0d3cb498a3
CI / Shell Format Check (push) Has been cancelled
CI / Check Ruby (3.4) (push) Has been cancelled
CI / CI Config (push) Has been cancelled
CI / Test on Node ${{ matrix.node }} and ${{ matrix.os }}${{ matrix.shard && format(' (shard {0}/3)', matrix.shard) || '' }} (push) Has been cancelled
CI / Build on Node ${{ matrix.node }} (push) Has been cancelled
CI / Style Check (push) Has been cancelled
CI / Generate Assets (push) Has been cancelled
CI / Check Python (3.14) (push) Has been cancelled
CI / Check Python (3.9) (push) Has been cancelled
CI / Build Docs (push) Has been cancelled
CI / Code Scan Action (push) Has been cancelled
CI / Site tests (push) Has been cancelled
CI / webui tests (push) Has been cancelled
CI / Run Integration Tests (push) Has been cancelled
CI / Run Smoke Tests (push) Has been cancelled
CI / Go Tests (push) Has been cancelled
CI / Share Test (push) Has been cancelled
CI / Redteam (Production API) (push) Has been cancelled
CI / Redteam (Staging API) (push) Has been cancelled
CI / GitHub Actions Lint (push) Has been cancelled
CI / Check Ruby (3.0) (push) Has been cancelled
release-please / release-please (push) Has been cancelled
release-please / build (push) Has been cancelled
release-please / publish-npm (push) Has been cancelled
release-please / publish-npm-backfill (push) Has been cancelled
release-please / docker (push) Has been cancelled
release-please / publish-code-scan-action (push) Has been cancelled
release-please / attest-code-scan-action (push) Has been cancelled
Deploy local.promptfoo.app / Deploy to Cloudflare Pages (push) Has been cancelled
Test and Publish Multi-arch Docker Image / test (push) Has been cancelled
Test and Publish Multi-arch Docker Image / build-docker-and-push-digests (map[digest-suffix:linux-amd64 platform:linux/amd64 runner:ubuntu-latest]) (push) Has been cancelled
Test and Publish Multi-arch Docker Image / build-docker-and-push-digests (map[digest-suffix:linux-arm64 platform:linux/arm64 runner:ubuntu-24.04-arm]) (push) Has been cancelled
Test and Publish Multi-arch Docker Image / merge-docker-digests (push) Has been cancelled
Test and Publish Multi-arch Docker Image / Attest Multi-arch Image (push) Has been cancelled
Validate Renovate Config / Validate Renovate Configuration (push) Has been cancelled
203 lines
6.2 KiB
TypeScript
203 lines
6.2 KiB
TypeScript
import crypto from 'crypto';
|
|
import fs from 'fs';
|
|
import os from 'os';
|
|
import path from 'path';
|
|
|
|
import { afterEach, describe, expect, it, vi } from 'vitest';
|
|
import {
|
|
buildOpenClawDeviceAuthPayloadV3,
|
|
buildSignedOpenClawDevice,
|
|
clearOpenClawDeviceAuthToken,
|
|
loadOpenClawDeviceAuthToken,
|
|
loadOrCreateOpenClawDeviceIdentity,
|
|
storeOpenClawDeviceAuthToken,
|
|
} from '../../src/providers/openclaw/device-auth';
|
|
|
|
describe('OpenClaw device auth', () => {
|
|
const tempDirs: string[] = [];
|
|
|
|
afterEach(() => {
|
|
vi.resetAllMocks();
|
|
for (const tempDir of tempDirs) {
|
|
fs.rmSync(tempDir, { recursive: true, force: true });
|
|
}
|
|
tempDirs.length = 0;
|
|
});
|
|
|
|
function makeTempPath(fileName: string): string {
|
|
const tempDir = fs.mkdtempSync(path.join(os.tmpdir(), 'promptfoo-openclaw-'));
|
|
tempDirs.push(tempDir);
|
|
return path.join(tempDir, fileName);
|
|
}
|
|
|
|
it('should build the upstream v3 signature payload', () => {
|
|
expect(
|
|
buildOpenClawDeviceAuthPayloadV3({
|
|
deviceId: 'device-id',
|
|
clientId: 'gateway-client',
|
|
clientMode: 'cli',
|
|
role: 'operator',
|
|
scopes: ['operator.read', 'operator.write'],
|
|
signedAtMs: 123,
|
|
token: 'token',
|
|
nonce: 'nonce',
|
|
platform: 'Darwin',
|
|
deviceFamily: 'PromptFoo',
|
|
}),
|
|
).toBe(
|
|
'v3|device-id|gateway-client|cli|operator|operator.read,operator.write|123|token|nonce|darwin|promptfoo',
|
|
);
|
|
});
|
|
|
|
it('should create, persist, and reuse an Ed25519 device identity', () => {
|
|
const identityPath = makeTempPath('device-identity.json');
|
|
|
|
const firstIdentity = loadOrCreateOpenClawDeviceIdentity(identityPath);
|
|
const secondIdentity = loadOrCreateOpenClawDeviceIdentity(identityPath);
|
|
|
|
expect(secondIdentity).toEqual(firstIdentity);
|
|
expect(firstIdentity.deviceId).toMatch(/^[0-9a-f]{64}$/);
|
|
expect(firstIdentity.publicKeyPem).toContain('BEGIN PUBLIC KEY');
|
|
