vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-06 07:50:43 +00:00
Code Issues Packages Projects Releases Wiki Activity

perf(test): merge system run plan matrix tests

Browse Source
This commit is contained in:
Peter Steinberger
2026-04-20 19:09:46 +01:00
parent 02a6e78531
commit 85c1ff6ea4
1 changed files with 111 additions and 94 deletions
Download Patch File Download Diff File Expand all files Collapse all files

205
src/node-host/invoke-system-run-plan.test.ts
View File

@@ -222,6 +222,14 @@ const DENIED_RUNTIME_APPROVAL = {
message: "SYSTEM_RUN_DENIED: approval cannot safely bind this interpreter/runtime command",
} as const;
function runNamedCase(name: string, run: () => void) {
try {
run();
} catch (error) {
throw new Error(`case failed: ${name}`, { cause: error });
}
}
function expectRuntimeApprovalDenied(command: string[], cwd: string) {
const prepared = buildSystemRunApprovalPlan({ command, cwd });
expect(prepared).toEqual(DENIED_RUNTIME_APPROVAL);
@@ -473,63 +481,67 @@ describe("hardenApprovedExecutionPaths", () => {
},
];
it.runIf(process.platform !== "win32").each(cases)("$name", (testCase) => {
const tmp = createFixtureDir("openclaw-approval-hardening-");
const oldPath = process.env.PATH;
let pathToken: PathTokenSetup | null = null;
if (testCase.withPathToken) {
const binDir = path.join(tmp, "bin");
fs.mkdirSync(binDir, { recursive: true });
const link = path.join(binDir, "poccmd");
fs.symlinkSync("/bin/echo", link);
pathToken = { expected: fs.realpathSync(link) };
process.env.PATH = `${binDir}${path.delimiter}${oldPath ?? ""}`;
}
try {
if (testCase.mode === "build-plan") {
const prepared = buildSystemRunApprovalPlan({
command: testCase.argv,
cwd: tmp,
});
expect(prepared.ok).toBe(true);
if (!prepared.ok) {
throw new Error("unreachable");
it.runIf(process.platform !== "win32")("handles approval hardening cases", () => {
for (const testCase of cases) {
runNamedCase(testCase.name, () => {
const tmp = createFixtureDir("openclaw-approval-hardening-");
const oldPath = process.env.PATH;
let pathToken: PathTokenSetup | null = null;
if (testCase.withPathToken) {
const binDir = path.join(tmp, "bin");
fs.mkdirSync(binDir, { recursive: true });
const link = path.join(binDir, "poccmd");
fs.symlinkSync("/bin/echo", link);
pathToken = { expected: fs.realpathSync(link) };
process.env.PATH = `${binDir}${path.delimiter}${oldPath ?? ""}`;
}
expect(prepared.plan.argv).toEqual(testCase.expectedArgv({ pathToken }));
if (testCase.expectedCmdText) {
expect(prepared.plan.commandText).toBe(testCase.expectedCmdText);
}
if (testCase.checkRawCommandMatchesArgv) {
expect(prepared.plan.commandText).toBe(formatExecCommand(prepared.plan.argv));
}
if ("expectedCommandPreview" in testCase) {
expect(prepared.plan.commandPreview ?? null).toBe(testCase.expectedCommandPreview);
}
return;
}
try {
if (testCase.mode === "build-plan") {
const prepared = buildSystemRunApprovalPlan({
command: testCase.argv,
cwd: tmp,
});
expect(prepared.ok).toBe(true);
if (!prepared.ok) {
throw new Error("unreachable");
}
expect(prepared.plan.argv).toEqual(testCase.expectedArgv({ pathToken }));
if (testCase.expectedCmdText) {
expect(prepared.plan.commandText).toBe(testCase.expectedCmdText);
}
if (testCase.checkRawCommandMatchesArgv) {
expect(prepared.plan.commandText).toBe(formatExecCommand(prepared.plan.argv));
}
if ("expectedCommandPreview" in testCase) {
expect(prepared.plan.commandPreview ?? null).toBe(testCase.expectedCommandPreview);
}
return;
}
const hardened = hardenApprovedExecutionPaths({
approvedByAsk: true,
argv: testCase.argv,
shellCommand: testCase.shellCommand ?? null,
