vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-01 01:40:24 +00:00
Code Issues Packages Projects Releases Wiki Activity

test: dedupe secrets and guardrail fixtures

Browse Source
This commit is contained in:
Peter Steinberger
2026-03-26 17:39:58 +00:00
parent d3d8e316bd
commit e7e4fbcab9
3 changed files with 220 additions and 312 deletions
Download Patch File Download Diff File Expand all files Collapse all files

208
src/secrets/runtime.integration.test.ts
View File

@@ -22,6 +22,11 @@ import {
vi.unmock("../version.js");
const OPENAI_ENV_KEY_REF = { source: "env", provider: "default", id: "OPENAI_API_KEY" } as const;
const OPENAI_FILE_KEY_REF = {
source: "file",
provider: "default",
id: "/providers/openai/apiKey",
} as const;
const allowInsecureTempSecretFile = process.platform === "win32";
function asConfig(value: unknown): OpenClawConfig {
@@ -35,6 +40,77 @@ function loadAuthStoreWithProfiles(profiles: AuthProfileStore["profiles"]): Auth
};
}
async function createOpenAIFileRuntimeFixture(home: string) {
const configDir = path.join(home, ".openclaw");
const secretFile = path.join(configDir, "secrets.json");
const agentDir = path.join(configDir, "agents", "main", "agent");
const authStorePath = path.join(agentDir, "auth-profiles.json");
await fs.mkdir(agentDir, { recursive: true });
await fs.chmod(configDir, 0o700).catch(() => {});
await fs.writeFile(
secretFile,
`${JSON.stringify({ providers: { openai: { apiKey: "sk-file-runtime" } } }, null, 2)}\n`,
{ encoding: "utf8", mode: 0o600 },
);
await fs.writeFile(
authStorePath,
`${JSON.stringify(
{
version: 1,
profiles: {
"openai:default": {
type: "api_key",
provider: "openai",
keyRef: OPENAI_FILE_KEY_REF,
},
},
},
null,
2,
)}\n`,
{ encoding: "utf8", mode: 0o600 },
);
return {
configDir,
secretFile,
agentDir,
};
}
function createOpenAIFileRuntimeConfig(secretFile: string): OpenClawConfig {
return asConfig({
secrets: {
providers: {
default: {
source: "file",
path: secretFile,
mode: "json",
...(allowInsecureTempSecretFile ? { allowInsecurePath: true } : {}),
},
},
},
models: {
providers: {
openai: {
baseUrl: "https://api.openai.com/v1",
apiKey: OPENAI_FILE_KEY_REF,
models: [],
},
},
},
});
}
function expectResolvedOpenAIRuntime(agentDir: string) {
expect(loadConfig().models?.providers?.openai?.apiKey).toBe("sk-file-runtime");
expect(ensureAuthProfileStore(agentDir).profiles["openai:default"]).toMatchObject({
type: "api_key",
key: "sk-file-runtime",
});
}
describe("secrets runtime snapshot integration", () => {
let envSnapshot: ReturnType<typeof captureEnv>;
@@ -106,68 +182,16 @@ describe("secrets runtime snapshot integration", () => {
return;
}
await withTempHome("openclaw-secrets-runtime-write-", async (home) => {
const configDir = path.join(home, ".openclaw");
const secretFile = path.join(configDir, "secrets.json");
const agentDir = path.join(configDir, "agents", "main", "agent");
const authStorePath = path.join(agentDir, "auth-profiles.json");
await fs.mkdir(agentDir, { recursive: true });
await fs.chmod(configDir, 0o700).catch(() => {});
await fs.writeFile(
secretFile,
`${JSON.stringify({ providers: { openai: { apiKey: "sk-file-runtime" } } }, null, 2)}\n`,
{ encoding: "utf8", mode: 0o600 },
);
await fs.writeFile(
authStorePath,
`${JSON.stringify(
{
version: 1,
profiles: {
"openai:default": {
type: "api_key",
provider: "openai",
keyRef: { source: "file", provider: "default", id: "/providers/openai/apiKey" },
},
},
},
null,
2,
)}\n`,
{ encoding: "utf8", mode: 0o600 },
);
const { secretFile, agentDir } = await createOpenAIFileRuntimeFixture(home);
const prepared = await prepareSecretsRuntimeSnapshot({
config: asConfig({
secrets: {
providers: {
default: {
source: "file",
