42e3d8d693
* Secrets: add inline allowlist review set * Secrets: narrow detect-secrets file exclusions * Secrets: exclude Docker fingerprint false positive * Secrets: allowlist test and docs false positives * Secrets: refresh baseline after allowlist updates * Secrets: fix gateway chat fixture pragma * Secrets: format pre-commit config * Android: keep talk mode fixture JSON valid * Feishu: rely on client timeout injection * Secrets: allowlist provider auth test fixtures * Secrets: allowlist onboard search fixtures * Secrets: allowlist onboard mode fixture * Secrets: allowlist gateway auth mode fixture * Secrets: allowlist APNS wake test key * Secrets: allowlist gateway reload fixtures * Secrets: allowlist moonshot video fixture * Secrets: allowlist auto audio fixture * Secrets: allowlist tiny audio fixture * Secrets: allowlist embeddings fixtures * Secrets: allowlist resolve fixtures * Secrets: allowlist target registry pattern fixtures * Secrets: allowlist gateway chat env fixture * Secrets: refresh baseline after fixture allowlists * Secrets: reapply gateway chat env allowlist * Secrets: reapply gateway chat env allowlist * Secrets: stabilize gateway chat env allowlist * Secrets: allowlist runtime snapshot save fixture * Secrets: allowlist oauth profile fixtures * Secrets: allowlist compaction identifier fixture * Secrets: allowlist model auth fixture * Secrets: allowlist model status fixtures * Secrets: allowlist custom onboarding fixture * Secrets: allowlist mattermost token summary fixtures * Secrets: allowlist gateway auth suite fixtures * Secrets: allowlist channel summary fixture * Secrets: allowlist provider usage auth fixtures * Secrets: allowlist media proxy fixture * Secrets: allowlist secrets audit fixtures * Secrets: refresh baseline after final fixture allowlists * Feishu: prefer explicit client timeout * Feishu: test direct timeout precedence
85 lines
2.3 KiB
TypeScript
85 lines
2.3 KiB
TypeScript
import type { PluginRuntime, RuntimeEnv } from "openclaw/plugin-sdk/nextcloud-talk";
|
|
import { describe, expect, it, vi } from "vitest";
|
|
import type { ResolvedNextcloudTalkAccount } from "./accounts.js";
|
|
import { handleNextcloudTalkInbound } from "./inbound.js";
|
|
import { setNextcloudTalkRuntime } from "./runtime.js";
|
|
import type { CoreConfig, NextcloudTalkInboundMessage } from "./types.js";
|
|
|
|
describe("nextcloud-talk inbound authz", () => {
|
|
it("does not treat DM pairing-store entries as group allowlist entries", async () => {
|
|
const readAllowFromStore = vi.fn(async () => ["attacker"]);
|
|
const buildMentionRegexes = vi.fn(() => [/@openclaw/i]);
|
|
|
|
setNextcloudTalkRuntime({
|
|
channel: {
|
|
pairing: {
|
|
readAllowFromStore,
|
|
},
|
|
commands: {
|
|
shouldHandleTextCommands: () => false,
|
|
},
|
|
text: {
|
|
hasControlCommand: () => false,
|
|
},
|
|
mentions: {
|
|
buildMentionRegexes,
|
|
matchesMentionPatterns: () => false,
|
|
},
|
|
},
|
|
} as unknown as PluginRuntime);
|
|
|
|
const message: NextcloudTalkInboundMessage = {
|
|
messageId: "m-1",
|
|
roomToken: "room-1",
|
|
roomName: "Room 1",
|
|
senderId: "attacker",
|
|
senderName: "Attacker",
|
|
text: "hello",
|
|
mediaType: "text/plain",
|
|
timestamp: Date.now(),
|
|
isGroupChat: true,
|
|
};
|
|
|
|
const account: ResolvedNextcloudTalkAccount = {
|
|
accountId: "default",
|
|
enabled: true,
|
|
baseUrl: "",
|
|
secret: "",
|
|
secretSource: "none", // pragma: allowlist secret
|
|
config: {
|
|
dmPolicy: "pairing",
|
|
allowFrom: [],
|
|
groupPolicy: "allowlist",
|
|
groupAllowFrom: [],
|
|
},
|
|
};
|
|
|
|
const config: CoreConfig = {
|
|
channels: {
|
|
"nextcloud-talk": {
|
|
dmPolicy: "pairing",
|
|
allowFrom: [],
|
|
groupPolicy: "allowlist",
|
|
groupAllowFrom: [],
|
|
},
|
|
},
|
|
};
|
|
|
|
await handleNextcloudTalkInbound({
|
|
message,
|
|
account,
|
|
config,
|
|
runtime: {
|
|
log: vi.fn(),
|
|
error: vi.fn(),
|
|
} as unknown as RuntimeEnv,
|
|
});
|
|
|
|
expect(readAllowFromStore).toHaveBeenCalledWith({
|
|
channel: "nextcloud-talk",
|
|
accountId: "default",
|
|
});
|
|
expect(buildMentionRegexes).not.toHaveBeenCalled();
|
|
});
|
|
});
|