github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-10 10:55:07 +00:00
Code Issues Packages Projects Releases Wiki Activity

test(config): reuse fixtures for faster validation

Browse Source
This commit is contained in:
Peter Steinberger
2026-03-02 09:45:52 +00:00
parent fcb956a0a2
commit fd4d157e45
5 changed files with 520 additions and 378 deletions
Download Patch File Download Diff File Expand all files Collapse all files

586
src/secrets/resolve.test.ts
View File

@@ -1,9 +1,8 @@
import fs from "node:fs/promises";
import os from "node:os";
import path from "node:path";
import { afterEach, describe, expect, it, vi } from "vitest";
import { afterAll, beforeAll, describe, expect, it, vi } from "vitest";
import type { OpenClawConfig } from "../config/config.js";
import type { SecretProviderConfig } from "../config/types.secrets.js";
import { resolveSecretRefString, resolveSecretRefValue } from "./resolve.js";
async function writeSecureFile(filePath: string, content: string, mode = 0o600): Promise<void> {
@@ -13,92 +12,69 @@ async function writeSecureFile(filePath: string, content: string, mode = 0o600):
}
describe("secret ref resolver", () => {
const cleanupRoots: string[] = [];
const execRef = { source: "exec", provider: "execmain", id: "openai/api-key" } as const;
const fileRef = { source: "file", provider: "filemain", id: "/providers/openai/apiKey" } as const;
let fixtureRoot = "";
let caseId = 0;
let execProtocolV1ScriptPath = "";
let execPlainScriptPath = "";
let execProtocolV2ScriptPath = "";
let execMissingIdScriptPath = "";
let execInvalidJsonScriptPath = "";
function isWindows(): boolean {
return process.platform === "win32";
}
const createCaseDir = async (label: string): Promise<string> => {
const dir = path.join(fixtureRoot, `${label}-${caseId++}`);
await fs.mkdir(dir, { recursive: true });
return dir;
};
async function createTempRoot(prefix: string): Promise<string> {
const root = await fs.mkdtemp(path.join(os.tmpdir(), prefix));
cleanupRoots.push(root);
return root;
}
beforeAll(async () => {
fixtureRoot = await fs.mkdtemp(path.join(os.tmpdir(), "openclaw-secrets-resolve-"));
const sharedExecDir = path.join(fixtureRoot, "shared-exec");
await fs.mkdir(sharedExecDir, { recursive: true });
function createProviderConfig(
providerId: string,
provider: SecretProviderConfig,
): OpenClawConfig {
return {
secrets: {
providers: {
[providerId]: provider,
},
},
};
}
async function resolveWithProvider(params: {
ref: Parameters<typeof resolveSecretRefString>[0];
providerId: string;
provider: SecretProviderConfig;
}) {
return await resolveSecretRefString(params.ref, {
config: createProviderConfig(params.providerId, params.provider),
});
}
function createExecProvider(
command: string,
overrides?: Record<string, unknown>,
): SecretProviderConfig {
return {
source: "exec",
command,
passEnv: ["PATH"],
...overrides,
} as SecretProviderConfig;
}
async function expectExecResolveRejects(
provider: SecretProviderConfig,
message: string,
): Promise<void> {
await expect(
resolveWithProvider({
ref: execRef,
providerId: "execmain",
provider,
}),
).rejects.toThrow(message);
}
async function createSymlinkedPlainExecCommand(
root: string,
targetRoot = root,
): Promise<{ scriptPath: string; symlinkPath: string }> {
const scriptPath = path.join(targetRoot, "resolver-target.mjs");
const symlinkPath = path.join(root, "resolver-link.mjs");
execProtocolV1ScriptPath = path.join(sharedExecDir, "resolver-v1.sh");
await writeSecureFile(
scriptPath,
["#!/usr/bin/env node", "process.stdout.write('plain-secret');"].join("\n"),
execProtocolV1ScriptPath,
[
