From 85c1ff6ea499b68458bd8a691597cc6ebea67e26 Mon Sep 17 00:00:00 2001 From: Peter Steinberger Date: Mon, 20 Apr 2026 19:09:46 +0100 Subject: [PATCH] perf(test): merge system run plan matrix tests --- src/node-host/invoke-system-run-plan.test.ts | 205 ++++++++++--------- 1 file changed, 111 insertions(+), 94 deletions(-) diff --git a/src/node-host/invoke-system-run-plan.test.ts b/src/node-host/invoke-system-run-plan.test.ts index 04da21e1d5a..7a6bd52d4e9 100644 --- a/src/node-host/invoke-system-run-plan.test.ts +++ b/src/node-host/invoke-system-run-plan.test.ts @@ -222,6 +222,14 @@ const DENIED_RUNTIME_APPROVAL = { message: "SYSTEM_RUN_DENIED: approval cannot safely bind this interpreter/runtime command", } as const; +function runNamedCase(name: string, run: () => void) { + try { + run(); + } catch (error) { + throw new Error(`case failed: ${name}`, { cause: error }); + } +} + function expectRuntimeApprovalDenied(command: string[], cwd: string) { const prepared = buildSystemRunApprovalPlan({ command, cwd }); expect(prepared).toEqual(DENIED_RUNTIME_APPROVAL); @@ -473,63 +481,67 @@ describe("hardenApprovedExecutionPaths", () => { }, ]; - it.runIf(process.platform !== "win32").each(cases)("$name", (testCase) => { - const tmp = createFixtureDir("openclaw-approval-hardening-"); - const oldPath = process.env.PATH; - let pathToken: PathTokenSetup | null = null; - if (testCase.withPathToken) { - const binDir = path.join(tmp, "bin"); - fs.mkdirSync(binDir, { recursive: true }); - const link = path.join(binDir, "poccmd"); - fs.symlinkSync("/bin/echo", link); - pathToken = { expected: fs.realpathSync(link) }; - process.env.PATH = `${binDir}${path.delimiter}${oldPath ?? ""}`; - } - try { - if (testCase.mode === "build-plan") { - const prepared = buildSystemRunApprovalPlan({ - command: testCase.argv, - cwd: tmp, - }); - expect(prepared.ok).toBe(true); - if (!prepared.ok) { - throw new Error("unreachable"); + it.runIf(process.platform !== "win32")("handles approval hardening cases", () => { + for (const testCase of cases) { + runNamedCase(testCase.name, () => { + const tmp = createFixtureDir("openclaw-approval-hardening-"); + const oldPath = process.env.PATH; + let pathToken: PathTokenSetup | null = null; + if (testCase.withPathToken) { + const binDir = path.join(tmp, "bin"); + fs.mkdirSync(binDir, { recursive: true }); + const link = path.join(binDir, "poccmd"); + fs.symlinkSync("/bin/echo", link); + pathToken = { expected: fs.realpathSync(link) }; + process.env.PATH = `${binDir}${path.delimiter}${oldPath ?? ""}`; } - expect(prepared.plan.argv).toEqual(testCase.expectedArgv({ pathToken })); - if (testCase.expectedCmdText) { - expect(prepared.plan.commandText).toBe(testCase.expectedCmdText); - } - if (testCase.checkRawCommandMatchesArgv) { - expect(prepared.plan.commandText).toBe(formatExecCommand(prepared.plan.argv)); - } - if ("expectedCommandPreview" in testCase) { - expect(prepared.plan.commandPreview ?? null).toBe(testCase.expectedCommandPreview); - } - return; - } + try { + if (testCase.mode === "build-plan") { + const prepared = buildSystemRunApprovalPlan({ + command: testCase.argv, + cwd: tmp, + }); + expect(prepared.ok).toBe(true); + if (!prepared.ok) { + throw new Error("unreachable"); + } + expect(prepared.plan.argv).toEqual(testCase.expectedArgv({ pathToken })); + if (testCase.expectedCmdText) { + expect(prepared.plan.commandText).toBe(testCase.expectedCmdText); + } + if (testCase.checkRawCommandMatchesArgv) { + expect(prepared.plan.commandText).toBe(formatExecCommand(prepared.plan.argv)); + } + if ("expectedCommandPreview" in testCase) { + expect(prepared.plan.commandPreview ?? null).toBe(testCase.expectedCommandPreview); + } + return; + } - const hardened = hardenApprovedExecutionPaths({ - approvedByAsk: true, - argv: testCase.argv, - shellCommand: testCase.shellCommand ?? null, - cwd: