github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-09 18:14:31 +00:00
Code Issues Packages Projects Releases Wiki Activity

Gateway: add SecretRef support for gateway.auth.token with auth-mode guardrails (#35094)

Browse Source
This commit is contained in:
Josh Avant
2026-03-05 12:53:56 -06:00
committed by GitHub
parent bc66a8fa81
commit 72cf9253fc
112 changed files with 5750 additions and 465 deletions
Download Patch File Download Diff File Expand all files Collapse all files

279
src/tui/gateway-chat.test.ts
View File

@@ -1,3 +1,6 @@
import fs from "node:fs/promises";
import os from "node:os";
import path from "node:path";
import { afterEach, beforeEach, describe, expect, it } from "vitest";
import {
loadConfigMock as loadConfig,
@@ -5,10 +8,19 @@ import {
pickPrimaryTailnetIPv4Mock as pickPrimaryTailnetIPv4,
resolveGatewayPortMock as resolveGatewayPort,
} from "../gateway/gateway-connection.test-mocks.js";
import { captureEnv, withEnv } from "../test-utils/env.js";
import { captureEnv, withEnvAsync } from "../test-utils/env.js";
const { resolveGatewayConnection } = await import("./gateway-chat.js");
async function fileExists(filePath: string): Promise<boolean> {
try {
await fs.access(filePath);
return true;
} catch {
return false;
}
}
describe("resolveGatewayConnection", () => {
let envSnapshot: ReturnType<typeof captureEnv>;
@@ -29,10 +41,10 @@ describe("resolveGatewayConnection", () => {
envSnapshot.restore();
});
it("throws when url override is missing explicit credentials", () => {
it("throws when url override is missing explicit credentials", async () => {
loadConfig.mockReturnValue({ gateway: { mode: "local" } });
expect(() => resolveGatewayConnection({ url: "wss://override.example/ws" })).toThrow(
await expect(resolveGatewayConnection({ url: "wss://override.example/ws" })).rejects.toThrow(
"explicit credentials",
);
});
@@ -48,10 +60,10 @@ describe("resolveGatewayConnection", () => {
auth: { password: "explicit-password" },
expected: { token: undefined, password: "explicit-password" },
},
])("uses explicit $label when url override is set", ({ auth, expected }) => {
])("uses explicit $label when url override is set", async ({ auth, expected }) => {
loadConfig.mockReturnValue({ gateway: { mode: "local" } });
const result = resolveGatewayConnection({
const result = await resolveGatewayConnection({
url: "wss://override.example/ws",
...auth,
});
@@ -73,33 +85,98 @@ describe("resolveGatewayConnection", () => {
bind: "lan",
setup: () => pickPrimaryLanIPv4.mockReturnValue("192.168.1.42"),
},
])("uses loopback host when local bind is $label", ({ bind, setup }) => {
])("uses loopback host when local bind is $label", async ({ bind, setup }) => {
loadConfig.mockReturnValue({ gateway: { mode: "local", bind } });
resolveGatewayPort.mockReturnValue(18800);
setup();
const result = resolveGatewayConnection({});
const result = await withEnvAsync({ OPENCLAW_GATEWAY_TOKEN: "env-token" }, async () => {
return await resolveGatewayConnection({});
});
expect(result.url).toBe("ws://127.0.0.1:18800");
});
it("uses OPENCLAW_GATEWAY_TOKEN for local mode", () => {
it("uses OPENCLAW_GATEWAY_TOKEN for local mode", async () => {
loadConfig.mockReturnValue({ gateway: { mode: "local" } });
withEnv({ OPENCLAW_GATEWAY_TOKEN: "env-token" }, () => {
const result = resolveGatewayConnection({});
await withEnvAsync({ OPENCLAW_GATEWAY_TOKEN: "env-token" }, async () => {
const result = await resolveGatewayConnection({});
expect(result.token).toBe("env-token");
});
});
it("falls back to config auth token when env token is missing", () => {
