mirror of
https://github.com/openclaw/openclaw.git
synced 2026-04-17 04:01:05 +00:00
156 lines
5.2 KiB
TypeScript
156 lines
5.2 KiB
TypeScript
import { describe, expect, it, vi } from "vitest";
|
|
|
|
const REGISTRY_IDS = [
|
|
"agents.defaults.memorySearch.remote.apiKey",
|
|
"agents.list[].memorySearch.remote.apiKey",
|
|
"channels.discord.token",
|
|
"channels.discord.accounts.ops.token",
|
|
"channels.discord.accounts.chat.token",
|
|
"channels.telegram.botToken",
|
|
"gateway.auth.token",
|
|
"gateway.auth.password",
|
|
"gateway.remote.token",
|
|
"gateway.remote.password",
|
|
"models.providers.openai.apiKey",
|
|
"messages.tts.providers.openai.apiKey",
|
|
"plugins.entries.firecrawl.config.webFetch.apiKey",
|
|
"skills.entries.demo.apiKey",
|
|
"tools.web.search.apiKey",
|
|
] as const;
|
|
|
|
vi.mock("../secrets/target-registry.js", () => ({
|
|
listSecretTargetRegistryEntries: vi.fn(() =>
|
|
REGISTRY_IDS.map((id) => ({
|
|
id,
|
|
})),
|
|
),
|
|
discoverConfigSecretTargetsByIds: vi.fn((config: unknown, targetIds?: Iterable<string>) => {
|
|
const allowed = targetIds ? new Set(targetIds) : null;
|
|
const out: Array<{ path: string; pathSegments: string[] }> = [];
|
|
const record = (path: string) => {
|
|
if (allowed && !allowed.has(path)) {
|
|
return;
|
|
}
|
|
out.push({ path, pathSegments: path.split(".") });
|
|
};
|
|
|
|
const channels = (config as { channels?: Record<string, unknown> } | undefined)?.channels;
|
|
const discord = channels?.discord as
|
|
| { token?: unknown; accounts?: Record<string, { token?: unknown }> }
|
|
| undefined;
|
|
|
|
if (discord?.token !== undefined) {
|
|
record("channels.discord.token");
|
|
}
|
|
for (const [accountId, account] of Object.entries(discord?.accounts ?? {})) {
|
|
if (account?.token !== undefined) {
|
|
record(`channels.discord.accounts.${accountId}.token`);
|
|
}
|
|
}
|
|
return out;
|
|
}),
|
|
}));
|
|
|
|
import {
|
|
getAgentRuntimeCommandSecretTargetIds,
|
|
getScopedChannelsCommandSecretTargets,
|
|
getSecurityAuditCommandSecretTargetIds,
|
|
} from "./command-secret-targets.js";
|
|
|
|
describe("command secret target ids", () => {
|
|
it("includes memorySearch remote targets for agent runtime commands", () => {
|
|
const ids = getAgentRuntimeCommandSecretTargetIds();
|
|
expect(ids.has("agents.defaults.memorySearch.remote.apiKey")).toBe(true);
|
|
expect(ids.has("agents.list[].memorySearch.remote.apiKey")).toBe(true);
|
|
expect(ids.has("plugins.entries.firecrawl.config.webFetch.apiKey")).toBe(true);
|
|
});
|
|
|
|
it("includes gateway auth and channel targets for security audit", () => {
|
|
const ids = getSecurityAuditCommandSecretTargetIds();
|
|
expect(ids.has("channels.discord.token")).toBe(true);
|
|
expect(ids.has("gateway.auth.token")).toBe(true);
|
|
expect(ids.has("gateway.auth.password")).toBe(true);
|
|
expect(ids.has("gateway.remote.token")).toBe(true);
|
|
expect(ids.has("gateway.remote.password")).toBe(true);
|
|
});
|
|
|
|
it("scopes channel targets to the requested channel", () => {
|
|
const scoped = getScopedChannelsCommandSecretTargets({
|
|
config: {} as never,
|
|
channel: "discord",
|
|
});
|
|
|
|
expect(scoped.targetIds.size).toBeGreaterThan(0);
|
|
expect([...scoped.targetIds].every((id) => id.startsWith("channels.discord."))).toBe(true);
|
|
expect([...scoped.targetIds].some((id) => id.startsWith("channels.telegram."))).toBe(false);
|
|
});
|
|
|
|
it("does not coerce missing accountId to default when channel is scoped", () => {
|
|
const scoped = getScopedChannelsCommandSecretTargets({
|
|
config: {
|
|
channels: {
|
|
discord: {
|
|
defaultAccount: "ops",
|
|
accounts: {
|
|
ops: {
|
|
token: { source: "env", provider: "default", id: "DISCORD_OPS" },
|
|
},
|
|
},
|
|
},
|
|
},
|
|
} as never,
|
|
channel: "discord",
|
|
});
|
|
|
|
expect(scoped.allowedPaths).toBeUndefined();
|
|
expect(scoped.targetIds.size).toBeGreaterThan(0);
|
|
expect([...scoped.targetIds].every((id) => id.startsWith("channels.discord."))).toBe(true);
|
|
});
|
|
|
|
it("scopes allowed paths to channel globals + selected account", () => {
|
|
const scoped = getScopedChannelsCommandSecretTargets({
|
|
config: {
|
|
channels: {
|
|
discord: {
|
|
token: { source: "env", provider: "default", id: "DISCORD_DEFAULT" },
|
|
accounts: {
|
|
ops: {
|
|
token: { source: "env", provider: "default", id: "DISCORD_OPS" },
|
|
},
|
|
chat: {
|
|
token: { source: "env", provider: "default", id: "DISCORD_CHAT" },
|
|
},
|
|
},
|
|
},
|
|
},
|
|
} as never,
|
|
channel: "discord",
|
|
accountId: "ops",
|
|
});
|
|
|
|
expect(scoped.allowedPaths).toBeDefined();
|
|
expect(scoped.allowedPaths?.has("channels.discord.token")).toBe(true);
|
|
expect(scoped.allowedPaths?.has("channels.discord.accounts.ops.token")).toBe(true);
|
|
expect(scoped.allowedPaths?.has("channels.discord.accounts.chat.token")).toBe(false);
|
|
});
|
|
|
|
it("keeps account-scoped allowedPaths as an empty set when scoped target paths are absent", () => {
|
|
const scoped = getScopedChannelsCommandSecretTargets({
|
|
config: {
|
|
channels: {
|
|
discord: {
|
|
accounts: {
|
|
ops: { enabled: true },
|
|
},
|
|
},
|
|
},
|
|
} as never,
|
|
channel: "custom-plugin-channel-without-secret-targets",
|
|
accountId: "ops",
|
|
});
|
|
|
|
expect(scoped.allowedPaths).toBeDefined();
|
|
expect(scoped.allowedPaths?.size).toBe(0);
|
|
});
|
|
});
|