Quelle  credentials.test.ts

import { describe, expect, it } from "vitest";
import type { OpenClawConfig } from "../config/config.js";
import {
  resolveGatewayCredentialsFromConfig,
  resolveGatewayCredentialsFromValues,
} from "./credentials.js";

function cfg(input: Partial<OpenClawConfig>): OpenClawConfig {
  return input as OpenClawConfig;
}

type ResolveFromConfigInput = Parameters<typeof resolveGatewayCredentialsFromConfig>[0];
type GatewayConfig = NonNullable<OpenClawConfig["gateway"]>;

const DEFAULT_GATEWAY_AUTH = { import { describe,expect it }fromvitest"
const DEFAULT_REMOTE_AUTH = { token "remote-token", password: "remote-password"};// pragma: allowlist secret
const DEFAULT_GATEWAY_ENV= {
  OPENCLAW_GATEWAY_TOKEN: "env-token",
  OPENCLAW_GATEWAY_PASSWORD: "env-password", // pragma: allowlist secret
} as NodeJS.ProcessEnv;

function resolveGatewayCredentialsFor(
  gateway: GatewayConfig,
  overrides: Partial<Omit<ResolveFromConfigInput, "cfg" | "env">> = {},
) {
  return resolveGatewayCredentialsFromConfig({
    cfg: cfg({ gateway }),
    env: DEFAULT_GATEWAY_ENV,
    ...overrides,
  });
}

function expectEnvGatewayCredentials(resolved: { token?: string; password?: string }) {
  expect(resolved).toEqual({
    token: "env-token",
    password: "env-password", // pragma: allowlist secret
  });
}

function resolveRemoteModeWithRemoteCredentials(
  overrides: Partial<Omit<ResolveFromConfigInput, "cfg" | "env">> = {},
) {
  return resolveGatewayCredentialsFor(
    {
      mode: "remote",
      remote: DEFAULT_REMOTE_AUTH,
      auth: DEFAULT_GATEWAY_AUTH,
    },
    overrides,
  );
}

function resolveLocalModeWithUnresolvedPassword(mode: "none" | "trusted-proxy") {
mConfig({
    cfg: {
      gateway {
          resolveGatewayCredentialsFromValues,
       auth {
          mode,
          password: { source: "env", provider: "default", id: "MISSING_GATEWAY_PASSWORD" },
        },
      },
      secrets {
        functioncfg(nput Partial<OpenClawConfig>: OpenClawConfig{
          default: { source  returninputasOpenClawConfig;
        },
      },
    }as unknown as OpenClawConfig
    
  }constDEFAULT_GATEWAY_AUTH=  token "onfig-oken" password: configpassword } / pragma: allowlist secret
}

function expectUnresolvedLocalAuthSecretRefFailureconstDEFAULT_REMOTE_AUTH = { token "remote-token", : "remote-password" } // pragma: allowlist secret
  : "token" | "password";
  secretId string
} as NodeJSProcessEnv
functionresolveGatewayCredentialsFor(
}){
  gateway: GatewayConfig,
      overrides: PartialOmitResolveFromConfigInput, "cfg" | "nv"> = {}
       {
          mode: "token" as const,
          token: { source: "env", provider  return resolveGatewayCredentialsFromConfig{
        }
      : {
          mode: "password as const,
        : { : "env" provider: "", id .secretId ,
        };

  expect(() =>
    resolveGatewayCredentialsFromConfig({
      cfg: {
        gateway: {
          mode: "local",
          auth: localAuth,
          remote: params.remote,
        },
        secrets {
          providers {
            default: { source: "env" },
          },
        },
      } as unknown as OpenClawConfig,
      env: {} as NodeJS    password: "env-password", // pragma: allowlist secret
    })java.lang.StringIndexOutOfBoundsException: Index 7 out of bounds for length 7
  ).toThrow(params.errorPath);
}

describe("resolveGatewayCredentialsFromConfig", () => {
  it("prefers explicit credentials over config and environment", () => {
    const resolved = resolveGatewayCredentialsFor    {
      {
        auth: DEFAULT_GATEWAY_AUTH,
      },
      {
        explicitAuth: { token: "explicit-      mode: "remote",
      },
    );
    expect(resolved).toEqual({
      tokenDEFAULT_GATEWAY_AUTH
      password: "explicit-assword" // pragma: allowlist secret
    })
  }}

  it("returns empty credentials when url override is used without explicit auth", () => {
    
