mirror of
https://github.com/openclaw/openclaw.git
synced 2026-05-06 13:00:44 +00:00
test: harden plugin and UI isolation checks
This commit is contained in:
Peter Steinberger
@@ -1,15 +1,14 @@
|
||||
import { beforeEach, describe, expect, it, vi } from "vitest";
|
||||
import type { OpenClawConfig } from "../config/types.js";
|
||||
import type { ImageGenerationProviderPlugin } from "../plugins/types.js";
|
||||
import { getImageGenerationProvider, listImageGenerationProviders } from "./provider-registry.js";
|
||||
import type * as ProviderRegistry from "./provider-registry.js";
|
||||
|
||||
const { resolvePluginCapabilityProvidersMock } = vi.hoisted(() => ({
|
||||
resolvePluginCapabilityProvidersMock: vi.fn<() => ImageGenerationProviderPlugin[]>(() => []),
|
||||
}));
|
||||
|
||||
vi.mock("../plugins/capability-provider-runtime.js", () => ({
|
||||
resolvePluginCapabilityProviders: resolvePluginCapabilityProvidersMock,
|
||||
}));
|
||||
let getImageGenerationProvider: typeof ProviderRegistry.getImageGenerationProvider;
|
||||
let listImageGenerationProviders: typeof ProviderRegistry.listImageGenerationProviders;
|
||||
|
||||
function createProvider(
|
||||
params: Pick<ImageGenerationProviderPlugin, "id"> & Partial<ImageGenerationProviderPlugin>,
|
||||
@@ -27,10 +26,19 @@ function createProvider(
|
||||
};
|
||||
}
|
||||
|
||||
async function loadProviderRegistry() {
|
||||
vi.resetModules();
|
||||
vi.doMock("../plugins/capability-provider-runtime.js", () => ({
|
||||
resolvePluginCapabilityProviders: resolvePluginCapabilityProvidersMock,
|
||||
}));
|
||||
return await import("./provider-registry.js");
|
||||
}
|
||||
|
||||
describe("image-generation provider registry", () => {
|
||||
beforeEach(() => {
|
||||
beforeEach(async () => {
|
||||
resolvePluginCapabilityProvidersMock.mockReset();
|
||||
resolvePluginCapabilityProvidersMock.mockReturnValue([]);
|
||||
({ getImageGenerationProvider, listImageGenerationProviders } = await loadProviderRegistry());
|
||||
});
|
||||
|
||||
it("delegates provider resolution to the capability provider boundary", () => {
|
||||
|
||||
@@ -708,11 +708,7 @@ describe("installPluginFromNpmSpec", () => {
|
||||
return;
|
||||
}
|
||||
expect(result.pluginId).toBe(pluginId);
|
||||
expect(
|
||||
warnings.some((warning) =>
|
||||
warning.includes("allowed because it is an official OpenClaw package"),
|
||||
),
|
||||
).toBe(true);
|
||||
expect(warnings.some((warning) => warning.includes("installation blocked"))).toBe(false);
|
||||
expectNpmInstallIntoRoot({
|
||||
calls: runCommandWithTimeoutMock.mock.calls,
|
||||
npmRoot,
|
||||
|
||||
@@ -18,18 +18,21 @@ type PublishablePluginPackage = {
|
||||
packageName: string;
|
||||
};
|
||||
|
||||
const REVIEWED_PUBLISHABLE_CRITICAL_FINDINGS = new Set([
|
||||
const REQUIRED_REVIEWED_PUBLISHABLE_CRITICAL_FINDINGS = new Set([
|
||||
"@openclaw/acpx:dangerous-exec:src/codex-auth-bridge.ts",
|
||||
"@openclaw/acpx:dangerous-exec:src/runtime-internals/mcp-proxy.mjs",
|
||||
"@openclaw/acpx:dangerous-exec:dist/mcp-proxy.mjs",
|
||||
"@openclaw/acpx:dangerous-exec:dist/service-<hash>.js",
|
||||
"@openclaw/codex:dangerous-exec:src/app-server/transport-stdio.ts",
|
||||
"@openclaw/codex:dangerous-exec:dist/client-<hash>.js",
|
||||
"@openclaw/google-meet:dangerous-exec:src/node-host.ts",
|
||||
"@openclaw/google-meet:dangerous-exec:src/realtime.ts",
|
||||
"@openclaw/google-meet:dangerous-exec:dist/index.js",
|
||||
"@openclaw/voice-call:dangerous-exec:src/tunnel.ts",
|
||||
"@openclaw/voice-call:dangerous-exec:src/webhook/tailscale.ts",
|
||||
]);
|
||||
|
||||
const OPTIONAL_REVIEWED_PUBLISHABLE_DIST_CRITICAL_FINDINGS = new Set([
|
||||
"@openclaw/acpx:dangerous-exec:dist/mcp-proxy.mjs",
|
||||
"@openclaw/acpx:dangerous-exec:dist/service-<hash>.js",
|
||||
"@openclaw/codex:dangerous-exec:dist/client-<hash>.js",
|
||||
"@openclaw/google-meet:dangerous-exec:dist/index.js",
