github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-09 21:34:44 +00:00
Code Issues Packages Projects Releases Wiki Activity

refactor(security): share DM allowlist state resolver

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-18 23:58:11 +00:00
parent 2709c0ba51
commit 5c5c032f42
4 changed files with 83 additions and 33 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
src/commands/doctor-security.ts
View File

@@ -5,8 +5,7 @@ import { formatCliCommand } from "../cli/command-format.js";
import type { OpenClawConfig, GatewayBindMode } from "../config/config.js"; import type { OpenClawConfig, GatewayBindMode } from "../config/config.js";
import { resolveGatewayAuth } from "../gateway/auth.js"; import { resolveGatewayAuth } from "../gateway/auth.js";
import { isLoopbackHost, resolveGatewayBindHost } from "../gateway/net.js"; import { isLoopbackHost, resolveGatewayBindHost } from "../gateway/net.js";
import { readChannelAllowFromStore } from "../pairing/pairing-store.js"; import { resolveDmAllowState } from "../security/dm-policy-shared.js";
import { normalizeStringEntries } from "../shared/string-normalization.js";
import { note } from "../terminal/note.js"; import { note } from "../terminal/note.js";
export async function noteSecurityWarnings(cfg: OpenClawConfig) { export async function noteSecurityWarnings(cfg: OpenClawConfig) {
@@ -85,23 +84,12 @@ export async function noteSecurityWarnings(cfg: OpenClawConfig) {
}) => { }) => {
const dmPolicy = params.dmPolicy; const dmPolicy = params.dmPolicy;
const policyPath = params.policyPath ?? `${params.allowFromPath}policy`; const policyPath = params.policyPath ?? `${params.allowFromPath}policy`;
const configAllowFrom = normalizeStringEntries( const { hasWildcard, allowCount, isMultiUserDm } = await resolveDmAllowState({
Array.isArray(params.allowFrom) ? params.allowFrom : undefined, provider: params.provider,
); allowFrom: params.allowFrom,
const hasWildcard = configAllowFrom.includes("*"); normalizeEntry: params.normalizeEntry,
const storeAllowFrom = await readChannelAllowFromStore(params.provider).catch(() => []); });
const normalizedCfg = configAllowFrom
.filter((v) => v !== "*")
.map((v) => (params.normalizeEntry ? params.normalizeEntry(v) : v))
.map((v) => v.trim())
.filter(Boolean);
const normalizedStore = storeAllowFrom
.map((v) => (params.normalizeEntry ? params.normalizeEntry(v) : v))
.map((v) => v.trim())
.filter(Boolean);
const allowCount = Array.from(new Set([...normalizedCfg, ...normalizedStore])).length;
const dmScope = cfg.session?.dmScope ?? "main"; const dmScope = cfg.session?.dmScope ?? "main";
const isMultiUserDm = hasWildcard || allowCount > 1;
if (dmPolicy === "open") { if (dmPolicy === "open") {
const allowFromPath = `${params.allowFromPath}allowFrom`; const allowFromPath = `${params.allowFromPath}allowFrom`;

