vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-03-31 03:41:51 +00:00
Code Issues Packages Projects Releases Wiki Activity

Secrets: fix Matrix default-account password activity

Browse Source
This commit is contained in:
Gustavo Madeira Santana
2026-03-28 01:08:22 -04:00
parent 38c65b4096
commit e2a2492248
2 changed files with 97 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
src/secrets/runtime-config-collectors-channels.ts
View File

@@ -1,6 +1,7 @@
import type { OpenClawConfig } from "../config/config.js";
import { coerceSecretRef, resolveSecretInputRef } from "../config/types.secrets.js";
import { getMatrixScopedEnvVarNames } from "../plugin-sdk/matrix.js";
import { DEFAULT_ACCOUNT_ID, normalizeAccountId } from "../routing/account-id.js";
import { collectTtsApiKeyAssignments } from "./runtime-config-collectors-tts.js";
import {
collectSecretInputAssignment,
@@ -625,6 +626,11 @@ function collectMatrixAssignments(params: {
normalizeSecretStringValue(
params.context.env[getMatrixScopedEnvVarNames("default").accessToken],
).length > 0;
const defaultAccountAccessTokenConfigured = surface.accounts.some(
({ accountId, account }) =>
normalizeAccountId(accountId) === DEFAULT_ACCOUNT_ID &&
hasConfiguredSecretInputValue(account.accessToken, params.defaults),
);
const baseAccessTokenConfigured = hasConfiguredSecretInputValue(
matrix.accessToken,
params.defaults,
@@ -652,9 +658,11 @@ function collectMatrixAssignments(params: {
!(
baseAccessTokenConfigured ||
envAccessTokenConfigured ||
defaultScopedAccessTokenConfigured
defaultScopedAccessTokenConfigured ||
defaultAccountAccessTokenConfigured
),
inactiveReason: "Matrix channel is disabled or a top-level accessToken is configured.",
inactiveReason:
"Matrix channel is disabled or access-token auth is configured for the default Matrix account.",
apply: (value) => {
matrix.password = value;
},
@@ -689,7 +697,8 @@ function collectMatrixAssignments(params: {
params.context.env[getMatrixScopedEnvVarNames(accountId).accessToken],
).length > 0;
const inheritedDefaultAccountAccessTokenConfigured =
accountId === "default" && (baseAccessTokenConfigured || envAccessTokenConfigured);
normalizeAccountId(accountId) === DEFAULT_ACCOUNT_ID &&
(baseAccessTokenConfigured || envAccessTokenConfigured);
collectSecretInputAssignment({
value: account.password,
path: `channels.matrix.accounts.${accountId}.password`,

85
src/secrets/runtime.test.ts
View File

@@ -396,6 +396,91 @@ describe("secrets runtime snapshot", () => {
);
});
it.each([
{
name: "channels.matrix.accounts.default.accessToken config",
config: {
channels: {
matrix: {
password: {
source: "env",
provider: "default",
id: "MATRIX_PASSWORD",
},
accounts: {
default: {
accessToken: "default-token",
},
},
},
},
},
env: {},
},
{
name: "channels.matrix.accounts.default.accessToken SecretRef config",
config: {
channels: {
matrix: {
password: {
source: "env",
provider: "default",
id: "MATRIX_PASSWORD",
},
accounts: {
default: {
accessToken: {
source: "env",
provider: "default",
id: "MATRIX_DEFAULT_ACCESS_TOKEN_REF",
},
},
},
},
},
},
env: {
MATRIX_DEFAULT_ACCESS_TOKEN_REF: "default-token",
},
},
{
name: "MATRIX_DEFAULT_ACCESS_TOKEN env auth",
config: {
channels: {
matrix: {
password: {
source: "env",
provider: "default",
id: "MATRIX_PASSWORD",
},
},
},
},
env: {
MATRIX_DEFAULT_ACCESS_TOKEN: "default-token",
},
},
])("ignores top-level Matrix password refs shadowed by $name", async ({ config, env }) => {
const snapshot = await prepareSecretsRuntimeSnapshot({
config: asConfig(config),
env,
agentDirs: ["/tmp/openclaw-agent-main"],
loadAuthStore: () => ({ version: 1, profiles: {} }),
});
expect(snapshot.config.channels?.matrix?.password).toEqual({
source: "env",
provider: "default",
id: "MATRIX_PASSWORD",
});
expect(snapshot.warnings).toContainEqual(
expect.objectContaining({
code: "SECRETS_REF_IGNORED_INACTIVE_SURFACE",
path: "channels.matrix.password",
}),
);
});
it.each([
{
name: "top-level Matrix accessToken config",