tmp, - }); - expect(hardened.ok).toBe(true); - if (!hardened.ok) { - throw new Error("unreachable"); - } - expect(hardened.argv).toEqual(testCase.expectedArgv({ pathToken })); - if (typeof testCase.expectedArgvChanged === "boolean") { - expect(hardened.argvChanged).toBe(testCase.expectedArgvChanged); - } - } finally { - if (testCase.withPathToken) { - if (oldPath === undefined) { - delete process.env.PATH; - } else { - process.env.PATH = oldPath; + const hardened = hardenApprovedExecutionPaths({ + approvedByAsk: true, + argv: testCase.argv, + shellCommand: testCase.shellCommand ?? null, + cwd: tmp, + }); + expect(hardened.ok).toBe(true); + if (!hardened.ok) { + throw new Error("unreachable"); + } + expect(hardened.argv).toEqual(testCase.expectedArgv({ pathToken })); + if (typeof testCase.expectedArgvChanged === "boolean") { + expect(hardened.argvChanged).toBe(testCase.expectedArgvChanged); + } + } finally { + if (testCase.withPathToken) { + if (oldPath === undefined) { + delete process.env.PATH; + } else { + process.env.PATH = oldPath; + } + } } - } + }); } }); @@ -776,39 +788,40 @@ describe("hardenApprovedExecutionPaths", () => { }, ]; - it.each(mutableOperandCases)( - "captures mutable $name operands in approval plans", - (runtimeCase) => { - if (runtimeCase.skipOnWin32 && process.platform === "win32") { - return; - } - const binNames = - runtimeCase.binNames ?? - (runtimeCase.binName ? [runtimeCase.binName] : ["bunx", "pnpm", "npm", "npx", "tsx"]); - withFakeRuntimeBins({ - binNames, - run: () => { - withScriptOperandPlanFixture( - { - tmpPrefix: "openclaw-approval-script-plan-", - fixture: runtimeCase, - afterWrite: (fixture, tmp) => { - const executablePath = fixture.command[0]; - if (executablePath?.endsWith("pnpm.js")) { - const shimPath = path.join(tmp, "pnpm.js"); - fs.writeFileSync(shimPath, "#!/usr/bin/env node\nconsole.log('shim')\n"); - fs.chmodSync(shimPath, 0o755); - } + it("captures mutable runtime operands in approval plans", () => { + for (const runtimeCase of mutableOperandCases) { + runNamedCase(runtimeCase.name, () => { + if (runtimeCase.skipOnWin32 && process.platform === "win32") { + return; + } + const binNames = + runtimeCase.binNames ?? + (runtimeCase.binName ? [runtimeCase.binName] : ["bunx", "pnpm", "npm", "npx", "tsx"]); + withFakeRuntimeBins({ + binNames, + run: () => { + withScriptOperandPlanFixture( + { + tmpPrefix: "openclaw-approval-script-plan-", + fixture: runtimeCase, + afterWrite: (fixture, tmp) => { + const executablePath = fixture.command[0]; + if (executablePath?.endsWith("pnpm.js")) { + const shimPath = path.join(tmp, "pnpm.js"); + fs.writeFileSync(shimPath, "#!/usr/bin/env node\nconsole.log('shim')\n"); + fs.chmodSync(shimPath, 0o755); + } + }, }, - }, - (fixture, tmp) => { - expectMutableFileOperandApprovalPlan(fixture, tmp); - }, - ); - }, + (fixture, tmp) => { + expectMutableFileOperandApprovalPlan(fixture, tmp); + }, + ); + }, + }); }); - }, - ); + } + }); it("captures mutable shell script operands in approval plans", () => { withScriptOperandPlanFixture( @@ -980,15 +993,19 @@ describe("hardenApprovedExecutionPaths", () => { } }); - it.each(unsafeRuntimeInvocationCases)("$name", (testCase) => { - withFakeRuntimeBin({ - binName: testCase.binName, - run: () => { - const tmp = createFixtureDir(testCase.tmpPrefix); - testCase.setup?.(tmp); - expectRuntimeApprovalDenied(testCase.command, tmp); - }, - }); + it("rejects unsafe runtime invocation forms", () => { + for (const testCase of unsafeRuntimeInvocationCases) { + runNamedCase(testCase.name, () => { + withFakeRuntimeBin({ + binName: testCase.binName, + run: () => { + const tmp = createFixtureDir(testCase.tmpPrefix); + testCase.setup?.(tmp); + expectRuntimeApprovalDenied(testCase.command, tmp); + }, + }); + }); + } }); it("detects rewritten script operands for pnpm dlx approval plans", () => {