feat(secrets): expand SecretRef coverage across user-supplied credentials (#29580)
* feat(secrets): expand secret target coverage and gateway tooling * docs(secrets): align gateway and CLI secret docs * chore(protocol): regenerate swift gateway models for secrets methods * fix(config): restore talk apiKey fallback and stabilize runner test * ci(windows): reduce test worker count for shard stability * ci(windows): raise node heap for test shard stability * test(feishu): make proxy env precedence assertion windows-safe * fix(gateway): resolve auth password SecretInput refs for clients * fix(gateway): resolve remote SecretInput credentials for clients * fix(secrets): skip inactive refs in command snapshot assignments * fix(secrets): scope gateway.remote refs to effective auth surfaces * fix(secrets): ignore memory defaults when enabled agents disable search * fix(secrets): honor Google Chat serviceAccountRef inheritance * fix(secrets): address tsgo errors in command and gateway collectors * fix(secrets): avoid auth-store load in providers-only configure * fix(gateway): defer local password ref resolution by precedence * fix(secrets): gate telegram webhook secret refs by webhook mode * fix(secrets): gate slack signing secret refs to http mode * fix(secrets): skip telegram botToken refs when tokenFile is set * fix(secrets): gate discord pluralkit refs by enabled flag * fix(secrets): gate discord voice tts refs by voice enabled * test(secrets): make runtime fixture modes explicit * fix(cli): resolve local qr password secret refs * fix(cli): fail when gateway leaves command refs unresolved * fix(gateway): fail when local password SecretRef is unresolved * fix(gateway): fail when required remote SecretRefs are unresolved * fix(gateway): resolve local password refs only when password can win * fix(cli): skip local password SecretRef resolution on qr token override * test(gateway): cast SecretRef fixtures to OpenClawConfig * test(secrets): activate mode-gated targets in runtime coverage fixture * fix(cron): support SecretInput webhook tokens safely * fix(bluebubbles): support SecretInput passwords across config paths * fix(msteams): make appPassword SecretInput-safe in onboarding/token paths * fix(bluebubbles): align SecretInput schema helper typing * fix(cli): clarify secrets.resolve version-skew errors * refactor(secrets): return structured inactive paths from secrets.resolve * refactor(gateway): type onboarding secret writes as SecretInput * chore(protocol): regenerate swift models for secrets.resolve * feat(secrets): expand extension credential secretref support * fix(secrets): gate web-search refs by active provider * fix(onboarding): detect SecretRef credentials in extension status * fix(onboarding): allow keeping existing ref in secret prompt * fix(onboarding): resolve gateway password SecretRefs for probe and tui * fix(onboarding): honor secret-input-mode for local gateway auth * fix(acp): resolve gateway SecretInput credentials * fix(secrets): gate gateway.remote refs to remote surfaces * test(secrets): cover pattern matching and inactive array refs * docs(secrets): clarify secrets.resolve and remote active surfaces * fix(bluebubbles): keep existing SecretRef during onboarding * fix(tests): resolve CI type errors in new SecretRef coverage * fix(extensions): replace raw fetch with SSRF-guarded fetch * test(secrets): mark gateway remote targets active in runtime coverage * test(infra): normalize home-prefix expectation across platforms * fix(cli): only resolve local qr password refs in password mode * test(cli): cover local qr token mode with unresolved password ref * docs(cli): clarify local qr password ref resolution behavior * refactor(extensions): reuse sdk SecretInput helpers * fix(wizard): resolve onboarding env-template secrets before plaintext * fix(cli): surface secrets.resolve diagnostics in memory and qr * test(secrets): repair post-rebase runtime and fixtures * fix(gateway): skip remote password ref resolution when token wins * fix(secrets): treat tailscale remote gateway refs as active * fix(gateway): allow remote password fallback when token ref is unresolved * fix(gateway): ignore stale local password refs for none and trusted-proxy * fix(gateway): skip remote secret ref resolution on local call paths * test(cli): cover qr remote tailscale secret ref resolution * fix(secrets): align gateway password active-surface with auth inference * fix(cli): resolve inferred local gateway password refs in qr * fix(gateway): prefer resolvable remote password over token ref pre-resolution * test(gateway): cover none and trusted-proxy stale password refs * docs(secrets): sync qr and gateway active-surface behavior * fix: restore stability blockers from pre-release audit * Secrets: fix collector/runtime precedence contradictions * docs: align secrets and web credential docs * fix(rebase): resolve integration regressions after main rebase * fix(node-host): resolve gateway secret refs for auth * fix(secrets): harden secretinput runtime readers * gateway: skip inactive auth secretref resolution * cli: avoid gateway preflight for inactive secret refs * extensions: allow unresolved refs in onboarding status * tests: fix qr-cli module mock hoist ordering * Security: align audit checks with SecretInput resolution * Gateway: resolve local-mode remote fallback secret refs * Node host: avoid resolving inactive password secret refs * Secrets runtime: mark Slack appToken inactive for HTTP mode * secrets: keep inactive gateway remote refs non-blocking * cli: include agent memory secret targets in runtime resolution * docs(secrets): sync docs with active-surface and web search behavior * fix(secrets): keep telegram top-level token refs active for blank account tokens * fix(daemon): resolve gateway password secret refs for probe auth * fix(secrets): skip IRC NickServ ref resolution when NickServ is disabled * fix(secrets): align token inheritance and exec timeout defaults * docs(secrets): clarify active-surface notes in cli docs * cli: require secrets.resolve gateway capability * gateway: log auth secret surface diagnostics * secrets: remove dead provider resolver module * fix(secrets): restore gateway auth precedence and fallback resolution * fix(tests): align plugin runtime mock typings --------- Co-authored-by: Peter Steinberger <steipete@gmail.com>
This commit is contained in:
Josh Avant
119
src/node-host/runner.credentials.test.ts
Normal file
119
src/node-host/runner.credentials.test.ts
Normal file
@@ -0,0 +1,119 @@
|
||||
import { describe, expect, it } from "vitest";
|
||||
import type { OpenClawConfig } from "../config/config.js";
|
||||
import { withEnvAsync } from "../test-utils/env.js";
|
||||
import { resolveNodeHostGatewayCredentials } from "./runner.js";
|
||||
|
||||
describe("resolveNodeHostGatewayCredentials", () => {
|
||||
it("resolves remote token SecretRef values", async () => {
|
||||
const config = {
|
||||
secrets: {
|
||||
providers: {
|
||||
default: { source: "env" },
|
||||
},
|
||||
},
|
||||
gateway: {
|
||||
mode: "remote",
|
||||
remote: {
|
||||
token: { source: "env", provider: "default", id: "REMOTE_GATEWAY_TOKEN" },
|
||||
},
|
||||
},
|
||||
} as OpenClawConfig;
|
||||
|
||||
await withEnvAsync(
|
||||
{
|
||||
OPENCLAW_GATEWAY_TOKEN: undefined,
|
||||
REMOTE_GATEWAY_TOKEN: "token-from-ref",
|
||||
},
|
||||
async () => {
|
||||
const credentials = await resolveNodeHostGatewayCredentials({ config });
|
||||
expect(credentials.token).toBe("token-from-ref");
|
||||
},
|
||||
);
|
||||
});
|
||||
|
||||
it("prefers OPENCLAW_GATEWAY_TOKEN over configured refs", async () => {
|
||||
const config = {
|
||||
secrets: {
|
||||
providers: {
|
||||
default: { source: "env" },
|
||||
},
|
||||
},
|
||||
gateway: {
|
||||
mode: "remote",
|
||||
remote: {
|
||||
token: { source: "env", provider: "default", id: "REMOTE_GATEWAY_TOKEN" },
|
||||
},
|
||||
},
|
||||
} as OpenClawConfig;
|
||||
|
||||
await withEnvAsync(
|
||||
{
|
||||
OPENCLAW_GATEWAY_TOKEN: "token-from-env",
|
||||
REMOTE_GATEWAY_TOKEN: "token-from-ref",
|
||||
},
|
||||
async () => {
|
||||
const credentials = await resolveNodeHostGatewayCredentials({ config });
|
||||
expect(credentials.token).toBe("token-from-env");
|
||||
},
|
||||
);
|
||||
});
|
||||
|
||||
it("throws when a configured remote token ref cannot resolve", async () => {
|
||||
const config = {
|
||||
secrets: {
|
||||
providers: {
|
||||
default: { source: "env" },
|
||||
},
|
||||
},
|
||||
gateway: {
|
||||
mode: "remote",
|
||||
remote: {
|
||||
token: { source: "env", provider: "default", id: "MISSING_REMOTE_GATEWAY_TOKEN" },
|
||||
},
|
||||
},
|
||||
} as OpenClawConfig;
|
||||
|
||||
await withEnvAsync(
|
||||
{
|
||||
OPENCLAW_GATEWAY_TOKEN: undefined,
|
||||
MISSING_REMOTE_GATEWAY_TOKEN: undefined,
|
||||
},
|
||||
async () => {
|
||||
