(t *testing.T)
| 215 | } |
| 216 | |
| 217 | func TestProxyHandler_IdentityNotAllowed(t *testing.T) { |
| 218 | key := []byte("test-key") |
| 219 | h := newTestHandler(key) |
| 220 | // Restrict to bot only |
| 221 | h.allowedIDs = map[string]bool{sidecar.IdentityBot: true} |
| 222 | |
| 223 | req := signedReq(t, key, "GET", "https://open.feishu.cn", "/open-apis/test", nil) |
| 224 | req.Header.Set(sidecar.HeaderProxyIdentity, sidecar.IdentityUser) |
| 225 | resign(t, key, req, nil) // identity is signed; must re-sign after mutation |
| 226 | w := httptest.NewRecorder() |
| 227 | h.ServeHTTP(w, req) |
| 228 | if w.Code != http.StatusForbidden { |
| 229 | t.Errorf("expected 403 for disallowed identity, got %d", w.Code) |
| 230 | } |
| 231 | } |
| 232 | |
| 233 | // TestParseTarget covers the per-shape rejections directly, without the |
| 234 | // surrounding HTTP plumbing. |
nothing calls this directly
no test coverage detected