it("falls back to config auth token when env token is missing", async () => {
loadConfig.mockReturnValue({ gateway: { mode: "local", auth: { token: "config-token" } } });
const result = resolveGatewayConnection({});
const result = await resolveGatewayConnection({});
expect(result.token).toBe("config-token");
});
it("prefers OPENCLAW_GATEWAY_PASSWORD over remote password fallback", () => {
it("uses local password auth when gateway.auth.mode is unset and password-only is configured", async () => {
loadConfig.mockReturnValue({
gateway: {
mode: "local",
auth: {
password: "config-password",
},
},
});
const result = await resolveGatewayConnection({});
expect(result.password).toBe("config-password");
expect(result.token).toBeUndefined();
});
it("fails when both local token and password are configured but gateway.auth.mode is unset", async () => {
loadConfig.mockReturnValue({
gateway: {
mode: "local",
auth: {
token: "config-token",
password: "config-password",
},
},
});
await expect(resolveGatewayConnection({})).rejects.toThrow(
"gateway.auth.mode is unset. Set gateway.auth.mode to token or password.",
);
});
it("resolves env-template config auth token from referenced env var", async () => {
loadConfig.mockReturnValue({
secrets: {
providers: {
default: { source: "env" },
},
},
gateway: {
mode: "local",
auth: { token: "${CUSTOM_GATEWAY_TOKEN}" },
},
});
await withEnvAsync({ CUSTOM_GATEWAY_TOKEN: "custom-token" }, async () => {
const result = await resolveGatewayConnection({});
expect(result.token).toBe("custom-token");
});
});
it("fails with guidance when env-template config auth token is unresolved", async () => {
loadConfig.mockReturnValue({
gateway: {
mode: "local",
auth: { token: "${MISSING_GATEWAY_TOKEN}" },
},
});
await expect(resolveGatewayConnection({})).rejects.toThrow(
"gateway.auth.token SecretRef is unresolved",
);
});
it("prefers OPENCLAW_GATEWAY_PASSWORD over remote password fallback", async () => {
loadConfig.mockReturnValue({
gateway: {
mode: "remote",
@@ -107,9 +184,181 @@ describe("resolveGatewayConnection", () => {
},
});
withEnv({ OPENCLAW_GATEWAY_PASSWORD: "env-pass" }, () => {
const result = resolveGatewayConnection({});
await withEnvAsync({ OPENCLAW_GATEWAY_PASSWORD: "env-pass" }, async () => {
const result = await resolveGatewayConnection({});
expect(result.password).toBe("env-pass");
});
});
it.runIf(process.platform !== "win32")(
"resolves file-backed SecretRef token for local mode",
async () => {
const tempDir = await fs.mkdtemp(path.join(os.tmpdir(), "openclaw-tui-file-secret-"));
const secretFile = path.join(tempDir, "secrets.json");
await fs.writeFile(secretFile, JSON.stringify({ gatewayToken: "file-secret-token" }), "utf8");
await fs.chmod(secretFile, 0o600);
loadConfig.mockReturnValue({
secrets: {
providers: {
fileProvider: {
source: "file",
path: secretFile,
mode: "json",
allowInsecurePath: true,
},
},
},
gateway: {
mode: "local",
auth: {
token: { source: "file", provider: "fileProvider", id: "/gatewayToken" },
},
},
});
try {
const result = await resolveGatewayConnection({});
expect(result.token).toBe("file-secret-token");
} finally {
await fs.rm(tempDir, { recursive: true, force: true });
}
},
);
it("resolves exec-backed SecretRef token for local mode", async () => {
const execProgram = [
"process.stdout.write(",
"JSON.stringify({ protocolVersion: 1, values: { EXEC_GATEWAY_TOKEN: 'exec-secret-token' } })",
");",
].join("");
loadConfig.mockReturnValue({
secrets: {
providers: {
execProvider: {
source: "exec",
command: process.execPath,
