refactor: share matched group policy evaluation

2026-04-30 21:40:20 +00:00 · 2026-03-07 23:39:04 +00:00
parent f319ec2dac
commit b0d9246768
8 changed files with 293 additions and 28 deletions
--- a/src/plugin-sdk/group-access.test.ts
+++ b/src/plugin-sdk/group-access.test.ts
@@ -1,6 +1,7 @@
 import { describe, expect, it } from "vitest";
 import {
  evaluateGroupRouteAccessForPolicy,
+  evaluateMatchedGroupAccessForPolicy,
  evaluateSenderGroupAccess,
  evaluateSenderGroupAccessForPolicy,
  resolveSenderScopedGroupPolicy,
@@ -120,6 +121,64 @@ describe("evaluateGroupRouteAccessForPolicy", () => {
  });
 });

+describe("evaluateMatchedGroupAccessForPolicy", () => {
+  it("blocks disabled policy", () => {
+    expect(
+      evaluateMatchedGroupAccessForPolicy({
+        groupPolicy: "disabled",
+        allowlistConfigured: true,
+        allowlistMatched: true,
+      }),
+    ).toEqual({
+      allowed: false,
+      groupPolicy: "disabled",
+      reason: "disabled",
+    });
+  });
+
+  it("blocks allowlist without configured entries", () => {
+    expect(
+      evaluateMatchedGroupAccessForPolicy({
+        groupPolicy: "allowlist",
+        allowlistConfigured: false,
+        allowlistMatched: false,
+      }),
+    ).toEqual({
+      allowed: false,
+      groupPolicy: "allowlist",
+      reason: "empty_allowlist",
+    });
+  });
+
+  it("blocks unmatched allowlist sender", () => {
+    expect(
+      evaluateMatchedGroupAccessForPolicy({
+        groupPolicy: "allowlist",
+        allowlistConfigured: true,
+        allowlistMatched: false,
+      }),
+    ).toEqual({
+      allowed: false,
+      groupPolicy: "allowlist",
+      reason: "not_allowlisted",
+    });
+  });
+
+  it("allows open policy", () => {
+    expect(
+      evaluateMatchedGroupAccessForPolicy({
+        groupPolicy: "open",
+        allowlistConfigured: false,
+        allowlistMatched: false,
+      }),
+    ).toEqual({
+      allowed: true,
+      groupPolicy: "open",
+      reason: "allowed",
+    });
+  });
+});
+
 describe("evaluateSenderGroupAccess", () => {
  it("defaults missing provider config to allowlist", () => {
    const decision = evaluateSenderGroupAccess({
--- a/src/plugin-sdk/group-access.ts
+++ b/src/plugin-sdk/group-access.ts
@@ -27,6 +27,18 @@ export type GroupRouteAccessDecision = {
  reason: GroupRouteAccessReason;
 };

+export type MatchedGroupAccessReason =
+  | "allowed"
+  | "disabled"
+  | "empty_allowlist"
+  | "not_allowlisted";
+
+export type MatchedGroupAccessDecision = {
+  allowed: boolean;
+  groupPolicy: GroupPolicy;
+  reason: MatchedGroupAccessReason;
+};
+
 export function resolveSenderScopedGroupPolicy(params: {
  groupPolicy: GroupPolicy;
  groupAllowFrom: string[];
@@ -83,6 +95,43 @@ export function evaluateGroupRouteAccessForPolicy(params: {
  };
 }

+export function evaluateMatchedGroupAccessForPolicy(params: {
+  groupPolicy: GroupPolicy;
+  allowlistConfigured: boolean;
+  allowlistMatched: boolean;
+}): MatchedGroupAccessDecision {
+  if (params.groupPolicy === "disabled") {
+    return {
+      allowed: false,
+      groupPolicy: params.groupPolicy,
+      reason: "disabled",
+    };
+  }
+
+  if (params.groupPolicy === "allowlist") {
+    if (!params.allowlistConfigured) {
+      return {
+        allowed: false,
+        groupPolicy: params.groupPolicy,
+        reason: "empty_allowlist",
+      };
+    }
+    if (!params.allowlistMatched) {
+      return {
+        allowed: false,
+        groupPolicy: params.groupPolicy,
+        reason: "not_allowlisted",
+      };
+    }
+  }
+
+  return {
+    allowed: true,
+    groupPolicy: params.groupPolicy,
+    reason: "allowed",
+  };
+}
+
 export function evaluateSenderGroupAccessForPolicy(params: {
  groupPolicy: GroupPolicy;
  providerMissingFallbackApplied?: boolean;
--- a/src/plugin-sdk/index.ts
+++ b/src/plugin-sdk/index.ts
@@ -280,11 +280,14 @@ export {
 } from "./allow-from.js";
 export {
  evaluateGroupRouteAccessForPolicy,
+  evaluateMatchedGroupAccessForPolicy,
  evaluateSenderGroupAccess,
  evaluateSenderGroupAccessForPolicy,
  resolveSenderScopedGroupPolicy,
  type GroupRouteAccessDecision,
  type GroupRouteAccessReason,
+  type MatchedGroupAccessDecision,
+  type MatchedGroupAccessReason,
  type SenderGroupAccessDecision,
  type SenderGroupAccessReason,
 } from "./group-access.js";
--- a/src/plugin-sdk/nextcloud-talk.ts
+++ b/src/plugin-sdk/nextcloud-talk.ts
@@ -37,6 +37,7 @@ export type { ChannelPlugin } from "../channels/plugins/types.plugin.js";
 export { createReplyPrefixOptions } from "../channels/reply-prefix.js";
 export type { OpenClawConfig } from "../config/config.js";
 export { mapAllowFromEntries } from "./channel-config-helpers.js";
+export { evaluateMatchedGroupAccessForPolicy } from "./group-access.js";
 export {
  GROUP_POLICY_BLOCKED_LABEL,
  resolveAllowlistProviderRuntimeGroupPolicy,
--- a/src/security/dm-policy-shared.test.ts
+++ b/src/security/dm-policy-shared.test.ts
@@ -388,6 +388,38 @@ describe("security/dm-policy-shared", () => {
  });

