Files
larksuite-cli/internal/output/emit_test.go
MaxHuang22 600fa50517 feat: add configurable content-safety scanning (#606)
* feat(contentsafety): add extension interface layer with Provider, Alert, and registry

Change-Id: Ibeac6366c7201293057bc3b063f75ac34565bcd5

* feat(contentsafety): add normalize utility for JSON type conversion

Change-Id: I7d4729a5ddcab2553abc110f8f6ecc88435ae921

* feat(contentsafety): add tree walker and regex scanner

Change-Id: I215dad7cf3072711d05e45f7d384162e1f8752d4

* feat(contentsafety): add config loading with lazy creation, default rules, and allowlist matching

Change-Id: I75e10df28f1f8d4f433cb2b469a0ff317af3bf70

* feat(contentsafety): add regex provider with config-driven scanning and allowlist

Change-Id: I658889b3647cbbbde6881e0c5f7c13887a1eb1d4

* feat(contentsafety): add output core with mode parsing, path normalization, and scan orchestration

Change-Id: I1cb9df75f1a4d176d660e2e7a9561314c3787191

* feat(contentsafety): add ScanForSafety entry point and Envelope alert field

Change-Id: I5fdb311e1c8d983a35a58667970b9fd3ac729a5c

* feat(contentsafety): integrate scanning into shortcut Out() and OutFormat()

Change-Id: I33eef1dba14c8a9bd1998857311bdd611f33b916

* feat(contentsafety): integrate scanning into API/service output paths and register provider

Change-Id: Ic3981db6c546a19eadea095d82175f92f4783bec

* fix(contentsafety): emit stderr notice when lazy-creating default config

Change-Id: Ia2491f7a17caceea3125ff9fb58d750dc196d7e7

* style: gofmt factory_default and exitcode

Change-Id: I86c5afdfbbdb68d8137f0ca09ef3b5a1139f4b4e

* fix(contentsafety): vfs for config I/O, mutex for lazy-create, sort matched rules, emit warn on --output path

Change-Id: Ib4982cd54e1bfe0580a0eb03368e6ca818304e1b

* fix(contentsafety): isolate scan goroutine errOut to prevent race on timeout

Change-Id: Ia5a770d7387ba6d3b7fa318fc5f1384214ea10b7

* fix(contentsafety): deep-normalize typed slices so scanner can walk shortcut data

Change-Id: I641e89113d1a2f2285ac6109bd3d7264f5845ea7

* fix(contentsafety): file perms 0600/0700, no result mutation, timeout test, scanTimeout comment

