mirror of
https://github.com/openclaw/openclaw.git
synced 2026-07-17 11:11:37 +00:00
* fix(crestodian): keep onboarding RPCs restart-safe * fix(profiles): isolate approval state migrations * fix(crestodian): bypass configured gateway setup * test(crestodian): type onboarding mocks * fix(onboarding): require inference before Crestodian * fix(onboarding): enforce verified inference handoff * fix(macos): reset setup on gateway endpoint edits * chore(i18n): refresh native source inventory * fix(gateway): keep socket on request cancellation * test(packaging): require workspace templates * fix(onboarding): bind setup to verified inference * fix(onboarding): align inference gate contracts * fix(crestodian): classify concurrent policy rejection * test(crestodian): expect registry restoration * fix(onboarding): bind setup to configured gateways * fix(codex): preserve startup phase deadlines * test(crestodian): match fail-closed policy ordering * test(onboarding): assert bound gateway handoff * fix(codex): bind runtime resolution to spawn cwd * test(crestodian): assert policy rejection order * fix(cli): preserve gateway routing across restarts * fix(macos): fail closed during gateway edits * test(macos): cover gateway route generation races * chore: keep release notes out of onboarding PR * fix(ci): refresh onboarding generated checks * style(swift): align gateway channel formatting * fix(ci): refresh plugin SDK surface budgets * fix(ci): resync native string inventory * refactor(swift): split gateway channel support * test(doctor): isolate plugin compatibility registry * test(macos): isolate gateway onboarding fixtures * test(macos): assert gateway lease health ordering * fix(codex): reconcile computer-use startup changes
195 lines
8.3 KiB
Swift
195 lines
8.3 KiB
Swift
import Foundation
|
|
import OpenClawKit
|
|
import Testing
|
|
@testable import OpenClawMacCLI
|
|
|
|
private final class CLIConnectAuthRecorder: @unchecked Sendable {
|
|
private let lock = NSLock()
|
|
private var sawConnect = false
|
|
private var sawAuth = false
|
|
|
|
func record(_ message: URLSessionWebSocketTask.Message) {
|
|
guard let params = GatewayWebSocketTestSupport.connectRequestParams(from: message) else { return }
|
|
self.lock.lock()
|
|
defer { self.lock.unlock() }
|
|
self.sawConnect = true
|
|
self.sawAuth = params["auth"] != nil
|
|
}
|
|
|
|
func snapshot() -> (sawConnect: Bool, sawAuth: Bool) {
|
|
self.lock.lock()
|
|
defer { self.lock.unlock() }
|
|
return (self.sawConnect, self.sawAuth)
|
|
}
|
|
}
|
|
|
|
@Suite(.serialized)
|
|
struct ConnectCommandTests {
|
|
@Test func `explicit URL never inherits config credentials`() throws {
|
|
var config = GatewayConfig()
|
|
config.mode = "remote"
|
|
config.token = "local-config-token" // pragma: allowlist secret
|
|
config.password = "local-config-password" // pragma: allowlist secret
|
|
config.remoteToken = "remote-config-token" // pragma: allowlist secret
|
|
config.remotePassword = "remote-config-password" // pragma: allowlist secret
|
|
|
|
let endpoint = try resolveGatewayEndpoint(
|
|
opts: ConnectOptions.parse(["--url", "wss://gateway-b.example.test"]),
|
|
config: config)
|
|
|
|
#expect(endpoint.token == nil)
|
|
#expect(endpoint.password == nil)
|
|
}
|
|
|
|
@Test func `explicit URL accepts only explicit credentials`() throws {
|
|
var config = GatewayConfig()
|
|
config.mode = "remote"
|
|
config.remoteToken = "wrong-config-token" // pragma: allowlist secret
|
|
config.remotePassword = "wrong-config-password" // pragma: allowlist secret
|
|
|
|
let endpoint = try resolveGatewayEndpoint(
|
|
opts: ConnectOptions.parse([
|
|
"--url", "wss://gateway-b.example.test",
|
|
"--token", "explicit-token", // pragma: allowlist secret
|
|
"--password", "explicit-password", // pragma: allowlist secret
|
|
]),
|
|
config: config)
|
|
|
|
#expect(endpoint.token == "explicit-token") // pragma: allowlist secret
|
|
#expect(endpoint.password == "explicit-password") // pragma: allowlist secret
|
|
}
|
|
|
|
@Test func `explicit URL owner ignores embedded credentials`() throws {
|
|
let first = try #require(URL(
|
|
string: "wss://alice:first-pass@gateway.example.test/socket?tenant=alpha&token=first-token#first"))
|
|
let rotated = try #require(URL(
|
|
string: "wss://alice:second-pass@gateway.example.test/socket?tenant=alpha&token=second-token#second"))
|
|
let otherRoute = try #require(URL(
|
|
string: "wss://gateway.example.test/socket?tenant=beta&token=second-token"))
|
|
|
|
let firstOwner = gatewayURLDeviceAuthOwner(first, mode: "remote")
|
|
let rotatedOwner = gatewayURLDeviceAuthOwner(rotated, mode: "remote")
