Files
promptfoo--promptfoo/test/providers/openclaw-device-auth.test.ts
wehub-resource-sync 0d3cb498a3
CI / Shell Format Check (push) Has been cancelled
CI / Check Ruby (3.4) (push) Has been cancelled
CI / CI Config (push) Has been cancelled
CI / Test on Node ${{ matrix.node }} and ${{ matrix.os }}${{ matrix.shard && format(' (shard {0}/3)', matrix.shard) || '' }} (push) Has been cancelled
CI / Build on Node ${{ matrix.node }} (push) Has been cancelled
CI / Style Check (push) Has been cancelled
CI / Generate Assets (push) Has been cancelled
CI / Check Python (3.14) (push) Has been cancelled
CI / Check Python (3.9) (push) Has been cancelled
CI / Build Docs (push) Has been cancelled
CI / Code Scan Action (push) Has been cancelled
CI / Site tests (push) Has been cancelled
CI / webui tests (push) Has been cancelled
CI / Run Integration Tests (push) Has been cancelled
CI / Run Smoke Tests (push) Has been cancelled
CI / Go Tests (push) Has been cancelled
CI / Share Test (push) Has been cancelled
CI / Redteam (Production API) (push) Has been cancelled
CI / Redteam (Staging API) (push) Has been cancelled
CI / GitHub Actions Lint (push) Has been cancelled
CI / Check Ruby (3.0) (push) Has been cancelled
release-please / release-please (push) Has been cancelled
release-please / build (push) Has been cancelled
release-please / publish-npm (push) Has been cancelled
release-please / publish-npm-backfill (push) Has been cancelled
release-please / docker (push) Has been cancelled
release-please / publish-code-scan-action (push) Has been cancelled
release-please / attest-code-scan-action (push) Has been cancelled
Deploy local.promptfoo.app / Deploy to Cloudflare Pages (push) Has been cancelled
Test and Publish Multi-arch Docker Image / test (push) Has been cancelled
Test and Publish Multi-arch Docker Image / build-docker-and-push-digests (map[digest-suffix:linux-amd64 platform:linux/amd64 runner:ubuntu-latest]) (push) Has been cancelled
Test and Publish Multi-arch Docker Image / build-docker-and-push-digests (map[digest-suffix:linux-arm64 platform:linux/arm64 runner:ubuntu-24.04-arm]) (push) Has been cancelled
Test and Publish Multi-arch Docker Image / merge-docker-digests (push) Has been cancelled
Test and Publish Multi-arch Docker Image / Attest Multi-arch Image (push) Has been cancelled
Validate Renovate Config / Validate Renovate Configuration (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 13:24:08 +08:00

203 lines
6.2 KiB
TypeScript

import crypto from 'crypto';
import fs from 'fs';
import os from 'os';
import path from 'path';
import { afterEach, describe, expect, it, vi } from 'vitest';
import {
buildOpenClawDeviceAuthPayloadV3,
buildSignedOpenClawDevice,
clearOpenClawDeviceAuthToken,
loadOpenClawDeviceAuthToken,
loadOrCreateOpenClawDeviceIdentity,
storeOpenClawDeviceAuthToken,
} from '../../src/providers/openclaw/device-auth';
describe('OpenClaw device auth', () => {
const tempDirs: string[] = [];
afterEach(() => {
vi.resetAllMocks();
for (const tempDir of tempDirs) {
fs.rmSync(tempDir, { recursive: true, force: true });
}
tempDirs.length = 0;
});
function makeTempPath(fileName: string): string {
const tempDir = fs.mkdtempSync(path.join(os.tmpdir(), 'promptfoo-openclaw-'));
tempDirs.push(tempDir);
return path.join(tempDir, fileName);
}
it('should build the upstream v3 signature payload', () => {
expect(
buildOpenClawDeviceAuthPayloadV3({
deviceId: 'device-id',
clientId: 'gateway-client',
clientMode: 'cli',
role: 'operator',
scopes: ['operator.read', 'operator.write'],
signedAtMs: 123,
token: 'token',
nonce: 'nonce',
platform: 'Darwin',
deviceFamily: 'PromptFoo',
}),
).toBe(
'v3|device-id|gateway-client|cli|operator|operator.read,operator.write|123|token|nonce|darwin|promptfoo',
);
});
it('should create, persist, and reuse an Ed25519 device identity', () => {
const identityPath = makeTempPath('device-identity.json');
const firstIdentity = loadOrCreateOpenClawDeviceIdentity(identityPath);