expect(firstIdentity.privateKeyPem).toContain('BEGIN PRIVATE KEY');
|
|
});
|
|
|
|
it('should sign a device challenge with the persisted identity', () => {
|
|
const identity = loadOrCreateOpenClawDeviceIdentity(makeTempPath('device-identity.json'));
|
|
const signedDevice = buildSignedOpenClawDevice({
|
|
identity,
|
|
clientId: 'gateway-client',
|
|
clientMode: 'cli',
|
|
role: 'operator',
|
|
scopes: ['operator.read'],
|
|
nowMs: 123,
|
|
nonce: 'challenge',
|
|
token: 'token',
|
|
platform: 'linux',
|
|
deviceFamily: 'promptfoo',
|
|
});
|
|
const payload = buildOpenClawDeviceAuthPayloadV3({
|
|
deviceId: identity.deviceId,
|
|
clientId: 'gateway-client',
|
|
clientMode: 'cli',
|
|
role: 'operator',
|
|
scopes: ['operator.read'],
|
|
signedAtMs: signedDevice.signedAt,
|
|
token: 'token',
|
|
nonce: 'challenge',
|
|
platform: 'linux',
|
|
deviceFamily: 'promptfoo',
|
|
});
|
|
|
|
expect(
|
|
crypto.verify(
|
|
null,
|
|
Buffer.from(payload),
|
|
identity.publicKeyPem,
|
|
Buffer.from(signedDevice.signature, 'base64url'),
|
|
),
|
|
).toBe(true);
|
|
});
|
|
|
|
it('should persist device tokens with normalized scopes', () => {
|
|
const authPath = makeTempPath('device-auth.json');
|
|
|
|
storeOpenClawDeviceAuthToken({
|
|
deviceId: 'device-1',
|
|
role: 'operator',
|
|
token: 'device-token',
|
|
scopes: ['operator.write'],
|
|
filePath: authPath,
|
|
});
|
|
|
|
expect(
|
|
loadOpenClawDeviceAuthToken({
|
|
deviceId: 'device-1',
|
|
role: 'operator',
|
|
filePath: authPath,
|
|
}),
|
|
).toEqual({
|
|
token: 'device-token',
|
|
role: 'operator',
|
|
scopes: ['operator.read', 'operator.write'],
|
|
updatedAtMs: expect.any(Number),
|
|
});
|
|
});
|
|
|
|
it('should clear a stored device token while preserving other roles', () => {
|
|
const authPath = makeTempPath('device-auth.json');
|
|
|
|
storeOpenClawDeviceAuthToken({
|
|
deviceId: 'device-1',
|
|
role: 'operator',
|
|
token: 'op-token',
|
|
scopes: ['operator.read'],
|
|
filePath: authPath,
|
|
});
|
|
storeOpenClawDeviceAuthToken({
|
|
deviceId: 'device-1',
|
|
role: 'admin',
|
|
token: 'admin-token',
|
|
scopes: ['operator.admin'],
|
|
filePath: authPath,
|
|
});
|
|
|
|
clearOpenClawDeviceAuthToken({
|
|
deviceId: 'device-1',
|
|
role: 'operator',
|
|
filePath: authPath,
|
|
});
|
|
|
|
expect(
|
|
loadOpenClawDeviceAuthToken({ deviceId: 'device-1', role: 'operator', filePath: authPath }),
|
|
).toBeUndefined();
|
|
expect(
|
|
loadOpenClawDeviceAuthToken({ deviceId: 'device-1', role: 'admin', filePath: authPath }),
|
|
).toEqual(expect.objectContaining({ token: 'admin-token' }));
|
|
});
|
|
|
|
it('should no-op when clearing a token for a non-existent file', () => {
|
|
const authPath = makeTempPath('missing-auth.json');
|
|
expect(() => {
|
|
clearOpenClawDeviceAuthToken({ deviceId: 'device-1', role: 'operator', filePath: authPath });
|
|
}).not.toThrow();
|
|
});
|
|
|
|
it('should no-op when clearing a token for a different device ID', () => {
|
|
const authPath = makeTempPath('device-auth.json');
|
|
storeOpenClawDeviceAuthToken({
|
|
deviceId: 'device-1',
|
|
role: 'operator',
|
|
token: 'token-1',
|
|
filePath: authPath,
|
|
});
|
|
|
|
clearOpenClawDeviceAuthToken({
|
|
deviceId: 'device-2',
|
|
role: 'operator',
|
|
filePath: authPath,
|
|
});
|
|
|
|
expect(
|
|
loadOpenClawDeviceAuthToken({ deviceId: 'device-1', role: 'operator', filePath: authPath }),
|
|
).toEqual(expect.objectContaining({ token: 'token-1' }));
|
|
});
|
|
|
|
it('should regenerate identity when existing file has invalid content', () => {
|
|
const identityPath = makeTempPath('device-identity.json');
|
|
fs.writeFileSync(identityPath, '{"deviceId":"bad","publicKeyPem":"x","privateKeyPem":"y"}');
|
|
|
|
const identity = loadOrCreateOpenClawDeviceIdentity(identityPath);
|
|
expect(identity.deviceId).toMatch(/^[0-9a-f]{64}$/);
|
|
expect(identity.publicKeyPem).toContain('BEGIN PUBLIC KEY');
|
|
});
|
|
|
|
it('should regenerate identity when existing file has malformed JSON', () => {
|
|
const identityPath = makeTempPath('device-identity.json');
|
|
fs.writeFileSync(identityPath, 'not valid json {{{');
|
|
|
|
const identity = loadOrCreateOpenClawDeviceIdentity(identityPath);
|
|
expect(identity.deviceId).toMatch(/^[0-9a-f]{64}$/);
|
|
expect(identity.publicKeyPem).toContain('BEGIN PUBLIC KEY');
|
|
});
|
|
});
|