await expect(resolveNodeHostGatewayCredentials({ config })).rejects.toThrow(
|
||||
"gateway.remote.token",
|
||||
);
|
||||
},
|
||||
);
|
||||
});
|
||||
|
||||
it("does not resolve remote password refs when token auth is already available", async () => {
|
||||
const config = {
|
||||
secrets: {
|
||||
providers: {
|
||||
default: { source: "env" },
|
||||
},
|
||||
},
|
||||
gateway: {
|
||||
mode: "remote",
|
||||
remote: {
|
||||
token: { source: "env", provider: "default", id: "REMOTE_GATEWAY_TOKEN" },
|
||||
password: { source: "env", provider: "default", id: "MISSING_REMOTE_GATEWAY_PASSWORD" },
|
||||
},
|
||||
},
|
||||
} as OpenClawConfig;
|
||||
|
||||
await withEnvAsync(
|
||||
{
|
||||
OPENCLAW_GATEWAY_TOKEN: undefined,
|
||||
OPENCLAW_GATEWAY_PASSWORD: undefined,
|
||||
REMOTE_GATEWAY_TOKEN: "token-from-ref",
|
||||
MISSING_REMOTE_GATEWAY_PASSWORD: undefined,
|
||||
},
|
||||
async () => {
|
||||
const credentials = await resolveNodeHostGatewayCredentials({ config });
|
||||
expect(credentials.token).toBe("token-from-ref");
|
||||
expect(credentials.password).toBeUndefined();
|
||||
},
|
||||
);
|
||||
});
|
||||
});
|
||||
@@ -1,5 +1,6 @@
|
||||
import { resolveBrowserConfig } from "../browser/config.js";
|
||||
import { loadConfig } from "../config/config.js";
|
||||
import { loadConfig, type OpenClawConfig } from "../config/config.js";
|
||||
import { normalizeSecretInputString, resolveSecretInputRef } from "../config/types.secrets.js";
|
||||
import { GatewayClient } from "../gateway/client.js";
|
||||
import { loadOrCreateDeviceIdentity } from "../infra/device-identity.js";
|
||||
import type { SkillBinTrustEntry } from "../infra/exec-approvals.js";
|
||||
@@ -11,6 +12,8 @@ import {
|
||||
NODE_SYSTEM_RUN_COMMANDS,
|
||||
} from "../infra/node-commands.js";
|
||||
import { ensureOpenClawCliOnPath } from "../infra/path-env.js";
|
||||
import { secretRefKey } from "../secrets/ref-contract.js";
|
||||
import { resolveSecretRefValues } from "../secrets/resolve.js";
|
||||
import { GATEWAY_CLIENT_MODES, GATEWAY_CLIENT_NAMES } from "../utils/message-channel.js";
|
||||
import { VERSION } from "../version.js";
|
||||
import { ensureNodeHostConfig, saveNodeHostConfig, type NodeHostGatewayConfig } from "./config.js";
|
||||
@@ -108,6 +111,85 @@ function ensureNodePathEnv(): string {
|
||||
return DEFAULT_NODE_PATH;
|
||||
}
|
||||
|
||||
async function resolveNodeHostSecretInputString(params: {
|
||||
config: OpenClawConfig;
|
||||
value: unknown;
|
||||
path: string;
|
||||
env: NodeJS.ProcessEnv;
|
||||
}): Promise<string | undefined> {
|
||||
const defaults = params.config.secrets?.defaults;
|
||||
const { ref } = resolveSecretInputRef({
|
||||
value: params.value,
|
||||
defaults,
|
||||
});
|
||||
if (!ref) {
|
||||
return normalizeSecretInputString(params.value);
|
||||
}
|
||||
let resolved: Map<string, unknown>;
|
||||
try {
|
||||
resolved = await resolveSecretRefValues([ref], {
|
||||
config: params.config,
|
||||
env: params.env,
|
||||
});
|
||||
} catch (error) {
|
||||
const detail = error instanceof Error ? error.message : String(error);
|
||||
throw new Error(`${params.path} secret reference could not be resolved: ${detail}`, {
|
||||
cause: error,
|
||||
});
|
||||
}
|
||||
const resolvedValue = normalizeSecretInputString(resolved.get(secretRefKey(ref)));
|
||||
if (!resolvedValue) {
|
||||
throw new Error(`${params.path} resolved to an empty or non-string value.`);
|
||||
}
|
||||
return resolvedValue;
|
||||
}
|
||||
|
||||
export async function resolveNodeHostGatewayCredentials(params: {
|
||||
config: OpenClawConfig;
|
||||
env?: NodeJS.ProcessEnv;
|
||||
}): Promise<{ token?: string; password?: string }> {
|
||||
const env = params.env ?? process.env;
|
||||
const isRemoteMode = params.config.gateway?.mode === "remote";
|
||||
const authMode = params.config.gateway?.auth?.mode;
|
||||
const tokenPath = isRemoteMode ? "gateway.remote.token" : "gateway.auth.token";
|
||||
const passwordPath = isRemoteMode ? "gateway.remote.password" : "gateway.auth.password";
|
||||
const configuredToken = isRemoteMode
|
||||
? params.config.gateway?.remote?.token
|
||||
: params.config.gateway?.auth?.token;
|
||||
const configuredPassword = isRemoteMode
|
||||
? params.config.gateway?.remote?.password
|
||||
: params.config.gateway?.auth?.password;
|
||||
|
||||
const token =
|
||||
normalizeSecretInputString(env.OPENCLAW_GATEWAY_TOKEN) ??
