vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-04-18 04:31:10 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
58d7df7985f8bdd0bb2055f2e017864c3370094c
openclaw/src/security/audit-gateway-http-auth.test.ts
Peter Steinberger f1b6b97df3 perf(test): split security audit coverage
2026-04-06 13:05:39 +01:00

89 lines
2.9 KiB
TypeScript
Raw Blame History

import { describe, expect, it } from "vitest";
import type { OpenClawConfig } from "../config/config.js";
import {
collectGatewayHttpNoAuthFindings,
collectGatewayHttpSessionKeyOverrideFindings,
} from "./audit-extra.sync.js";
describe("security audit gateway HTTP auth findings", () => {
it.each([
{
name: "scores loopback gateway HTTP no-auth as warn",
cfg: {
gateway: {
bind: "loopback",
auth: { mode: "none" },
http: { endpoints: { chatCompletions: { enabled: true } } },
},
} satisfies OpenClawConfig,
expectedFinding: { checkId: "gateway.http.no_auth", severity: "warn" as const },
detailIncludes: ["/tools/invoke", "/v1/chat/completions"],
env: {} as NodeJS.ProcessEnv,
},
{
name: "scores remote gateway HTTP no-auth as critical",
cfg: {
gateway: {
bind: "lan",
auth: { mode: "none" },
http: { endpoints: { responses: { enabled: true } } },
},
} satisfies OpenClawConfig,
expectedFinding: { checkId: "gateway.http.no_auth", severity: "critical" as const },
env: {} as NodeJS.ProcessEnv,
},
{
name: "does not report gateway.http.no_auth when auth mode is token",
cfg: {
gateway: {
bind: "loopback",
auth: { mode: "token", token: "secret" },
http: {
endpoints: {
chatCompletions: { enabled: true },
responses: { enabled: true },
},
},
},
} satisfies OpenClawConfig,
expectedNoFinding: "gateway.http.no_auth",
env: {} as NodeJS.ProcessEnv,
},
{
name: "reports HTTP API session-key override surfaces when enabled",
cfg: {
gateway: {
http: {
endpoints: {
chatCompletions: { enabled: true },
responses: { enabled: true },
},
},
},
} satisfies OpenClawConfig,
expectedFinding: {
checkId: "gateway.http.session_key_override_enabled",
severity: "info" as const,
},
},
])("$name", ({ cfg, expectedFinding, expectedNoFinding, detailIncludes, env }) => {
const findings = [
...collectGatewayHttpNoAuthFindings(cfg, env ?? process.env),
...collectGatewayHttpSessionKeyOverrideFindings(cfg),
];
if (expectedFinding) {
expect(findings).toEqual(expect.arrayContaining([expect.objectContaining(expectedFinding)]));
if (detailIncludes) {
const finding = findings.find((entry) => entry.checkId === expectedFinding.checkId);
for (const text of detailIncludes) {
expect(finding?.detail, `${expectedFinding.checkId}:${text}`).toContain(text);
}
}
}
if (expectedNoFinding) {
expect(findings.some((entry) => entry.checkId === expectedNoFinding)).toBe(false);
}
});
});
Reference in New Issue View Git Blame Copy Permalink