vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-03-18 13:30:48 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
520d753b277b39ebb65aca3bac7ffdd213923254
openclaw/src/gateway/method-scopes.test.ts
Peter Steinberger e1b9250dea test: simplify method scope coverage
2026-03-13 18:21:48 +00:00

83 lines
2.9 KiB
TypeScript
Raw Blame History

import { describe, expect, it } from "vitest";
import {
authorizeOperatorScopesForMethod,
isGatewayMethodClassified,
resolveLeastPrivilegeOperatorScopesForMethod,
} from "./method-scopes.js";
import { listGatewayMethods } from "./server-methods-list.js";
import { coreGatewayHandlers } from "./server-methods.js";
describe("method scope resolution", () => {
it.each([
["sessions.resolve", ["operator.read"]],
["config.schema.lookup", ["operator.read"]],
["poll", ["operator.write"]],
["config.patch", ["operator.admin"]],
["wizard.start", ["operator.admin"]],
["update.run", ["operator.admin"]],
])("resolves least-privilege scopes for %s", (method, expected) => {
expect(resolveLeastPrivilegeOperatorScopesForMethod(method)).toEqual(expected);
});
it("leaves node-only pending drain outside operator scopes", () => {
expect(resolveLeastPrivilegeOperatorScopesForMethod("node.pending.drain")).toEqual([]);
});
it("returns empty scopes for unknown methods", () => {
expect(resolveLeastPrivilegeOperatorScopesForMethod("totally.unknown.method")).toEqual([]);
});
});
describe("operator scope authorization", () => {
it.each([
["health", ["operator.read"], { allowed: true }],
["health", ["operator.write"], { allowed: true }],
["config.schema.lookup", ["operator.read"], { allowed: true }],
["config.patch", ["operator.admin"], { allowed: true }],
])("authorizes %s for scopes %j", (method, scopes, expected) => {
expect(authorizeOperatorScopesForMethod(method, scopes)).toEqual(expected);
});
it("requires operator.write for write methods", () => {
expect(authorizeOperatorScopesForMethod("send", ["operator.read"])).toEqual({
allowed: false,
missingScope: "operator.write",
});
});
it("requires approvals scope for approval methods", () => {
expect(authorizeOperatorScopesForMethod("exec.approval.resolve", ["operator.write"])).toEqual({
allowed: false,
missingScope: "operator.approvals",
});
});
it("requires admin for unknown methods", () => {
expect(authorizeOperatorScopesForMethod("unknown.method", ["operator.read"])).toEqual({
allowed: false,
missingScope: "operator.admin",
});
});
});
describe("core gateway method classification", () => {
it("treats node-role methods as classified even without operator scopes", () => {
expect(isGatewayMethodClassified("node.pending.drain")).toBe(true);
expect(isGatewayMethodClassified("node.pending.pull")).toBe(true);
});
it("classifies every exposed core gateway handler method", () => {
const unclassified = Object.keys(coreGatewayHandlers).filter(
(method) => !isGatewayMethodClassified(method),
);
expect(unclassified).toEqual([]);
});
it("classifies every listed gateway method name", () => {
const unclassified = listGatewayMethods().filter(
(method) => !isGatewayMethodClassified(method),
);
expect(unclassified).toEqual([]);
});
});
Reference in New Issue View Git Blame Copy Permalink