cwd: tmp,
});
expect(hardened.ok).toBe(true);
if (!hardened.ok) {
throw new Error("unreachable");
}
expect(hardened.argv).toEqual(testCase.expectedArgv({ pathToken }));
if (typeof testCase.expectedArgvChanged === "boolean") {
expect(hardened.argvChanged).toBe(testCase.expectedArgvChanged);
}
} finally {
if (testCase.withPathToken) {
if (oldPath === undefined) {
delete process.env.PATH;
} else {
process.env.PATH = oldPath;
const hardened = hardenApprovedExecutionPaths({
approvedByAsk: true,
argv: testCase.argv,
shellCommand: testCase.shellCommand ?? null,
cwd: tmp,
});
expect(hardened.ok).toBe(true);
if (!hardened.ok) {
throw new Error("unreachable");
}
expect(hardened.argv).toEqual(testCase.expectedArgv({ pathToken }));
if (typeof testCase.expectedArgvChanged === "boolean") {
expect(hardened.argvChanged).toBe(testCase.expectedArgvChanged);
}
} finally {
if (testCase.withPathToken) {
if (oldPath === undefined) {
delete process.env.PATH;
} else {
process.env.PATH = oldPath;
}
}
}
}
});
}
});
@@ -776,39 +788,40 @@ describe("hardenApprovedExecutionPaths", () => {
},
];
it.each(mutableOperandCases)(
"captures mutable $name operands in approval plans",
(runtimeCase) => {
if (runtimeCase.skipOnWin32 && process.platform === "win32") {
return;
}
const binNames =
runtimeCase.binNames ??
(runtimeCase.binName ? [runtimeCase.binName] : ["bunx", "pnpm", "npm", "npx", "tsx"]);
withFakeRuntimeBins({
binNames,
run: () => {
withScriptOperandPlanFixture(
{
tmpPrefix: "openclaw-approval-script-plan-",
fixture: runtimeCase,
afterWrite: (fixture, tmp) => {
const executablePath = fixture.command[0];
if (executablePath?.endsWith("pnpm.js")) {
const shimPath = path.join(tmp, "pnpm.js");
fs.writeFileSync(shimPath, "#!/usr/bin/env node\nconsole.log('shim')\n");
fs.chmodSync(shimPath, 0o755);
}
it("captures mutable runtime operands in approval plans", () => {
for (const runtimeCase of mutableOperandCases) {
runNamedCase(runtimeCase.name, () => {
if (runtimeCase.skipOnWin32 && process.platform === "win32") {
return;
}
const binNames =
runtimeCase.binNames ??
(runtimeCase.binName ? [runtimeCase.binName] : ["bunx", "pnpm", "npm", "npx", "tsx"]);
withFakeRuntimeBins({
binNames,
run: () => {
withScriptOperandPlanFixture(
{
tmpPrefix: "openclaw-approval-script-plan-",
fixture: runtimeCase,
afterWrite: (fixture, tmp) => {
const executablePath = fixture.command[0];
if (executablePath?.endsWith("pnpm.js")) {
const shimPath = path.join(tmp, "pnpm.js");
fs.writeFileSync(shimPath, "#!/usr/bin/env node\nconsole.log('shim')\n");
fs.chmodSync(shimPath, 0o755);
}
},
},
},
(fixture, tmp) => {
expectMutableFileOperandApprovalPlan(fixture, tmp);
},
);
},
(fixture, tmp) => {
expectMutableFileOperandApprovalPlan(fixture, tmp);
},
);
},
});
});
},
);
}
});
it("captures mutable shell script operands in approval plans", () => {
withScriptOperandPlanFixture(
@@ -980,15 +993,19 @@ describe("hardenApprovedExecutionPaths", () => {
}
});
it.each(unsafeRuntimeInvocationCases)("$name", (testCase) => {
withFakeRuntimeBin({
binName: testCase.binName,
run: () => {
const tmp = createFixtureDir(testCase.tmpPrefix);
testCase.setup?.(tmp);
expectRuntimeApprovalDenied(testCase.command, tmp);
},
});
it("rejects unsafe runtime invocation forms", () => {
for (const testCase of unsafeRuntimeInvocationCases) {
runNamedCase(testCase.name, () => {
withFakeRuntimeBin({
binName: testCase.binName,
run: () => {
const tmp = createFixtureDir(testCase.tmpPrefix);
testCase.setup?.(tmp);
expectRuntimeApprovalDenied(testCase.command, tmp);
},
});
});
}
});
it("detects rewritten script operands for pnpm dlx approval plans", () => {