mirror of
https://github.com/openclaw/openclaw.git
synced 2026-05-08 04:31:23 +00:00
914a7c5359
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: 4f2c2ecef4
Co-authored-by: coygeek <65363919+coygeek@users.noreply.github.com>
Co-authored-by: mbelinky <132747814+mbelinky@users.noreply.github.com>
Reviewed-by: @mbelinky
225 lines
7.6 KiB
TypeScript
225 lines
7.6 KiB
TypeScript
import { mkdtemp } from "node:fs/promises";
|
|
import { tmpdir } from "node:os";
|
|
import { join } from "node:path";
|
|
import { describe, expect, test } from "vitest";
|
|
import {
|
|
approveDevicePairing,
|
|
getPairedDevice,
|
|
removePairedDevice,
|
|
requestDevicePairing,
|
|
rotateDeviceToken,
|
|
verifyDeviceToken,
|
|
} from "./device-pairing.js";
|
|
|
|
async function setupPairedOperatorDevice(baseDir: string, scopes: string[]) {
|
|
const request = await requestDevicePairing(
|
|
{
|
|
deviceId: "device-1",
|
|
publicKey: "public-key-1",
|
|
role: "operator",
|
|
scopes,
|
|
},
|
|
baseDir,
|
|
);
|
|
await approveDevicePairing(request.request.requestId, baseDir);
|
|
}
|
|
|
|
function requireToken(token: string | undefined): string {
|
|
expect(typeof token).toBe("string");
|
|
if (typeof token !== "string") {
|
|
throw new Error("expected operator token to be issued");
|
|
}
|
|
return token;
|
|
}
|
|
|
|
describe("device pairing tokens", () => {
|
|
test("reuses existing pending requests for the same device", async () => {
|
|
const baseDir = await mkdtemp(join(tmpdir(), "openclaw-device-pairing-"));
|
|
const first = await requestDevicePairing(
|
|
{
|
|
deviceId: "device-1",
|
|
publicKey: "public-key-1",
|
|
},
|
|
baseDir,
|
|
);
|
|
const second = await requestDevicePairing(
|
|
{
|
|
deviceId: "device-1",
|
|
publicKey: "public-key-1",
|
|
},
|
|
baseDir,
|
|
);
|
|
|
|
expect(first.created).toBe(true);
|
|
expect(second.created).toBe(false);
|
|
expect(second.request.requestId).toBe(first.request.requestId);
|
|
});
|
|
|
|
test("merges pending roles/scopes for the same device before approval", async () => {
|
|
const baseDir = await mkdtemp(join(tmpdir(), "openclaw-device-pairing-"));
|
|
const first = await requestDevicePairing(
|
|
{
|
|
deviceId: "device-1",
|
|
publicKey: "public-key-1",
|
|
role: "node",
|
|
scopes: [],
|
|
},
|
|
baseDir,
|
|
);
|
|
const second = await requestDevicePairing(
|
|
{
|
|
deviceId: "device-1",
|
|
publicKey: "public-key-1",
|
|
role: "operator",
|
|
scopes: ["operator.read", "operator.write"],
|
|
},
|
|
baseDir,
|
|
);
|
|
|
|
expect(second.created).toBe(false);
|
|
expect(second.request.requestId).toBe(first.request.requestId);
|
|
expect(second.request.roles).toEqual(["node", "operator"]);
|
|
expect(second.request.scopes).toEqual(["operator.read", "operator.write"]);
|
|
|
|
await approveDevicePairing(first.request.requestId, baseDir);
|
|
const paired = await getPairedDevice("device-1", baseDir);
|
|
expect(paired?.roles).toEqual(["node", "operator"]);
|
|
expect(paired?.scopes).toEqual(["operator.read", "operator.write"]);
|
|
});
|
|
|
|
test("generates base64url device tokens with 256-bit entropy output length", async () => {
|
|
const baseDir = await mkdtemp(join(tmpdir(), "openclaw-device-pairing-"));
|
|
await setupPairedOperatorDevice(baseDir, ["operator.admin"]);
|
|
|
|
const paired = await getPairedDevice("device-1", baseDir);
|
|
const token = requireToken(paired?.tokens?.operator?.token);
|
|
expect(token).toMatch(/^[A-Za-z0-9_-]{43}$/);
|
|
expect(Buffer.from(token, "base64url")).toHaveLength(32);
|
|
});
|
|
|
|
test("allows down-scoping from admin and preserves approved scope baseline", async () => {
|
|
const baseDir = await mkdtemp(join(tmpdir(), "openclaw-device-pairing-"));
|
|
await setupPairedOperatorDevice(baseDir, ["operator.admin"]);
|
|
|
|
await rotateDeviceToken({
|
|
deviceId: "device-1",
|
|
role: "operator",
|
|
scopes: ["operator.read"],
|
|
baseDir,
|
|
});
|
|
let paired = await getPairedDevice("device-1", baseDir);
|
|
expect(paired?.tokens?.operator?.scopes).toEqual(["operator.read"]);
|
|