Change-Id: Ie45a2e365ee7098e214e94f8871026cc12029d83
2026-04-23 17:18:29 +08:00

150 lines
4.3 KiB
Go

// Copyright (c) 2026 Lark Technologies Pte. Ltd.
// SPDX-License-Identifier: MIT
package output
import (
"bytes"
"context"
"errors"
"strings"
"testing"
"time"
extcs "github.com/larksuite/cli/extension/contentsafety"
)
// mockProvider is a test provider that returns a configurable alert.
type mockProvider struct {
name string
alert *extcs.Alert
err error
}
func (m *mockProvider) Name() string { return m.name }
func (m *mockProvider) Scan(_ context.Context, _ extcs.ScanRequest) (*extcs.Alert, error) {
return m.alert, m.err
}
func TestScanForSafety_ModeOff(t *testing.T) {
t.Setenv("LARKSUITE_CLI_CONTENT_SAFETY_MODE", "off")
var buf bytes.Buffer
result := ScanForSafety("lark-cli im +messages-search", map[string]any{"text": "inject"}, &buf)
if result.Alert != nil || result.Blocked {
t.Error("mode=off should produce zero ScanResult")
}
}
func TestScanForSafety_ModeWarn_WithAlert(t *testing.T) {
t.Setenv("LARKSUITE_CLI_CONTENT_SAFETY_MODE", "warn")
alert := &extcs.Alert{Provider: "mock", MatchedRules: []string{"r1"}}
mp := &mockProvider{name: "mock", alert: alert}
// Register mock provider (save and restore)
extcs.Register(mp)
defer extcs.Register(nil)
var buf bytes.Buffer
result := ScanForSafety("lark-cli im +test", map[string]any{}, &buf)
if result.Alert == nil {
t.Fatal("expected non-nil alert in warn mode")
}
if result.Blocked {
t.Error("warn mode should not block")
}
if result.BlockErr != nil {
t.Error("warn mode should not have BlockErr")
}
}
func TestScanForSafety_ModeBlock_WithAlert(t *testing.T) {
t.Setenv("LARKSUITE_CLI_CONTENT_SAFETY_MODE", "block")
alert := &extcs.Alert{Provider: "mock", MatchedRules: []string{"r1"}}
mp := &mockProvider{name: "mock", alert: alert}
extcs.Register(mp)
defer extcs.Register(nil)
var buf bytes.Buffer
result := ScanForSafety("lark-cli im +test", map[string]any{}, &buf)
if !result.Blocked {
t.Error("block mode with alert should set Blocked=true")
}
if result.BlockErr == nil {
t.Error("block mode with alert should have BlockErr")
}
var exitErr *ExitError
if !errors.As(result.BlockErr, &exitErr) {
t.Fatalf("BlockErr should be *ExitError, got %T", result.BlockErr)
}
if exitErr.Code != ExitContentSafety {
t.Errorf("exit code = %d, want %d", exitErr.Code, ExitContentSafety)
}
}
func TestScanForSafety_NoProvider(t *testing.T) {
t.Setenv("LARKSUITE_CLI_CONTENT_SAFETY_MODE", "warn")
extcs.Register(nil)
var buf bytes.Buffer
result := ScanForSafety("lark-cli im +test", map[string]any{}, &buf)
if result.Alert != nil || result.Blocked {
t.Error("no provider should produce zero ScanResult")
}
}
func TestScanForSafety_ScanError_FailOpen(t *testing.T) {
t.Setenv("LARKSUITE_CLI_CONTENT_SAFETY_MODE", "block")
mp := &mockProvider{name: "mock", err: errors.New("scan broke")}
extcs.Register(mp)
defer extcs.Register(nil)
var buf bytes.Buffer
result := ScanForSafety("lark-cli im +test", map[string]any{}, &buf)
if result.Blocked {
t.Error("scan error should fail-open, not block")
}
if !strings.Contains(buf.String(), "scan error") {
t.Errorf("expected warning on stderr, got: %s", buf.String())
}
}
func TestScanForSafety_SlowProvider_Timeout_FailOpen(t *testing.T) {
t.Setenv("LARKSUITE_CLI_CONTENT_SAFETY_MODE", "block")
slow := &slowProvider{}
extcs.Register(slow)
defer extcs.Register(nil)
var buf bytes.Buffer
result := ScanForSafety("lark-cli im +test", map[string]any{}, &buf)
if result.Blocked {
t.Error("slow provider should fail-open on timeout, not block")
}
if result.Alert != nil {
t.Error("slow provider should return nil alert on timeout")
}
}
// slowProvider blocks for longer than scanTimeout to trigger the timeout path.
type slowProvider struct{}
func (s *slowProvider) Name() string { return "slow" }
func (s *slowProvider) Scan(ctx context.Context, _ extcs.ScanRequest) (*extcs.Alert, error) {
select {
case <-ctx.Done():
return nil, ctx.Err()
case <-time.After(200 * time.Millisecond):
return &extcs.Alert{Provider: "slow", MatchedRules: []string{"never"}}, nil
}
}
func TestWriteAlertWarning(t *testing.T) {
alert := &extcs.Alert{Provider: "regex", MatchedRules: []string{"r1", "r2"}}
var buf bytes.Buffer
WriteAlertWarning(&buf, alert)
got := buf.String()
if !strings.Contains(got, "r1") || !strings.Contains(got, "r2") {
t.Errorf("warning should contain rule IDs, got: %s", got)
}
}