mirror of https://github.com/openclaw/openclaw.git
322 lines
9.5 KiB
TypeScript
322 lines
9.5 KiB
TypeScript
import os from "node:os";
|
|
import path from "node:path";
|
|
import { describe, expect, test } from "vitest";
|
|
import { WebSocket } from "ws";
|
|
import {
|
|
loadOrCreateDeviceIdentity,
|
|
publicKeyRawBase64UrlFromPem,
|
|
type DeviceIdentity,
|
|
} from "../infra/device-identity.js";
|
|
import {
|
|
approveDevicePairing,
|
|
getPairedDevice,
|
|
requestDevicePairing,
|
|
rotateDeviceToken,
|
|
} from "../infra/device-pairing.js";
|
|
import { GATEWAY_CLIENT_MODES, GATEWAY_CLIENT_NAMES } from "../utils/message-channel.js";
|
|
import { GatewayClient } from "./client.js";
|
|
import {
|
|
connectOk,
|
|
installGatewayTestHooks,
|
|
rpcReq,
|
|
startServerWithClient,
|
|
trackConnectChallengeNonce,
|
|
} from "./test-helpers.js";
|
|
|
|
installGatewayTestHooks({ scope: "suite" });
|
|
|
|
function resolveDeviceIdentityPath(name: string): string {
|
|
const root = process.env.OPENCLAW_STATE_DIR ?? process.env.HOME ?? os.tmpdir();
|
|
return path.join(root, "test-device-identities", `${name}.json`);
|
|
}
|
|
|
|
function loadDeviceIdentity(name: string): {
|
|
identityPath: string;
|
|
identity: DeviceIdentity;
|
|
publicKey: string;
|
|
} {
|
|
const identityPath = resolveDeviceIdentityPath(name);
|
|
const identity = loadOrCreateDeviceIdentity(identityPath);
|
|
return {
|
|
identityPath,
|
|
identity,
|
|
publicKey: publicKeyRawBase64UrlFromPem(identity.publicKeyPem),
|
|
};
|
|
}
|
|
|
|
async function pairDevice(params: {
|
|
name: string;
|
|
role: "node" | "operator";
|
|
scopes: string[];
|
|
clientId?: string;
|
|
clientMode?: string;
|
|
}): Promise<{
|
|
identityPath: string;
|
|
identity: DeviceIdentity;
|
|
}> {
|
|
const loaded = loadDeviceIdentity(params.name);
|
|
const request = await requestDevicePairing({
|
|
deviceId: loaded.identity.deviceId,
|
|
publicKey: loaded.publicKey,
|
|
role: params.role,
|
|
scopes: params.scopes,
|
|
clientId: params.clientId,
|
|
clientMode: params.clientMode,
|
|
});
|
|
await approveDevicePairing(request.request.requestId);
|
|
return {
|
|
identityPath: loaded.identityPath,
|
|
identity: loaded.identity,
|
|
};
|
|
}
|
|
|
|
async function issuePairingScopedTokenForAdminApprovedDevice(name: string): Promise<{
|
|
deviceId: string;
|
|
identityPath: string;
|
|
pairingToken: string;
|
|
}> {
|
|
const paired = await pairDevice({
|
|
name,
|
|
role: "operator",
|
|
scopes: ["operator.admin"],
|
|
clientId: GATEWAY_CLIENT_NAMES.TEST,
|
|
clientMode: GATEWAY_CLIENT_MODES.TEST,
|
|
});
|
|
const rotated = await rotateDeviceToken({
|
|
deviceId: paired.identity.deviceId,
|
|
role: "operator",
|
|
scopes: ["operator.pairing"],
|
|
});
|
|
expect(rotated.ok).toBe(true);
|
|
const pairingToken = rotated.ok ? rotated.entry.token : "";
|
|
expect(pairingToken).toBeTruthy();
|
|
return {
|
|
deviceId: paired.identity.deviceId,
|
|
identityPath: paired.identityPath,
|
|
pairingToken,
|
|
};
|
|
}
|
|
|
|
async function openTrackedWs(port: number): Promise<WebSocket> {
|
|
const ws = new WebSocket(`ws://127.0.0.1:${port}`);
|
|
trackConnectChallengeNonce(ws);
|
|
await new Promise<void>((resolve, reject) => {
|
|
const timer = setTimeout(() => reject(new Error("timeout waiting for ws open")), 5_000);
|
|
ws.once("open", () => {
