vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-12 21:00:44 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
656fb80f4ac21e8b3b9f67e4aa4b9dab2849806e
openclaw/src/cli/daemon-cli/gateway-token-drift.test.ts
Josh Avant 788f56f30f Secrets: hard-fail unsupported SecretRef policy and fix gateway restart token drift (#58141) 
* Secrets: enforce C2 SecretRef policy and drift resolution

* Tests: add gateway auth startup/reload SecretRef runtime coverage

* Docs: sync C2 SecretRef policy and coverage matrix

* Config: hard-fail parent SecretRef policy writes

* Secrets: centralize unsupported SecretRef policy metadata

* Daemon: test service-env precedence for token drift refs

* Config: keep per-ref dry-run resolvability errors

* Docs: clarify config-set parent-object policy checks

* Gateway: fix drift fallback and schema-key filtering

* Gateway: align drift fallback with credential planner

* changelog

Signed-off-by: joshavant <830519+joshavant@users.noreply.github.com>

---------

Signed-off-by: joshavant <830519+joshavant@users.noreply.github.com>
2026-03-31 02:37:31 -05:00

132 lines
3.5 KiB
TypeScript
Raw Blame History

import { describe, expect, it } from "vitest";
import type { OpenClawConfig } from "../../config/config.js";
import { resolveGatewayTokenForDriftCheck } from "./gateway-token-drift.js";
describe("resolveGatewayTokenForDriftCheck", () => {
it("prefers persisted config token over shell env", async () => {
const token = await resolveGatewayTokenForDriftCheck({
cfg: {
gateway: {
mode: "local",
auth: {
token: "config-token",
},
},
} as OpenClawConfig,
env: {
OPENCLAW_GATEWAY_TOKEN: "env-token",
} as NodeJS.ProcessEnv,
});
expect(token).toBe("config-token");
});
it("resolves env-backed local gateway token refs from the provided env", async () => {
const token = await resolveGatewayTokenForDriftCheck({
cfg: {
secrets: {
providers: {
default: { source: "env" },
},
},
gateway: {
mode: "local",
auth: {
mode: "token",
token: { source: "env", provider: "default", id: "SERVICE_GATEWAY_TOKEN" },
},
},
} as OpenClawConfig,
env: {
SERVICE_GATEWAY_TOKEN: "service-token",
} as NodeJS.ProcessEnv,
});
expect(token).toBe("service-token");
});
it("throws when an active local token ref is unresolved", async () => {
await expect(
resolveGatewayTokenForDriftCheck({
cfg: {
secrets: {
providers: {
default: { source: "env" },
},
},
gateway: {
mode: "local",
auth: {
mode: "token",
token: { source: "env", provider: "default", id: "MISSING_LOCAL_TOKEN" },
},
remote: {
token: "remote-token",
},
},
} as OpenClawConfig,
env: {} as NodeJS.ProcessEnv,
}),
).rejects.toThrow(/gateway\.auth\.token/i);
});
it("returns undefined when token auth is disabled by mode", async () => {
const token = await resolveGatewayTokenForDriftCheck({
cfg: {
secrets: {
providers: {
default: { source: "env" },
},
},
gateway: {
auth: {
mode: "password",
token: { source: "env", provider: "default", id: "MISSING_LOCAL_TOKEN" },
},
},
} as OpenClawConfig,
env: {} as NodeJS.ProcessEnv,
});
expect(token).toBeUndefined();
});
it("returns undefined when password fallback is active with mode unset and no token candidate", async () => {
const token = await resolveGatewayTokenForDriftCheck({
cfg: {
gateway: {
auth: {
password: "config-password",
},
},
} as OpenClawConfig,
env: {
OPENCLAW_GATEWAY_PASSWORD: "env-password",
} as NodeJS.ProcessEnv,
});
expect(token).toBeUndefined();
});
it("does not skip token resolution when mode is unset and token can win", async () => {
await expect(
resolveGatewayTokenForDriftCheck({
cfg: {
secrets: {
providers: {
default: { source: "env" },
},
},
gateway: {
auth: {
token: { source: "env", provider: "default", id: "MISSING_LOCAL_TOKEN" },
},
},
} as OpenClawConfig,
env: {
OPENCLAW_GATEWAY_PASSWORD: "env-password",
} as NodeJS.ProcessEnv,
}),
).rejects.toThrow(/gateway\.auth\.token/i);
});
});
Reference in New Issue View Git Blame Copy Permalink