21
src/security/audit-channel.ts
View File

@@ -11,6 +11,7 @@ import type { OpenClawConfig } from "../config/config.js";
import { readChannelAllowFromStore } from "../pairing/pairing-store.js"; import { readChannelAllowFromStore } from "../pairing/pairing-store.js";
import { normalizeStringEntries } from "../shared/string-normalization.js"; import { normalizeStringEntries } from "../shared/string-normalization.js";
import type { SecurityAuditFinding, SecurityAuditSeverity } from "./audit.js"; import type { SecurityAuditFinding, SecurityAuditSeverity } from "./audit.js";
import { resolveDmAllowState } from "./dm-policy-shared.js";
function normalizeAllowFromList(list: Array<string | number> | undefined | null): string[] { function normalizeAllowFromList(list: Array<string | number> | undefined | null): string[] {
return normalizeStringEntries(Array.isArray(list) ? list : undefined); return normalizeStringEntries(Array.isArray(list) ? list : undefined);
@@ -63,22 +64,12 @@ export async function collectChannelSecurityFindings(params: {
normalizeEntry?: (raw: string) => string; normalizeEntry?: (raw: string) => string;
}) => { }) => {
const policyPath = input.policyPath ?? `${input.allowFromPath}policy`; const policyPath = input.policyPath ?? `${input.allowFromPath}policy`;
const configAllowFrom = normalizeAllowFromList(input.allowFrom); const { hasWildcard, isMultiUserDm } = await resolveDmAllowState({
const hasWildcard = configAllowFrom.includes("*"); provider: input.provider,
allowFrom: input.allowFrom,
normalizeEntry: input.normalizeEntry,
});
const dmScope = params.cfg.session?.dmScope ?? "main"; const dmScope = params.cfg.session?.dmScope ?? "main";
const storeAllowFrom = await readChannelAllowFromStore(input.provider).catch(() => []);
const normalizeEntry = input.normalizeEntry ?? ((value: string) => value);
const normalizedCfg = configAllowFrom
.filter((value) => value !== "*")
.map((value) => normalizeEntry(value))
.map((value) => value.trim())
.filter(Boolean);
const normalizedStore = storeAllowFrom
.map((value) => normalizeEntry(value))
.map((value) => value.trim())
.filter(Boolean);
const allowCount = Array.from(new Set([...normalizedCfg, ...normalizedStore])).length;
const isMultiUserDm = hasWildcard || allowCount > 1;
if (input.dmPolicy === "open") { if (input.dmPolicy === "open") {
const allowFromKey = `${input.allowFromPath}allowFrom`; const allowFromKey = `${input.allowFromPath}allowFrom`;

31
src/security/dm-policy-shared.test.ts Normal file
View File

@@ -0,0 +1,31 @@
import { describe, expect, it } from "vitest";
import { resolveDmAllowState } from "./dm-policy-shared.js";
describe("security/dm-policy-shared", () => {
it("normalizes config + store allow entries and counts distinct senders", async () => {
const state = await resolveDmAllowState({
provider: "telegram",
allowFrom: [" * ", " alice ", "ALICE", "bob"],
normalizeEntry: (value) => value.toLowerCase(),
readStore: async () => [" Bob ", "carol", ""],
});
expect(state.configAllowFrom).toEqual(["*", "alice", "ALICE", "bob"]);
expect(state.hasWildcard).toBe(true);
expect(state.allowCount).toBe(3);
expect(state.isMultiUserDm).toBe(true);
});
it("handles empty allowlists and store failures", async () => {
const state = await resolveDmAllowState({
provider: "slack",
allowFrom: undefined,
readStore: async () => {
throw new Error("offline");
},
});
expect(state.configAllowFrom).toEqual([]);
expect(state.hasWildcard).toBe(false);
expect(state.allowCount).toBe(0);
expect(state.isMultiUserDm).toBe(false);
});
});

40
src/security/dm-policy-shared.ts Normal file
View File

@@ -0,0 +1,40 @@
import type { ChannelId } from "../channels/plugins/types.js";
import { readChannelAllowFromStore } from "../pairing/pairing-store.js";
import { normalizeStringEntries } from "../shared/string-normalization.js";
export async function resolveDmAllowState(params: {
provider: ChannelId;
allowFrom?: Array<string | number> | null;
normalizeEntry?: (raw: string) => string;
readStore?: (provider: ChannelId) => Promise<string[]>;
}): Promise<{
configAllowFrom: string[];
hasWildcard: boolean;
allowCount: number;
isMultiUserDm: boolean;
}> {
const configAllowFrom = normalizeStringEntries(
Array.isArray(params.allowFrom) ? params.allowFrom : undefined,
);
const hasWildcard = configAllowFrom.includes("*");
const storeAllowFrom = await (params.readStore ?? readChannelAllowFromStore)(
params.provider,
).catch(() => []);
const normalizeEntry = params.normalizeEntry ?? ((value: string) => value);
const normalizedCfg = configAllowFrom
.filter((value) => value !== "*")
.map((value) => normalizeEntry(value))
.map((value) => value.trim())
.filter(Boolean);
const normalizedStore = storeAllowFrom
.map((value) => normalizeEntry(value))
.map((value) => value.trim())
.filter(Boolean);
const allowCount = Array.from(new Set([...normalizedCfg, ...normalizedStore])).length;
return {
configAllowFrom,
hasWildcard,
allowCount,
isMultiUserDm: hasWildcard || allowCount > 1,
};
}