| import { describe, expect, it } from "vitest"; |
| import type { OpenClawConfig } from "../config/config.js"; |
| import { evaluateGatewayAuthSurfaceStates } from "./runtime-gateway-auth-surfaces.js"; |
|
|
| const EMPTY_ENV = {} as NodeJS.ProcessEnv; |
|
|
| function envRef(id: string) { |
| return { source: "env", provider: "default", id } as const; |
| } |
|
|
| function evaluate(config: OpenClawConfig, env: NodeJS.ProcessEnv = EMPTY_ENV) { |
| return evaluateGatewayAuthSurfaceStates({ |
| config, |
| env, |
| }); |
| } |
|
|
| describe("evaluateGatewayAuthSurfaceStates", () => { |
| it("marks gateway.auth.token active when token mode is explicit", () => { |
| const states = evaluate({ |
| gateway: { |
| auth: { |
| mode: "token", |
| token: envRef("GW_AUTH_TOKEN"), |
| }, |
| }, |
| } as OpenClawConfig); |
|
|
| expect(states["gateway.auth.token"]).toMatchObject({ |
| hasSecretRef: true, |
| active: true, |
| reason: 'gateway.auth.mode is "token".', |
| }); |
| }); |
|
|
| it("marks gateway.auth.token inactive when env token is configured", () => { |
| const states = evaluate( |
| { |
| gateway: { |
| auth: { |
| mode: "token", |
| token: envRef("GW_AUTH_TOKEN"), |
| }, |
| }, |
| } as OpenClawConfig, |
| { OPENCLAW_GATEWAY_TOKEN: "env-token" } as NodeJS.ProcessEnv, |
| ); |
|
|
| expect(states["gateway.auth.token"]).toMatchObject({ |
| hasSecretRef: true, |
| active: false, |
| reason: "gateway token env var is configured.", |
| }); |
| }); |
|
|
| it("marks gateway.auth.token inactive when password mode is explicit", () => { |
| const states = evaluate({ |
| gateway: { |
| auth: { |
| mode: "password", |
| token: envRef("GW_AUTH_TOKEN"), |
| }, |
| }, |
| } as OpenClawConfig); |
|
|
| expect(states["gateway.auth.token"]).toMatchObject({ |
| hasSecretRef: true, |
| active: false, |
| reason: 'gateway.auth.mode is "password".', |
| }); |
| }); |
|
|
| it("marks gateway.auth.password active when password mode is explicit", () => { |
| const states = evaluate({ |
| gateway: { |
| auth: { |
| mode: "password", |
| password: envRef("GW_AUTH_PASSWORD"), |
| }, |
| }, |
| } as OpenClawConfig); |
|
|
| expect(states["gateway.auth.password"]).toMatchObject({ |
| hasSecretRef: true, |
| active: true, |
| reason: 'gateway.auth.mode is "password".', |
| }); |
| }); |
|
|
| it("marks gateway.auth.password inactive when env token is configured", () => { |
| const states = evaluate( |
| { |
| gateway: { |
| auth: { |
| password: envRef("GW_AUTH_PASSWORD"), |
| }, |
| }, |
| } as OpenClawConfig, |
| { OPENCLAW_GATEWAY_TOKEN: "env-token" } as NodeJS.ProcessEnv, |
| ); |
|
|
| expect(states["gateway.auth.password"]).toMatchObject({ |
| hasSecretRef: true, |
| active: false, |
| reason: "gateway token env var is configured.", |
| }); |
| }); |
|
|
| it("marks gateway.remote.token active when remote token fallback is active", () => { |
| const states = evaluate({ |
| gateway: { |
| mode: "local", |
| remote: { |
| token: envRef("GW_REMOTE_TOKEN"), |
| }, |
| }, |
| } as OpenClawConfig); |
|
|
| expect(states["gateway.remote.token"]).toMatchObject({ |
| hasSecretRef: true, |
| active: true, |
| reason: "local token auth can win and no env/auth token is configured.", |
| }); |
| }); |
|
|
| it("marks gateway.remote.token inactive when token auth cannot win", () => { |
| const states = evaluate({ |
| gateway: { |
| auth: { |
| mode: "password", |
| }, |
| remote: { |
| token: envRef("GW_REMOTE_TOKEN"), |
| }, |
| }, |
| } as OpenClawConfig); |
|
|
| expect(states["gateway.remote.token"]).toMatchObject({ |
| hasSecretRef: true, |
| active: false, |
| reason: 'token auth cannot win with gateway.auth.mode="password".', |
| }); |
| }); |
|
|
| it("marks gateway.remote.token inactive when local token SecretRef is configured", () => { |
| const states = evaluate({ |
| gateway: { |
| mode: "local", |
| auth: { |
| mode: "token", |
| token: envRef("GW_AUTH_TOKEN"), |
| }, |
| remote: { |
| token: envRef("GW_REMOTE_TOKEN"), |
| }, |
| }, |
| } as OpenClawConfig); |
|
|
| expect(states["gateway.remote.token"]).toMatchObject({ |
| hasSecretRef: true, |
| active: false, |
| reason: "gateway.auth.token is configured.", |
| }); |
| }); |
|
|
| it("marks gateway.remote.password active when remote url is configured", () => { |
| const states = evaluate({ |
| gateway: { |
| remote: { |
| url: "wss://gateway.example.com", |
| password: envRef("GW_REMOTE_PASSWORD"), |
| }, |
| }, |
| } as OpenClawConfig); |
|
|
| expect(states["gateway.remote.password"].hasSecretRef).toBe(true); |
| expect(states["gateway.remote.password"].active).toBe(true); |
| expect(states["gateway.remote.password"].reason).toContain("remote surface is active:"); |
| expect(states["gateway.remote.password"].reason).toContain("gateway.remote.url is configured"); |
| }); |
|
|
| it("marks gateway.remote.password inactive when password auth cannot win", () => { |
| const states = evaluate({ |
| gateway: { |
| auth: { |
| mode: "token", |
| }, |
| remote: { |
| password: envRef("GW_REMOTE_PASSWORD"), |
| }, |
| }, |
| } as OpenClawConfig); |
|
|
| expect(states["gateway.remote.password"]).toMatchObject({ |
| hasSecretRef: true, |
| active: false, |
| reason: 'password auth cannot win with gateway.auth.mode="token".', |
| }); |
| }); |
| }); |
|
|
