mirror of
https://github.com/openclaw/openclaw.git
synced 2026-05-01 13:30:22 +00:00
feat(secrets): expand SecretRef coverage across user-supplied credentials (#29580)
* feat(secrets): expand secret target coverage and gateway tooling * docs(secrets): align gateway and CLI secret docs * chore(protocol): regenerate swift gateway models for secrets methods * fix(config): restore talk apiKey fallback and stabilize runner test * ci(windows): reduce test worker count for shard stability * ci(windows): raise node heap for test shard stability * test(feishu): make proxy env precedence assertion windows-safe * fix(gateway): resolve auth password SecretInput refs for clients * fix(gateway): resolve remote SecretInput credentials for clients * fix(secrets): skip inactive refs in command snapshot assignments * fix(secrets): scope gateway.remote refs to effective auth surfaces * fix(secrets): ignore memory defaults when enabled agents disable search * fix(secrets): honor Google Chat serviceAccountRef inheritance * fix(secrets): address tsgo errors in command and gateway collectors * fix(secrets): avoid auth-store load in providers-only configure * fix(gateway): defer local password ref resolution by precedence * fix(secrets): gate telegram webhook secret refs by webhook mode * fix(secrets): gate slack signing secret refs to http mode * fix(secrets): skip telegram botToken refs when tokenFile is set * fix(secrets): gate discord pluralkit refs by enabled flag * fix(secrets): gate discord voice tts refs by voice enabled * test(secrets): make runtime fixture modes explicit * fix(cli): resolve local qr password secret refs * fix(cli): fail when gateway leaves command refs unresolved * fix(gateway): fail when local password SecretRef is unresolved * fix(gateway): fail when required remote SecretRefs are unresolved * fix(gateway): resolve local password refs only when password can win * fix(cli): skip local password SecretRef resolution on qr token override * test(gateway): cast SecretRef fixtures to OpenClawConfig * test(secrets): activate mode-gated targets in runtime coverage fixture * fix(cron): support SecretInput webhook tokens safely * fix(bluebubbles): support SecretInput passwords across config paths * fix(msteams): make appPassword SecretInput-safe in onboarding/token paths * fix(bluebubbles): align SecretInput schema helper typing * fix(cli): clarify secrets.resolve version-skew errors * refactor(secrets): return structured inactive paths from secrets.resolve * refactor(gateway): type onboarding secret writes as SecretInput * chore(protocol): regenerate swift models for secrets.resolve * feat(secrets): expand extension credential secretref support * fix(secrets): gate web-search refs by active provider * fix(onboarding): detect SecretRef credentials in extension status * fix(onboarding): allow keeping existing ref in secret prompt * fix(onboarding): resolve gateway password SecretRefs for probe and tui * fix(onboarding): honor secret-input-mode for local gateway auth * fix(acp): resolve gateway SecretInput credentials * fix(secrets): gate gateway.remote refs to remote surfaces * test(secrets): cover pattern matching and inactive array refs * docs(secrets): clarify secrets.resolve and remote active surfaces * fix(bluebubbles): keep existing SecretRef during onboarding * fix(tests): resolve CI type errors in new SecretRef coverage * fix(extensions): replace raw fetch with SSRF-guarded fetch * test(secrets): mark gateway remote targets active in runtime coverage * test(infra): normalize home-prefix expectation across platforms * fix(cli): only resolve local qr password refs in password mode * test(cli): cover local qr token mode with unresolved password ref * docs(cli): clarify local qr password ref resolution behavior * refactor(extensions): reuse sdk SecretInput helpers * fix(wizard): resolve onboarding env-template secrets before plaintext * fix(cli): surface secrets.resolve diagnostics in memory and qr * test(secrets): repair post-rebase runtime and fixtures * fix(gateway): skip remote password ref resolution when token wins * fix(secrets): treat tailscale remote gateway refs as active * fix(gateway): allow remote password fallback when token ref is unresolved * fix(gateway): ignore stale local password refs for none and trusted-proxy * fix(gateway): skip remote secret ref resolution on local call paths * test(cli): cover qr remote tailscale secret ref resolution * fix(secrets): align gateway password active-surface with auth inference * fix(cli): resolve inferred local gateway password refs in qr * fix(gateway): prefer resolvable remote password over token ref pre-resolution * test(gateway): cover none and trusted-proxy stale password refs * docs(secrets): sync qr and gateway active-surface behavior * fix: restore stability blockers from pre-release audit * Secrets: fix collector/runtime precedence contradictions * docs: align secrets and web credential docs * fix(rebase): resolve integration regressions after main rebase * fix(node-host): resolve gateway secret refs for auth * fix(secrets): harden secretinput runtime readers * gateway: skip inactive auth secretref resolution * cli: avoid gateway preflight for inactive secret refs * extensions: allow unresolved refs in onboarding status * tests: fix qr-cli module mock hoist ordering * Security: align audit checks with SecretInput resolution * Gateway: resolve local-mode remote fallback secret refs * Node host: avoid resolving inactive password secret refs * Secrets runtime: mark Slack appToken inactive for HTTP mode * secrets: keep inactive gateway remote refs non-blocking * cli: include agent memory secret targets in runtime resolution * docs(secrets): sync docs with active-surface and web search behavior * fix(secrets): keep telegram top-level token refs active for blank account tokens * fix(daemon): resolve gateway password secret refs for probe auth * fix(secrets): skip IRC NickServ ref resolution when NickServ is disabled * fix(secrets): align token inheritance and exec timeout defaults * docs(secrets): clarify active-surface notes in cli docs * cli: require secrets.resolve gateway capability * gateway: log auth secret surface diagnostics * secrets: remove dead provider resolver module * fix(secrets): restore gateway auth precedence and fallback resolution * fix(tests): align plugin runtime mock typings --------- Co-authored-by: Peter Steinberger <steipete@gmail.com>
This commit is contained in:
Josh Avant
@@ -1,11 +1,16 @@
|
||||
import type { Command } from "commander";
|
||||
import qrcode from "qrcode-terminal";
|
||||
import { loadConfig } from "../config/config.js";
|
||||
import { resolveSecretInputRef } from "../config/types.secrets.js";
|
||||
import { resolvePairingSetupFromConfig, encodePairingSetupCode } from "../pairing/setup-code.js";
|
||||
import { runCommandWithTimeout } from "../process/exec.js";
|
||||
import { defaultRuntime } from "../runtime.js";
|
||||
import { secretRefKey } from "../secrets/ref-contract.js";
|
||||
