Files
openclaw/apps/macos/Tests/OpenClawIPCTests/ConnectCommandTests.swift
Peter Steinberger 96f0983a85 fix(onboarding): skip setup for configured gateways and require inference first (#102883)
* fix(crestodian): keep onboarding RPCs restart-safe

* fix(profiles): isolate approval state migrations

* fix(crestodian): bypass configured gateway setup

* test(crestodian): type onboarding mocks

* fix(onboarding): require inference before Crestodian

* fix(onboarding): enforce verified inference handoff

* fix(macos): reset setup on gateway endpoint edits

* chore(i18n): refresh native source inventory

* fix(gateway): keep socket on request cancellation

* test(packaging): require workspace templates

* fix(onboarding): bind setup to verified inference

* fix(onboarding): align inference gate contracts

* fix(crestodian): classify concurrent policy rejection

* test(crestodian): expect registry restoration

* fix(onboarding): bind setup to configured gateways

* fix(codex): preserve startup phase deadlines

* test(crestodian): match fail-closed policy ordering

* test(onboarding): assert bound gateway handoff

* fix(codex): bind runtime resolution to spawn cwd

* test(crestodian): assert policy rejection order

* fix(cli): preserve gateway routing across restarts

* fix(macos): fail closed during gateway edits

* test(macos): cover gateway route generation races

* chore: keep release notes out of onboarding PR

* fix(ci): refresh onboarding generated checks

* style(swift): align gateway channel formatting

* fix(ci): refresh plugin SDK surface budgets

* fix(ci): resync native string inventory

* refactor(swift): split gateway channel support

* test(doctor): isolate plugin compatibility registry

* test(macos): isolate gateway onboarding fixtures

* test(macos): assert gateway lease health ordering

* fix(codex): reconcile computer-use startup changes
2026-07-11 10:25:14 -07:00

195 lines
8.3 KiB
Swift

import Foundation
import OpenClawKit
import Testing
@testable import OpenClawMacCLI
private final class CLIConnectAuthRecorder: @unchecked Sendable {
private let lock = NSLock()
private var sawConnect = false
private var sawAuth = false
func record(_ message: URLSessionWebSocketTask.Message) {
guard let params = GatewayWebSocketTestSupport.connectRequestParams(from: message) else { return }
self.lock.lock()
defer { self.lock.unlock() }
self.sawConnect = true
self.sawAuth = params["auth"] != nil
}
func snapshot() -> (sawConnect: Bool, sawAuth: Bool) {
self.lock.lock()
defer { self.lock.unlock() }
return (self.sawConnect, self.sawAuth)
}
}
@Suite(.serialized)
struct ConnectCommandTests {
@Test func `explicit URL never inherits config credentials`() throws {
var config = GatewayConfig()
config.mode = "remote"
config.token = "local-config-token" // pragma: allowlist secret
config.password = "local-config-password" // pragma: allowlist secret
config.remoteToken = "remote-config-token" // pragma: allowlist secret
config.remotePassword = "remote-config-password" // pragma: allowlist secret
let endpoint = try resolveGatewayEndpoint(
opts: ConnectOptions.parse(["--url", "wss://gateway-b.example.test"]),
config: config)
#expect(endpoint.token == nil)
#expect(endpoint.password == nil)
}
@Test func `explicit URL accepts only explicit credentials`() throws {
var config = GatewayConfig()
config.mode = "remote"
config.remoteToken = "wrong-config-token" // pragma: allowlist secret
config.remotePassword = "wrong-config-password" // pragma: allowlist secret
let endpoint = try resolveGatewayEndpoint(
opts: ConnectOptions.parse([
"--url", "wss://gateway-b.example.test",
"--token", "explicit-token", // pragma: allowlist secret
"--password", "explicit-password", // pragma: allowlist secret
]),
config: config)
#expect(endpoint.token == "explicit-token") // pragma: allowlist secret
#expect(endpoint.password == "explicit-password") // pragma: allowlist secret
}
@Test func `explicit URL owner ignores embedded credentials`() throws {
let first = try #require(URL(
string: "wss://alice:first-pass@gateway.example.test/socket?tenant=alpha&token=first-token#first"))
let rotated = try #require(URL(
string: "wss://alice:second-pass@gateway.example.test/socket?tenant=alpha&token=second-token#second"))
let otherRoute = try #require(URL(