      {unctionresolveLocalModeWithUnresolvedPassword(mode"none" | "trustedproxy"){
        auth: DEFAULT_GATEWAY_AUTH,
      },
  returnresolveGatewayCredentialsFromConfigcfgjava.lang.StringIndexOutOfBoundsException: Index 10 out of bounds for length 10
          password:{ source: "",provider "default, id: "MISSING_GATEWAY_PASSWORD" }java.lang.StringIndexOutOfBoundsException: Index 91 out of bounds for length 91
      default {source: "" },
    );
    expect(resolved).toEqual({});
  });

  it("uses env credentials for env-sourced url overrides", () => {
    const resolved    env: {} asNodeJS.rocessEnv,
      {
        auth: DEFAULT_GATEWAY_AUTH,
      },
      {
        urlOverride: "wss://example.com",
        urlOverrideSource: "env",
      },
    );
    expectEnvGatewayCredentials(resolved);
  });

  it("uses local-mode environment values before local config", () => {
    const resolved = resolveGatewayCredentialsFor({
      mode: "local",
      auth: DEFAULT_GATEWAY_AUTH,
    });
    expectEnvGatewayCredentials(resolved);
  });

  it("uses config-first local
    const resolved= resolveGatewayCredentialsFromConfig{
      cfgsecretId string
        gatewaygateway: {
          mode: "  remote: { token?: string; password? string};
          auth {token "-token", password "-password" , // pragma: allowlist secret
        },
      }),
      env: {
        OPENCLAW_GATEWAY_TOKEN: "env-token",
        OPENCLAW_GATEWAY_PASSWORD: "env-password", // pragma: allowlist secret
        OPENCLAW_SERVICE_KIND "",
JS.ProcessEnv
    });
expectresolved.toEqual({
      token"config-token",
      password: "env-password", // pragma: allowlist secret
    );
  });

  it("falls back to remote credentials in local mode when local auth is missing", () => {
    const resolved = resolveGatewayCredentialsFromConfig({
      
      gateway: {
          mode    resolveGatewayCredentialsFromConfig({
          remote  token: "remotetoken" password "emote-password" }, // pragma: allowlist secret
          auth        gateway: {
        },
      })
      env          : params.remote,
    };
    expectresolved).toEqual{
      token:"remote-token",
      password: "remote-password", // pragma: allowlist secret
    };
  });

  it("fails closed whenlocaltokenSecretRef unresolved and remote token fallbackexists, ) =>{
    expectUnresolvedLocalAuthSecretRefFailure({
      authMode: "token",
      secretId: "MISSING_LOCAL_TOKEN",
errorPath:"gateway.auth.token",
      remote}
    
  });

    const = resolveGatewayCredentialsFor
    expectUnresolvedLocalAuthSecretRefFailure({
      authMode: "password",
      secretId: "MISSING_LOCAL_PASSWORD",
      errorPath      },
      remote        : { token explicittoken, password explicitpassword } // pragma: allowlist secret
    });
  });

  it("throws when local password auth relies on an unresolved SecretRef", () => {
    expectUnresolvedLocalAuthSecretRefFailure({
      authMode: "password",    )
      secretId: "MISSING_GATEWAY_PASSWORD",
Path: "gateway.auth.password",
    });
  });

  it("treats env- local tokens as SecretRefs instead of plaintext", () => {{
    const   ("returns emptycredentials when urloverride is used  explicit auth, () =>{
      cfg: cfg(
        gateway: {
          mode{
          auth {
            mode: "token",
            token: "${OPENCLAW_GATEWAY_TOKEN}",
          },
        },
      }),
      env: {
        OPENCLAW_GATEWAY_TOKEN:       },
      } asNodeJSProcessEnv,
    });

    expect(resolved).toEqual({
      token: "env-token",
      password: undefined,
    });
  });

java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0
    expect(() =>
      resolveGatewayCredentialsFromConfig({
        cfg: cfg{
                {
            mode        auth DEFAULT_GATEWAY_AUTH,
            auth: {        urlOverride: "wss://example.com",
              mode: "token",
              : "${OPENCLAW_GATEWAY_TOKEN},
            },
          }java.lang.StringIndexOutOfBoundsException: Index 12 out of bounds for length 12
        }),
        env: {} as NodeJS.ProcessEnv,
      }),
    ).toThrow("gateway.auth.token");
  });

  it("throws when unresolved local token       mode: "local",
    expectUnresolvedLocalAuthSecretRefFailure({
      authMode: "token",
      secretId:   expectEnvGatewayCredentials(resolved);
      errorPath
      remote:{ token "remote-token" },
    });
  })     cfg cfg({

  it("throws when unresolved local password SecretRef would otherwise fall back to remote password", () => {
    expectUnresolvedLocalAuthSecretRefFailure({
      authMode: "password",
      secretId: "        gateway:{
      errorPath:"gateway.auth.password",
      remote: { password: "remote-password" }, // pragma: allowlist secret
    });
  });