expect(paired?.scopes).toEqual(["operator.admin"]);
|
|
expect(paired?.approvedScopes).toEqual(["operator.admin"]);
|
|
|
|
await rotateDeviceToken({
|
|
deviceId: "device-1",
|
|
role: "operator",
|
|
baseDir,
|
|
});
|
|
paired = await getPairedDevice("device-1", baseDir);
|
|
expect(paired?.tokens?.operator?.scopes).toEqual(["operator.read"]);
|
|
});
|
|
|
|
test("rejects scope escalation when rotating a token and leaves state unchanged", async () => {
|
|
const baseDir = await mkdtemp(join(tmpdir(), "openclaw-device-pairing-"));
|
|
await setupPairedOperatorDevice(baseDir, ["operator.read"]);
|
|
const before = await getPairedDevice("device-1", baseDir);
|
|
|
|
const rotated = await rotateDeviceToken({
|
|
deviceId: "device-1",
|
|
role: "operator",
|
|
scopes: ["operator.admin"],
|
|
baseDir,
|
|
});
|
|
expect(rotated).toBeNull();
|
|
|
|
const after = await getPairedDevice("device-1", baseDir);
|
|
expect(after?.tokens?.operator?.token).toEqual(before?.tokens?.operator?.token);
|
|
expect(after?.tokens?.operator?.scopes).toEqual(["operator.read"]);
|
|
expect(after?.scopes).toEqual(["operator.read"]);
|
|
expect(after?.approvedScopes).toEqual(["operator.read"]);
|
|
});
|
|
|
|
test("verifies token and rejects mismatches", async () => {
|
|
const baseDir = await mkdtemp(join(tmpdir(), "openclaw-device-pairing-"));
|
|
await setupPairedOperatorDevice(baseDir, ["operator.read"]);
|
|
const paired = await getPairedDevice("device-1", baseDir);
|
|
const token = requireToken(paired?.tokens?.operator?.token);
|
|
|
|
const ok = await verifyDeviceToken({
|
|
deviceId: "device-1",
|
|
token,
|
|
role: "operator",
|
|
scopes: ["operator.read"],
|
|
baseDir,
|
|
});
|
|
expect(ok.ok).toBe(true);
|
|
|
|
const mismatch = await verifyDeviceToken({
|
|
deviceId: "device-1",
|
|
token: "x".repeat(token.length),
|
|
role: "operator",
|
|
scopes: ["operator.read"],
|
|
baseDir,
|
|
});
|
|
expect(mismatch.ok).toBe(false);
|
|
expect(mismatch.reason).toBe("token-mismatch");
|
|
});
|
|
|
|
test("accepts operator.read requests with an operator.admin token scope", async () => {
|
|
const baseDir = await mkdtemp(join(tmpdir(), "openclaw-device-pairing-"));
|
|
await setupPairedOperatorDevice(baseDir, ["operator.admin"]);
|
|
const paired = await getPairedDevice("device-1", baseDir);
|
|
const token = requireToken(paired?.tokens?.operator?.token);
|
|
|
|
const readOk = await verifyDeviceToken({
|
|
deviceId: "device-1",
|
|
token,
|
|
role: "operator",
|
|
scopes: ["operator.read"],
|
|
baseDir,
|
|
});
|
|
expect(readOk.ok).toBe(true);
|
|
|
|
const writeMismatch = await verifyDeviceToken({
|
|
deviceId: "device-1",
|
|
token,
|
|
role: "operator",
|
|
scopes: ["operator.write"],
|
|
baseDir,
|
|
});
|
|
expect(writeMismatch).toEqual({ ok: false, reason: "scope-mismatch" });
|
|
});
|
|
|
|
test("treats multibyte same-length token input as mismatch without throwing", async () => {
|
|
const baseDir = await mkdtemp(join(tmpdir(), "openclaw-device-pairing-"));
|
|
await setupPairedOperatorDevice(baseDir, ["operator.read"]);
|
|
const paired = await getPairedDevice("device-1", baseDir);
|
|
const token = requireToken(paired?.tokens?.operator?.token);
|
|
const multibyteToken = "é".repeat(token.length);
|
|
expect(Buffer.from(multibyteToken).length).not.toBe(Buffer.from(token).length);
|
|
|
|
await expect(
|
|
verifyDeviceToken({
|
|
deviceId: "device-1",
|
|
token: multibyteToken,
|
|
role: "operator",
|
|
scopes: ["operator.read"],
|
|
baseDir,
|
|
}),
|
|
).resolves.toEqual({ ok: false, reason: "token-mismatch" });
|
|
});
|
|
|
|
test("removes paired devices by device id", async () => {
|
|
const baseDir = await mkdtemp(join(tmpdir(), "openclaw-device-pairing-"));
|
|
await setupPairedOperatorDevice(baseDir, ["operator.read"]);
|
|
|
|
const removed = await removePairedDevice("device-1", baseDir);
|
|
expect(removed).toEqual({ deviceId: "device-1" });
|
|
await expect(getPairedDevice("device-1", baseDir)).resolves.toBeNull();
|
|
|
|
await expect(removePairedDevice("device-1", baseDir)).resolves.toBeNull();
|
|
});
|
|
});
|