const secondIdentity = loadOrCreateOpenClawDeviceIdentity(identityPath);
expect(secondIdentity).toEqual(firstIdentity);
expect(firstIdentity.deviceId).toMatch(/^[0-9a-f]{64}$/);
expect(firstIdentity.publicKeyPem).toContain('BEGIN PUBLIC KEY');
expect(firstIdentity.privateKeyPem).toContain('BEGIN PRIVATE KEY');
});
it('should sign a device challenge with the persisted identity', () => {
const identity = loadOrCreateOpenClawDeviceIdentity(makeTempPath('device-identity.json'));
const signedDevice = buildSignedOpenClawDevice({
identity,
clientId: 'gateway-client',
clientMode: 'cli',
role: 'operator',
scopes: ['operator.read'],
nowMs: 123,
nonce: 'challenge',
token: 'token',
platform: 'linux',
deviceFamily: 'promptfoo',
});
const payload = buildOpenClawDeviceAuthPayloadV3({
deviceId: identity.deviceId,
clientId: 'gateway-client',
clientMode: 'cli',
role: 'operator',
scopes: ['operator.read'],
signedAtMs: signedDevice.signedAt,
token: 'token',
nonce: 'challenge',
platform: 'linux',
deviceFamily: 'promptfoo',
});
expect(
crypto.verify(
null,
Buffer.from(payload),
identity.publicKeyPem,
Buffer.from(signedDevice.signature, 'base64url'),
),
).toBe(true);
});
it('should persist device tokens with normalized scopes', () => {
const authPath = makeTempPath('device-auth.json');
storeOpenClawDeviceAuthToken({
deviceId: 'device-1',
role: 'operator',
token: 'device-token',
scopes: ['operator.write'],
filePath: authPath,
});
expect(
loadOpenClawDeviceAuthToken({
deviceId: 'device-1',
role: 'operator',
filePath: authPath,
}),
).toEqual({
token: 'device-token',
role: 'operator',
scopes: ['operator.read', 'operator.write'],
updatedAtMs: expect.any(Number),
});
});
it('should clear a stored device token while preserving other roles', () => {
const authPath = makeTempPath('device-auth.json');
storeOpenClawDeviceAuthToken({
deviceId: 'device-1',
role: 'operator',
token: 'op-token',
scopes: ['operator.read'],
filePath: authPath,
});
storeOpenClawDeviceAuthToken({
deviceId: 'device-1',
role: 'admin',
token: 'admin-token',
scopes: ['operator.admin'],
filePath: authPath,
});
clearOpenClawDeviceAuthToken({
deviceId: 'device-1',
role: 'operator',
filePath: authPath,
});
expect(
loadOpenClawDeviceAuthToken({ deviceId: 'device-1', role: 'operator', filePath: authPath }),
).toBeUndefined();
expect(
loadOpenClawDeviceAuthToken({ deviceId: 'device-1', role: 'admin', filePath: authPath }),
).toEqual(expect.objectContaining({ token: 'admin-token' }));
});
it('should no-op when clearing a token for a non-existent file', () => {
const authPath = makeTempPath('missing-auth.json');
expect(() => {
clearOpenClawDeviceAuthToken({ deviceId: 'device-1', role: 'operator', filePath: authPath });
}).not.toThrow();
});
it('should no-op when clearing a token for a different device ID', () => {
const authPath = makeTempPath('device-auth.json');
storeOpenClawDeviceAuthToken({
deviceId: 'device-1',
role: 'operator',
token: 'token-1',
filePath: authPath,
});
clearOpenClawDeviceAuthToken({
deviceId: 'device-2',
role: 'operator',
filePath: authPath,
});
expect(
loadOpenClawDeviceAuthToken({ deviceId: 'device-1', role: 'operator', filePath: authPath }),
).toEqual(expect.objectContaining({ token: 'token-1' }));
});
it('should regenerate identity when existing file has invalid content', () => {
const identityPath = makeTempPath('device-identity.json');
fs.writeFileSync(identityPath, '{"deviceId":"bad","publicKeyPem":"x","privateKeyPem":"y"}');
const identity = loadOrCreateOpenClawDeviceIdentity(identityPath);
expect(identity.deviceId).toMatch(/^[0-9a-f]{64}$/);
expect(identity.publicKeyPem).toContain('BEGIN PUBLIC KEY');
});
it('should regenerate identity when existing file has malformed JSON', () => {
const identityPath = makeTempPath('device-identity.json');
fs.writeFileSync(identityPath, 'not valid json {{{');
const identity = loadOrCreateOpenClawDeviceIdentity(identityPath);
expect(identity.deviceId).toMatch(/^[0-9a-f]{64}$/);
expect(identity.publicKeyPem).toContain('BEGIN PUBLIC KEY');
});
});