b9ab640642dde3df1ad70890b93b91ee422022
60 lines
2.0 KiB
Go
60 lines
2.0 KiB
Go
// Copyright (c) 2026 Lark Technologies Pte. Ltd.
|
|
// SPDX-License-Identifier: MIT
|
|
|
|
package core
|
|
|
|
import (
|
|
"strings"
|
|
"testing"
|
|
)
|
|
|
|
func TestValidateSecretKeyMatch_KeychainMatches(t *testing.T) {
|
|
secret := SecretInput{Ref: &SecretRef{Source: "keychain", ID: "appsecret:cli_abc123"}}
|
|
if err := ValidateSecretKeyMatch("cli_abc123", secret); err != nil {
|
|
t.Errorf("expected no error, got: %v", err)
|
|
}
|
|
}
|
|
|
|
func TestValidateSecretKeyMatch_KeychainMismatch(t *testing.T) {
|
|
secret := SecretInput{Ref: &SecretRef{Source: "keychain", ID: "appsecret:cli_old_app"}}
|
|
err := ValidateSecretKeyMatch("cli_new_app", secret)
|
|
if err == nil {
|
|
t.Fatal("expected error for mismatched appId and keychain key")
|
|
}
|
|
// Verify the error message contains useful context
|
|
msg := err.Error()
|
|
for _, want := range []string{"cli_old_app", "cli_new_app", "appsecret:cli_new_app", "config init"} {
|
|
if !strings.Contains(msg, want) {
|
|
t.Errorf("error message missing %q: %s", want, msg)
|
|
}
|
|
}
|
|
}
|
|
|
|
func TestValidateSecretKeyMatch_PlainSecret_Skipped(t *testing.T) {
|
|
secret := PlainSecret("some-secret")
|
|
if err := ValidateSecretKeyMatch("cli_abc123", secret); err != nil {
|
|
t.Errorf("plain secret should be skipped, got: %v", err)
|
|
}
|
|
}
|
|
|
|
func TestValidateSecretKeyMatch_FileRef_Skipped(t *testing.T) {
|
|
secret := SecretInput{Ref: &SecretRef{Source: "file", ID: "/tmp/secret.txt"}}
|
|
if err := ValidateSecretKeyMatch("cli_abc123", secret); err != nil {
|
|
t.Errorf("file ref should be skipped, got: %v", err)
|
|
}
|
|
}
|
|
|
|
func TestValidateSecretKeyMatch_ZeroValue_Skipped(t *testing.T) {
|
|
if err := ValidateSecretKeyMatch("cli_abc123", SecretInput{}); err != nil {
|
|
t.Errorf("zero SecretInput should be skipped, got: %v", err)
|
|
}
|
|
}
|
|
|
|
func TestValidateSecretKeyMatch_EmptyAppId_Mismatch(t *testing.T) {
|
|
secret := SecretInput{Ref: &SecretRef{Source: "keychain", ID: "appsecret:cli_abc123"}}
|
|
err := ValidateSecretKeyMatch("", secret)
|
|
if err == nil {
|
|
t.Fatal("expected error when appId is empty but keychain key references a real app")
|
|
}
|
|
}
|