github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-09 14:34:32 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: harden gateway control-plane restart protections

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-19 14:29:44 +01:00
parent 14b4c7fd56
commit ff74d89e86
11 changed files with 523 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

124
src/gateway/server-methods.control-plane-rate-limit.test.ts Normal file
View File

@@ -0,0 +1,124 @@
import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
import type { GatewayRequestHandler } from "./server-methods/types.js";
import { __testing as controlPlaneRateLimitTesting } from "./control-plane-rate-limit.js";
import { handleGatewayRequest } from "./server-methods.js";
const noWebchat = () => false;
describe("gateway control-plane write rate limit", () => {
beforeEach(() => {
controlPlaneRateLimitTesting.resetControlPlaneRateLimitState();
vi.useFakeTimers();
vi.setSystemTime(new Date("2026-02-19T00:00:00.000Z"));
});
afterEach(() => {
vi.useRealTimers();
controlPlaneRateLimitTesting.resetControlPlaneRateLimitState();
});
function buildContext(logWarn = vi.fn()) {
return {
logGateway: {
warn: logWarn,
},
} as unknown as Parameters<typeof handleGatewayRequest>[0]["context"];
}
function buildClient() {
return {
connect: {
role: "operator",
scopes: ["operator.admin"],
client: {
id: "openclaw-control-ui",
version: "1.0.0",
platform: "darwin",
mode: "ui",
},
minProtocol: 1,
maxProtocol: 1,
},
connId: "conn-1",
clientIp: "10.0.0.5",
} as Parameters<typeof handleGatewayRequest>[0]["client"];
}
async function runRequest(params: {
method: string;
context: Parameters<typeof handleGatewayRequest>[0]["context"];
client: Parameters<typeof handleGatewayRequest>[0]["client"];
handler: GatewayRequestHandler;
}) {
const respond = vi.fn();
await handleGatewayRequest({
req: {
type: "req",
id: crypto.randomUUID(),
method: params.method,
},
respond,
client: params.client,
isWebchatConnect: noWebchat,
context: params.context,
extraHandlers: {
[params.method]: params.handler,
},
});
return respond;
}
it("allows 3 control-plane writes and blocks the 4th in the same minute", async () => {
const handlerCalls = vi.fn();
const handler: GatewayRequestHandler = (opts) => {
handlerCalls(opts);
opts.respond(true, undefined, undefined);
};
const logWarn = vi.fn();
const context = buildContext(logWarn);
const client = buildClient();
await runRequest({ method: "config.patch", context, client, handler });
await runRequest({ method: "config.patch", context, client, handler });
await runRequest({ method: "config.patch", context, client, handler });
const blocked = await runRequest({ method: "config.patch", context, client, handler });
expect(handlerCalls).toHaveBeenCalledTimes(3);
expect(blocked).toHaveBeenCalledWith(
false,
undefined,
expect.objectContaining({
code: "UNAVAILABLE",
retryable: true,
}),
);
expect(logWarn).toHaveBeenCalledTimes(1);
});
it("resets the control-plane write budget after 60 seconds", async () => {
const handlerCalls = vi.fn();
const handler: GatewayRequestHandler = (opts) => {
handlerCalls(opts);
opts.respond(true, undefined, undefined);
};
const context = buildContext();
const client = buildClient();
await runRequest({ method: "update.run", context, client, handler });
await runRequest({ method: "update.run", context, client, handler });
await runRequest({ method: "update.run", context, client, handler });
const blocked = await runRequest({ method: "update.run", context, client, handler });
expect(blocked).toHaveBeenCalledWith(
false,
undefined,
expect.objectContaining({ code: "UNAVAILABLE" }),
);
vi.advanceTimersByTime(60_001);
const allowed = await runRequest({ method: "update.run", context, client, handler });
expect(allowed).toHaveBeenCalledWith(true, undefined, undefined);
expect(handlerCalls).toHaveBeenCalledTimes(4);
});
});