vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-04-01 12:21:25 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
2dd29db464255a8442571baa033fd12da3bb673b
openclaw/src/gateway/startup-auth.test.ts
Peter Steinberger 2833b27f52 test: continue vitest threads migration
2026-03-24 08:37:00 +00:00

468 lines
13 KiB
TypeScript
Raw Blame History

import { beforeEach, describe, expect, it, vi } from "vitest";
import type { OpenClawConfig } from "../config/config.js";
import { expectGeneratedTokenPersistedToGatewayAuth } from "../test-utils/auth-token-assertions.js";
const mocks = vi.hoisted(() => ({
writeConfigFile: vi.fn(async (_cfg: OpenClawConfig) => {}),
}));
vi.mock("../config/config.js", async (importOriginal) => {
const actual = await importOriginal<typeof import("../config/config.js")>();
return {
...actual,
writeConfigFile: mocks.writeConfigFile,
};
});
let assertHooksTokenSeparateFromGatewayAuth: typeof import("./startup-auth.js").assertHooksTokenSeparateFromGatewayAuth;
let ensureGatewayStartupAuth: typeof import("./startup-auth.js").ensureGatewayStartupAuth;
async function loadFreshStartupAuthModuleForTest() {
vi.resetModules();
({ assertHooksTokenSeparateFromGatewayAuth, ensureGatewayStartupAuth } =
await import("./startup-auth.js"));
}
describe("ensureGatewayStartupAuth", () => {
async function expectEphemeralGeneratedTokenWhenOverridden(cfg: OpenClawConfig) {
const result = await ensureGatewayStartupAuth({
cfg,
env: {} as NodeJS.ProcessEnv,
authOverride: { mode: "token" },
persist: true,
});
expect(result.generatedToken).toMatch(/^[0-9a-f]{48}$/);
expect(result.persistedGeneratedToken).toBe(false);
expect(result.auth.mode).toBe("token");
expect(result.auth.token).toBe(result.generatedToken);
expect(mocks.writeConfigFile).not.toHaveBeenCalled();
}
beforeEach(async () => {
vi.restoreAllMocks();
mocks.writeConfigFile.mockClear();
await loadFreshStartupAuthModuleForTest();
});
async function expectNoTokenGeneration(cfg: OpenClawConfig, mode: string) {
const result = await ensureGatewayStartupAuth({
cfg,
env: {} as NodeJS.ProcessEnv,
persist: true,
});
expect(result.generatedToken).toBeUndefined();
expect(result.persistedGeneratedToken).toBe(false);
expect(result.auth.mode).toBe(mode);
expect(mocks.writeConfigFile).not.toHaveBeenCalled();
}
async function expectResolvedToken(params: {
cfg: OpenClawConfig;
env: NodeJS.ProcessEnv;
expectedToken: string;
expectedConfiguredToken?: unknown;
}) {
const result = await ensureGatewayStartupAuth({
cfg: params.cfg,
env: params.env,
persist: true,
});
expect(result.generatedToken).toBeUndefined();
expect(result.persistedGeneratedToken).toBe(false);
expect(result.auth.mode).toBe("token");
expect(result.auth.token).toBe(params.expectedToken);
if ("expectedConfiguredToken" in params) {
expect(result.cfg.gateway?.auth?.token).toEqual(params.expectedConfiguredToken);
}
expect(mocks.writeConfigFile).not.toHaveBeenCalled();
}
function createMissingGatewayTokenSecretRefConfig(): OpenClawConfig {
return {
gateway: {
auth: {
mode: "token",
token: { source: "env", provider: "default", id: "MISSING_GW_TOKEN" },
},
},
secrets: {
providers: {
default: { source: "env" },
},
},
};
}
it("generates and persists a token when startup auth is missing", async () => {
const result = await ensureGatewayStartupAuth({
cfg: {},
env: {} as NodeJS.ProcessEnv,
persist: true,
});
expect(result.generatedToken).toMatch(/^[0-9a-f]{48}$/);
expect(result.persistedGeneratedToken).toBe(true);
expect(result.auth.mode).toBe("token");
expect(mocks.writeConfigFile).toHaveBeenCalledTimes(1);
expectGeneratedTokenPersistedToGatewayAuth({
generatedToken: result.generatedToken,
authToken: result.auth.token,
