Add Volcengine Cloud Security Center service #283
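This PR adds an OctoBus service for Volcengine Cloud Security Center, including complete gRPC interface definitions, service configuration, request signing and invocation logic, and unit tests. The main changes are: new proto definitions, config/secret JSON Schemas, the core implementation (volcengine-seccenter.js), the service entry point, test cases, and registration of the service in the parent package.json and the tentacles registry. Overall code quality is high and test coverage is fairly comprehensive; the signing logic is based on Volcengine's HMAC-SHA256 implementation. However, in
This PR makes three main changes to the Volcengine Cloud Security Center adapter:
The overall code logic is correct and fixes historical defects, but the tests lack regression verification for the new AbortController timeout path and only check that the signal property exists, which leaves a testing gap.
This change
This PR substantially expands the read-only adapter API coverage of the Volcengine Cloud Security Center service. The changes mainly include:
All of the new APIs are read-only operations, so there is no risk of state modification. The action mapping between the proto definitions and the JS implementation remains consistent, and no behavioral regression is introduced. The overall assessment is a low-risk expansion of API coverage with good code quality.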
Summary
seccenter) OctoBus service package.
Fixes #274
Tests
npm run validate -- --service-dir volcengine__seccenter
npm test -- --service-dir volcengine__seccenter
npm run import:check
npm run pack:check
Live check
Using temporary environment variables only, representative read-only actions reached the Volcengine Cloud Security Center business API and returned OperationDenied.TenantUnauthorized / tenant not found for the test account. This indicates the endpoint, service code, API version, and request signing path are working, but the account is not authorized/enrolled for this product tenant.
Live verification status: blocked by product tenant authorization
I could not provide a successful business response for this account because the Volcengine Cloud Security Center tenant is not authorized/enrolled for the tested account. The request still reached the documented product API endpoint and returned a product-level authorization error, which verifies the endpoint, service code, API version, Action routing, and request signing path.
Reference documentation:
OperationDenied.TenantUnauthorized(%s): https://www.volcengine.com/docs/6507/1526316?lang=zh
Integration blocking evidence: ListAssetGroups reaches the business API, but the account tenant is not authorized
Request
POST https://seccenter.volcengineapi.com/?Action=ListAssetGroups&Version=2024-05-08
Authorization: HMAC-SHA256 Credential=AKLTlZjk/20260625/cn-beijing/seccenter/request, SignedHeaders=content-type;host;x-content-sha256;x-date, Signature=**
Content-Type: application/json
Host: seccenter.volcengineapi.com
X-Date: 20260625T192149Z
X-Content-Sha256: 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
{}
Response
HTTP/1.1 403 Forbidden
{
  "ResponseMetadata": {
    "RequestId": "20260626032149774A6474BDB9845F3526",
    "Action": "ListAssetGroups",
    "Version": "2024-05-08",
    "Service": "seccenter",
    "Region": "cn-beijing",
    "Error": {
      "Code": "OperationDenied.TenantUnauthorized%!(EXTRA string=(2121953146))",
      "Message": "The request has failed due to tenant not found(2121953146)"
    }
  }
}
Additional entitlement checks
The same signed request path was also checked with other read-only Cloud Security Center APIs and returned the same tenant authorization block:
ListCloudPlatforms -> HTTP 403 OperationDenied.TenantUnauthorized
MultiCloudAccessSyncStatus -> HTTP 403 OperationDenied.TenantUnauthorized
This is different from a signing, endpoint, or Action mismatch. If the signature, service code, API version, or endpoint were wrong, the gateway would return authentication/signature/route errors instead of a Cloud Security Center tenant authorization error with Service: seccenter and the requested Action echoed in ResponseMetadata.
Review follow-up
Addressed the adapter review feedback in follow-up commits:
Validation run for volcengine__seccenter:
npm test -- --service-dir volcengine__seccenter
npm run validate -- --service-dir volcengine__seccenter
git diff --check
API documentation coverage follow-up:
npm test -- --service-dir volcengine__seccenter, npm run validate -- --service-dir volcengine__seccenter, and git diff --check.
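The distinction drawn in the description (a product-level tenant error with Service and Action echoed, as opposed to a signing or routing error) can be checked mechanically against a captured exchange. The following is an added example, not code from this PR or from Volcengine: `parseAuthorization`, `triage` and the layer labels are hypothetical names, the sample objects are constructed from the capture in the description, and the check covers only the capture's internal consistency without recomputing the signature.

```javascript
const { createHash } = require('node:crypto');
// Constructed from the capture in the PR description; Signature stays redacted.
const SAMPLE_REQ = {
  url: 'https://seccenter.volcengineapi.com/?Action=ListAssetGroups&Version=2024-05-08',
  headers: {
    Authorization: 'HMAC-SHA256 Credential=AKLTlZjk/20260625/cn-beijing/seccenter/request, ' +
      'SignedHeaders=content-type;host;x-content-sha256;x-date, Signature=**',
    'Content-Type': 'application/json',
    Host: 'seccenter.volcengineapi.com',
    'X-Date': '20260625T192149Z',
    'X-Content-Sha256': '44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a',
  },
  body: '{}',
};
const SAMPLE_RES = { ResponseMetadata: { Action: 'ListAssetGroups', Version: '2024-05-08',
  Service: 'seccenter', Region: 'cn-beijing',
  Error: { Code: 'OperationDenied.TenantUnauthorized%!(EXTRA string=(2121953146))' } } };

// Split "ALG Credential=ak/date/region/service/request, SignedHeaders=a;b, Signature=x".
function parseAuthorization(value) {
  const params = Object.fromEntries(value.replace(/^\S+\s+/, '').split(',').map((kv) => {
    const i = kv.indexOf('=');
    return [kv.slice(0, i).trim(), kv.slice(i + 1).trim()];
  }));
  // Take the scope from the right so a "/" inside the access key id cannot shift it.
  const [date, region, service] = (params.Credential || '').split('/').slice(-4);
  const signedHeaders = (params.SignedHeaders || '').split(';').filter(Boolean);
  return { date, region, service, signedHeaders };
}

// Returns { layer, code, findings }; the layer names are hypothetical labels.
function triage(req, resBody) {
  const h = Object.fromEntries(Object.entries(req.headers).map(([k, v]) => [k.toLowerCase(), v]));
  const auth = parseAuthorization(h.authorization || '');
  const query = new URL(req.url).searchParams;
  const meta = resBody.ResponseMetadata || {};
  const findings = [];
  if (createHash('sha256').update(req.body).digest('hex') !== h['x-content-sha256'])
    findings.push('x-content-sha256 does not match body');
  if (!(h['x-date'] || '').startsWith(auth.date)) findings.push('scope date differs from x-date');
  for (const name of auth.signedHeaders)
    if (!(name in h)) findings.push(`signed header not sent: ${name}`);
  if (meta.Service !== auth.service || meta.Region !== auth.region)
    findings.push('response Service/Region differ from credential scope');
  if (meta.Action !== query.get('Action') || meta.Version !== query.get('Version'))
    findings.push('response Action/Version differ from request');
  // Drop Go fmt residue ("%!(EXTRA ...)") before comparing the error code.
  const code = ((meta.Error || {}).Code || '').replace(/%!\(EXTRA .*$/, '');
  const layer = findings.length ? 'inconsistent-capture'
    : code === 'OperationDenied.TenantUnauthorized' ? 'tenant-entitlement' : code ? 'other-error' : 'ok';
  return { layer, code, findings };
}
```

Running `triage(SAMPLE_REQ, SAMPLE_RES)` reports no findings and the `tenant-entitlement` layer, which matches the description's reading of the 403.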