args: ["-e", execProgram],
allowInsecurePath: true,
},
},
},
gateway: {
mode: "local",
auth: {
token: { source: "exec", provider: "execProvider", id: "EXEC_GATEWAY_TOKEN" },
},
},
});
const result = await resolveGatewayConnection({});
expect(result.token).toBe("exec-secret-token");
});
it("resolves only token SecretRef when gateway.auth.mode is token", async () => {
const tempDir = await fs.mkdtemp(path.join(os.tmpdir(), "openclaw-tui-mode-token-"));
const tokenMarker = path.join(tempDir, "token-provider-ran");
const passwordMarker = path.join(tempDir, "password-provider-ran");
const tokenExecProgram = [
"const fs=require('node:fs');",
`fs.writeFileSync(${JSON.stringify(tokenMarker)},'1');`,
"process.stdout.write(JSON.stringify({ protocolVersion: 1, values: { TOKEN_SECRET: 'token-from-exec' } }));",
].join("");
const passwordExecProgram = [
"const fs=require('node:fs');",
`fs.writeFileSync(${JSON.stringify(passwordMarker)},'1');`,
"process.stdout.write(JSON.stringify({ protocolVersion: 1, values: { PASSWORD_SECRET: 'password-from-exec' } }));",
].join("");
loadConfig.mockReturnValue({
secrets: {
providers: {
tokenProvider: {
source: "exec",
command: process.execPath,
args: ["-e", tokenExecProgram],
allowInsecurePath: true,
},
passwordProvider: {
source: "exec",
command: process.execPath,
args: ["-e", passwordExecProgram],
allowInsecurePath: true,
},
},
},
gateway: {
mode: "local",
auth: {
mode: "token",
token: { source: "exec", provider: "tokenProvider", id: "TOKEN_SECRET" },
password: { source: "exec", provider: "passwordProvider", id: "PASSWORD_SECRET" },
},
},
});
try {
const result = await resolveGatewayConnection({});
expect(result.token).toBe("token-from-exec");
expect(result.password).toBeUndefined();
expect(await fileExists(tokenMarker)).toBe(true);
expect(await fileExists(passwordMarker)).toBe(false);
} finally {
await fs.rm(tempDir, { recursive: true, force: true });
}
});
it("resolves only password SecretRef when gateway.auth.mode is password", async () => {
const tempDir = await fs.mkdtemp(path.join(os.tmpdir(), "openclaw-tui-mode-password-"));
const tokenMarker = path.join(tempDir, "token-provider-ran");
const passwordMarker = path.join(tempDir, "password-provider-ran");
const tokenExecProgram = [
"const fs=require('node:fs');",
`fs.writeFileSync(${JSON.stringify(tokenMarker)},'1');`,
"process.stdout.write(JSON.stringify({ protocolVersion: 1, values: { TOKEN_SECRET: 'token-from-exec' } }));",
].join("");
const passwordExecProgram = [
"const fs=require('node:fs');",
`fs.writeFileSync(${JSON.stringify(passwordMarker)},'1');`,
"process.stdout.write(JSON.stringify({ protocolVersion: 1, values: { PASSWORD_SECRET: 'password-from-exec' } }));",
].join("");
loadConfig.mockReturnValue({
secrets: {
providers: {
tokenProvider: {
source: "exec",
command: process.execPath,
args: ["-e", tokenExecProgram],
allowInsecurePath: true,
},
passwordProvider: {
source: "exec",
command: process.execPath,
args: ["-e", passwordExecProgram],
allowInsecurePath: true,
},
},
},
gateway: {
mode: "local",
auth: {
mode: "password",
token: { source: "exec", provider: "tokenProvider", id: "TOKEN_SECRET" },
password: { source: "exec", provider: "passwordProvider", id: "PASSWORD_SECRET" },
},
},
});
try {
const result = await resolveGatewayConnection({});
expect(result.password).toBe("password-from-exec");
expect(result.token).toBeUndefined();
expect(await fileExists(tokenMarker)).toBe(false);
expect(await fileExists(passwordMarker)).toBe(true);
} finally {
await fs.rm(tempDir, { recursive: true, force: true });
}
});
});