  for (const channel of channels) {
+    it(`[${channel}] blocks groups when group allowlist is empty`, () => {
+      const decision = resolveDmGroupAccessDecision({
+        isGroup: true,
+        dmPolicy: "pairing",
+        groupPolicy: "allowlist",
+        effectiveAllowFrom: ["owner"],
+        effectiveGroupAllowFrom: [],
+        isSenderAllowed: () => false,
+      });
+      expect(decision).toEqual({
+        decision: "block",
+        reasonCode: DM_GROUP_ACCESS_REASON.GROUP_POLICY_EMPTY_ALLOWLIST,
+        reason: "groupPolicy=allowlist (empty allowlist)",
+      });
+    });
+
+    it(`[${channel}] allows groups when group policy is open`, () => {
+      const decision = resolveDmGroupAccessDecision({
+        isGroup: true,
+        dmPolicy: "pairing",
+        groupPolicy: "open",
+        effectiveAllowFrom: ["owner"],
+        effectiveGroupAllowFrom: [],
+        isSenderAllowed: () => false,
+      });
+      expect(decision).toEqual({
+        decision: "allow",
+        reasonCode: DM_GROUP_ACCESS_REASON.GROUP_POLICY_ALLOWED,
+        reason: "groupPolicy=open",
+      });
+    });
+
    it(`[${channel}] blocks DM allowlist mode when allowlist is empty`, () => {
      const decision = resolveDmGroupAccessDecision({
        isGroup: false,
--- a/src/security/dm-policy-shared.ts
+++ b/src/security/dm-policy-shared.ts
@@ -2,6 +2,7 @@ import { mergeDmAllowFromSources, resolveGroupAllowFromSources } from "../channe
 import { resolveControlCommandGate } from "../channels/command-gating.js";
 import type { ChannelId } from "../channels/plugins/types.js";
 import { readChannelAllowFromStore } from "../pairing/pairing-store.js";
+import { evaluateMatchedGroupAccessForPolicy } from "../plugin-sdk/group-access.js";
 import { normalizeStringEntries } from "../shared/string-normalization.js";

 export function resolvePinnedMainDmOwnerFromAllowlist(params: {
@@ -118,22 +119,28 @@ export function resolveDmGroupAccessDecision(params: {
  const effectiveGroupAllowFrom = normalizeStringEntries(params.effectiveGroupAllowFrom);

  if (params.isGroup) {
-    if (groupPolicy === "disabled") {
-      return {
-        decision: "block",
-        reasonCode: DM_GROUP_ACCESS_REASON.GROUP_POLICY_DISABLED,
-        reason: "groupPolicy=disabled",
-      };
-    }
-    if (groupPolicy === "allowlist") {
-      if (effectiveGroupAllowFrom.length === 0) {
+    const groupAccess = evaluateMatchedGroupAccessForPolicy({
+      groupPolicy,
+      allowlistConfigured: effectiveGroupAllowFrom.length > 0,
+      allowlistMatched: params.isSenderAllowed(effectiveGroupAllowFrom),
+    });
+
+    if (!groupAccess.allowed) {
+      if (groupAccess.reason === "disabled") {
+        return {
+          decision: "block",
+          reasonCode: DM_GROUP_ACCESS_REASON.GROUP_POLICY_DISABLED,
+          reason: "groupPolicy=disabled",
+        };
+      }
+      if (groupAccess.reason === "empty_allowlist") {
        return {
          decision: "block",
          reasonCode: DM_GROUP_ACCESS_REASON.GROUP_POLICY_EMPTY_ALLOWLIST,
          reason: "groupPolicy=allowlist (empty allowlist)",
        };
      }
-      if (!params.isSenderAllowed(effectiveGroupAllowFrom)) {
+      if (groupAccess.reason === "not_allowlisted") {
        return {
          decision: "block",
          reasonCode: DM_GROUP_ACCESS_REASON.GROUP_POLICY_NOT_ALLOWLISTED,
@@ -141,6 +148,7 @@ export function resolveDmGroupAccessDecision(params: {
        };
      }
    }
+
    return {
      decision: "allow",
      reasonCode: DM_GROUP_ACCESS_REASON.GROUP_POLICY_ALLOWED,