"#!/bin/sh",
'printf \'{"protocolVersion":1,"values":{"openai/api-key":"value:openai/api-key"}}\'',
].join("\n"),
0o700,
);
await fs.symlink(scriptPath, symlinkPath);
return { scriptPath, symlinkPath };
}
afterEach(async () => {
vi.restoreAllMocks();
while (cleanupRoots.length > 0) {
const root = cleanupRoots.pop();
if (!root) {
continue;
}
await fs.rm(root, { recursive: true, force: true });
execPlainScriptPath = path.join(sharedExecDir, "resolver-plain.sh");
await writeSecureFile(
execPlainScriptPath,
["#!/bin/sh", "printf 'plain-secret'"].join("\n"),
0o700,
);
execProtocolV2ScriptPath = path.join(sharedExecDir, "resolver-v2.sh");
await writeSecureFile(
execProtocolV2ScriptPath,
["#!/bin/sh", 'printf \'{"protocolVersion":2,"values":{"openai/api-key":"x"}}\''].join("\n"),
0o700,
);
execMissingIdScriptPath = path.join(sharedExecDir, "resolver-missing-id.sh");
await writeSecureFile(
execMissingIdScriptPath,
["#!/bin/sh", 'printf \'{"protocolVersion":1,"values":{}}\''].join("\n"),
0o700,
);
execInvalidJsonScriptPath = path.join(sharedExecDir, "resolver-invalid-json.sh");
await writeSecureFile(
execInvalidJsonScriptPath,
["#!/bin/sh", "printf 'not-json'"].join("\n"),
0o700,
);
});
afterAll(async () => {
if (!fixtureRoot) {
return;
}
await fs.rm(fixtureRoot, { recursive: true, force: true });
});
it("resolves env refs via implicit default env provider", async () => {
@@ -114,10 +90,10 @@ describe("secret ref resolver", () => {
});
it("resolves file refs in json mode", async () => {
if (isWindows()) {
if (process.platform === "win32") {
return;
}
const root = await createTempRoot("openclaw-secrets-resolve-file-");
const root = await createCaseDir("file");
const filePath = path.join(root, "secrets.json");
await writeSecureFile(
filePath,
@@ -130,111 +106,140 @@ describe("secret ref resolver", () => {
}),
);
const value = await resolveWithProvider({
ref: fileRef,
providerId: "filemain",
provider: {
source: "file",
path: filePath,
mode: "json",
const value = await resolveSecretRefString(
{ source: "file", provider: "filemain", id: "/providers/openai/apiKey" },
{
config: {
secrets: {
providers: {
filemain: {
source: "file",
path: filePath,
mode: "json",
},
},
},
},
},
});
);
expect(value).toBe("sk-file-value");
});
it("resolves exec refs with protocolVersion 1 response", async () => {
if (isWindows()) {
if (process.platform === "win32") {
return;
}
const root = await createTempRoot("openclaw-secrets-resolve-exec-");
const scriptPath = path.join(root, "resolver.mjs");
await writeSecureFile(
scriptPath,
[
"#!/usr/bin/env node",
"import fs from 'node:fs';",
"const req = JSON.parse(fs.readFileSync(0, 'utf8'));",
"const values = Object.fromEntries((req.ids ?? []).map((id) => [id, `value:${id}`]));",
"process.stdout.write(JSON.stringify({ protocolVersion: 1, values }));",
].join("\n"),
0o700,
);
const value = await resolveWithProvider({
ref: execRef,
providerId: "execmain",
provider: {
source: "exec",
command: scriptPath,
passEnv: ["PATH"],
const value = await resolveSecretRefString(
{ source: "exec", provider: "execmain", id: "openai/api-key" },
{
config: {
secrets: {
providers: {
execmain: {
source: "exec",
command: execProtocolV1ScriptPath,
passEnv: ["PATH"],
},
},
},
},
},
});
);
expect(value).toBe("value:openai/api-key");
});
it("supports non-JSON single-value exec output when jsonOnly is false", async () => {
if (isWindows()) {
if (process.platform === "win32") {
return;
}
const root = await createTempRoot("openclaw-secrets-resolve-exec-plain-");
const scriptPath = path.join(root, "resolver-plain.mjs");
await writeSecureFile(
scriptPath,
