mirror of
https://github.com/openclaw/openclaw.git
synced 2026-05-01 04:30:21 +00:00
45 lines
1.3 KiB
TypeScript
45 lines
1.3 KiB
TypeScript
import { compileGlobPatterns, matchesAnyGlobPattern } from "./glob-pattern.js";
|
|
import type { SandboxToolPolicy } from "./sandbox/types.js";
|
|
import { expandToolGroups, normalizeToolName } from "./tool-policy.js";
|
|
|
|
function makeToolPolicyMatcher(policy: SandboxToolPolicy) {
|
|
const deny = compileGlobPatterns({
|
|
raw: expandToolGroups(policy.deny ?? []),
|
|
normalize: normalizeToolName,
|
|
});
|
|
const allow = compileGlobPatterns({
|
|
raw: expandToolGroups(policy.allow ?? []),
|
|
normalize: normalizeToolName,
|
|
});
|
|
return (name: string) => {
|
|
const normalized = normalizeToolName(name);
|
|
if (matchesAnyGlobPattern(normalized, deny)) {
|
|
return false;
|
|
}
|
|
if (allow.length === 0) {
|
|
return true;
|
|
}
|
|
if (matchesAnyGlobPattern(normalized, allow)) {
|
|
return true;
|
|
}
|
|
if (normalized === "apply_patch" && matchesAnyGlobPattern("exec", allow)) {
|
|
return true;
|
|
}
|
|
return false;
|
|
};
|
|
}
|
|
|
|
export function isToolAllowedByPolicyName(name: string, policy?: SandboxToolPolicy): boolean {
|
|
if (!policy) {
|
|
return true;
|
|
}
|
|
return makeToolPolicyMatcher(policy)(name);
|
|
}
|
|
|
|
export function isToolAllowedByPolicies(
|
|
name: string,
|
|
policies: Array<SandboxToolPolicy | undefined>,
|
|
) {
|
|
return policies.every((policy) => isToolAllowedByPolicyName(name, policy));
|
|
}
|