test(extensions): move channel security coverage

2026-05-06 19:20:43 +00:00 · 2026-04-20 16:39:30 +01:00
parent db2678528d
commit a73bbe4bdd
13 changed files with 569 additions and 910 deletions
--- a/extensions/slack/src/security-audit.test.ts
+++ b/extensions/slack/src/security-audit.test.ts
@@ -0,0 +1,86 @@
+import { describe, expect, it, vi } from "vitest";
+import type { ResolvedSlackAccount } from "./accounts.js";
+import type { OpenClawConfig } from "./runtime-api.js";
+import { collectSlackSecurityAuditFindings } from "./security-audit.js";
+
+const { readChannelAllowFromStoreMock } = vi.hoisted(() => ({
+  readChannelAllowFromStoreMock: vi.fn(async () => [] as string[]),
+}));
+
+vi.mock("openclaw/plugin-sdk/conversation-runtime", () => ({
+  readChannelAllowFromStore: readChannelAllowFromStoreMock,
+}));
+
+function createSlackAccount(config: NonNullable<OpenClawConfig["channels"]>["slack"]) {
+  return {
+    accountId: "default",
+    enabled: true,
+    botToken: "xoxb-test",
+    botTokenSource: "config",
+    appTokenSource: "config",
+    config,
+  } as ResolvedSlackAccount;
+}
+
+describe("Slack security audit findings", () => {
+  it("flags slash commands without a channel users allowlist", async () => {
+    const cfg: OpenClawConfig = {
+      channels: {
+        slack: {
+          enabled: true,
+          botToken: "xoxb-test",
+          appToken: "xapp-test",
+          groupPolicy: "open",
+          slashCommand: { enabled: true },
+        },
+      },
+    };
+
+    readChannelAllowFromStoreMock.mockResolvedValue([]);
+    const findings = await collectSlackSecurityAuditFindings({
+      cfg,
+      account: createSlackAccount(cfg.channels!.slack),
+      accountId: "default",
+    });
+
+    expect(findings).toEqual(
+      expect.arrayContaining([
+        expect.objectContaining({
+          checkId: "channels.slack.commands.slash.no_allowlists",
+          severity: "warn",
+        }),
+      ]),
+    );
+  });
+
+  it("flags slash commands when access-group enforcement is disabled", async () => {
+    const cfg: OpenClawConfig = {
+      commands: { useAccessGroups: false },
+      channels: {
+        slack: {
+          enabled: true,
+          botToken: "xoxb-test",
+          appToken: "xapp-test",
+          groupPolicy: "open",
+          slashCommand: { enabled: true },
+        },
+      },
+    };
+
+    readChannelAllowFromStoreMock.mockResolvedValue([]);
+    const findings = await collectSlackSecurityAuditFindings({
+      cfg,
+      account: createSlackAccount(cfg.channels!.slack),
+      accountId: "default",
+    });
+
+    expect(findings).toEqual(
+      expect.arrayContaining([
+        expect.objectContaining({
+          checkId: "channels.slack.commands.slash.useAccessGroups_off",
+          severity: "critical",
+        }),
+      ]),
+    );
+  });
+});