mirror of https://github.com/openclaw/openclaw.git
206 lines
6.6 KiB
TypeScript
206 lines
6.6 KiB
TypeScript
import path from "node:path";
|
|
import {
|
|
normalizeDeviceBootstrapProfile,
|
|
PAIRING_SETUP_BOOTSTRAP_PROFILE,
|
|
sameDeviceBootstrapProfile,
|
|
type DeviceBootstrapProfile,
|
|
type DeviceBootstrapProfileInput,
|
|
} from "../shared/device-bootstrap-profile.js";
|
|
import { resolvePairingPaths } from "./pairing-files.js";
|
|
import {
|
|
createAsyncLock,
|
|
pruneExpiredPending,
|
|
readJsonFile,
|
|
writeJsonAtomic,
|
|
} from "./pairing-files.js";
|
|
import { generatePairingToken, verifyPairingToken } from "./pairing-token.js";
|
|
|
|
export const DEVICE_BOOTSTRAP_TOKEN_TTL_MS = 10 * 60 * 1000;
|
|
|
|
export type DeviceBootstrapTokenRecord = {
|
|
token: string;
|
|
ts: number;
|
|
deviceId?: string;
|
|
publicKey?: string;
|
|
profile?: DeviceBootstrapProfile;
|
|
roles?: string[];
|
|
scopes?: string[];
|
|
issuedAtMs: number;
|
|
lastUsedAtMs?: number;
|
|
};
|
|
|
|
type DeviceBootstrapStateFile = Record<string, DeviceBootstrapTokenRecord>;
|
|
|
|
const withLock = createAsyncLock();
|
|
|
|
function resolveBootstrapPath(baseDir?: string): string {
|
|
return path.join(resolvePairingPaths(baseDir, "devices").dir, "bootstrap.json");
|
|
}
|
|
|
|
function resolvePersistedBootstrapProfile(
|
|
record: Partial<DeviceBootstrapTokenRecord>,
|
|
): DeviceBootstrapProfile {
|
|
return normalizeDeviceBootstrapProfile(record.profile ?? record);
|
|
}
|
|
|
|
function resolveIssuedBootstrapProfile(params: {
|
|
profile?: DeviceBootstrapProfileInput;
|
|
roles?: readonly string[];
|
|
scopes?: readonly string[];
|
|
}): DeviceBootstrapProfile {
|
|
if (params.profile) {
|
|
return normalizeDeviceBootstrapProfile(params.profile);
|
|
}
|
|
if (params.roles || params.scopes) {
|
|
return normalizeDeviceBootstrapProfile({
|
|
roles: params.roles,
|
|
scopes: params.scopes,
|
|
});
|
|
}
|
|
return PAIRING_SETUP_BOOTSTRAP_PROFILE;
|
|
}
|
|
|
|
async function loadState(baseDir?: string): Promise<DeviceBootstrapStateFile> {
|
|
const bootstrapPath = resolveBootstrapPath(baseDir);
|
|
const rawState = (await readJsonFile<DeviceBootstrapStateFile>(bootstrapPath)) ?? {};
|
|
const state: DeviceBootstrapStateFile = {};
|
|
if (!rawState || typeof rawState !== "object" || Array.isArray(rawState)) {
|
|
return state;
|
|
}
|
|
for (const [tokenKey, entry] of Object.entries(rawState)) {
|
|
if (!entry || typeof entry !== "object" || Array.isArray(entry)) {
|
|
continue;
|
|
}
|
|
const record = entry as Partial<DeviceBootstrapTokenRecord>;
|
|
const token =
|
|
typeof record.token === "string" && record.token.trim().length > 0 ? record.token : tokenKey;
|
|
const issuedAtMs = typeof record.issuedAtMs === "number" ? record.issuedAtMs : 0;
|
|
const profile = resolvePersistedBootstrapProfile(record);
|
|
state[tokenKey] = {
|
|
token,
|
|
profile,
|
|
deviceId: typeof record.deviceId === "string" ? record.deviceId : undefined,
|
|
publicKey: typeof record.publicKey === "string" ? record.publicKey : undefined,
|
|
issuedAtMs,
|
|
ts: typeof record.ts === "number" ? record.ts : issuedAtMs,
|
|
lastUsedAtMs: typeof record.lastUsedAtMs === "number" ? record.lastUsedAtMs : undefined,
|
|
};
|
|
}
|
|
pruneExpiredPending(state, Date.now(), DEVICE_BOOTSTRAP_TOKEN_TTL_MS);
|
|
return state;
|
|
}
|
|
|
|
async function persistState(state: DeviceBootstrapStateFile, baseDir?: string): Promise<void> {
|
|
const bootstrapPath = resolveBootstrapPath(baseDir);
|
|
await writeJsonAtomic(bootstrapPath, state);
