mirror of
https://github.com/openclaw/openclaw.git
synced 2026-06-06 05:51:15 +08:00
test: reset gateway token env per case
This commit is contained in:
Shakker
@@ -1,6 +1,7 @@
|
||||
// Non-interactive gateway config tests cover port, bind, auth token, and SecretRef preservation behavior.
|
||||
import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
|
||||
import { beforeEach, describe, expect, it, vi } from "vitest";
|
||||
import type { OpenClawConfig } from "../../../config/types.openclaw.js";
|
||||
import { withEnv } from "../../../test-utils/env.js";
|
||||
import type { OnboardOptions } from "../../onboard-types.js";
|
||||
import { applyNonInteractiveGatewayConfig } from "./gateway-config.js";
|
||||
|
||||
@@ -44,40 +45,33 @@ function applyGatewayConfig({
|
||||
nextConfig = {} as OpenClawConfig,
|
||||
opts = baseOpts,
|
||||
runtime = createRuntime(),
|
||||
env = {},
|
||||
}: {
|
||||
nextConfig?: OpenClawConfig;
|
||||
opts?: OnboardOptions;
|
||||
runtime?: ReturnType<typeof createRuntime>;
|
||||
env?: Record<string, string | undefined>;
|
||||
} = {}) {
|
||||
return applyNonInteractiveGatewayConfig({
|
||||
nextConfig,
|
||||
opts,
|
||||
runtime: runtime as never,
|
||||
defaultPort: 18789,
|
||||
});
|
||||
return withEnv(
|
||||
{
|
||||
OPENCLAW_GATEWAY_TOKEN: undefined,
|
||||
[SAMPLE_SECRET_REF.id]: undefined,
|
||||
...env,
|
||||
},
|
||||
() => {
|
||||
return applyNonInteractiveGatewayConfig({
|
||||
nextConfig,
|
||||
opts,
|
||||
runtime: runtime as never,
|
||||
defaultPort: 18789,
|
||||
});
|
||||
},
|
||||
);
|
||||
}
|
||||
|
||||
describe("applyNonInteractiveGatewayConfig token resolution chain", () => {
|
||||
const originalEnvToken = process.env.OPENCLAW_GATEWAY_TOKEN;
|
||||
const originalRefValue = process.env[SAMPLE_SECRET_REF.id];
|
||||
|
||||
beforeEach(() => {
|
||||
vi.clearAllMocks();
|
||||
delete process.env.OPENCLAW_GATEWAY_TOKEN;
|
||||
delete process.env[SAMPLE_SECRET_REF.id];
|
||||
});
|
||||
|
||||
afterEach(() => {
|
||||
if (originalEnvToken === undefined) {
|
||||
delete process.env.OPENCLAW_GATEWAY_TOKEN;
|
||||
} else {
|
||||
process.env.OPENCLAW_GATEWAY_TOKEN = originalEnvToken;
|
||||
}
|
||||
if (originalRefValue === undefined) {
|
||||
delete process.env[SAMPLE_SECRET_REF.id];
|
||||
} else {
|
||||
process.env[SAMPLE_SECRET_REF.id] = originalRefValue;
|
||||
}
|
||||
});
|
||||
|
||||
// --- Plaintext preservation (the original regression) ---
|
||||
@@ -94,10 +88,12 @@ describe("applyNonInteractiveGatewayConfig token resolution chain", () => {
|
||||
it("prefers existing plaintext token over ambient OPENCLAW_GATEWAY_TOKEN on re-onboard", () => {
|
||||
// A stale shell/launchd OPENCLAW_GATEWAY_TOKEN must not rotate a
|
||||
// persisted token — that would break already-paired clients.
|
||||
process.env.OPENCLAW_GATEWAY_TOKEN = "stale-env-token";
|
||||
const nextConfig = createTokenConfig("existing-user-token");
|
||||
|
||||
const result = applyGatewayConfig({ nextConfig });
|
||||
const result = applyGatewayConfig({
|
||||
nextConfig,
|
||||
env: { OPENCLAW_GATEWAY_TOKEN: "stale-env-token" },
|
||||
});
|
||||
|
||||
expect(result?.nextConfig.gateway?.auth?.token).toBe("existing-user-token");
|
||||
expect(randomToken).not.toHaveBeenCalled();
|
||||
@@ -116,9 +112,7 @@ describe("applyNonInteractiveGatewayConfig token resolution chain", () => {
|
||||
});
|
||||
|
||||
it("uses OPENCLAW_GATEWAY_TOKEN to fill an empty config on first-run", () => {
|
||||
process.env.OPENCLAW_GATEWAY_TOKEN = "env-token";
|
||||
|
||||
const result = applyGatewayConfig();
|
||||
const result = applyGatewayConfig({ env: { OPENCLAW_GATEWAY_TOKEN: "env-token" } });
|
||||
|
||||
expect(result?.nextConfig.gateway?.auth?.token).toBe("env-token");
|
||||
expect(randomToken).not.toHaveBeenCalled();
|
||||
@@ -144,20 +138,24 @@ describe("applyNonInteractiveGatewayConfig token resolution chain", () => {
|
||||
|
||||
it("preserves an existing SecretRef even when ambient OPENCLAW_GATEWAY_TOKEN is set", () => {
|
||||
// A stale ambient env must not declassify a configured SecretRef.
