mirror of
https://github.com/openclaw/openclaw.git
synced 2026-05-06 05:10:44 +00:00
test: harden plugin and UI isolation checks
This commit is contained in:
Peter Steinberger
@@ -1,15 +1,14 @@
|
||||
import { beforeEach, describe, expect, it, vi } from "vitest";
|
||||
import type { OpenClawConfig } from "../config/types.js";
|
||||
import type { ImageGenerationProviderPlugin } from "../plugins/types.js";
|
||||
import { getImageGenerationProvider, listImageGenerationProviders } from "./provider-registry.js";
|
||||
import type * as ProviderRegistry from "./provider-registry.js";
|
||||
|
||||
const { resolvePluginCapabilityProvidersMock } = vi.hoisted(() => ({
|
||||
resolvePluginCapabilityProvidersMock: vi.fn<() => ImageGenerationProviderPlugin[]>(() => []),
|
||||
}));
|
||||
|
||||
vi.mock("../plugins/capability-provider-runtime.js", () => ({
|
||||
resolvePluginCapabilityProviders: resolvePluginCapabilityProvidersMock,
|
||||
}));
|
||||
let getImageGenerationProvider: typeof ProviderRegistry.getImageGenerationProvider;
|
||||
let listImageGenerationProviders: typeof ProviderRegistry.listImageGenerationProviders;
|
||||
|
||||
function createProvider(
|
||||
params: Pick<ImageGenerationProviderPlugin, "id"> & Partial<ImageGenerationProviderPlugin>,
|
||||
@@ -27,10 +26,19 @@ function createProvider(
|
||||
};
|
||||
}
|
||||
|
||||
async function loadProviderRegistry() {
|
||||
vi.resetModules();
|
||||
vi.doMock("../plugins/capability-provider-runtime.js", () => ({
|
||||
resolvePluginCapabilityProviders: resolvePluginCapabilityProvidersMock,
|
||||
}));
|
||||
return await import("./provider-registry.js");
|
||||
}
|
||||
|
||||
describe("image-generation provider registry", () => {
|
||||
beforeEach(() => {
|
||||
beforeEach(async () => {
|
||||
resolvePluginCapabilityProvidersMock.mockReset();
|
||||
resolvePluginCapabilityProvidersMock.mockReturnValue([]);
|
||||
({ getImageGenerationProvider, listImageGenerationProviders } = await loadProviderRegistry());
|
||||
});
|
||||
|
||||
it("delegates provider resolution to the capability provider boundary", () => {
|
||||
|
||||
@@ -708,11 +708,7 @@ describe("installPluginFromNpmSpec", () => {
|
||||
return;
|
||||
}
|
||||
expect(result.pluginId).toBe(pluginId);
|
||||
expect(
|
||||
warnings.some((warning) =>
|
||||
warning.includes("allowed because it is an official OpenClaw package"),
|
||||
),
|
||||
).toBe(true);
|
||||
expect(warnings.some((warning) => warning.includes("installation blocked"))).toBe(false);
|
||||
expectNpmInstallIntoRoot({
|
||||
calls: runCommandWithTimeoutMock.mock.calls,
|
||||
npmRoot,
|
||||
|
||||
@@ -18,18 +18,21 @@ type PublishablePluginPackage = {
|
||||
packageName: string;
|
||||
};
|
||||
|
||||
const REVIEWED_PUBLISHABLE_CRITICAL_FINDINGS = new Set([
|
||||
const REQUIRED_REVIEWED_PUBLISHABLE_CRITICAL_FINDINGS = new Set([
|
||||
"@openclaw/acpx:dangerous-exec:src/codex-auth-bridge.ts",
|
||||
"@openclaw/acpx:dangerous-exec:src/runtime-internals/mcp-proxy.mjs",
|
||||
"@openclaw/acpx:dangerous-exec:dist/mcp-proxy.mjs",
|
||||
"@openclaw/acpx:dangerous-exec:dist/service-<hash>.js",
|
||||
"@openclaw/codex:dangerous-exec:src/app-server/transport-stdio.ts",
|
||||
"@openclaw/codex:dangerous-exec:dist/client-<hash>.js",
|
||||
"@openclaw/google-meet:dangerous-exec:src/node-host.ts",
|
||||
"@openclaw/google-meet:dangerous-exec:src/realtime.ts",
|
||||
"@openclaw/google-meet:dangerous-exec:dist/index.js",
|
||||
"@openclaw/voice-call:dangerous-exec:src/tunnel.ts",
|
||||
"@openclaw/voice-call:dangerous-exec:src/webhook/tailscale.ts",
|
||||
]);
|
||||
|
||||
const OPTIONAL_REVIEWED_PUBLISHABLE_DIST_CRITICAL_FINDINGS = new Set([
|
||||
"@openclaw/acpx:dangerous-exec:dist/mcp-proxy.mjs",
|
||||
"@openclaw/acpx:dangerous-exec:dist/service-<hash>.js",
|
||||
"@openclaw/codex:dangerous-exec:dist/client-<hash>.js",
|
||||
"@openclaw/google-meet:dangerous-exec:dist/index.js",