|
|
clearTimeout(timer);
|
|
resolve();
|
|
});
|
|
ws.once("error", (error) => {
|
|
clearTimeout(timer);
|
|
reject(error);
|
|
});
|
|
});
|
|
return ws;
|
|
}
|
|
|
|
async function connectPairingScopedOperator(params: {
|
|
port: number;
|
|
identityPath: string;
|
|
deviceToken: string;
|
|
}): Promise<WebSocket> {
|
|
const ws = await openTrackedWs(params.port);
|
|
await connectOk(ws, {
|
|
skipDefaultAuth: true,
|
|
deviceToken: params.deviceToken,
|
|
deviceIdentityPath: params.identityPath,
|
|
scopes: ["operator.pairing"],
|
|
});
|
|
return ws;
|
|
}
|
|
|
|
async function connectApprovedNode(params: {
|
|
port: number;
|
|
name: string;
|
|
onInvoke: (payload: unknown) => void;
|
|
}): Promise<GatewayClient> {
|
|
const paired = await pairDevice({
|
|
name: params.name,
|
|
role: "node",
|
|
scopes: [],
|
|
clientId: GATEWAY_CLIENT_NAMES.NODE_HOST,
|
|
clientMode: GATEWAY_CLIENT_MODES.NODE,
|
|
});
|
|
|
|
let readyResolve: (() => void) | null = null;
|
|
const ready = new Promise<void>((resolve) => {
|
|
readyResolve = resolve;
|
|
});
|
|
|
|
const client = new GatewayClient({
|
|
url: `ws://127.0.0.1:${params.port}`,
|
|
connectDelayMs: 2_000,
|
|
token: "secret",
|
|
role: "node",
|
|
clientName: GATEWAY_CLIENT_NAMES.NODE_HOST,
|
|
clientVersion: "1.0.0",
|
|
platform: "linux",
|
|
mode: GATEWAY_CLIENT_MODES.NODE,
|
|
scopes: [],
|
|
commands: ["system.run"],
|
|
deviceIdentity: paired.identity,
|
|
onHelloOk: () => readyResolve?.(),
|
|
onEvent: (event) => {
|
|
if (event.event !== "node.invoke.request") {
|
|
return;
|
|
}
|
|
params.onInvoke(event.payload);
|
|
const payload = event.payload as { id?: string; nodeId?: string };
|
|
if (!payload.id || !payload.nodeId) {
|
|
return;
|
|
}
|
|
void client.request("node.invoke.result", {
|
|
id: payload.id,
|
|
nodeId: payload.nodeId,
|
|
ok: true,
|
|
payloadJSON: JSON.stringify({ ok: true }),
|
|
});
|
|
},
|
|
});
|
|
client.start();
|
|
await Promise.race([
|
|
ready,
|
|
new Promise<never>((_, reject) => {
|
|
setTimeout(() => reject(new Error("timeout waiting for node hello")), 5_000);
|
|
}),
|
|
]);
|
|
return client;
|
|
}
|
|
|
|
async function getConnectedNodeId(ws: WebSocket): Promise<string> {
|
|
const nodes = await rpcReq<{ nodes?: Array<{ nodeId: string; connected?: boolean }> }>(
|
|
ws,
|
|
"node.list",
|
|
{},
|
|
);
|
|
expect(nodes.ok).toBe(true);
|
|
const nodeId = nodes.payload?.nodes?.find((node) => node.connected)?.nodeId ?? "";
|
|
expect(nodeId).toBeTruthy();
|
|
return nodeId;
|
|
}
|
|
|
|
async function waitForMacrotasks(): Promise<void> {
|
|
await new Promise<void>((resolve) => setImmediate(resolve));
|
|
await new Promise<void>((resolve) => setImmediate(resolve));
|
|
}
|
|
|
|
describe("gateway device.token.rotate caller scope guard", () => {
|
|
test("rejects rotating an admin-approved device token above the caller session scopes", async () => {
|
|
const started = await startServerWithClient("secret");
|
|
const attacker = await issuePairingScopedTokenForAdminApprovedDevice("rotate-attacker");
|
|
|
|
let pairingWs: WebSocket | undefined;
|
|
try {
|
|
pairingWs = await connectPairingScopedOperator({
|
|
port: started.port,
|
|
identityPath: attacker.identityPath,
|
|
deviceToken: attacker.pairingToken,
|
|
});
|
|
|
|
const rotate = await rpcReq(pairingWs, "device.token.rotate", {