import { resolveSecretRefValues } from "../secrets/resolve.js";
|
||||
import { formatDocsLink } from "../terminal/links.js";
|
||||
import { theme } from "../terminal/theme.js";
|
||||
import { resolveCommandSecretRefsViaGateway } from "./command-secret-gateway.js";
|
||||
import { getQrRemoteCommandSecretTargetIds } from "./command-secret-targets.js";
|
||||
|
||||
type QrCliOptions = {
|
||||
json?: boolean;
|
||||
@@ -35,6 +40,94 @@ function readDevicePairPublicUrlFromConfig(cfg: ReturnType<typeof loadConfig>):
|
||||
return trimmed.length > 0 ? trimmed : undefined;
|
||||
}
|
||||
|
||||
function readGatewayTokenEnv(env: NodeJS.ProcessEnv): string | undefined {
|
||||
const primary = typeof env.OPENCLAW_GATEWAY_TOKEN === "string" ? env.OPENCLAW_GATEWAY_TOKEN : "";
|
||||
if (primary.trim().length > 0) {
|
||||
return primary.trim();
|
||||
}
|
||||
const legacy = typeof env.CLAWDBOT_GATEWAY_TOKEN === "string" ? env.CLAWDBOT_GATEWAY_TOKEN : "";
|
||||
if (legacy.trim().length > 0) {
|
||||
return legacy.trim();
|
||||
}
|
||||
return undefined;
|
||||
}
|
||||
|
||||
function readGatewayPasswordEnv(env: NodeJS.ProcessEnv): string | undefined {
|
||||
const primary =
|
||||
typeof env.OPENCLAW_GATEWAY_PASSWORD === "string" ? env.OPENCLAW_GATEWAY_PASSWORD : "";
|
||||
if (primary.trim().length > 0) {
|
||||
return primary.trim();
|
||||
}
|
||||
const legacy =
|
||||
typeof env.CLAWDBOT_GATEWAY_PASSWORD === "string" ? env.CLAWDBOT_GATEWAY_PASSWORD : "";
|
||||
if (legacy.trim().length > 0) {
|
||||
return legacy.trim();
|
||||
}
|
||||
return undefined;
|
||||
}
|
||||
|
||||
function shouldResolveLocalGatewayPasswordSecret(
|
||||
cfg: ReturnType<typeof loadConfig>,
|
||||
env: NodeJS.ProcessEnv,
|
||||
): boolean {
|
||||
if (readGatewayPasswordEnv(env)) {
|
||||
return false;
|
||||
}
|
||||
const authMode = cfg.gateway?.auth?.mode;
|
||||
if (authMode === "password") {
|
||||
return true;
|
||||
}
|
||||
if (authMode === "token" || authMode === "none" || authMode === "trusted-proxy") {
|
||||
return false;
|
||||
}
|
||||
const envToken = readGatewayTokenEnv(env);
|
||||
const configToken =
|
||||
typeof cfg.gateway?.auth?.token === "string" && cfg.gateway.auth.token.trim().length > 0
|
||||
? cfg.gateway.auth.token.trim()
|
||||
: undefined;
|
||||
return !envToken && !configToken;
|
||||
}
|
||||
|
||||
async function resolveLocalGatewayPasswordSecretIfNeeded(
|
||||
cfg: ReturnType<typeof loadConfig>,
|
||||
): Promise<void> {
|
||||
const authPassword = cfg.gateway?.auth?.password;
|
||||
const { ref } = resolveSecretInputRef({
|
||||
value: authPassword,
|
||||
defaults: cfg.secrets?.defaults,
|
||||
});
|
||||
if (!ref) {
|
||||
return;
|
||||
}
|
||||
const resolved = await resolveSecretRefValues([ref], {
|
||||
config: cfg,
|
||||
env: process.env,
|
||||
});
|
||||
const value = resolved.get(secretRefKey(ref));
|
||||
if (typeof value !== "string" || value.trim().length === 0) {
|
||||
throw new Error("gateway.auth.password resolved to an empty or non-string value.");
|
||||
}
|
||||
if (!cfg.gateway?.auth) {
|
||||
return;
|
||||
}
|
||||
cfg.gateway.auth.password = value.trim();
|
||||
}
|
||||
|
||||
function emitQrSecretResolveDiagnostics(diagnostics: string[], opts: QrCliOptions): void {
|
||||
if (diagnostics.length === 0) {
|
||||
return;
|
||||
}
|
||||
const toStderr = opts.json === true || opts.setupCodeOnly === true;
|
||||
for (const entry of diagnostics) {
|
||||
const message = theme.warn(`[secrets] ${entry}`);
|
||||
if (toStderr) {
