mirror of
https://github.com/openclaw/openclaw.git
synced 2026-04-20 13:41:30 +00:00
144 lines
5.0 KiB
TypeScript
144 lines
5.0 KiB
TypeScript
import { describe, expect, it } from "vitest";
|
|
import type { OpenClawConfig } from "../../config/config.js";
|
|
import {
|
|
createAgentToAgentPolicy,
|
|
createSessionVisibilityGuard,
|
|
resolveEffectiveSessionToolsVisibility,
|
|
resolveSandboxSessionToolsVisibility,
|
|
resolveSandboxedSessionToolContext,
|
|
resolveSessionToolsVisibility,
|
|
} from "./sessions-access.js";
|
|
|
|
describe("resolveSessionToolsVisibility", () => {
|
|
it("defaults to tree when unset or invalid", () => {
|
|
expect(resolveSessionToolsVisibility({} as unknown as OpenClawConfig)).toBe("tree");
|
|
expect(
|
|
resolveSessionToolsVisibility({
|
|
tools: { sessions: { visibility: "invalid" } },
|
|
} as unknown as OpenClawConfig),
|
|
).toBe("tree");
|
|
});
|
|
|
|
it("accepts known visibility values case-insensitively", () => {
|
|
expect(
|
|
resolveSessionToolsVisibility({
|
|
tools: { sessions: { visibility: "ALL" } },
|
|
} as unknown as OpenClawConfig),
|
|
).toBe("all");
|
|
});
|
|
});
|
|
|
|
describe("resolveEffectiveSessionToolsVisibility", () => {
|
|
it("clamps to tree in sandbox when sandbox visibility is spawned", () => {
|
|
const cfg = {
|
|
tools: { sessions: { visibility: "all" } },
|
|
agents: { defaults: { sandbox: { sessionToolsVisibility: "spawned" } } },
|
|
} as unknown as OpenClawConfig;
|
|
expect(resolveEffectiveSessionToolsVisibility({ cfg, sandboxed: true })).toBe("tree");
|
|
});
|
|
|
|
it("preserves visibility when sandbox clamp is all", () => {
|
|
const cfg = {
|
|
tools: { sessions: { visibility: "all" } },
|
|
agents: { defaults: { sandbox: { sessionToolsVisibility: "all" } } },
|
|
} as unknown as OpenClawConfig;
|
|
expect(resolveEffectiveSessionToolsVisibility({ cfg, sandboxed: true })).toBe("all");
|
|
});
|
|
});
|
|
|
|
describe("sandbox session-tools context", () => {
|
|
it("defaults sandbox visibility clamp to spawned", () => {
|
|
expect(resolveSandboxSessionToolsVisibility({} as unknown as OpenClawConfig)).toBe("spawned");
|
|
});
|
|
|
|
it("restricts non-subagent sandboxed sessions to spawned visibility", () => {
|
|
const cfg = {
|
|
tools: { sessions: { visibility: "all" } },
|
|
agents: { defaults: { sandbox: { sessionToolsVisibility: "spawned" } } },
|
|
} as unknown as OpenClawConfig;
|
|
const context = resolveSandboxedSessionToolContext({
|
|
cfg,
|
|
agentSessionKey: "agent:main:main",
|
|
sandboxed: true,
|
|
});
|
|
|
|
expect(context.restrictToSpawned).toBe(true);
|
|
expect(context.requesterInternalKey).toBe("agent:main:main");
|
|
expect(context.effectiveRequesterKey).toBe("agent:main:main");
|
|
});
|
|
|
|
it("does not restrict subagent sessions in sandboxed mode", () => {
|
|
const cfg = {
|
|
tools: { sessions: { visibility: "all" } },
|
|
agents: { defaults: { sandbox: { sessionToolsVisibility: "spawned" } } },
|
|
} as unknown as OpenClawConfig;
|
|
const context = resolveSandboxedSessionToolContext({
|
|
cfg,
|
|
agentSessionKey: "agent:main:subagent:abc",
|
|
sandboxed: true,
|
|
});
|
|
|
|
expect(context.restrictToSpawned).toBe(false);
|
|
expect(context.requesterInternalKey).toBe("agent:main:subagent:abc");
|
|
});
|
|
});
|
|
|
|
describe("createAgentToAgentPolicy", () => {
|
|
it("denies cross-agent access when disabled", () => {
|
|
const policy = createAgentToAgentPolicy({} as unknown as OpenClawConfig);
|
|
expect(policy.enabled).toBe(false);
|
|
expect(policy.isAllowed("main", "main")).toBe(true);
|
|
expect(policy.isAllowed("main", "ops")).toBe(false);
|
|
});
|
|
|
|
it("honors allow patterns when enabled", () => {
|
|
const policy = createAgentToAgentPolicy({
|
|
tools: {
|
|
agentToAgent: {
|
|
enabled: true,
|
|
allow: ["ops-*", "main"],
|
|
},
|
|
},
|
|
} as unknown as OpenClawConfig);
|
|
|
|
expect(policy.isAllowed("ops-a", "ops-b")).toBe(true);
|
|
expect(policy.isAllowed("main", "ops-a")).toBe(true);
|
|
expect(policy.isAllowed("guest", "ops-a")).toBe(false);
|
|
});
|
|
});
|
|
|
|
describe("createSessionVisibilityGuard", () => {
|
|
it("blocks cross-agent send when agent-to-agent is disabled", async () => {
|
|
const guard = await createSessionVisibilityGuard({
|
|
action: "send",
|
|
requesterSessionKey: "agent:main:main",
|
|
visibility: "all",
|
|
a2aPolicy: createAgentToAgentPolicy({} as unknown as OpenClawConfig),
|
|
});
|
|
|
|
expect(guard.check("agent:ops:main")).toEqual({
|
|
allowed: false,
|
|
status: "forbidden",
|
|
error:
|
|
"Agent-to-agent messaging is disabled. Set tools.agentToAgent.enabled=true to allow cross-agent sends.",
|
|
});
|
|
});
|
|
|
|
it("enforces self visibility for same-agent sessions", async () => {
|
|
const guard = await createSessionVisibilityGuard({
|
|
action: "history",
|
|
requesterSessionKey: "agent:main:main",
|
|
visibility: "self",
|
|
a2aPolicy: createAgentToAgentPolicy({} as unknown as OpenClawConfig),
|
|
});
|
|
|
|
expect(guard.check("agent:main:main")).toEqual({ allowed: true });
|
|
expect(guard.check("agent:main:telegram:group:1")).toEqual({
|
|
allowed: false,
|
|
status: "forbidden",
|
|
error:
|
|
"Session history visibility is restricted to the current session (tools.sessions.visibility=self).",
|
|
});
|
|
});
|
|
});
|