["#!/usr/bin/env node", "process.stdout.write('plain-secret');"].join("\n"),
0o700,
);
const value = await resolveWithProvider({
ref: execRef,
providerId: "execmain",
provider: {
source: "exec",
command: scriptPath,
passEnv: ["PATH"],
jsonOnly: false,
const value = await resolveSecretRefString(
{ source: "exec", provider: "execmain", id: "openai/api-key" },
{
config: {
secrets: {
providers: {
execmain: {
source: "exec",
command: execPlainScriptPath,
passEnv: ["PATH"],
jsonOnly: false,
},
},
},
},
},
});
);
expect(value).toBe("plain-secret");
});
it("rejects symlink command paths unless allowSymlinkCommand is enabled", async () => {
if (isWindows()) {
if (process.platform === "win32") {
return;
}
const root = await createTempRoot("openclaw-secrets-resolve-exec-link-");
const { symlinkPath } = await createSymlinkedPlainExecCommand(root);
await expectExecResolveRejects(
createExecProvider(symlinkPath, { jsonOnly: false }),
"must not be a symlink",
);
const root = await createCaseDir("exec-link-reject");
const symlinkPath = path.join(root, "resolver-link.mjs");
await fs.symlink(execPlainScriptPath, symlinkPath);
await expect(
resolveSecretRefString(
{ source: "exec", provider: "execmain", id: "openai/api-key" },
{
config: {
secrets: {
providers: {
execmain: {
source: "exec",
command: symlinkPath,
passEnv: ["PATH"],
jsonOnly: false,
},
},
},
},
},
),
).rejects.toThrow("must not be a symlink");
});
it("allows symlink command paths when allowSymlinkCommand is enabled", async () => {
if (isWindows()) {
if (process.platform === "win32") {
return;
}
const root = await createTempRoot("openclaw-secrets-resolve-exec-link-");
const { symlinkPath } = await createSymlinkedPlainExecCommand(root);
const trustedRoot = await fs.realpath(root);
const root = await createCaseDir("exec-link-allow");
const symlinkPath = path.join(root, "resolver-link.mjs");
await fs.symlink(execPlainScriptPath, symlinkPath);
const trustedRoot = await fs.realpath(fixtureRoot);
const value = await resolveWithProvider({
ref: execRef,
providerId: "execmain",
provider: createExecProvider(symlinkPath, {
jsonOnly: false,
allowSymlinkCommand: true,
trustedDirs: [trustedRoot],
}),
});
const value = await resolveSecretRefString(
{ source: "exec", provider: "execmain", id: "openai/api-key" },
{
config: {
secrets: {
providers: {
execmain: {
source: "exec",
command: symlinkPath,
passEnv: ["PATH"],
jsonOnly: false,
allowSymlinkCommand: true,
trustedDirs: [trustedRoot],
},
},
},
},
},
);
expect(value).toBe("plain-secret");
});
it("handles Homebrew-style symlinked exec commands with args only when explicitly allowed", async () => {
if (isWindows()) {
if (process.platform === "win32") {
return;
}
const root = await createTempRoot("openclaw-secrets-resolve-homebrew-");
const root = await createCaseDir("homebrew");
const binDir = path.join(root, "opt", "homebrew", "bin");
const cellarDir = path.join(root, "opt", "homebrew", "Cellar", "node", "25.0.0", "bin");
await fs.mkdir(binDir, { recursive: true });
@@ -245,12 +250,9 @@ describe("secret ref resolver", () => {
await writeSecureFile(
targetCommand,
[
`#!${process.execPath}`,
"import fs from 'node:fs';",
"const req = JSON.parse(fs.readFileSync(0, 'utf8'));",
"const suffix = process.argv[2] ?? 'missing';",
"const values = Object.fromEntries((req.ids ?? []).map((id) => [id, `${suffix}:${id}`]));",
"process.stdout.write(JSON.stringify({ protocolVersion: 1, values }));",
"#!/bin/sh",
'suffix="${1:-missing}"',
'printf \'{"protocolVersion":1,"values":{"openai/api-key":"%s:openai/api-key"}}\' "$suffix"',
].join("\n"),
0o700,
);