string: "wss://gateway.example.test/socket?tenant=beta&token=second-token"))
let firstOwner = gatewayURLDeviceAuthOwner(first, mode: "remote")
let rotatedOwner = gatewayURLDeviceAuthOwner(rotated, mode: "remote")
let otherOwner = gatewayURLDeviceAuthOwner(otherRoute, mode: "remote")
#expect(firstOwner == rotatedOwner)
#expect(firstOwner != otherOwner)
#expect(!firstOwner.contains("first-pass"))
#expect(!firstOwner.contains("first-token"))
}
@Test func `explicit URL sends neither legacy nor scoped stored token`() async throws {
let tempDir = FileManager.default.temporaryDirectory
.appendingPathComponent(UUID().uuidString, isDirectory: true)
try FileManager.default.createDirectory(at: tempDir, withIntermediateDirectories: true)
defer { try? FileManager.default.removeItem(at: tempDir) }
try await TestIsolation.withEnvValues(["OPENCLAW_STATE_DIR": tempDir.path]) {
var config = GatewayConfig()
config.mode = "remote"
config.remoteToken = "gateway-a-config-token" // pragma: allowlist secret
let opts = ConnectOptions.parse(["--url", "wss://gateway-b.example.test"])
let endpoint = try resolveGatewayEndpoint(opts: opts, config: config)
let connectOptions = makeGatewayConnectOptions(
opts: opts,
endpoint: endpoint,
displayName: "CLI Test")
let owner = try #require(connectOptions.deviceAuthGatewayID)
let identity = DeviceIdentityStore.loadOrCreate()
_ = DeviceAuthStore.storeToken(
deviceId: identity.deviceId,
role: "operator",
token: "legacy-device-token") // pragma: allowlist secret
_ = DeviceAuthStore.storeToken(
deviceId: identity.deviceId,
role: "operator",
token: "same-route-device-token", // pragma: allowlist secret
gatewayID: owner)
let recorder = CLIConnectAuthRecorder()
let session = GatewayTestWebSocketSession(taskFactory: {
GatewayTestWebSocketTask(sendHook: { _, message, sendIndex in
if sendIndex == 0 {
recorder.record(message)
}
})
})
let channel = GatewayChannelActor(
url: endpoint.url,
token: endpoint.token,
password: endpoint.password,
session: WebSocketSessionBox(session: session),
connectOptions: connectOptions)
try await channel.connect()
let captured = recorder.snapshot()
#expect(captured.sawConnect)
#expect(!captured.sawAuth)
#expect(!connectOptions.allowStoredDeviceAuth)
await channel.shutdown()
}
}
@Test func `config URL sends neither legacy nor another route stored token`() async throws {
let tempDir = FileManager.default.temporaryDirectory
.appendingPathComponent(UUID().uuidString, isDirectory: true)
try FileManager.default.createDirectory(at: tempDir, withIntermediateDirectories: true)
defer { try? FileManager.default.removeItem(at: tempDir) }
try await TestIsolation.withEnvValues(["OPENCLAW_STATE_DIR": tempDir.path]) {
var configA = GatewayConfig()
configA.mode = "remote"
configA.remoteUrl = "wss://gateway-a.example.test"
let opts = ConnectOptions.parse([])
let endpointA = try resolveGatewayEndpoint(opts: opts, config: configA)
let optionsA = makeGatewayConnectOptions(
opts: opts,
endpoint: endpointA,
displayName: "CLI Test")
var configB = configA
configB.remoteUrl = "wss://gateway-b.example.test"
let endpointB = try resolveGatewayEndpoint(opts: opts, config: configB)
let optionsB = makeGatewayConnectOptions(
opts: opts,
endpoint: endpointB,
displayName: "CLI Test")
let ownerA = try #require(optionsA.deviceAuthGatewayID)
let ownerB = try #require(optionsB.deviceAuthGatewayID)
#expect(ownerA != ownerB)
#expect(optionsB.allowStoredDeviceAuth)
let identity = DeviceIdentityStore.loadOrCreate()
_ = DeviceAuthStore.storeToken(
deviceId: identity.deviceId,
role: "operator",
token: "legacy-device-token") // pragma: allowlist secret
_ = DeviceAuthStore.storeToken(
deviceId: identity.deviceId,
role: "operator",
token: "route-a-device-token", // pragma: allowlist secret
gatewayID: ownerA)
let recorder = CLIConnectAuthRecorder()
let session = GatewayTestWebSocketSession(taskFactory: {
GatewayTestWebSocketTask(sendHook: { _, message, sendIndex in
if sendIndex == 0 {
recorder.record(message)
}
})
})
let channel = GatewayChannelActor(
url: endpointB.url,
token: endpointB.token,
password: endpointB.password,
session: WebSocketSessionBox(session: session),
connectOptions: optionsB)
try await channel.connect()
let captured = recorder.snapshot()
#expect(captured.sawConnect)
#expect(!captured.sawAuth)
await channel.shutdown()
}
}
}