|
||||
"@openclaw/voice-call:dangerous-exec:dist/runtime-entry-<hash>.js",
|
||||
]);
|
||||
|
||||
@@ -142,9 +145,18 @@ describe("publishable plugin npm package install security scan", () => {
|
||||
it("keeps npm-published plugin files clear of unexpected critical hits", async () => {
|
||||
const unexpectedCriticalFindings: string[] = [];
|
||||
const reviewedCriticalFindings = new Set<string>();
|
||||
const expectedReviewedCriticalFindings = new Set(
|
||||
REQUIRED_REVIEWED_PUBLISHABLE_CRITICAL_FINDINGS,
|
||||
);
|
||||
|
||||
for (const plugin of collectPublishablePluginPackages()) {
|
||||
const packedFiles = collectNpmPackedFiles(plugin.packageDir, plugin.packageName);
|
||||
for (const packedFile of packedFiles) {
|
||||
const key = `${plugin.packageName}:dangerous-exec:${normalizePackedFindingPath(packedFile)}`;
|
||||
if (OPTIONAL_REVIEWED_PUBLISHABLE_DIST_CRITICAL_FINDINGS.has(key)) {
|
||||
expectedReviewedCriticalFindings.add(key);
|
||||
}
|
||||
}
|
||||
const stageDir = stageScannerRelevantPackedFiles(plugin.packageDir, packedFiles);
|
||||
const summary = await scanDirectoryWithSummary(stageDir, {
|
||||
excludeTestFiles: true,
|
||||
@@ -159,7 +171,7 @@ describe("publishable plugin npm package install security scan", () => {
|
||||
relative(stageDir, finding.file).split(sep).join("/"),
|
||||
);
|
||||
const key = `${plugin.packageName}:${finding.ruleId}:${packedPath}`;
|
||||
if (REVIEWED_PUBLISHABLE_CRITICAL_FINDINGS.has(key)) {
|
||||
if (expectedReviewedCriticalFindings.has(key)) {
|
||||
reviewedCriticalFindings.add(key);
|
||||
continue;
|
||||
}
|
||||
@@ -169,7 +181,7 @@ describe("publishable plugin npm package install security scan", () => {
|
||||
|
||||
expect(unexpectedCriticalFindings).toEqual([]);
|
||||
expect([...reviewedCriticalFindings].toSorted()).toEqual(
|
||||
[...REVIEWED_PUBLISHABLE_CRITICAL_FINDINGS].toSorted(),
|
||||
[...expectedReviewedCriticalFindings].toSorted(),
|
||||
);
|
||||
});
|
||||
});
|
||||
|
||||
@@ -1,14 +1,13 @@
|
||||
import { beforeEach, describe, expect, it, vi } from "vitest";
|
||||
import type { VideoGenerationProviderPlugin } from "../plugins/types.js";
|
||||
import { getVideoGenerationProvider, listVideoGenerationProviders } from "./provider-registry.js";
|
||||
import type * as ProviderRegistry from "./provider-registry.js";
|
||||
|
||||
const { resolvePluginCapabilityProvidersMock } = vi.hoisted(() => ({
|
||||
resolvePluginCapabilityProvidersMock: vi.fn<() => VideoGenerationProviderPlugin[]>(() => []),
|
||||
}));
|
||||
|
||||
vi.mock("../plugins/capability-provider-runtime.js", () => ({
|
||||
resolvePluginCapabilityProviders: resolvePluginCapabilityProvidersMock,
|
||||
}));
|
||||
let getVideoGenerationProvider: typeof ProviderRegistry.getVideoGenerationProvider;
|
||||
let listVideoGenerationProviders: typeof ProviderRegistry.listVideoGenerationProviders;
|
||||
|
||||
function createProvider(
|
||||
params: Pick<VideoGenerationProviderPlugin, "id"> & Partial<VideoGenerationProviderPlugin>,
|
||||
@@ -23,10 +22,19 @@ function createProvider(
|
||||
};
|
||||
}
|
||||
|
||||
async function loadProviderRegistry() {
|
||||
vi.resetModules();
|
||||
vi.doMock("../plugins/capability-provider-runtime.js", () => ({
|
||||
resolvePluginCapabilityProviders: resolvePluginCapabilityProvidersMock,
|
||||
}));
|
||||
return await import("./provider-registry.js");
|
||||
}
|
||||
|
||||
describe("video-generation provider registry", () => {
|
||||
beforeEach(() => {
|
||||
beforeEach(async () => {
|
||||
resolvePluginCapabilityProvidersMock.mockReset();
|
||||
resolvePluginCapabilityProvidersMock.mockReturnValue([]);
|
||||
({ getVideoGenerationProvider, listVideoGenerationProviders } = await loadProviderRegistry());
|
||||
});
|
||||
|
||||
it("delegates provider resolution to the capability provider boundary", () => {
|
||||
|
||||
Reference in New Issue
Block a user