|
||||
"@openclaw/voice-call:dangerous-exec:dist/runtime-entry-<hash>.js",
|
||||
]);
|
||||
|
||||
@@ -142,9 +145,18 @@ describe("publishable plugin npm package install security scan", () => {
|
||||
it("keeps npm-published plugin files clear of unexpected critical hits", async () => {
|
||||
const unexpectedCriticalFindings: string[] = [];
|
||||
const reviewedCriticalFindings = new Set<string>();
|
||||
const expectedReviewedCriticalFindings = new Set(
|
||||
REQUIRED_REVIEWED_PUBLISHABLE_CRITICAL_FINDINGS,
|
||||
);
|
||||
|
||||
for (const plugin of collectPublishablePluginPackages()) {
|
||||
const packedFiles = collectNpmPackedFiles(plugin.packageDir, plugin.packageName);
|
||||
for (const packedFile of packedFiles) {
|
||||
const key = `${plugin.packageName}:dangerous-exec:${normalizePackedFindingPath(packedFile)}`;
|
||||
if (OPTIONAL_REVIEWED_PUBLISHABLE_DIST_CRITICAL_FINDINGS.has(key)) {
|
||||
expectedReviewedCriticalFindings.add(key);
|
||||
}
|
||||
}
|
||||
const stageDir = stageScannerRelevantPackedFiles(plugin.packageDir, packedFiles);
|
||||
const summary = await scanDirectoryWithSummary(stageDir, {
|
||||
excludeTestFiles: true,
|
||||
@@ -159,7 +171,7 @@ describe("publishable plugin npm package install security scan", () => {
|
||||
relative(stageDir, finding.file).split(sep).join("/"),
|
||||
);
|
||||
const key = `${plugin.packageName}:${finding.ruleId}:${packedPath}`;
|
||||
if (REVIEWED_PUBLISHABLE_CRITICAL_FINDINGS.has(key)) {
|
||||
if (expectedReviewedCriticalFindings.has(key)) {
|
||||
reviewedCriticalFindings.add(key);
|
||||
continue;
|
||||
}
|
||||
@@ -169,7 +181,7 @@ describe("publishable plugin npm package install security scan", () => {
|
||||
|
||||
expect(unexpectedCriticalFindings).toEqual([]);
|
||||
expect([...reviewedCriticalFindings].toSorted()).toEqual(
|
||||
[...REVIEWED_PUBLISHABLE_CRITICAL_FINDINGS].toSorted(),
|
||||
[...expectedReviewedCriticalFindings].toSorted(),
|
||||
);
|
||||
});
|
||||
});
|
||||
|
||||
@@ -1,14 +1,13 @@
|
||||
import { beforeEach, describe, expect, it, vi } from "vitest";
|
||||
import type { VideoGenerationProviderPlugin } from "../plugins/types.js";
|
||||
import { getVideoGenerationProvider, listVideoGenerationProviders } from "./provider-registry.js";
|
||||
import type * as ProviderRegistry from "./provider-registry.js";
|
||||
|
||||
const { resolvePluginCapabilityProvidersMock } = vi.hoisted(() => ({
|
||||
resolvePluginCapabilityProvidersMock: vi.fn<() => VideoGenerationProviderPlugin[]>(() => []),
|
||||
}));
|
||||
|
||||
vi.mock("../plugins/capability-provider-runtime.js", () => ({
|
||||
resolvePluginCapabilityProviders: resolvePluginCapabilityProvidersMock,
|
||||
}));
|
||||
let getVideoGenerationProvider: typeof ProviderRegistry.getVideoGenerationProvider;
|
||||
let listVideoGenerationProviders: typeof ProviderRegistry.listVideoGenerationProviders;
|
||||
|
||||
function createProvider(
|
||||
params: Pick<VideoGenerationProviderPlugin, "id"> & Partial<VideoGenerationProviderPlugin>,
|
||||
@@ -23,10 +22,19 @@ function createProvider(
|
||||
};
|
||||
}
|
||||
|
||||
async function loadProviderRegistry() {
|
||||
vi.resetModules();
|
||||
vi.doMock("../plugins/capability-provider-runtime.js", () => ({
|
||||
resolvePluginCapabilityProviders: resolvePluginCapabilityProvidersMock,
|
||||
}));
|
||||
return await import("./provider-registry.js");
|
||||
}
|
||||
|
||||
describe("video-generation provider registry", () => {
|
||||
beforeEach(() => {
|
||||
beforeEach(async () => {
|
||||
resolvePluginCapabilityProvidersMock.mockReset();
|
||||
resolvePluginCapabilityProvidersMock.mockReturnValue([]);
|
||||
({ getVideoGenerationProvider, listVideoGenerationProviders } = await loadProviderRegistry());
|
||||
});
|
||||
|
||||
it("delegates provider resolution to the capability provider boundary", () => {
|
||||
|
||||
@@ -550,10 +550,14 @@ export function setTabFromRoute(host: SettingsHost, next: Tab) {