persistedConfig: mocks.writeConfigFile.mock.calls[0]?.[0],
});
});
it("does not generate when token already exists", async () => {
await expectResolvedToken({
cfg: {
gateway: {
auth: {
mode: "token",
token: "configured-token",
},
},
},
env: {} as NodeJS.ProcessEnv,
expectedToken: "configured-token",
});
});
it("does not generate in password mode", async () => {
await expectNoTokenGeneration(
{
gateway: {
auth: {
mode: "password",
},
},
},
"password",
);
});
it("resolves gateway.auth.password SecretRef before startup auth checks", async () => {
const result = await ensureGatewayStartupAuth({
cfg: {
gateway: {
auth: {
mode: "password",
password: { source: "env", provider: "default", id: "GW_PASSWORD" },
},
},
secrets: {
providers: {
default: { source: "env" },
},
},
},
env: {
GW_PASSWORD: "resolved-password", // pragma: allowlist secret
} as NodeJS.ProcessEnv,
persist: true,
});
expect(result.generatedToken).toBeUndefined();
expect(result.auth.mode).toBe("password");
expect(result.auth.password).toBe("resolved-password");
expect(result.cfg.gateway?.auth?.password).toEqual({
source: "env",
provider: "default",
id: "GW_PASSWORD",
});
});
it("resolves gateway.auth.token SecretRef before startup auth checks", async () => {
await expectResolvedToken({
cfg: {
gateway: {
auth: {
mode: "token",
token: { source: "env", provider: "default", id: "GW_TOKEN" },
},
},
secrets: {
providers: {
default: { source: "env" },
},
},
},
env: {
GW_TOKEN: "resolved-token",
} as NodeJS.ProcessEnv,
expectedToken: "resolved-token",
expectedConfiguredToken: {
source: "env",
provider: "default",
id: "GW_TOKEN",
},
});
});
it("resolves env-template gateway.auth.token before env-token short-circuiting", async () => {
await expectResolvedToken({
cfg: {
gateway: {
auth: {
mode: "token",
token: "${OPENCLAW_GATEWAY_TOKEN}",
},
},
},
env: {
OPENCLAW_GATEWAY_TOKEN: "resolved-token",
} as NodeJS.ProcessEnv,
expectedToken: "resolved-token",
expectedConfiguredToken: "${OPENCLAW_GATEWAY_TOKEN}",
});
});
it("uses OPENCLAW_GATEWAY_TOKEN without resolving configured token SecretRef", async () => {
await expectResolvedToken({
cfg: createMissingGatewayTokenSecretRefConfig(),
env: {
OPENCLAW_GATEWAY_TOKEN: "token-from-env",
} as NodeJS.ProcessEnv,
expectedToken: "token-from-env",
});
});
it("fails when gateway.auth.token SecretRef is active and unresolved", async () => {
await expect(
ensureGatewayStartupAuth({
cfg: createMissingGatewayTokenSecretRefConfig(),
env: {} as NodeJS.ProcessEnv,
persist: true,
}),
).rejects.toThrow(/MISSING_GW_TOKEN/i);
expect(mocks.writeConfigFile).not.toHaveBeenCalled();
});
it("requires explicit gateway.auth.mode when token and password are both configured", async () => {
await expect(
ensureGatewayStartupAuth({
cfg: {
gateway: {
auth: {
token: "configured-token",
password: "configured-password", // pragma: allowlist secret
},
},
},
env: {} as NodeJS.ProcessEnv,
persist: true,
}),
).rejects.toThrow(/gateway\.auth\.mode is unset/i);
expect(mocks.writeConfigFile).not.toHaveBeenCalled();
});
it("uses OPENCLAW_GATEWAY_PASSWORD without resolving configured password SecretRef", async () => {
const result = await ensureGatewayStartupAuth({
cfg: {
gateway: {
auth: {
mode: "password",
password: { source: "env", provider: "default", id: "MISSING_GW_PASSWORD" },
},
},
secrets: {
providers: {
default: { source: "env" },
},
},
},
env: {
OPENCLAW_GATEWAY_PASSWORD: "password-from-env", // pragma: allowlist secret
} as NodeJS.ProcessEnv,
persist: true,
});
expect(result.generatedToken).toBeUndefined();
expect(result.auth.mode).toBe("password");
expect(result.auth.password).toBe("password-from-env");
});