|
||||
defaultRuntime.error(message);
|
||||
} else {
|
||||
defaultRuntime.log(message);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
export function registerQrCli(program: Command) {
|
||||
program
|
||||
.command("qr")
|
||||
@@ -61,7 +154,33 @@ export function registerQrCli(program: Command) {
|
||||
throw new Error("Use either --token or --password, not both.");
|
||||
}
|
||||
|
||||
const loaded = loadConfig();
|
||||
const token = typeof opts.token === "string" ? opts.token.trim() : "";
|
||||
const password = typeof opts.password === "string" ? opts.password.trim() : "";
|
||||
const wantsRemote = opts.remote === true;
|
||||
|
||||
const loadedRaw = loadConfig();
|
||||
if (wantsRemote && !opts.url && !opts.publicUrl) {
|
||||
const tailscaleMode = loadedRaw.gateway?.tailscale?.mode ?? "off";
|
||||
const remoteUrl = loadedRaw.gateway?.remote?.url;
|
||||
const hasRemoteUrl = typeof remoteUrl === "string" && remoteUrl.trim().length > 0;
|
||||
const hasTailscaleServe = tailscaleMode === "serve" || tailscaleMode === "funnel";
|
||||
if (!hasRemoteUrl && !hasTailscaleServe) {
|
||||
throw new Error(
|
||||
"qr --remote requires gateway.remote.url (or gateway.tailscale.mode=serve/funnel).",
|
||||
);
|
||||
}
|
||||
}
|
||||
let loaded = loadedRaw;
|
||||
let remoteDiagnostics: string[] = [];
|
||||
if (wantsRemote && !token && !password) {
|
||||
const resolvedRemote = await resolveCommandSecretRefsViaGateway({
|
||||
config: loadedRaw,
|
||||
commandName: "qr --remote",
|
||||
targetIds: getQrRemoteCommandSecretTargetIds(),
|
||||
});
|
||||
loaded = resolvedRemote.resolvedConfig;
|
||||
remoteDiagnostics = resolvedRemote.diagnostics;
|
||||
}
|
||||
const cfg = {
|
||||
...loaded,
|
||||
gateway: {
|
||||
@@ -71,17 +190,17 @@ export function registerQrCli(program: Command) {
|
||||
},
|
||||
},
|
||||
};
|
||||
emitQrSecretResolveDiagnostics(remoteDiagnostics, opts);
|
||||
|
||||
const token = typeof opts.token === "string" ? opts.token.trim() : "";
|
||||
const password = typeof opts.password === "string" ? opts.password.trim() : "";
|
||||
const wantsRemote = opts.remote === true;
|
||||
if (token) {
|
||||
cfg.gateway.auth.mode = "token";
|
||||
cfg.gateway.auth.token = token;
|
||||
cfg.gateway.auth.password = undefined;
|
||||
}
|
||||
if (password) {
|
||||
cfg.gateway.auth.mode = "password";
|
||||
cfg.gateway.auth.password = password;
|
||||
cfg.gateway.auth.token = undefined;
|
||||
}
|
||||
if (wantsRemote && !token && !password) {
|
||||
const remoteToken =
|
||||
@@ -100,16 +219,13 @@ export function registerQrCli(program: Command) {
|
||||
cfg.gateway.auth.token = undefined;
|
||||
}
|
||||
}
|
||||
if (wantsRemote && !opts.url && !opts.publicUrl) {
|
||||
const tailscaleMode = cfg.gateway?.tailscale?.mode ?? "off";
|
||||
const remoteUrl = cfg.gateway?.remote?.url;
|
||||
const hasRemoteUrl = typeof remoteUrl === "string" && remoteUrl.trim().length > 0;
|
||||
const hasTailscaleServe = tailscaleMode === "serve" || tailscaleMode === "funnel";
|
||||
if (!hasRemoteUrl && !hasTailscaleServe) {
|
||||
throw new Error(
|
||||
"qr --remote requires gateway.remote.url (or gateway.tailscale.mode=serve/funnel).",
|
||||
);
|
||||
}
|
||||
if (
|
||||
!wantsRemote &&
|
||||
!password &&
|
||||
!token &&
|
||||
shouldResolveLocalGatewayPasswordSecret(cfg, process.env)
|
||||
) {
|
||||
await resolveLocalGatewayPasswordSecretIfNeeded(cfg);
|
||||
}
|
||||
|
||||
const explicitUrl =
|
||||
|
||||
Reference in New Issue
Block a user