|
|
}
|
|
|
|
export async function issueDeviceBootstrapToken(
|
|
params: {
|
|
baseDir?: string;
|
|
profile?: DeviceBootstrapProfileInput;
|
|
roles?: readonly string[];
|
|
scopes?: readonly string[];
|
|
} = {},
|
|
): Promise<{ token: string; expiresAtMs: number }> {
|
|
return await withLock(async () => {
|
|
const state = await loadState(params.baseDir);
|
|
const token = generatePairingToken();
|
|
const issuedAtMs = Date.now();
|
|
const profile = resolveIssuedBootstrapProfile(params);
|
|
state[token] = {
|
|
token,
|
|
ts: issuedAtMs,
|
|
profile,
|
|
issuedAtMs,
|
|
};
|
|
await persistState(state, params.baseDir);
|
|
return { token, expiresAtMs: issuedAtMs + DEVICE_BOOTSTRAP_TOKEN_TTL_MS };
|
|
});
|
|
}
|
|
|
|
export async function clearDeviceBootstrapTokens(
|
|
params: {
|
|
baseDir?: string;
|
|
} = {},
|
|
): Promise<{ removed: number }> {
|
|
return await withLock(async () => {
|
|
const state = await loadState(params.baseDir);
|
|
const removed = Object.keys(state).length;
|
|
await persistState({}, params.baseDir);
|
|
return { removed };
|
|
});
|
|
}
|
|
|
|
export async function revokeDeviceBootstrapToken(params: {
|
|
token: string;
|
|
baseDir?: string;
|
|
}): Promise<{ removed: boolean }> {
|
|
return await withLock(async () => {
|
|
const providedToken = params.token.trim();
|
|
if (!providedToken) {
|
|
return { removed: false };
|
|
}
|
|
const state = await loadState(params.baseDir);
|
|
const found = Object.entries(state).find(([, candidate]) =>
|
|
verifyPairingToken(providedToken, candidate.token),
|
|
);
|
|
if (!found) {
|
|
return { removed: false };
|
|
}
|
|
delete state[found[0]];
|
|
await persistState(state, params.baseDir);
|
|
return { removed: true };
|
|
});
|
|
}
|
|
|
|
export async function verifyDeviceBootstrapToken(params: {
|
|
token: string;
|
|
deviceId: string;
|
|
publicKey: string;
|
|
role: string;
|
|
scopes: readonly string[];
|
|
baseDir?: string;
|
|
}): Promise<{ ok: true } | { ok: false; reason: string }> {
|
|
return await withLock(async () => {
|
|
const state = await loadState(params.baseDir);
|
|
const providedToken = params.token.trim();
|
|
if (!providedToken) {
|
|
return { ok: false, reason: "bootstrap_token_invalid" };
|
|
}
|
|
const found = Object.entries(state).find(([, candidate]) =>
|
|
verifyPairingToken(providedToken, candidate.token),
|
|
);
|
|
if (!found) {
|
|
return { ok: false, reason: "bootstrap_token_invalid" };
|
|
}
|
|
const [tokenKey, record] = found;
|
|
|
|
const deviceId = params.deviceId.trim();
|
|
const publicKey = params.publicKey.trim();
|
|
const role = params.role.trim();
|
|
if (!deviceId || !publicKey || !role) {
|
|
return { ok: false, reason: "bootstrap_token_invalid" };
|
|
}
|
|
const requestedProfile = normalizeDeviceBootstrapProfile({
|
|
roles: [role],
|
|
scopes: params.scopes,
|
|
});
|
|
const allowedProfile = resolvePersistedBootstrapProfile(record);
|
|
// Fail closed for unbound legacy setup codes and for any attempt to redeem
|
|
// the token outside the exact role/scope profile it was issued for.
|
|
if (
|
|
allowedProfile.roles.length === 0 ||
|
|
!sameDeviceBootstrapProfile(requestedProfile, allowedProfile)
|
|
) {
|
|
return { ok: false, reason: "bootstrap_token_invalid" };
|
|
}
|
|
|
|
// Bootstrap setup codes are single-use. Consume the record before returning
|
|
// success so the same token cannot be replayed to mutate a pending request.
|
|
delete state[tokenKey];
|
|
await persistState(state, params.baseDir);
|
|
return { ok: true };
|
|
});
|
|
}
|