@@ -258,139 +260,182 @@ describe("secret ref resolver", () => {
const trustedRoot = await fs.realpath(root);
await expect(
resolveWithProvider({
ref: execRef,
providerId: "execmain",
provider: {
source: "exec",
command: symlinkCommand,
args: ["brew"],
passEnv: ["PATH"],
resolveSecretRefString(
{ source: "exec", provider: "execmain", id: "openai/api-key" },
{
config: {
secrets: {
providers: {
execmain: {
source: "exec",
command: symlinkCommand,
args: ["brew"],
passEnv: ["PATH"],
},
},
},
},
},
}),
),
).rejects.toThrow("must not be a symlink");
const value = await resolveWithProvider({
ref: execRef,
providerId: "execmain",
provider: {
source: "exec",
command: symlinkCommand,
args: ["brew"],
allowSymlinkCommand: true,
trustedDirs: [trustedRoot],
const value = await resolveSecretRefString(
{ source: "exec", provider: "execmain", id: "openai/api-key" },
{
config: {
secrets: {
providers: {
execmain: {
source: "exec",
command: symlinkCommand,
args: ["brew"],
allowSymlinkCommand: true,
trustedDirs: [trustedRoot],
},
},
},
},
},
});
);
expect(value).toBe("brew:openai/api-key");
});
it("checks trustedDirs against resolved symlink target", async () => {
if (isWindows()) {
if (process.platform === "win32") {
return;
}
const root = await createTempRoot("openclaw-secrets-resolve-exec-link-");
const outside = await createTempRoot("openclaw-secrets-resolve-exec-out-");
const { symlinkPath } = await createSymlinkedPlainExecCommand(root, outside);
await expectExecResolveRejects(
createExecProvider(symlinkPath, {
jsonOnly: false,
allowSymlinkCommand: true,
trustedDirs: [root],
}),
"outside trustedDirs",
);
const root = await createCaseDir("exec-link-trusted");
const symlinkPath = path.join(root, "resolver-link.mjs");
await fs.symlink(execPlainScriptPath, symlinkPath);
await expect(
resolveSecretRefString(
{ source: "exec", provider: "execmain", id: "openai/api-key" },
{
config: {
secrets: {
providers: {
execmain: {
source: "exec",
command: symlinkPath,
passEnv: ["PATH"],
jsonOnly: false,
allowSymlinkCommand: true,
trustedDirs: [root],
},
},
},
},
},
),
).rejects.toThrow("outside trustedDirs");
});
it("rejects exec refs when protocolVersion is not 1", async () => {
if (isWindows()) {
if (process.platform === "win32") {
return;
}
const root = await createTempRoot("openclaw-secrets-resolve-exec-protocol-");
const scriptPath = path.join(root, "resolver-protocol.mjs");
await writeSecureFile(
scriptPath,
[
"#!/usr/bin/env node",
"process.stdout.write(JSON.stringify({ protocolVersion: 2, values: { 'openai/api-key': 'x' } }));",
].join("\n"),
0o700,
);
await expectExecResolveRejects(createExecProvider(scriptPath), "protocolVersion must be 1");
await expect(
resolveSecretRefString(
{ source: "exec", provider: "execmain", id: "openai/api-key" },
{
config: {
secrets: {
providers: {
execmain: {
source: "exec",
command: execProtocolV2ScriptPath,
passEnv: ["PATH"],
},
},
},
},
},
),
).rejects.toThrow("protocolVersion must be 1");
});
it("rejects exec refs when response omits requested id", async () => {
if (isWindows()) {
if (process.platform === "win32") {
return;
}
const root = await createTempRoot("openclaw-secrets-resolve-exec-id-");
const scriptPath = path.join(root, "resolver-missing-id.mjs");
await writeSecureFile(
scriptPath,
[
"#!/usr/bin/env node",
"process.stdout.write(JSON.stringify({ protocolVersion: 1, values: {} }));",
].join("\n"),
0o700,
);
await expectExecResolveRejects(
createExecProvider(scriptPath),
'response missing id "openai/api-key"',
);
await expect(
resolveSecretRefString(
{ source: "exec", provider: "execmain", id: "openai/api-key" },
{
config: {
secrets: {
