github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-04-19 11:38:38 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
051fdcc428129446e7c084260f837b7284279ce9
openclaw/src/security/dm-policy-channel-smoke.test.ts
Peter Steinberger 051fdcc428 fix(security): centralize dm/group allowlist auth composition
2026-02-26 16:35:33 +01:00

66 lines
2.0 KiB
TypeScript
Raw Blame History

import { describe, expect, it } from "vitest";
import { isAllowedBlueBubblesSender } from "../../extensions/bluebubbles/src/targets.js";
import { isMattermostSenderAllowed } from "../../extensions/mattermost/src/mattermost/monitor-auth.js";
import { isSignalSenderAllowed, type SignalSender } from "../signal/identity.js";
import { resolveDmGroupAccessWithLists } from "./dm-policy-shared.js";
type ChannelSmokeCase = {
name: string;
storeAllowFrom: string[];
isSenderAllowed: (allowFrom: string[]) => boolean;
};
const signalSender: SignalSender = {
kind: "phone",
raw: "+15550001111",
e164: "+15550001111",
};
const cases: ChannelSmokeCase[] = [
{
name: "bluebubbles",
storeAllowFrom: ["attacker-user"],
isSenderAllowed: (allowFrom) =>
isAllowedBlueBubblesSender({
allowFrom,
sender: "attacker-user",
chatId: 101,
}),
},
{
name: "signal",
storeAllowFrom: [signalSender.e164],
isSenderAllowed: (allowFrom) => isSignalSenderAllowed(signalSender, allowFrom),
},
{
name: "mattermost",
storeAllowFrom: ["user:attacker-user"],
isSenderAllowed: (allowFrom) =>
isMattermostSenderAllowed({
senderId: "attacker-user",
senderName: "Attacker",
allowFrom,
}),
},
];
describe("security/dm-policy-shared channel smoke", () => {
for (const testCase of cases) {
for (const ingress of ["message", "reaction"] as const) {
it(`[${testCase.name}] blocks group ${ingress} when sender is only in pairing store`, () => {
const access = resolveDmGroupAccessWithLists({
isGroup: true,
dmPolicy: "pairing",
groupPolicy: "allowlist",
allowFrom: ["owner-user"],
groupAllowFrom: ["group-owner"],
storeAllowFrom: testCase.storeAllowFrom,
isSenderAllowed: testCase.isSenderAllowed,
});
expect(access.decision).toBe("block");
expect(access.reason).toBe("groupPolicy=allowlist (not allowlisted)");
});
}
}
});
Reference in New Issue View Git Blame Copy Permalink