mirror of
https://github.com/openclaw/openclaw.git
synced 2026-05-06 07:50:43 +00:00
37c0520a0b
* fix: restrict device pairing command access * addressing review-skill * addressing review-skill * addressing codex review * address codex review feedback * addressing codex review * addressing codex review * addressing codex review * addressing codex review * docs: add changelog entry for PR merge
82 lines
2.3 KiB
TypeScript
82 lines
2.3 KiB
TypeScript
import { describe, expect, it } from "vitest";
|
|
import { resolvePairingCommandAuthState } from "./pair-command-auth.js";
|
|
|
|
describe("device-pair pairing command auth", () => {
|
|
it("fails closed for non-gateway channels without pairing scopes", () => {
|
|
expect(
|
|
resolvePairingCommandAuthState({
|
|
channel: "telegram",
|
|
gatewayClientScopes: undefined,
|
|
}),
|
|
).toEqual({
|
|
isInternalGatewayCaller: false,
|
|
isMissingPairingPrivilege: true,
|
|
approvalCallerScopes: undefined,
|
|
});
|
|
});
|
|
|
|
it("accepts command owners on non-gateway channels", () => {
|
|
expect(
|
|
resolvePairingCommandAuthState({
|
|
channel: "telegram",
|
|
gatewayClientScopes: undefined,
|
|
senderIsOwner: true,
|
|
}),
|
|
).toEqual({
|
|
isInternalGatewayCaller: false,
|
|
isMissingPairingPrivilege: false,
|
|
approvalCallerScopes: ["operator.pairing"],
|
|
});
|
|
});
|
|
|
|
it("fails closed for webchat when scopes are absent", () => {
|
|
expect(
|
|
resolvePairingCommandAuthState({
|
|
channel: "webchat",
|
|
gatewayClientScopes: undefined,
|
|
}),
|
|
).toEqual({
|
|
isInternalGatewayCaller: true,
|
|
isMissingPairingPrivilege: true,
|
|
approvalCallerScopes: [],
|
|
});
|
|
});
|
|
|
|
it("accepts pairing and admin scopes for internal callers", () => {
|
|
expect(
|
|
resolvePairingCommandAuthState({
|
|
channel: "webchat",
|
|
gatewayClientScopes: ["operator.write", "operator.pairing"],
|
|
}),
|
|
).toEqual({
|
|
isInternalGatewayCaller: true,
|
|
isMissingPairingPrivilege: false,
|
|
approvalCallerScopes: ["operator.write", "operator.pairing"],
|
|
});
|
|
expect(
|
|
resolvePairingCommandAuthState({
|
|
channel: "webchat",
|
|
gatewayClientScopes: ["operator.admin"],
|
|
}),
|
|
).toEqual({
|
|
isInternalGatewayCaller: true,
|
|
isMissingPairingPrivilege: false,
|
|
approvalCallerScopes: ["operator.admin"],
|
|
});
|
|
});
|
|
|
|
it("preserves gateway scopes for command owners with gateway scope context", () => {
|
|
expect(
|
|
resolvePairingCommandAuthState({
|
|
channel: "telegram",
|
|
gatewayClientScopes: ["operator.write", "operator.pairing"],
|
|
senderIsOwner: true,
|
|
}),
|
|
).toEqual({
|
|
isInternalGatewayCaller: true,
|
|
isMissingPairingPrivilege: false,
|
|
approvalCallerScopes: ["operator.write", "operator.pairing"],
|
|
});
|
|
});
|
|
});
|