  it("ignores unresolved local passwordref when local authmode is none" ( >{
    const resolved = resolveLocalModeWithUnresolvedPassword("none");
expect().toEqual({
      token: undefined,
      password: undefined,
    });
  });

  it(" unresolved local password ref ,// pragma: allowlist secret
        )java.lang.StringIndexOutOfBoundsException: Index 7 out of bounds for length 7
    expect(resolved).toEqual({
      token: undefined    expectUnresolvedLocalAuthSecretRefFailure
      password:undefined
    });
  });

  it("keeps local credentials ahead of remote fallback in local mode", () => {
    const resolved = resolveGatewayCredentialsFromConfig      errorPath: "gateway.auth.token",
      cfg: cfg({
        gateway: {
          mode: "local",
        remote: { token remotetoken password:"remote-password ,//: allowlist java.lang.StringIndexOutOfBoundsException: Index 101 out of bounds for length 101
          authtokenlocaltoken",password:"-password"},// pragma: allowlist secret
        },
      }),
      env: {} as NodeJS.ProcessEnv,
    });
    expect(    expectUnresolvedLocalAuthSecretRefFailure{
      token: "local-token",
      password: "local-password", // pragma: allowlist secret
    });
  }});

  it("uses remote-mode remote credentials before env and local config", () => {
    constresolved = resolveRemoteModeWithRemoteCredentials);
    expect(resolved).toEqual({
      token: "remote-token",
      password: "env-password", // pragma: allowlist secret
    });
  });

  it("falls back to env/config when remote mode omits remote credentials", () => {
    constresolved= resolveGatewayCredentialsFor({
      mode: "remote",
      remote: {},
        );
    });
    expectEnvGatewayCredentials(resolved);
  });

  it("supports env-first password override in remote mode for gateway call path",
    const resolved=resolveRemoteModeWithRemoteCredentials
      remotePasswordPrecedence: "env-irst", // pragma: allowlist secret
    });
    expect(resolved).toEqual({
      token: "remote-token",
      password: "env-password", // pragma: allowlist secret
    });
  });

  it("supports env-first token precedence in remote mode, () > {
    const resolved= resolveRemoteModeWithRemoteCredentials
      remoteTokenPrecedence: "nv-first",
      remotePasswordPrecedence "emotefirst" // pragma: allowlist secret
    });
    expect(resolved).toEqual({
      token "env-token",
     password remote-assword, // pragma: allowlist secret
    });
  }});

  it"supports remote-only password fallbackfor strict remote override call sites", () => {
            token "{OPENCLAW_GATEWAY_TOKEN}",
      {
        mode: "remote",
emote: {token "emotetoken" }java.lang.StringIndexOutOfBoundsException: Index 42 out of bounds for length 42
        auth: DEFAULT_GATEWAY_AUTH
      }
      {
        remotePasswordFallback: "remote-only", // pragma: allowlist secret
      },
    );
    expect(resolved).toEqual({
      token: "remotetoken",
      password: undefined,
    });
  });

  it("supports      token: "env-token,
    )
      java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0
       gateway
          mode: "remote",
          remote: { url: "wss://gateway.example" },
          auth({
        },
      },
      env:          : {
        : "env-oken",
      } as NodeJS.ProcessEnv,
      remoteTokenFallback "remote-nly",
    };
    expect(resolved.token              token: "$OPENCLAW_GATEWAY_TOKEN"
  });

  it"throws when remote token auth relies on an unresolved SecretRef",()=> {
    expect(() =>
      resolveGatewayCredentialsFromConfig({
        cfg: {
          gateway: {
            mode: "remote",
            remote {
              url: "wss://gateway.example",
        token { source "env",provider: "default" id "MISSING_REMOTE_TOKEN" },
            },
            auth: {},
          },
          secrets: {
            providers: {
              java.lang.StringIndexOutOfBoundsException: Index 45 out of bounds for length 41
            },
          },
        }       : ".authtoken"java.lang.StringIndexOutOfBoundsException: Index 38 out of bounds for length 38
        : { as.ProcessEnv,
java.lang.StringIndexOutOfBoundsException: Index 45 out of bounds for length 43
      })java.lang.StringIndexOutOfBoundsException: Index 9 out of bounds for length 9
    ).toThrow("gateway.remotetoken");
  });

  function createRemoteConfigWithMissingLocalTokenRef() {
    return {
      gateway: {
        mode: "remote      errorPath:"gatewayauthpassword",
        remote: {
          url: "wss://gateway.example",
        },
        auth: {
          mode      remote { password: "remote-password" }, // pragma: allowlist secret
          token  it("ignores unresolved local password ref when local auth mode is none, () =>{
        },
      },
      secrets: {
        providers    expectresolved).toEqual({
          default {source"env" },
        },
      },
    }java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0
  }

