test: tighten sandbox create arg assertions

2026-05-11 21:00:42 +00:00 · 2026-05-09 19:09:23 +01:00
parent 5d8ce65a8e
commit 34d040644d
1 changed files with 51 additions and 75 deletions
--- a/src/agents/sandbox-create-args.test.ts
+++ b/src/agents/sandbox-create-args.test.ts
@@ -38,6 +38,26 @@ describe("buildSandboxCreateArgs", () => {
    ).toThrow(expectedMessage);
  }

+  function valuesForFlag(args: string[], flag: string): string[] {
+    const values: string[] = [];
+    for (let i = 0; i < args.length; i += 1) {
+      if (args[i] === flag) {
+        const value = args[i + 1];
+        if (value) {
+          values.push(value);
+        }
+      }
+    }
+    return values;
+  }
+
+  function expectFlagValues(args: string[], flag: string, expectedValues: string[]): void {
+    const values = valuesForFlag(args, flag);
+    for (const value of expectedValues) {
+      expect(values).toContain(value);
+    }
+  }
+
  it("includes hardening and resource flags", () => {
    const cfg: SandboxDockerConfig = {
      image: "openclaw-sandbox:bookworm-slim",
@@ -72,69 +92,32 @@ describe("buildSandboxCreateArgs", () => {
      labels: { "openclaw.sandboxBrowser": "1" },
    });

-    expect(args).toEqual(
-      expect.arrayContaining([
-        "create",
-        "--name",
-        "openclaw-sbx-test",
-        "--label",
-        "openclaw.sandbox=1",
-        "--label",
-        "openclaw.sessionKey=main",
-        "--label",
-        "openclaw.createdAtMs=1700000000000",
-        "--label",
-        "openclaw.sandboxBrowser=1",
-        "--read-only",
-        "--tmpfs",
-        "/tmp",
-        "--network",
-        "none",
-        "--user",
-        "1000:1000",
-        "--cap-drop",
-        "ALL",
-        "--security-opt",
-        "no-new-privileges",
-        "--security-opt",
-        "seccomp=/tmp/seccomp.json",
-        "--security-opt",
-        "apparmor=openclaw-sandbox",
-        "--dns",
-        "1.1.1.1",
-        "--add-host",
-        "internal.service:10.0.0.5",
-        "--pids-limit",
-        "256",
-        "--memory",
-        "512m",
-        "--memory-swap",
-        "1024",
-        "--cpus",
-        "1.5",
-      ]),
-    );
-    expect(args).toEqual(
-      expect.arrayContaining([
-        "--env",
-        "LANG=C.UTF-8",
-        "--env",
-        `OPENCLAW_CLI=${OPENCLAW_CLI_ENV_VALUE}`,
-      ]),
-    );
-
-    const ulimitValues: string[] = [];
-    for (let i = 0; i < args.length; i += 1) {
-      if (args[i] === "--ulimit") {
-        const value = args[i + 1];
-        if (value) {
-          ulimitValues.push(value);
-        }
-      }
-    }
-    expect(ulimitValues).toEqual(
-      expect.arrayContaining(["nofile=1024:2048", "nproc=128", "core=0"]),
-    );
+    expect(args[0]).toBe("create");
+    expectFlagValues(args, "--name", ["openclaw-sbx-test"]);
+    expectFlagValues(args, "--label", [
+      "openclaw.sandbox=1",
+      "openclaw.sessionKey=main",
+      "openclaw.createdAtMs=1700000000000",
+      "openclaw.sandboxBrowser=1",
+    ]);
+    expect(args).toContain("--read-only");
+    expectFlagValues(args, "--tmpfs", ["/tmp"]);
+    expectFlagValues(args, "--network", ["none"]);
+    expectFlagValues(args, "--user", ["1000:1000"]);
+    expectFlagValues(args, "--cap-drop", ["ALL"]);
+    expectFlagValues(args, "--security-opt", [
+      "no-new-privileges",
+      "seccomp=/tmp/seccomp.json",
+      "apparmor=openclaw-sandbox",
+    ]);
+    expectFlagValues(args, "--dns", ["1.1.1.1"]);
+    expectFlagValues(args, "--add-host", ["internal.service:10.0.0.5"]);
+    expectFlagValues(args, "--pids-limit", ["256"]);
+    expectFlagValues(args, "--memory", ["512m"]);
+    expectFlagValues(args, "--memory-swap", ["1024"]);
+    expectFlagValues(args, "--cpus", ["1.5"]);
+    expectFlagValues(args, "--env", ["LANG=C.UTF-8", `OPENCLAW_CLI=${OPENCLAW_CLI_ENV_VALUE}`]);
+    expectFlagValues(args, "--ulimit", ["nofile=1024:2048", "nproc=128", "core=0"]);
  });

  it("preserves the OpenClaw exec marker when strict env sanitization is enabled", () => {
@@ -154,14 +137,7 @@ describe("buildSandboxCreateArgs", () => {
      },
    });

-    expect(args).toEqual(
-      expect.arrayContaining([
-        "--env",
-        "NODE_ENV=test",
-        "--env",
-        `OPENCLAW_CLI=${OPENCLAW_CLI_ENV_VALUE}`,
-      ]),
-    );
+    expectFlagValues(args, "--env", ["NODE_ENV=test", `OPENCLAW_CLI=${OPENCLAW_CLI_ENV_VALUE}`]);
  });

  it("emits Docker GPU passthrough as a separate argument", () => {
@@ -176,7 +152,7 @@ describe("buildSandboxCreateArgs", () => {
      createdAtMs: 1700000000000,
    });

-    expect(args).toEqual(expect.arrayContaining(["--gpus", "device=GPU-123"]));
+    expectFlagValues(args, "--gpus", ["device=GPU-123"]);
  });

  it("emits -v flags for safe custom binds", () => {
@@ -308,7 +284,7 @@ describe("buildSandboxCreateArgs", () => {
      bindSourceRoots: ["/tmp/workspace", "/tmp/agent"],
      allowSourcesOutsideAllowedRoots: true,
    });
-    expect(args).toEqual(expect.arrayContaining(["-v", "/opt/external:/data:rw"]));
+    expectFlagValues(args, "-v", ["/opt/external:/data:rw"]);
  });

  it("blocks reserved /workspace target bind mounts by default", () => {
@@ -325,7 +301,7 @@ describe("buildSandboxCreateArgs", () => {
      createdAtMs: 1700000000000,
      allowReservedContainerTargets: true,
    });
-    expect(args).toEqual(expect.arrayContaining(["-v", "/tmp/override:/workspace:rw"]));
+    expectFlagValues(args, "-v", ["/tmp/override:/workspace:rw"]);
  });

  it("allows container namespace join with explicit dangerous override", () => {
@@ -339,6 +315,6 @@ describe("buildSandboxCreateArgs", () => {
      scopeKey: "main",
      createdAtMs: 1700000000000,
    });
-    expect(args).toEqual(expect.arrayContaining(["--network", "container:peer"]));
+    expectFlagValues(args, "--network", ["container:peer"]);
  });
 });