mirror of
https://github.com/larksuite/cli.git
synced 2026-07-03 14:02:43 +08:00
* feat(platform): support multiple policy rules per plugin
Extend the command policy framework from single-Rule to multi-Rule
semantics. A plugin (or policy.yml) may now contribute several scoped
Rules; the engine combines them with OR -- a command is allowed when it
satisfies every axis of at least one rule. This lets one integration
apply different risk ceilings and identity restrictions to different
command groups.
The cross-plugin fail-closed boundary is preserved: two distinct plugins
both calling Restrict still aborts startup (multiple_restrict_plugins).
Single-Rule behaviour is fully backward compatible -- the rejection
reason_code / rule_name / envelope shape are byte-for-byte unchanged;
multi-rule rejection surfaces the aggregate reason_code no_matching_rule.
- engine: New keeps single-rule compat, add NewSet for OR over rules
- resolver: dedupe by owner (one plugin may contribute many rules),
return []*Rule; yaml gains a top-level rules: list
- registrar/builder/staging: Restrict may be called more than once;
retire the double_restrict error
- config policy show / config plugins show: emit a rules array
- inventory: PluginEntry.Rules is now a slice (fixes last-rule-wins
overwrite when a plugin contributes multiple rules)
* fix(platform): clone rules in Builder.Restrict and inventory snapshot
Address review feedback. Builder.Restrict stored the caller's *Rule
directly, so reusing and mutating one Rule object across multiple
Restrict calls collapsed entries to the last mutation; clone the rule and
its slices on append, mirroring the staging registrar.
BuildInventory likewise reused the source Allow/Deny/Identities slices;
copy them when building the RuleView snapshot instead of relying on
cloneInventory downstream.
Add a regression test: reusing and mutating one Rule across two Restrict
calls now yields two independent rules.
* fix(platform): skip yaml when a plugin owns policy; reject empty rules list
Two policy-config robustness fixes from review:
- A malformed ~/.lark-cli/policy.yml could abort a plugin-governed
binary. applyUserPolicyPruning read yaml before resolving, and
build.go fail-closes on any policy error when a plugin is present.
Plugin rules shadow yaml anyway, so skip reading yaml entirely when a
plugin contributed rules -- an unrelated broken file on the user's
machine can no longer lock the CLI.
- A present-but-empty "rules: []" collapsed to a single all-zero Rule
that allows every annotated command ("looks like policy, enforces
almost nothing"). yaml.Parse now distinguishes absent from
present-but-empty (Rules is a pointer) and rejects the empty list.
Add regression tests for both.
80 lines
2.1 KiB
Go
80 lines
2.1 KiB
Go
// Copyright (c) 2026 Lark Technologies Pte. Ltd.
|
|
// SPDX-License-Identifier: MIT
|
|
|
|
package config
|
|
|
|
import (
|
|
"github.com/spf13/cobra"
|
|
|
|
"github.com/larksuite/cli/internal/cmdpolicy"
|
|
"github.com/larksuite/cli/internal/cmdutil"
|
|
"github.com/larksuite/cli/internal/output"
|
|
)
|
|
|
|
func NewCmdConfigPolicy(f *cmdutil.Factory) *cobra.Command {
|
|
cmd := &cobra.Command{
|
|
Use: "policy",
|
|
Hidden: true,
|
|
Short: "Inspect the user-layer command policy",
|
|
// Override parent's RequireBuiltinCredentialProvider check; this
|
|
// group is read-only diagnostic and must work under any provider.
|
|
PersistentPreRunE: func(c *cobra.Command, _ []string) error {
|
|
c.SilenceUsage = true
|
|
return nil
|
|
},
|
|
}
|
|
cmd.AddCommand(newCmdConfigPolicyShow(f))
|
|
return cmd
|
|
}
|
|
|
|
func newCmdConfigPolicyShow(f *cmdutil.Factory) *cobra.Command {
|
|
cmd := &cobra.Command{
|
|
Use: "show",
|
|
Hidden: true,
|
|
Short: "Show the active user-layer policy (plugin / yaml / none)",
|
|
RunE: func(cmd *cobra.Command, args []string) error {
|
|
return runConfigPolicyShow(f)
|
|
},
|
|
}
|
|
cmdutil.SetRisk(cmd, "read")
|
|
return cmd
|
|
}
|
|
|
|
func runConfigPolicyShow(f *cmdutil.Factory) error {
|
|
active := cmdpolicy.GetActive()
|
|
if active == nil {
|
|
output.PrintJson(f.IOStreams.Out, map[string]any{
|
|
"source": string(cmdpolicy.SourceNone),
|
|
"note": "no policy recorded; bootstrap did not run pruning",
|
|
})
|
|
return nil
|
|
}
|
|
|
|
sourceName := ""
|
|
if active.Source.Kind == cmdpolicy.SourcePlugin {
|
|
sourceName = active.Source.Name
|
|
}
|
|
out := map[string]any{
|
|
"source": string(active.Source.Kind),
|
|
"source_name": sourceName,
|
|
"denied_paths": active.DeniedPaths,
|
|
}
|
|
if len(active.Rules) > 0 {
|
|
rules := make([]map[string]any, 0, len(active.Rules))
|
|
for _, r := range active.Rules {
|
|
rules = append(rules, map[string]any{
|
|
"name": r.Name,
|
|
"description": r.Description,
|
|
"allow": r.Allow,
|
|
"deny": r.Deny,
|
|
"max_risk": r.MaxRisk,
|
|
"identities": r.Identities,
|
|
"allow_unannotated": r.AllowUnannotated,
|
|
})
|
|
}
|
|
out["rules"] = rules
|
|
}
|
|
output.PrintJson(f.IOStreams.Out, out)
|
|
return nil
|
|
}
|