|
|
deviceId: attacker.deviceId,
|
|
role: "operator",
|
|
scopes: ["operator.admin"],
|
|
});
|
|
expect(rotate.ok).toBe(false);
|
|
expect(rotate.error?.message).toBe("device token rotation denied");
|
|
|
|
const paired = await getPairedDevice(attacker.deviceId);
|
|
expect(paired?.tokens?.operator?.scopes).toEqual(["operator.pairing"]);
|
|
expect(paired?.approvedScopes).toEqual(["operator.admin"]);
|
|
} finally {
|
|
pairingWs?.close();
|
|
started.ws.close();
|
|
await started.server.close();
|
|
started.envSnapshot.restore();
|
|
}
|
|
});
|
|
|
|
test("blocks the pairing-token to admin-node-invoke escalation chain", async () => {
|
|
const started = await startServerWithClient("secret");
|
|
const attacker = await issuePairingScopedTokenForAdminApprovedDevice("rotate-rce-attacker");
|
|
|
|
let sawInvoke = false;
|
|
let pairingWs: WebSocket | undefined;
|
|
let nodeClient: GatewayClient | undefined;
|
|
|
|
try {
|
|
await connectOk(started.ws);
|
|
nodeClient = await connectApprovedNode({
|
|
port: started.port,
|
|
name: "rotate-rce-node",
|
|
onInvoke: () => {
|
|
sawInvoke = true;
|
|
},
|
|
});
|
|
await getConnectedNodeId(started.ws);
|
|
|
|
pairingWs = await connectPairingScopedOperator({
|
|
port: started.port,
|
|
identityPath: attacker.identityPath,
|
|
deviceToken: attacker.pairingToken,
|
|
});
|
|
|
|
const rotate = await rpcReq<{ token?: string }>(pairingWs, "device.token.rotate", {
|
|
deviceId: attacker.deviceId,
|
|
role: "operator",
|
|
scopes: ["operator.admin"],
|
|
});
|
|
|
|
expect(rotate.ok).toBe(false);
|
|
expect(rotate.error?.message).toBe("device token rotation denied");
|
|
await waitForMacrotasks();
|
|
expect(sawInvoke).toBe(false);
|
|
|
|
const paired = await getPairedDevice(attacker.deviceId);
|
|
expect(paired?.tokens?.operator?.scopes).toEqual(["operator.pairing"]);
|
|
expect(paired?.tokens?.operator?.token).toBe(attacker.pairingToken);
|
|
} finally {
|
|
pairingWs?.close();
|
|
nodeClient?.stop();
|
|
started.ws.close();
|
|
await started.server.close();
|
|
started.envSnapshot.restore();
|
|
}
|
|
});
|
|
|
|
test("returns the same public deny for unknown devices and caller scope failures", async () => {
|
|
const started = await startServerWithClient("secret");
|
|
const attacker = await issuePairingScopedTokenForAdminApprovedDevice("rotate-deny-shape");
|
|
|
|
let pairingWs: WebSocket | undefined;
|
|
try {
|
|
pairingWs = await connectPairingScopedOperator({
|
|
port: started.port,
|
|
identityPath: attacker.identityPath,
|
|
deviceToken: attacker.pairingToken,
|
|
});
|
|
|
|
const missingScope = await rpcReq(pairingWs, "device.token.rotate", {
|
|
deviceId: attacker.deviceId,
|
|
role: "operator",
|
|
scopes: ["operator.admin"],
|
|
});
|
|
const unknownDevice = await rpcReq(pairingWs, "device.token.rotate", {
|
|
deviceId: "missing-device",
|
|
role: "operator",
|
|
scopes: ["operator.pairing"],
|
|
});
|
|
|
|
expect(missingScope.ok).toBe(false);
|
|
expect(unknownDevice.ok).toBe(false);
|
|
expect(missingScope.error?.message).toBe("device token rotation denied");
|
|
expect(unknownDevice.error?.message).toBe("device token rotation denied");
|
|
} finally {
|
|
pairingWs?.close();
|
|
started.ws.close();
|
|
await started.server.close();
|
|
started.envSnapshot.restore();
|
|
}
|
|
});
|
|
});
|