vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-19 14:44:47 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
902e4807c4fbfa1f5fb8c0dfe2004e109f55cca5
openclaw/src/secrets/runtime.test.ts
Peter Steinberger a7727b1fcd test: tighten secrets runtime assertions
2026-05-09 13:18:06 +01:00

115 lines
3.6 KiB
TypeScript
Raw Blame History

import { describe, expect, it } from "vitest";
import { asConfig, setupSecretsRuntimeSnapshotTestHooks } from "./runtime.test-support.ts";
const EMPTY_LOADABLE_PLUGIN_ORIGINS = new Map();
const { prepareSecretsRuntimeSnapshot } = setupSecretsRuntimeSnapshotTestHooks();
function expectWarning(
snapshot: Awaited<ReturnType<typeof prepareSecretsRuntimeSnapshot>>,
expected: { code: string; path: string },
): void {
const warning = snapshot.warnings.find(
(entry) => entry.code === expected.code && entry.path === expected.path,
);
expect(warning).toBeDefined();
}
describe("secrets runtime snapshot", () => {
it("resolves sandbox ssh secret refs for active ssh backends", async () => {
const snapshot = await prepareSecretsRuntimeSnapshot({
config: asConfig({
agents: {
defaults: {
sandbox: {
mode: "all",
backend: "ssh",
ssh: {
target: "peter@example.com:22",
identityData: { source: "env", provider: "default", id: "SSH_IDENTITY_DATA" },
certificateData: {
source: "env",
provider: "default",
id: "SSH_CERTIFICATE_DATA",
},
knownHostsData: {
source: "env",
provider: "default",
id: "SSH_KNOWN_HOSTS_DATA",
},
},
},
},
},
}),
env: {
SSH_IDENTITY_DATA: "PRIVATE KEY",
SSH_CERTIFICATE_DATA: "SSH CERT",
SSH_KNOWN_HOSTS_DATA: "example.com ssh-ed25519 AAAATEST",
},
includeAuthStoreRefs: false,
loadablePluginOrigins: EMPTY_LOADABLE_PLUGIN_ORIGINS,
});
const ssh = snapshot.config.agents?.defaults?.sandbox?.ssh;
expect(ssh?.identityData).toBe("PRIVATE KEY");
expect(ssh?.certificateData).toBe("SSH CERT");
expect(ssh?.knownHostsData).toBe("example.com ssh-ed25519 AAAATEST");
});
it("treats sandbox ssh secret refs as inactive when ssh backend is not selected", async () => {
const snapshot = await prepareSecretsRuntimeSnapshot({
config: asConfig({
agents: {
defaults: {
sandbox: {
mode: "all",
backend: "docker",
ssh: {
identityData: { source: "env", provider: "default", id: "SSH_IDENTITY_DATA" },
},
},
},
},
}),
env: {},
includeAuthStoreRefs: false,
loadablePluginOrigins: EMPTY_LOADABLE_PLUGIN_ORIGINS,
});
expect(snapshot.config.agents?.defaults?.sandbox?.ssh?.identityData).toEqual({
source: "env",
provider: "default",
id: "SSH_IDENTITY_DATA",
});
expectWarning(snapshot, {
code: "SECRETS_REF_IGNORED_INACTIVE_SURFACE",
path: "agents.defaults.sandbox.ssh.identityData",
});
});
it("fails when an active exec ref id contains traversal segments", async () => {
await expect(
prepareSecretsRuntimeSnapshot({
config: asConfig({
talk: {
apiKey: { source: "exec", provider: "vault", id: "a/../b" },
},
secrets: {
providers: {
vault: {
source: "exec",
command: process.execPath,
},
},
},
}),
env: {},
includeAuthStoreRefs: false,
agentDirs: ["/tmp/openclaw-agent-main"],
loadAuthStore: () => ({ version: 1, profiles: {} }),
loadablePluginOrigins: EMPTY_LOADABLE_PLUGIN_ORIGINS,
}),
).rejects.toThrow(/must not include "\." or "\.\." path segments/i);
});
});
Reference in New Issue View Git Blame Copy Permalink