negodiy/openclaw
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
265367d99bc8c2dd477ef39ed4cd0ced2eb82471
openclaw/src/gateway/credential-precedence.parity.test.ts
Peter Steinberger 265367d99b fix(gateway): land #28428 from @l0cka 
Landed from contributor PR #28428 by @l0cka.

Co-authored-by: Daniel Alkurdi <danielalkurdi@gmail.com>
2026-03-07 22:51:08 +00:00

190 lines
6.4 KiB
TypeScript
Raw Blame History

import { describe, expect, it } from "vitest";
import { resolveGatewayProbeAuth as resolveStatusGatewayProbeAuth } from "../commands/status.gateway-probe.js";
import type { OpenClawConfig } from "../config/config.js";
import { resolveGatewayAuth } from "./auth.js";
import { resolveGatewayCredentialsFromConfig } from "./credentials.js";
import { resolveGatewayProbeAuth } from "./probe-auth.js";
type ExpectedCredentialSet = {
call: { token?: string; password?: string };
probe: { token?: string; password?: string };
status: { token?: string; password?: string };
auth: { token?: string; password?: string };
};
type TestCase = {
name: string;
cfg: OpenClawConfig;
env: NodeJS.ProcessEnv;
expected: ExpectedCredentialSet;
};
const gatewayEnv = {
OPENCLAW_GATEWAY_TOKEN: "env-token", // pragma: allowlist secret
OPENCLAW_GATEWAY_PASSWORD: "env-password", // pragma: allowlist secret
} as NodeJS.ProcessEnv;
function makeRemoteGatewayConfig(remote: { token?: string; password?: string }): OpenClawConfig {
return {
gateway: {
mode: "remote",
remote,
auth: {
token: "local-token",
password: "local-password", // pragma: allowlist secret
},
},
} as OpenClawConfig;
}
function withGatewayAuthEnv<T>(env: NodeJS.ProcessEnv, fn: () => T): T {
const keys = [
"OPENCLAW_GATEWAY_TOKEN",
"OPENCLAW_GATEWAY_PASSWORD",
"OPENCLAW_SERVICE_KIND",
"CLAWDBOT_GATEWAY_TOKEN",
"CLAWDBOT_GATEWAY_PASSWORD",
] as const;
const previous = new Map<string, string | undefined>();
for (const key of keys) {
previous.set(key, process.env[key]);
const nextValue = env[key];
if (typeof nextValue === "string") {
process.env[key] = nextValue;
} else {
delete process.env[key];
}
}
try {
return fn();
} finally {
for (const key of keys) {
const value = previous.get(key);
if (typeof value === "string") {
process.env[key] = value;
} else {
delete process.env[key];
}
}
}
}
describe("gateway credential precedence parity", () => {
const cases: TestCase[] = [
{
name: "local mode: env overrides config for call/probe/status, auth remains config-first",
cfg: {
gateway: {
mode: "local",
auth: {
token: "config-token",
password: "config-password", // pragma: allowlist secret
},
},
} as OpenClawConfig,
env: {
OPENCLAW_GATEWAY_TOKEN: "env-token", // pragma: allowlist secret
OPENCLAW_GATEWAY_PASSWORD: "env-password", // pragma: allowlist secret
} as NodeJS.ProcessEnv,
expected: {
call: { token: "env-token", password: "env-password" }, // pragma: allowlist secret
probe: { token: "env-token", password: "env-password" }, // pragma: allowlist secret
status: { token: "env-token", password: "env-password" }, // pragma: allowlist secret
auth: { token: "config-token", password: "config-password" }, // pragma: allowlist secret
},
},
{
name: "remote mode with remote token configured",
cfg: makeRemoteGatewayConfig({
token: "remote-token",
password: "remote-password", // pragma: allowlist secret
}),
env: gatewayEnv,
expected: {
call: { token: "remote-token", password: "env-password" }, // pragma: allowlist secret
probe: { token: "remote-token", password: "env-password" }, // pragma: allowlist secret
status: { token: "remote-token", password: "env-password" }, // pragma: allowlist secret
auth: { token: "local-token", password: "local-password" }, // pragma: allowlist secret
},
},
{
name: "remote mode without remote token keeps remote probe/status strict",
cfg: makeRemoteGatewayConfig({
password: "remote-password", // pragma: allowlist secret
}),
env: gatewayEnv,
expected: {
call: { token: "env-token", password: "env-password" }, // pragma: allowlist secret
probe: { token: undefined, password: "env-password" }, // pragma: allowlist secret
status: { token: undefined, password: "env-password" }, // pragma: allowlist secret
auth: { token: "local-token", password: "local-password" }, // pragma: allowlist secret
},
},
{
name: "legacy env vars are ignored by probe/status/auth but still supported for call path",
cfg: {
gateway: {
mode: "local",
auth: {},
},
} as OpenClawConfig,
env: {
CLAWDBOT_GATEWAY_TOKEN: "legacy-token", // pragma: allowlist secret
CLAWDBOT_GATEWAY_PASSWORD: "legacy-password", // pragma: allowlist secret
} as NodeJS.ProcessEnv,
expected: {
call: { token: "legacy-token", password: "legacy-password" }, // pragma: allowlist secret
probe: { token: undefined, password: undefined },
status: { token: undefined, password: undefined },
auth: { token: undefined, password: undefined },
},
},
{
name: "local mode in gateway service runtime uses config-first token precedence",
cfg: {
gateway: {
mode: "local",
auth: {
token: "config-token",
password: "config-password",
},
},
} as OpenClawConfig,
env: {
OPENCLAW_GATEWAY_TOKEN: "env-token",
OPENCLAW_GATEWAY_PASSWORD: "env-password",
OPENCLAW_SERVICE_KIND: "gateway",
} as NodeJS.ProcessEnv,
expected: {
call: { token: "config-token", password: "env-password" },
probe: { token: "config-token", password: "env-password" },
status: { token: "config-token", password: "env-password" },
auth: { token: "config-token", password: "config-password" },
},
},
];
it.each(cases)("$name", ({ cfg, env, expected }) => {
const mode = cfg.gateway?.mode === "remote" ? "remote" : "local";
const call = resolveGatewayCredentialsFromConfig({
cfg,
env,
});
const probe = resolveGatewayProbeAuth({
cfg,
mode,
env,
});
const status = withGatewayAuthEnv(env, () => resolveStatusGatewayProbeAuth(cfg));
const auth = resolveGatewayAuth({
authConfig: cfg.gateway?.auth,
env,
});
expect(call).toEqual(expected.call);
expect(probe).toEqual(expected.probe);
expect(status).toEqual(expected.status);
expect({ token: auth.token, password: auth.password }).toEqual(expected.auth);
});
});
Reference in New Issue View Git Blame Copy Permalink