|
|
let otherOwner = gatewayURLDeviceAuthOwner(otherRoute, mode: "remote")
|
|
|
|
#expect(firstOwner == rotatedOwner)
|
|
#expect(firstOwner != otherOwner)
|
|
#expect(!firstOwner.contains("first-pass"))
|
|
#expect(!firstOwner.contains("first-token"))
|
|
}
|
|
|
|
@Test func `explicit URL sends neither legacy nor scoped stored token`() async throws {
|
|
let tempDir = FileManager.default.temporaryDirectory
|
|
.appendingPathComponent(UUID().uuidString, isDirectory: true)
|
|
try FileManager.default.createDirectory(at: tempDir, withIntermediateDirectories: true)
|
|
defer { try? FileManager.default.removeItem(at: tempDir) }
|
|
|
|
try await TestIsolation.withEnvValues(["OPENCLAW_STATE_DIR": tempDir.path]) {
|
|
var config = GatewayConfig()
|
|
config.mode = "remote"
|
|
config.remoteToken = "gateway-a-config-token" // pragma: allowlist secret
|
|
let opts = ConnectOptions.parse(["--url", "wss://gateway-b.example.test"])
|
|
let endpoint = try resolveGatewayEndpoint(opts: opts, config: config)
|
|
let connectOptions = makeGatewayConnectOptions(
|
|
opts: opts,
|
|
endpoint: endpoint,
|
|
displayName: "CLI Test")
|
|
let owner = try #require(connectOptions.deviceAuthGatewayID)
|
|
let identity = DeviceIdentityStore.loadOrCreate()
|
|
_ = DeviceAuthStore.storeToken(
|
|
deviceId: identity.deviceId,
|
|
role: "operator",
|
|
token: "legacy-device-token") // pragma: allowlist secret
|
|
_ = DeviceAuthStore.storeToken(
|
|
deviceId: identity.deviceId,
|
|
role: "operator",
|
|
token: "same-route-device-token", // pragma: allowlist secret
|
|
gatewayID: owner)
|
|
|
|
let recorder = CLIConnectAuthRecorder()
|
|
let session = GatewayTestWebSocketSession(taskFactory: {
|
|
GatewayTestWebSocketTask(sendHook: { _, message, sendIndex in
|
|
if sendIndex == 0 {
|
|
recorder.record(message)
|
|
}
|
|
})
|
|
})
|
|
let channel = GatewayChannelActor(
|
|
url: endpoint.url,
|
|
token: endpoint.token,
|
|
password: endpoint.password,
|
|
session: WebSocketSessionBox(session: session),
|
|
connectOptions: connectOptions)
|
|
|
|
try await channel.connect()
|
|
let captured = recorder.snapshot()
|
|
#expect(captured.sawConnect)
|
|
#expect(!captured.sawAuth)
|
|
#expect(!connectOptions.allowStoredDeviceAuth)
|
|
await channel.shutdown()
|
|
}
|
|
}
|
|
|
|
@Test func `config URL sends neither legacy nor another route stored token`() async throws {
|
|
let tempDir = FileManager.default.temporaryDirectory
|
|
.appendingPathComponent(UUID().uuidString, isDirectory: true)
|
|
try FileManager.default.createDirectory(at: tempDir, withIntermediateDirectories: true)
|
|
defer { try? FileManager.default.removeItem(at: tempDir) }
|
|
|
|
try await TestIsolation.withEnvValues(["OPENCLAW_STATE_DIR": tempDir.path]) {
|
|
var configA = GatewayConfig()
|
|
configA.mode = "remote"
|
|
configA.remoteUrl = "wss://gateway-a.example.test"
|
|
let opts = ConnectOptions.parse([])
|
|
let endpointA = try resolveGatewayEndpoint(opts: opts, config: configA)
|
|
let optionsA = makeGatewayConnectOptions(
|
|
opts: opts,
|
|
endpoint: endpointA,
|
|
displayName: "CLI Test")
|
|
|
|
var configB = configA
|
|
configB.remoteUrl = "wss://gateway-b.example.test"
|
|
let endpointB = try resolveGatewayEndpoint(opts: opts, config: configB)
|
|
let optionsB = makeGatewayConnectOptions(
|
|
opts: opts,
|
|
endpoint: endpointB,
|
|
displayName: "CLI Test")
|
|
let ownerA = try #require(optionsA.deviceAuthGatewayID)
|
|
let ownerB = try #require(optionsB.deviceAuthGatewayID)
|
|
#expect(ownerA != ownerB)
|
|
#expect(optionsB.allowStoredDeviceAuth)
|
|
|
|
let identity = DeviceIdentityStore.loadOrCreate()
|
|
_ = DeviceAuthStore.storeToken(
|
|
deviceId: identity.deviceId,
|
|
role: "operator",
|
|
token: "legacy-device-token") // pragma: allowlist secret
|
|
_ = DeviceAuthStore.storeToken(
|
|
deviceId: identity.deviceId,
|
|
role: "operator",
|
|
token: "route-a-device-token", // pragma: allowlist secret
|
|
gatewayID: ownerA)
|
|
|
|
let recorder = CLIConnectAuthRecorder()
|
|
let session = GatewayTestWebSocketSession(taskFactory: {
|
|
GatewayTestWebSocketTask(sendHook: { _, message, sendIndex in
|
|
if sendIndex == 0 {
|
|
recorder.record(message)
|
|
}
|
|
})
|
|
})
|
|
let channel = GatewayChannelActor(
|
|
url: endpointB.url,
|
|
token: endpointB.token,
|
|
password: endpointB.password,
|
|
session: WebSocketSessionBox(session: session),
|
|
connectOptions: optionsB)
|
|
|
|
try await channel.connect()
|
|
let captured = recorder.snapshot()
|
|
#expect(captured.sawConnect)
|
|
#expect(!captured.sawAuth)
|
|
await channel.shutdown()
|
|
}
|
|
}
|
|
}
|