|
||||
process.env.OPENCLAW_GATEWAY_TOKEN = "stale-env-token";
|
||||
const nextConfig = createTokenConfig(SAMPLE_SECRET_REF);
|
||||
|
||||
const result = applyGatewayConfig({ nextConfig });
|
||||
const result = applyGatewayConfig({
|
||||
nextConfig,
|
||||
env: { OPENCLAW_GATEWAY_TOKEN: "stale-env-token" },
|
||||
});
|
||||
|
||||
expect(result?.nextConfig.gateway?.auth?.token).toEqual(SAMPLE_SECRET_REF);
|
||||
expect(randomToken).not.toHaveBeenCalled();
|
||||
});
|
||||
|
||||
it("leaves env-source SecretRef resolution to the health probe path", () => {
|
||||
process.env[SAMPLE_SECRET_REF.id] = "resolved-secret-value";
|
||||
const nextConfig = createTokenConfig(SAMPLE_SECRET_REF);
|
||||
|
||||
const result = applyGatewayConfig({ nextConfig });
|
||||
const result = applyGatewayConfig({
|
||||
nextConfig,
|
||||
env: { [SAMPLE_SECRET_REF.id]: "resolved-secret-value" },
|
||||
});
|
||||
|
||||
expect(result?.nextConfig.gateway?.auth?.token).toEqual(SAMPLE_SECRET_REF);
|
||||
expect(randomToken).not.toHaveBeenCalled();
|
||||
@@ -177,25 +175,21 @@ describe("applyNonInteractiveGatewayConfig token resolution chain", () => {
|
||||
|
||||
it("overrides an existing SecretRef when --gateway-token-ref-env is provided", () => {
|
||||
const newRefId = "OPENCLAW_GATEWAY_TOKEN_NEW_REF";
|
||||
process.env[newRefId] = "resolved-new-ref-value";
|
||||
try {
|
||||
const nextConfig = createTokenConfig(SAMPLE_SECRET_REF);
|
||||
const nextConfig = createTokenConfig(SAMPLE_SECRET_REF);
|
||||
|
||||
const result = applyGatewayConfig({
|
||||
nextConfig,
|
||||
opts: { gatewayTokenRefEnv: newRefId } as OnboardOptions,
|
||||
});
|
||||
const result = applyGatewayConfig({
|
||||
nextConfig,
|
||||
opts: { gatewayTokenRefEnv: newRefId } as OnboardOptions,
|
||||
env: { [newRefId]: "resolved-new-ref-value" },
|
||||
});
|
||||
|
||||
const newToken = result?.nextConfig.gateway?.auth?.token;
|
||||
expect(typeof newToken).toBe("object");
|
||||
const newTokenRef = typeof newToken === "object" && newToken !== null ? newToken : undefined;
|
||||
expect(newTokenRef?.source).toBe("env");
|
||||
expect(newTokenRef?.id).toBe(newRefId);
|
||||
expect(newToken).not.toEqual(SAMPLE_SECRET_REF);
|
||||
expect(randomToken).not.toHaveBeenCalled();
|
||||
} finally {
|
||||
delete process.env[newRefId];
|
||||
}
|
||||
const newToken = result?.nextConfig.gateway?.auth?.token;
|
||||
expect(typeof newToken).toBe("object");
|
||||
const newTokenRef = typeof newToken === "object" && newToken !== null ? newToken : undefined;
|
||||
expect(newTokenRef?.source).toBe("env");
|
||||
expect(newTokenRef?.id).toBe(newRefId);
|
||||
expect(newToken).not.toEqual(SAMPLE_SECRET_REF);
|
||||
expect(randomToken).not.toHaveBeenCalled();
|
||||
});
|
||||
|
||||
it("fails when --gateway-token-ref-env points to a missing env var", () => {
|
||||
|
||||
Reference in New Issue
Block a user