providers: {
execmain: {
source: "exec",
command: execMissingIdScriptPath,
passEnv: ["PATH"],
},
},
},
},
},
),
).rejects.toThrow('response missing id "openai/api-key"');
});
it("rejects exec refs with invalid JSON when jsonOnly is true", async () => {
if (isWindows()) {
if (process.platform === "win32") {
return;
}
const root = await createTempRoot("openclaw-secrets-resolve-exec-json-");
const scriptPath = path.join(root, "resolver-invalid-json.mjs");
await writeSecureFile(
scriptPath,
["#!/usr/bin/env node", "process.stdout.write('not-json');"].join("\n"),
0o700,
);
await expect(
resolveWithProvider({
ref: execRef,
providerId: "execmain",
provider: {
source: "exec",
command: scriptPath,
passEnv: ["PATH"],
jsonOnly: true,
resolveSecretRefString(
{ source: "exec", provider: "execmain", id: "openai/api-key" },
{
config: {
secrets: {
providers: {
execmain: {
source: "exec",
command: execInvalidJsonScriptPath,
passEnv: ["PATH"],
jsonOnly: true,
},
},
},
},
},
}),
),
).rejects.toThrow("returned invalid JSON");
});
it("supports file singleValue mode with id=value", async () => {
if (isWindows()) {
if (process.platform === "win32") {
return;
}
const root = await createTempRoot("openclaw-secrets-resolve-single-value-");
const root = await createCaseDir("file-single-value");
const filePath = path.join(root, "token.txt");
await writeSecureFile(filePath, "raw-token-value\n");
const value = await resolveWithProvider({
ref: { source: "file", provider: "rawfile", id: "value" },
providerId: "rawfile",
provider: {
source: "file",
path: filePath,
mode: "singleValue",
const value = await resolveSecretRefString(
{ source: "file", provider: "rawfile", id: "value" },
{
config: {
secrets: {
providers: {
rawfile: {
source: "file",
path: filePath,
mode: "singleValue",
},
},
},
},
},
});
);
expect(value).toBe("raw-token-value");
});
it("times out file provider reads when timeoutMs elapses", async () => {
if (isWindows()) {
if (process.platform === "win32") {
return;
}
const root = await createTempRoot("openclaw-secrets-resolve-timeout-");
const root = await createCaseDir("file-timeout");
const filePath = path.join(root, "secrets.json");
await writeSecureFile(
filePath,
@@ -404,7 +449,7 @@ describe("secret ref resolver", () => {
);
const originalReadFile = fs.readFile.bind(fs);
vi.spyOn(fs, "readFile").mockImplementation(((
const readFileSpy = vi.spyOn(fs, "readFile").mockImplementation(((
targetPath: Parameters<typeof fs.readFile>[0],
options?: Parameters<typeof fs.readFile>[1],
) => {
@@ -414,18 +459,29 @@ describe("secret ref resolver", () => {
return originalReadFile(targetPath, options);
}) as typeof fs.readFile);
await expect(
resolveWithProvider({
ref: fileRef,
providerId: "filemain",
provider: {
source: "file",
path: filePath,
mode: "json",
timeoutMs: 5,
},
}),
).rejects.toThrow('File provider "filemain" timed out');
try {
await expect(
resolveSecretRefString(
{ source: "file", provider: "filemain", id: "/providers/openai/apiKey" },
{
config: {
secrets: {
providers: {
filemain: {
source: "file",
path: filePath,
mode: "json",
timeoutMs: 5,
},
},
},
},
},
),
).rejects.toThrow('File provider "filemain" timed out');
} finally {
readFileSpy.mockRestore();
}
});
it("rejects misconfigured provider source mismatches", async () => {
@@ -433,7 +489,15 @@ describe("secret ref resolver", () => {
resolveSecretRefValue(
{ source: "exec", provider: "default", id: "abc" },
{
config: createProviderConfig("default", { source: "env" }),
config: {
secrets: {
providers: {
default: {
source: "env",
},
},
},
},
},
),
).rejects.toThrow('has source "env" but ref requests "exec"');