* refactor: share talk event metric extraction * refactor: reuse shared coercion helpers * refactor: reuse shared primitive guards * refactor: reuse shared record guard * refactor: reuse shared primitive helpers * refactor: reuse shared string guards * refactor: reuse shared non-empty string guard * refactor: share plugin primitive coercion helpers * refactor: reuse plugin coercion helpers * refactor: reuse plugin coercion helpers in more plugins * refactor: reuse channel coercion helpers * refactor: reuse monitor coercion helpers * refactor: reuse provider coercion helpers * refactor: reuse core coercion helpers * refactor: reuse runtime coercion helpers * refactor: reuse helper coercion in codex paths * refactor: reuse helper coercion in runtime paths * refactor: reuse codex app-server coercion helpers * refactor: reuse codex record helpers * refactor: reuse migration and qa record helpers * refactor: reuse feishu and core helper guards * refactor: reuse browser and policy coercion helpers * refactor: reuse memory wiki record helper * refactor: share boolean coercion helpers * refactor: reuse finite number coercion * refactor: reuse trimmed string list helpers * refactor: reuse string list normalization * refactor: reuse remaining string list helpers * refactor: reuse string entry normalizer * refactor: share sorted string helpers * refactor: share string list normalization * test: preserve command registry browser imports * refactor: reuse trimmed list helpers * refactor: reuse string dedupe helpers * refactor: reuse local dedupe helpers * refactor: reuse more string dedupe helpers * refactor: reuse command string dedupe helpers * refactor: dedupe memory path lists with helper * refactor: expose string dedupe helpers to plugins * refactor: reuse core string dedupe helpers * refactor: reuse shared unique value helpers * refactor: reuse unique helpers in agent utilities * refactor: reuse unique helpers in config plumbing * refactor: reuse unique helpers in 
extensions * refactor: reuse unique helpers in core utilities * refactor: reuse unique helpers in qa plugins * refactor: reuse unique helpers in memory plugins * refactor: reuse unique helpers in channel plugins * refactor: reuse unique helpers in core tails * refactor: reuse unique helper in comfy workflow * refactor: reuse unique helpers in test utilities * refactor: expose unique value helper to plugins * refactor: reuse unique helpers for numeric lists * refactor: replace index dedupe filters * refactor: reuse string entry normalization * refactor: reuse string normalization in plugin helpers * refactor: reuse string normalization in extension helpers * refactor: reuse string normalization in channel parsers * refactor: reuse string normalization in memory search * refactor: reuse string normalization in provider parsers * refactor: reuse string normalization in qa helpers * refactor: reuse string normalization in infra parsers * refactor: reuse string normalization in messaging parsers * refactor: reuse string normalization in core parsers * refactor: reuse string normalization in extension parsers * refactor: reuse string normalization in remaining parsers * refactor: reuse string normalization in final parser spots * refactor: reuse string normalization in qa media helpers * refactor: reuse normalization in provider and media lists * refactor: reuse normalization for remaining set filters * refactor: reuse normalization in policy allowlists * refactor: reuse normalization in session and owner lists * refactor: centralize primitive string lists * refactor: reuse lowercase entry helpers * refactor: reuse sorted string helpers * refactor: reuse unique trimmed helpers * refactor: reuse string normalization helpers * refactor: reuse catalog string helpers * refactor: reuse remaining string helpers * refactor: simplify remaining list normalization * refactor: reuse codex auth order normalization * chore: refresh plugin sdk api baseline * fix: make shared string 
sorting deterministic * chore: refresh plugin sdk api baseline * fix: align host env security ordering
import {
ACCESS_GROUP_ALLOW_FROM_PREFIX,
parseAccessGroupAllowFromEntry,
} from "../channels/allow-from.js";
import type { ChannelId } from "../channels/plugins/types.public.js";
import type { AccessGroupConfig } from "../config/types.access-groups.js";
import type { OpenClawConfig } from "../config/types.openclaw.js";
import { uniqueStrings } from "../shared/string-normalization.js";
export { ACCESS_GROUP_ALLOW_FROM_PREFIX, parseAccessGroupAllowFromEntry };
/**
 * Callback that decides whether a sender belongs to a configured access group.
 *
 * Receives the full OpenClaw config together with the group being evaluated and
 * the identity of the sender (channel, account and sender id). Returns, or
 * resolves to, `true` when the sender is a member.
 *
 * A resolver that throws or rejects is treated by
 * `resolveAccessGroupAllowFromState` as a failed lookup: the group is recorded
 * under `failed` and is not counted as a match.
 */
export type AccessGroupMembershipResolver = (params: {
  cfg: OpenClawConfig;
  name: string;
  group: AccessGroupConfig;
  channel: ChannelId;
  accountId: string;
  senderId: string;
}) => Promise<boolean> | boolean;
/**
 * Config-free variant of the membership callback, as consumed by
 * `resolveAccessGroupAllowFromState`.
 *
 * It takes the same parameters as `AccessGroupMembershipResolver` except `cfg`;
 * callers that need the config are expected to close over it.
 */
export type AccessGroupMembershipLookup = (params: {
  name: string;
  group: AccessGroupConfig;
  channel: ChannelId;
  accountId: string;
  senderId: string;
}) => Promise<boolean> | boolean;
/**
 * Outcome of resolving the access-group references found in an `allowFrom` list
 * for a single sender. Only `matched` / `matchedAllowFromEntries` represent a
 * grant; the other buckets explain why a referenced group did not match and are
 * useful for diagnostics and audit logging.
 */
export type ResolvedAccessGroupAllowFromState = {
  /** Distinct group names parsed out of `allowFrom`, in first-seen order. */
  referenced: string[];
  /** Groups the sender matched, via static sender entries or the membership lookup. */
  matched: string[];
  /** Referenced names that have no entry in the configured access groups. */
  missing: string[];
  /** Groups of a type other than `message.senders` seen while no membership lookup was supplied. */
  unsupported: string[];
  /** Groups whose membership lookup threw or rejected; never counted as a match. */
  failed: string[];
  /** `matched` names with `ACCESS_GROUP_ALLOW_FROM_PREFIX` prepended. */
  matchedAllowFromEntries: string[];
  /** True when `allowFrom` referenced at least one access group. */
  hasReferences: boolean;
  /** True when at least one referenced group matched the sender. */
  hasMatch: boolean;
};
/**
 * Collects the static sender entries of a `message.senders` group that apply to
 * the given channel.
 *
 * @param params.group - Access group to read.
 * @param params.channel - Channel whose channel-specific members are included.
 * @returns The wildcard (`"*"`) members followed by the members listed for
 *   `channel`; an empty array for any other group type.
 */
function resolveMessageSenderGroupEntries(params: {
  group: AccessGroupConfig;
  channel: ChannelId;
}): string[] {
  const { group, channel } = params;
  if (group.type === "message.senders") {
    const wildcardEntries = group.members["*"] ?? [];
    const channelEntries = group.members[channel] ?? [];
    return [...wildcardEntries, ...channelEntries];
  }
  return [];
}
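/**
 * Resolves every access-group reference in `allowFrom` for one sender and
 * reports, per group, whether it matched, was missing, unsupported, or failed.
 *
 * Resolution order for each referenced group:
 * 1. Static entries of a `message.senders` group are checked with
 *    `isSenderAllowed`; only an explicit `true` counts as a match.
 * 2. Otherwise `resolveMembership` is consulted when supplied; only an explicit
 *    `true` counts as a match, and a throw or rejection is recorded under
 *    `failed`.
 * 3. Without `resolveMembership`, groups of any other type are recorded under
 *    `unsupported`.
 *
 * Every path other than an explicit match leaves the sender out of `matched`,
 * so lookup errors and malformed resolver results deny rather than grant.
 *
 * @param params.accessGroups - Configured groups keyed by name.
 * @param params.allowFrom - Raw allow list; entries are stringified before parsing.
 * @param params.channel - Channel the message arrived on.
 * @param params.accountId - Account the message was delivered to.
 * @param params.senderId - Sender being evaluated.
 * @param params.isSenderAllowed - Matcher for static sender entries.
 * @param params.resolveMembership - Optional dynamic membership lookup.
 * @returns The per-group resolution state for this sender.
 */
export async function resolveAccessGroupAllowFromState(params: {
  accessGroups?: Record<string, AccessGroupConfig>;
  allowFrom: Array<string | number> | null | undefined;
  channel: ChannelId;
  accountId: string;
  senderId: string;
  isSenderAllowed?: (senderId: string, allowFrom: string[]) => boolean;
  resolveMembership?: AccessGroupMembershipLookup;
}): Promise<ResolvedAccessGroupAllowFromState> {
  // Distinct group names in first-seen order; entries that are not group references are dropped.
  const names = Array.from(
    new Set(
      (params.allowFrom ?? [])
        .map((entry) => parseAccessGroupAllowFromEntry(String(entry)))
        .filter((entry): entry is string => entry != null),
    ),
  );
  const state: ResolvedAccessGroupAllowFromState = {
    referenced: names,
    matched: [],
    missing: [],
    unsupported: [],
    failed: [],
    matchedAllowFromEntries: [],
    hasReferences: names.length > 0,
    hasMatch: false,
  };
  const groups = params.accessGroups;
  for (const name of names) {
    // Own-property lookup only: a referenced name such as "constructor" or
    // "toString" must be reported as missing instead of resolving to a value
    // inherited from Object.prototype and being handed to the resolver.
    const group =
      groups != null && Object.prototype.hasOwnProperty.call(groups, name)
        ? groups[name]
        : undefined;
    if (!group) {
      state.missing.push(name);
      continue;
    }

    const senderEntries = resolveMessageSenderGroupEntries({
      group,
      channel: params.channel,
    });
    if (
      senderEntries.length > 0 &&
      params.isSenderAllowed?.(params.senderId, senderEntries) === true
    ) {
      state.matched.push(name);
      continue;
    }

    if (!params.resolveMembership) {
      if (group.type !== "message.senders") {
        state.unsupported.push(name);
      }
      continue;
    }

    let allowed = false;
    try {
      // Require a literal `true`, matching the isSenderAllowed check above, so a
      // resolver that returns some other truthy value does not grant access.
      allowed =
        (await params.resolveMembership({
          name,
          group,
          channel: params.channel,
          accountId: params.accountId,
          senderId: params.senderId,
        })) === true;
    } catch {
      // Fail closed: a lookup error is recorded and the group does not match.
      state.failed.push(name);
      continue;
    }
    if (allowed) {
      state.matched.push(name);
    }
  }
  state.matchedAllowFromEntries = state.matched.map(
    (name) => `${ACCESS_GROUP_ALLOW_FROM_PREFIX}${name}`,
  );
  state.hasMatch = state.matchedAllowFromEntries.length > 0;
  return state;
}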
/**
 * Returns the prefixed `allowFrom` entries of every access group the sender
 * matched.
 *
 * This is a thin wrapper over `resolveAccessGroupAllowFromState` that binds the
 * config into the membership resolver. When either `cfg` or `resolveMembership`
 * is absent, no resolver is forwarded, so only static sender entries can match.
 *
 * @param params.cfg - OpenClaw config supplying `accessGroups`.
 * @param params.allowFrom - Raw allow list to scan for group references.
 * @param params.channel - Channel the message arrived on.
 * @param params.accountId - Account the message was delivered to.
 * @param params.senderId - Sender being evaluated.
 * @param params.isSenderAllowed - Matcher for static sender entries.
 * @param params.resolveMembership - Optional dynamic membership resolver.
 * @returns `matchedAllowFromEntries` from the resolved state.
 */
export async function resolveAccessGroupAllowFromMatches(params: {
  cfg?: OpenClawConfig;
  allowFrom: Array<string | number> | null | undefined;
  channel: ChannelId;
  accountId: string;
  senderId: string;
  isSenderAllowed?: (senderId: string, allowFrom: string[]) => boolean;
  resolveMembership?: AccessGroupMembershipResolver;
}): Promise<string[]> {
  const { cfg, resolveMembership } = params;

  // The resolver needs the config, so it is only forwarded when both are present.
  let lookup: AccessGroupMembershipLookup | undefined;
  if (resolveMembership && cfg) {
    lookup = async (lookupParams) =>
      await resolveMembership({
        cfg,
        ...lookupParams,
      });
  }

  const { matchedAllowFromEntries } = await resolveAccessGroupAllowFromState({
    accessGroups: cfg?.accessGroups,
    allowFrom: params.allowFrom,
    channel: params.channel,
    accountId: params.accountId,
    senderId: params.senderId,
    isSenderAllowed: params.isSenderAllowed,
    resolveMembership: lookup,
  });
  return matchedAllowFromEntries;
}
/**
 * Expands an `allowFrom` list for one sender by resolving its access-group
 * references.
 *
 * When the sender matches at least one referenced group, the sender's own allow
 * entry (`senderAllowEntry`, falling back to `senderId`) is appended and the
 * combined list is passed through `uniqueStrings`. When nothing matches, the
 * stringified `allowFrom` is returned unchanged.
 *
 * NOTE(review): the result is specific to `senderId`, since it may contain that
 * sender's own entry. It should be computed per message and not reused as the
 * allow list for a different sender.
 *
 * @param params.cfg - OpenClaw config supplying `accessGroups`.
 * @param params.allowFrom - Raw allow list; entries are stringified.
 * @param params.channel - Channel the message arrived on.
 * @param params.accountId - Account the message was delivered to.
 * @param params.senderId - Sender being evaluated.
 * @param params.senderAllowEntry - Entry to append on a match instead of `senderId`.
 * @param params.isSenderAllowed - Matcher for static sender entries.
 * @param params.resolveMembership - Optional dynamic membership resolver.
 * @returns The allow list to use for this sender.
 */
export async function expandAllowFromWithAccessGroups(params: {
  cfg?: OpenClawConfig;
  allowFrom: Array<string | number> | null | undefined;
  channel: ChannelId;
  accountId: string;
  senderId: string;
  senderAllowEntry?: string;
  isSenderAllowed?: (senderId: string, allowFrom: string[]) => boolean;
  resolveMembership?: AccessGroupMembershipResolver;
}): Promise<string[]> {
  const { cfg, channel, accountId, senderId, isSenderAllowed, resolveMembership } = params;
  const allowFrom = (params.allowFrom ?? []).map((entry) => String(entry));

  const matched = await resolveAccessGroupAllowFromMatches({
    cfg,
    allowFrom,
    channel,
    accountId,
    senderId,
    isSenderAllowed,
    resolveMembership,
  });

  if (matched.length > 0) {
    // A group matched: add the sender's own entry so it is part of the returned list.
    return uniqueStrings([...allowFrom, params.senderAllowEntry ?? senderId]);
  }
  return allowFrom;
}