path: secretFile,
mode: "json",
...(allowInsecureTempSecretFile ? { allowInsecurePath: true } : {}),
},
},
},
models: {
providers: {
openai: {
baseUrl: "https://api.openai.com/v1",
apiKey: { source: "file", provider: "default", id: "/providers/openai/apiKey" },
models: [],
},
},
},
}),
config: createOpenAIFileRuntimeConfig(secretFile),
agentDirs: [agentDir],
});
activateSecretsRuntimeSnapshot(prepared);
expect(loadConfig().models?.providers?.openai?.apiKey).toBe("sk-file-runtime");
expect(ensureAuthProfileStore(agentDir).profiles["openai:default"]).toMatchObject({
type: "api_key",
key: "sk-file-runtime",
});
expectResolvedOpenAIRuntime(agentDir);
await writeConfigFile({
...loadConfig(),
@@ -175,11 +199,7 @@ describe("secrets runtime snapshot integration", () => {
});
expect(loadConfig().gateway?.auth).toEqual({ mode: "token" });
expect(loadConfig().models?.providers?.openai?.apiKey).toBe("sk-file-runtime");
expect(ensureAuthProfileStore(agentDir).profiles["openai:default"]).toMatchObject({
type: "api_key",
key: "sk-file-runtime",
});
expectResolvedOpenAIRuntime(agentDir);
});
});
@@ -188,35 +208,7 @@ describe("secrets runtime snapshot integration", () => {
return;
}
await withTempHome("openclaw-secrets-runtime-refresh-fail-", async (home) => {
const configDir = path.join(home, ".openclaw");
const secretFile = path.join(configDir, "secrets.json");
const agentDir = path.join(configDir, "agents", "main", "agent");
const authStorePath = path.join(agentDir, "auth-profiles.json");
await fs.mkdir(agentDir, { recursive: true });
await fs.chmod(configDir, 0o700).catch(() => {});
await fs.writeFile(
secretFile,
`${JSON.stringify({ providers: { openai: { apiKey: "sk-file-runtime" } } }, null, 2)}\n`,
{ encoding: "utf8", mode: 0o600 },
);
await fs.writeFile(
authStorePath,
`${JSON.stringify(
{
version: 1,
profiles: {
"openai:default": {
type: "api_key",
provider: "openai",
keyRef: { source: "file", provider: "default", id: "/providers/openai/apiKey" },
},
},
},
null,
2,
)}\n`,
{ encoding: "utf8", mode: 0o600 },
);
const { secretFile, agentDir } = await createOpenAIFileRuntimeFixture(home);
let loadAuthStoreCalls = 0;
const loadAuthStore = () => {
@@ -228,33 +220,13 @@ describe("secrets runtime snapshot integration", () => {
"openai:default": {
type: "api_key",
provider: "openai",
keyRef: { source: "file", provider: "default", id: "/providers/openai/apiKey" },
keyRef: OPENAI_FILE_KEY_REF,
},
});
};
const prepared = await prepareSecretsRuntimeSnapshot({
config: asConfig({
secrets: {
providers: {
default: {
source: "file",
path: secretFile,
mode: "json",
...(allowInsecureTempSecretFile ? { allowInsecurePath: true } : {}),
},
},
},
models: {
providers: {
openai: {
baseUrl: "https://api.openai.com/v1",
apiKey: { source: "file", provider: "default", id: "/providers/openai/apiKey" },
models: [],
},
},
},
}),
config: createOpenAIFileRuntimeConfig(secretFile),
agentDirs: [agentDir],
loadAuthStore,
});
@@ -273,16 +245,10 @@ describe("secrets runtime snapshot integration", () => {
const activeAfterFailure = getActiveSecretsRuntimeSnapshot();
expect(activeAfterFailure).not.toBeNull();
expect(loadConfig().gateway?.auth).toBeUndefined();
expect(loadConfig().models?.providers?.openai?.apiKey).toBe("sk-file-runtime");
expect(activeAfterFailure?.sourceConfig.models?.providers?.openai?.apiKey).toEqual({
source: "file",
provider: "default",
id: "/providers/openai/apiKey",
});
expect(ensureAuthProfileStore(agentDir).profiles["openai:default"]).toMatchObject({
type: "api_key",
key: "sk-file-runtime",
});
expectResolvedOpenAIRuntime(agentDir);
expect(activeAfterFailure?.sourceConfig.models?.providers?.openai?.apiKey).toEqual(
OPENAI_FILE_KEY_REF,
);
});
});