|
||||
(await resolveNodeHostSecretInputString({
|
||||
config: params.config,
|
||||
value: configuredToken,
|
||||
path: tokenPath,
|
||||
env,
|
||||
}));
|
||||
const tokenCanWin = Boolean(token);
|
||||
const localPasswordCanWin =
|
||||
authMode === "password" ||
|
||||
(authMode !== "token" && authMode !== "none" && authMode !== "trusted-proxy" && !tokenCanWin);
|
||||
const shouldResolveConfiguredPassword =
|
||||
!normalizeSecretInputString(env.OPENCLAW_GATEWAY_PASSWORD) &&
|
||||
!tokenCanWin &&
|
||||
(isRemoteMode || localPasswordCanWin);
|
||||
const password =
|
||||
normalizeSecretInputString(env.OPENCLAW_GATEWAY_PASSWORD) ??
|
||||
(shouldResolveConfiguredPassword
|
||||
? await resolveNodeHostSecretInputString({
|
||||
config: params.config,
|
||||
value: configuredPassword,
|
||||
path: passwordPath,
|
||||
env,
|
||||
})
|
||||
: normalizeSecretInputString(configuredPassword));
|
||||
|
||||
return { token, password };
|
||||
}
|
||||
|
||||
export async function runNodeHost(opts: NodeHostRunOptions): Promise<void> {
|
||||
const config = await ensureNodeHostConfig();
|
||||
const nodeId = opts.nodeId?.trim() || config.nodeId;
|
||||
@@ -131,13 +213,10 @@ export async function runNodeHost(opts: NodeHostRunOptions): Promise<void> {
|
||||
const resolvedBrowser = resolveBrowserConfig(cfg.browser, cfg);
|
||||
const browserProxyEnabled =
|
||||
cfg.nodeHost?.browserProxy?.enabled !== false && resolvedBrowser.enabled;
|
||||
const isRemoteMode = cfg.gateway?.mode === "remote";
|
||||
const token =
|
||||
process.env.OPENCLAW_GATEWAY_TOKEN?.trim() ||
|
||||
(isRemoteMode ? cfg.gateway?.remote?.token : cfg.gateway?.auth?.token);
|
||||
const password =
|
||||
process.env.OPENCLAW_GATEWAY_PASSWORD?.trim() ||
|
||||
(isRemoteMode ? cfg.gateway?.remote?.password : cfg.gateway?.auth?.password);
|
||||
const { token, password } = await resolveNodeHostGatewayCredentials({
|
||||
config: cfg,
|
||||
env: process.env,
|
||||
});
|
||||
|
||||
const host = gateway.host ?? "127.0.0.1";
|
||||
const port = gateway.port ?? 18789;
|
||||
@@ -149,8 +228,8 @@ export async function runNodeHost(opts: NodeHostRunOptions): Promise<void> {
|
||||
|
||||
const client = new GatewayClient({
|
||||
url,
|
||||
token: token?.trim() || undefined,
|
||||
password: password?.trim() || undefined,
|
||||
token: token || undefined,
|
||||
password: password || undefined,
|
||||
instanceId: nodeId,
|
||||
clientName: GATEWAY_CLIENT_NAMES.NODE_HOST,
|
||||
clientDisplayName: displayName,
|
||||
|
||||
Reference in New Issue
Block a user