it("does not resolve gateway.auth.password SecretRef when token mode is explicit", async () => {
const cfg: OpenClawConfig = {
gateway: {
auth: {
mode: "token",
token: "configured-token",
password: { source: "env", provider: "missing", id: "GW_PASSWORD" },
},
},
secrets: {
providers: {
default: { source: "env" },
},
},
};
const result = await ensureGatewayStartupAuth({
cfg,
env: {} as NodeJS.ProcessEnv,
persist: true,
});
expect(result.generatedToken).toBeUndefined();
expect(result.auth.mode).toBe("token");
expect(result.auth.token).toBe("configured-token");
});
it("does not generate in trusted-proxy mode", async () => {
await expectNoTokenGeneration(
{
gateway: {
auth: {
mode: "trusted-proxy",
trustedProxy: { userHeader: "x-forwarded-user" },
},
},
},
"trusted-proxy",
);
});
it("does not generate in explicit none mode", async () => {
await expectNoTokenGeneration(
{
gateway: {
auth: {
mode: "none",
},
},
},
"none",
);
});
it("treats undefined token override as no override", async () => {
const cfg: OpenClawConfig = {
gateway: {
auth: {
mode: "token",
token: "from-config",
},
},
};
const result = await ensureGatewayStartupAuth({
cfg,
env: {} as NodeJS.ProcessEnv,
authOverride: { mode: "token", token: undefined },
persist: true,
});
expect(result.generatedToken).toBeUndefined();
expect(result.persistedGeneratedToken).toBe(false);
expect(result.auth.mode).toBe("token");
expect(result.auth.token).toBe("from-config");
expect(mocks.writeConfigFile).not.toHaveBeenCalled();
});
it("keeps generated token ephemeral when runtime override flips explicit non-token mode", async () => {
await expectEphemeralGeneratedTokenWhenOverridden({
gateway: {
auth: {
mode: "password",
},
},
});
});
it("keeps generated token ephemeral when runtime override flips explicit none mode", async () => {
await expectEphemeralGeneratedTokenWhenOverridden({
gateway: {
auth: {
mode: "none",
},
},
});
});
it("keeps generated token ephemeral when runtime override flips implicit password mode", async () => {
await expectEphemeralGeneratedTokenWhenOverridden({
gateway: {
auth: {
password: "configured-password", // pragma: allowlist secret
},
},
});
});
it("throws when hooks token reuses gateway token resolved from env", async () => {
await expect(
ensureGatewayStartupAuth({
cfg: {
hooks: {
enabled: true,
token: "shared-gateway-token-1234567890",
},
},
env: {
OPENCLAW_GATEWAY_TOKEN: "shared-gateway-token-1234567890",
} as NodeJS.ProcessEnv,
}),
).rejects.toThrow(/hooks\.token must not match gateway auth token/i);
});
});
describe("assertHooksTokenSeparateFromGatewayAuth", () => {
it("throws when hooks token reuses gateway token auth", () => {
expect(() =>
assertHooksTokenSeparateFromGatewayAuth({
cfg: {
hooks: {
enabled: true,
token: "shared-gateway-token-1234567890",
},
},
auth: {
mode: "token",
modeSource: "config",
token: "shared-gateway-token-1234567890",
allowTailscale: false,
},
}),
).toThrow(/hooks\.token must not match gateway auth token/i);
});
it("allows hooks token when gateway auth is not token mode", () => {
expect(() =>
assertHooksTokenSeparateFromGatewayAuth({
cfg: {
hooks: {
enabled: true,
token: "shared-gateway-token-1234567890",
},
},
auth: {
mode: "password",
modeSource: "config",
password: "pw", // pragma: allowlist secret
allowTailscale: false,
},
}),
).not.toThrow();
});
it("allows matching values when hooks are disabled", () => {
expect(() =>
assertHooksTokenSeparateFromGatewayAuth({
cfg: {
hooks: {
enabled: false,
token: "shared-gateway-token-1234567890",
},
},
auth: {
mode: "token",
modeSource: "config",
token: "shared-gateway-token-1234567890",
allowTailscale: false,
},
}),
).not.toThrow();
});
});
Reference in New Issue View Git Blame Copy Permalink