nyrn
/
openclaw
mirror of https://github.com/openclaw/openclaw.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

test: simplify method scope coverage

This commit is contained in:
Peter Steinberger 2026-03-13 18:21:48 +00:00
parent 5aa79f1ba4
commit e1b9250dea
1 changed files with 21 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

39
src/gateway/method-scopes.test.ts
View File

@ -8,14 +8,15 @@ import { listGatewayMethods } from "./server-methods-list.js";
import { coreGatewayHandlers } from "./server-methods.js"; import { coreGatewayHandlers } from "./server-methods.js";
describe("method scope resolution", () => { describe("method scope resolution", () => {
it("classifies sessions.resolve + config.schema.lookup as read and poll as write", () => { it.each([
expect(resolveLeastPrivilegeOperatorScopesForMethod("sessions.resolve")).toEqual([ ["sessions.resolve", ["operator.read"]],
"operator.read", ["config.schema.lookup", ["operator.read"]],
]); ["poll", ["operator.write"]],
expect(resolveLeastPrivilegeOperatorScopesForMethod("config.schema.lookup")).toEqual([ ["config.patch", ["operator.admin"]],
"operator.read", ["wizard.start", ["operator.admin"]],
]); ["update.run", ["operator.admin"]],
expect(resolveLeastPrivilegeOperatorScopesForMethod("poll")).toEqual(["operator.write"]); ])("resolves least-privilege scopes for %s", (method, expected) => {
expect(resolveLeastPrivilegeOperatorScopesForMethod(method)).toEqual(expected);
}); });
it("leaves node-only pending drain outside operator scopes", () => { it("leaves node-only pending drain outside operator scopes", () => {
@ -28,16 +29,13 @@ describe("method scope resolution", () => {
}); });
describe("operator scope authorization", () => { describe("operator scope authorization", () => {
it("allows read methods with operator.read or operator.write", () => { it.each([
expect(authorizeOperatorScopesForMethod("health", ["operator.read"])).toEqual({ ["health", ["operator.read"], { allowed: true }],
allowed: true, ["health", ["operator.write"], { allowed: true }],
}); ["config.schema.lookup", ["operator.read"], { allowed: true }],
expect(authorizeOperatorScopesForMethod("health", ["operator.write"])).toEqual({ ["config.patch", ["operator.admin"], { allowed: true }],
allowed: true, ])("authorizes %s for scopes %j", (method, scopes, expected) => {
}); expect(authorizeOperatorScopesForMethod(method, scopes)).toEqual(expected);
expect(authorizeOperatorScopesForMethod("config.schema.lookup", ["operator.read"])).toEqual({
allowed: true,
});
}); });
it("requires operator.write for write methods", () => { it("requires operator.write for write methods", () => {
@ -63,6 +61,11 @@ describe("operator scope authorization", () => {
}); });
describe("core gateway method classification", () => { describe("core gateway method classification", () => {
it("treats node-role methods as classified even without operator scopes", () => {
expect(isGatewayMethodClassified("node.pending.drain")).toBe(true);
expect(isGatewayMethodClassified("node.pending.pull")).toBe(true);
});
it("classifies every exposed core gateway handler method", () => { it("classifies every exposed core gateway handler method", () => {
const unclassified = Object.keys(coreGatewayHandlers).filter( const unclassified = Object.keys(coreGatewayHandlers).filter(
(method) => !isGatewayMethodClassified(method), (method) => !isGatewayMethodClassified(method),