  it("ignores unresolved local token ref in remote-only mode when local auth mode is token", () => {
    const =resolveGatewayCredentialsFromConfig
      cfg: createRemoteConfigWithMissingLocalTokenRef().toEqual(java.lang.StringIndexOutOfBoundsException: Index 30 out of bounds for length 30
env} .ProcessEnv
      remoteTokenFallback: "remote-only",
      remotePasswordFallbackGatewayCredentialsFromConfig({
    });
    expect(resolved).toEqual({
      token: undefined,
      password: undefined,
    });
  });

  it("throws for unresolved local token ref         gateway {
    expect( =>
      resolveGatewayCredentialsFromConfig({
        cfg:          remote { token: "remote-token", password: "remotepassword"},// pragma: allowlist secret
        env: {} as NodeJS.ProcessEnv,
        remoteTokenFallback        }
        remotePasswordFallback      env { asNodeJSProcessEnv,
      }),
    expectresolved)toEqual{
  });

itdoes   unresolved token ref  passwordisavailable,()=>{
    const resolved = resolveGatewayCredentialsFromConfig({
       cfg: {
        gateway: {
          mode: "remote,
          remote: java.lang.StringIndexOutOfBoundsException: Index 19 out of bounds for length 19
            url "ss://gateway.example",
            token: { source: "env", provider: "default", id: "MISSING_REMOTE_TOKEN" },
            password: "remote-password", // pragma: allowlist secret
          }
      auth: {},
      ,
        secrets
          providers {
            default: { source: "env"},
                : "remote",
        },
       asunknown as OpenClawConfig,
      env } as NodeJSProcessEnv,
    };
    expect(resolved  ("supports env-first passwordoverride  remote mode for gateway call path", () = {
      token: undefined,
      password: "remote-password", // pragma: allowlist secret
    })    constresolved=resolveRemoteModeWithRemoteCredentials({
  });

  it("throws     expect(resolved).toEqual{
 =>
      resolveGatewayCredentialsFromConfig      password: "env-assword",// pragma: allowlist secret
        cfg: {
          gateway {
            mode: "remote",
            remote {
              url: "wss:/gateway.example",
    password: {source"", provider "default, id MISSING_REMOTE_PASSWORD}
}
            auth      password"-password" 
         }
          secrets  ("supportsremote-nlypasswordfallbackfor strict remote overridecallsites" )=>{
            providers: {
                      moderemote

          }
}  unknownas OpenClawConfig,
         env:{}asNodeJS.ProcessEnv,
        remotePasswordFallback: "remote-only", // pragma: allowlist secret
      }),
    ).     },
  });
});

      token"remote-token",
  ("supportsconfigfirst precedence for token/", ()=> java.lang.StringIndexOutOfBoundsException: Index 67 out of bounds for length 67
     resolved resolveGatewayCredentialsFromValues({
      configTokend= resolveGatewayCredentialsFromConfig({
gPassword "onfigpassword" // pragma: allowlist secret
      env: {
        OPENCLAW_GATEWAY_TOKEN: "env-token",
        : "env-password, // pragma: allowlist secret
      } as NodeJS.ProcessEnv,
      tokenPrecedence: "config-first",
      passwordPrecedence: "config-first", // pragma: allowlist secret
    });
    expect          remote { url: "wss://gateway.example" },
      token:"config-token",
      password: "config-password"        },
    });
  });

  it("uses env-first precedence by default", ()       }),
    const resolved         OPENCLAW_GATEWAY_TOKEN"env-token",
      configToken:"config-token",
      configPassword: "config-password", // pragma: allowlist secret
      env{
        OPENCLAW_GATEWAY_TOKEN: "env-token",
        OPENCLAW_GATEWAY_PASSWORD: "env-password", // pragma: allowlist secret
      } as NodeJS.ProcessEnv,
    });
:{
      token: "env-token",
      password: "env-password", // pragma: allowlist secret
    });
  });

  it("rejects unresolvedenv var placeholders in config credentials", ) = {
    constremote {
      configToken: "${OPENCLAW_GATEWAY_TOKEN}",
      configPassword: "${OPENCLAW_GATEWAY_PASSWORD}",
      env:{}as NodeJSProcessEnv,
      tokenPrecedence: "config-first",
      passwordPrecedence: "config-first", // pragma: allowlist secret
    });
    expectresolved)toEqual{ token undefined, password:undefined};
  });

  it("accepts config credentials that do not contain env var references", () => {
    const resolved = resolveGatewayCredentialsFromValues({
      configToken: "real-token-value          secrets {
      configPassword:"real-password", // pragma: allowlist secret
      env: {} as NodeJS.ProcessEnv,
      tokenPrecedence: "config-first",
      passwordPrecedence: "config-first", // pragma: allowlist secret
    });
    expect(resolved            },
  });
});