vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-03-12 07:20:45 +00:00
Code Issues Packages Projects Releases Wiki Activity

refactor(security): centralize channel allowlist auth policy

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-26 13:06:27 +01:00
parent eac86c2081
commit 892a9c24b0
12 changed files with 137 additions and 90 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
extensions/irc/src/inbound.policy.test.ts
View File

@@ -7,6 +7,7 @@ describe("irc inbound policy", () => {
configAllowFrom: ["owner"],
configGroupAllowFrom: [],
storeAllowList: ["paired-user"],
dmPolicy: "pairing",
});
expect(resolved.effectiveAllowFrom).toEqual(["owner", "paired-user"]);
@@ -17,6 +18,7 @@ describe("irc inbound policy", () => {
configAllowFrom: ["owner"],
configGroupAllowFrom: ["group-owner"],
storeAllowList: ["paired-user"],
dmPolicy: "pairing",
});
expect(resolved.effectiveGroupAllowFrom).toEqual(["group-owner"]);
@@ -27,6 +29,7 @@ describe("irc inbound policy", () => {
configAllowFrom: ["owner"],
configGroupAllowFrom: [],
storeAllowList: ["paired-user"],
dmPolicy: "pairing",
});
expect(resolved.effectiveGroupAllowFrom).toEqual([]);

14
extensions/irc/src/inbound.ts
View File

@@ -9,6 +9,7 @@ import {
resolveOutboundMediaUrls,
resolveAllowlistProviderRuntimeGroupPolicy,
resolveDefaultGroupPolicy,
resolveEffectiveAllowFromLists,
warnMissingProviderGroupPolicyFallbackOnce,
type OutboundReplyPayload,
type OpenClawConfig,
@@ -35,13 +36,19 @@ function resolveIrcEffectiveAllowlists(params: {
configAllowFrom: string[];
configGroupAllowFrom: string[];
storeAllowList: string[];
dmPolicy: string;
}): {
effectiveAllowFrom: string[];
effectiveGroupAllowFrom: string[];
} {
const effectiveAllowFrom = [...params.configAllowFrom, ...params.storeAllowList].filter(Boolean);
// Pairing-store entries are DM approvals and must not widen group sender authorization.
const effectiveGroupAllowFrom = [...params.configGroupAllowFrom].filter(Boolean);
const { effectiveAllowFrom, effectiveGroupAllowFrom } = resolveEffectiveAllowFromLists({
allowFrom: params.configAllowFrom,
groupAllowFrom: params.configGroupAllowFrom,
storeAllowFrom: params.storeAllowList,
dmPolicy: params.dmPolicy,
// IRC intentionally requires explicit groupAllowFrom; do not fallback to allowFrom.
groupAllowFromFallbackToAllowFrom: false,
});
return { effectiveAllowFrom, effectiveGroupAllowFrom };
}
@@ -141,6 +148,7 @@ export async function handleIrcInbound(params: {
configAllowFrom,
configGroupAllowFrom,
storeAllowList,
dmPolicy,
});
const allowTextCommands = core.channel.commands.shouldHandleTextCommands({