refactor: centralize channel ingress access
@@ -5,17 +5,20 @@ import {
|
||||
} from "../auto-reply/command-status-builders.js";
|
||||
import type { ChannelId } from "../channels/plugins/types.public.js";
|
||||
import type { OpenClawConfig } from "../config/types.openclaw.js";
|
||||
import { resolveDmGroupAccessWithLists } from "../security/dm-policy-shared.js";
|
||||
import {
|
||||
expandAllowFromWithAccessGroups,
|
||||
type AccessGroupMembershipResolver,
|
||||
} from "./access-groups.js";
|
||||
import { resolveDmGroupAccessWithLists } from "./channel-access-compat.js";
|
||||
export {
|
||||
ACCESS_GROUP_ALLOW_FROM_PREFIX,
|
||||
expandAllowFromWithAccessGroups,
|
||||
parseAccessGroupAllowFromEntry,
|
||||
resolveAccessGroupAllowFromMatches,
|
||||
resolveAccessGroupAllowFromState,
|
||||
type AccessGroupMembershipResolver,
|
||||
type AccessGroupMembershipLookup,
|
||||
type ResolvedAccessGroupAllowFromState,
|
||||
} from "./access-groups.js";
|
||||
export { buildCommandsPaginationKeyboard } from "./telegram-command-ui.js";
|
||||
export {
|
||||
@@ -100,6 +103,7 @@ export type { ModelsProviderData } from "../auto-reply/reply/commands-models.js"
|
||||
export { resolveStoredModelOverride } from "../auto-reply/reply/stored-model-override.js";
|
||||
export type { StoredModelOverride } from "../auto-reply/reply/stored-model-override.js";
|
||||
|
||||
/** @deprecated Use `resolveChannelMessageIngress` from `openclaw/plugin-sdk/channel-ingress-runtime`. */
|
||||
export type ResolveSenderCommandAuthorizationParams = {
|
||||
cfg: OpenClawConfig;
|
||||
rawBody: string;
|
||||
@@ -114,12 +118,14 @@ export type ResolveSenderCommandAuthorizationParams = {
|
||||
resolveAccessGroupMembership?: AccessGroupMembershipResolver;
|
||||
readAllowFromStore: () => Promise<string[]>;
|
||||
shouldComputeCommandAuthorized: (rawBody: string, cfg: OpenClawConfig) => boolean;
|
||||
resolveCommandAuthorizedFromAuthorizers: (params: {
|
||||
/** @deprecated Command authorization is resolved by channel ingress. Kept for runtime injection compatibility. */
|
||||
resolveCommandAuthorizedFromAuthorizers?: (params: {
|
||||
useAccessGroups: boolean;
|
||||
authorizers: Array<{ configured: boolean; allowed: boolean }>;
|
||||
}) => boolean;
|
||||
};
|
||||
|
||||
/** @deprecated Use `resolveChannelMessageIngress` from `openclaw/plugin-sdk/channel-ingress-runtime`. */
|
||||
export type CommandAuthorizationRuntime = {
|
||||
shouldComputeCommandAuthorized: (rawBody: string, cfg: OpenClawConfig) => boolean;
|
||||
resolveCommandAuthorizedFromAuthorizers: (params: {
|
||||
@@ -128,6 +134,7 @@ export type CommandAuthorizationRuntime = {
|
||||
}) => boolean;
|
||||
};
|
||||
|
||||
/** @deprecated Use `resolveChannelMessageIngress` from `openclaw/plugin-sdk/channel-ingress-runtime`. */
|
||||
export type ResolveSenderCommandAuthorizationWithRuntimeParams = Omit<
|
||||
ResolveSenderCommandAuthorizationParams,
|
||||
"shouldComputeCommandAuthorized" | "resolveCommandAuthorizedFromAuthorizers"
|
||||
@@ -135,7 +142,7 @@ export type ResolveSenderCommandAuthorizationWithRuntimeParams = Omit<
|
||||
runtime: CommandAuthorizationRuntime;
|
||||
};
|
||||
|
||||
/** Fast-path DM command authorization when only policy and sender allowlist state matter. */
|
||||
/** @deprecated Use `resolveChannelMessageIngress` from `openclaw/plugin-sdk/channel-ingress-runtime`. */
|
||||
export function resolveDirectDmAuthorizationOutcome(params: {
|
||||
isGroup: boolean;
|
||||
dmPolicy: string;
|
||||
@@ -153,7 +160,7 @@ export function resolveDirectDmAuthorizationOutcome(params: {
|
||||
return "allowed";
|
||||
}
|
||||
|
||||
/** Runtime-backed wrapper around sender command authorization for grouped helper surfaces. */
|
||||
/** @deprecated Use `resolveChannelMessageIngress` from `openclaw/plugin-sdk/channel-ingress-runtime`. */
|
||||
export async function resolveSenderCommandAuthorizationWithRuntime(
|
||||
params: ResolveSenderCommandAuthorizationWithRuntimeParams,
|
||||
): ReturnType<typeof resolveSenderCommandAuthorization> {
|
||||
@@ -164,7 +171,7 @@ export async function resolveSenderCommandAuthorizationWithRuntime(
|
||||
});
|
||||
}
|
||||
|
||||
/** Compute effective allowlists and command authorization for one inbound sender. */
|
||||
/** @deprecated Use `resolveChannelMessageIngress` from `openclaw/plugin-sdk/channel-ingress-runtime`. */
|
||||
export async function resolveSenderCommandAuthorization(
|
||||
params: ResolveSenderCommandAuthorizationParams,
|
||||
): Promise<{
|
||||
@@ -236,13 +243,13 @@ export async function resolveSenderCommandAuthorization(
|
||||
const ownerAllowedForCommands = params.isSenderAllowed(params.senderId, effectiveAllowFrom);
|
||||
const groupAllowedForCommands = params.isSenderAllowed(params.senderId, effectiveGroupAllowFrom);
|
||||
const commandAuthorized = shouldComputeAuth
|
||||
? params.resolveCommandAuthorizedFromAuthorizers({
|
||||
? (params.resolveCommandAuthorizedFromAuthorizers?.({
|
||||
useAccessGroups,
|
||||
authorizers: [
|
||||
{ configured: effectiveAllowFrom.length > 0, allowed: ownerAllowedForCommands },
|
||||
{ configured: effectiveGroupAllowFrom.length > 0, allowed: groupAllowedForCommands },
|
||||
],
|
||||
})
|
||||
}) ?? senderAllowedForCommands)
|
||||
: undefined;
|
||||
|
||||
return {
|
||||
|
||||
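Review bot: In the last hunk, the new `?? senderAllowedForCommands` fallback makes the command-authorization result depend on whether the caller still injects `resolveCommandAuthorizedFromAuthorizers`, and the fallback path does not consult `useAccessGroups` or the per-authorizer `configured` flags that the resolver receives. `senderAllowedForCommands` is computed outside this hunk, so it cannot be confirmed from here that it denies when neither allowlist is configured; if it can be true in that case, omitting the now-optional callback would authorize commands that the injected resolver would have refused. I would document the contract directly above the ternary, for example `// No injected resolver: fall back to senderAllowedForCommands, which must fail closed when no allowlist is configured.`, and add a test that calls the function without the callback for a sender on neither list. The body of `resolveSenderCommandAuthorization` starts and ends outside the hunk, and `CommandAuthorizationRuntime` still declares the callback as required, so the two parameter types now disagree on whether it may be absent.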