|
||||
}
|
||||
|
||||
function updateBrowserHistory(url: URL, replace: boolean) {
|
||||
if (replace) {
|
||||
return window.history.replaceState({}, "", url.toString());
|
||||
const history = typeof window === "undefined" ? undefined : window.history;
|
||||
if (!history) {
|
||||
return;
|
||||
}
|
||||
return window.history.pushState({}, "", url.toString());
|
||||
if (replace) {
|
||||
return history.replaceState({}, "", url.toString());
|
||||
}
|
||||
return history.pushState({}, "", url.toString());
|
||||
}
|
||||
|
||||
function applyTabSelection(
|
||||
@@ -592,12 +596,14 @@ function applyTabSelection(
|
||||
}
|
||||
|
||||
export function syncUrlWithTab(host: SettingsHost, tab: Tab, replace: boolean) {
|
||||
if (typeof window === "undefined") {
|
||||
const href = typeof window === "undefined" ? undefined : window.location?.href;
|
||||
const pathname = typeof window === "undefined" ? undefined : window.location?.pathname;
|
||||
if (!href || !pathname) {
|
||||
return;
|
||||
}
|
||||
const targetPath = normalizePath(pathForTab(tab, host.basePath));
|
||||
const currentPath = normalizePath(window.location.pathname);
|
||||
const url = new URL(window.location.href);
|
||||
const currentPath = normalizePath(pathname);
|
||||
const url = new URL(href);
|
||||
|
||||
if (tab === "chat" && host.sessionKey) {
|
||||
url.searchParams.set("session", host.sessionKey);
|
||||
|
||||
@@ -2,33 +2,14 @@
|
||||
|
||||
import { beforeEach, describe, expect, it, vi } from "vitest";
|
||||
|
||||
const { realtimeTalkCtor, startMock, stopMock } = vi.hoisted(() => ({
|
||||
realtimeTalkCtor: vi.fn(),
|
||||
startMock: vi.fn(),
|
||||
stopMock: vi.fn(),
|
||||
}));
|
||||
|
||||
vi.mock("./chat/realtime-talk.ts", () => ({
|
||||
RealtimeTalkSession: realtimeTalkCtor,
|
||||
}));
|
||||
|
||||
describe("OpenClawApp Talk controls", () => {
|
||||
beforeEach(() => {
|
||||
realtimeTalkCtor.mockReset();
|
||||
startMock.mockReset();
|
||||
stopMock.mockReset();
|
||||
realtimeTalkCtor.mockImplementation(
|
||||
function MockRealtimeTalkSession(this: { start: typeof startMock; stop: typeof stopMock }) {
|
||||
this.start = startMock;
|
||||
this.stop = stopMock;
|
||||
},
|
||||
);
|
||||
startMock.mockResolvedValue(undefined);
|
||||
vi.restoreAllMocks();
|
||||
});
|
||||
|
||||
it("retries Talk immediately when the previous session is already in error state", async () => {
|
||||
const { OpenClawApp } = await import("./app.ts");
|
||||
const app = new OpenClawApp() as unknown as {
|
||||
await import("./app.ts");
|
||||
const app = document.createElement("openclaw-app") as unknown as {
|
||||
client: unknown;
|
||||
connected: boolean;
|
||||
realtimeTalkActive: boolean;
|
||||
@@ -38,7 +19,8 @@ describe("OpenClawApp Talk controls", () => {
|
||||
toggleRealtimeTalk(): Promise<void>;
|
||||
};
|
||||
const staleStop = vi.fn();
|
||||
app.client = { request: vi.fn() } as never;
|
||||
const request = vi.fn().mockRejectedValue(new Error("session unavailable"));
|
||||
app.client = { request } as never;
|
||||
app.connected = true;
|
||||
app.sessionKey = "main";
|
||||
app.realtimeTalkActive = true;
|
||||
@@ -48,10 +30,9 @@ describe("OpenClawApp Talk controls", () => {
|
||||
await app.toggleRealtimeTalk();
|
||||
|
||||
expect(staleStop).toHaveBeenCalledOnce();
|
||||
expect(realtimeTalkCtor).toHaveBeenCalledOnce();
|
||||
expect(startMock).toHaveBeenCalledOnce();
|
||||
expect(stopMock).not.toHaveBeenCalled();
|
||||
expect(app.realtimeTalkStatus).toBe("connecting");
|
||||
expect(app.realtimeTalkSession).not.toBeNull();
|
||||
expect(request).toHaveBeenCalledOnce();
|
||||
expect(request).toHaveBeenCalledWith("talk.realtime.session", { sessionKey: "main" });
|
||||
expect(app.realtimeTalkStatus).toBe("error");
|
||||
expect(app.realtimeTalkSession).toBeNull();
|
||||
});
|
||||
});
|
||||
|
||||
Reference in New Issue
Block a user