import os from "node:os"; import path from "node:path"; import { describe, expect, test } from "vitest"; import { WebSocket } from "ws"; import { loadOrCreateDeviceIdentity, publicKeyRawBase64UrlFromPem, type DeviceIdentity, } from "../infra/device-identity.js"; import { approveDevicePairing, getPairedDevice, requestDevicePairing, rotateDeviceToken, } from "../infra/device-pairing.js"; import { GATEWAY_CLIENT_MODES, GATEWAY_CLIENT_NAMES } from "../utils/message-channel.js"; import { connectOk, installGatewayTestHooks, rpcReq, startServerWithClient, trackConnectChallengeNonce, } from "./test-helpers.js"; installGatewayTestHooks({ scope: "suite" }); function resolveDeviceIdentityPath(name: string): string { const root = process.env.OPENCLAW_STATE_DIR ?? process.env.HOME ?? os.tmpdir(); return path.join(root, "test-device-identities", `${name}.json`); } function loadDeviceIdentity(name: string): { identityPath: string; identity: DeviceIdentity; publicKey: string; } { const identityPath = resolveDeviceIdentityPath(name); const identity = loadOrCreateDeviceIdentity(identityPath); return { identityPath, identity, publicKey: publicKeyRawBase64UrlFromPem(identity.publicKeyPem), }; } async function issuePairingScopedOperator(name: string): Promise<{ identityPath: string; deviceId: string; token: string; }> { const loaded = loadDeviceIdentity(name); const request = await requestDevicePairing({ deviceId: loaded.identity.deviceId, publicKey: loaded.publicKey, role: "operator", scopes: ["operator.admin"], clientId: GATEWAY_CLIENT_NAMES.TEST, clientMode: GATEWAY_CLIENT_MODES.TEST, }); await approveDevicePairing(request.request.requestId); const rotated = await rotateDeviceToken({ deviceId: loaded.identity.deviceId, role: "operator", scopes: ["operator.pairing"], }); expect(rotated.ok ? rotated.entry.token : "").toBeTruthy(); return { identityPath: loaded.identityPath, deviceId: loaded.identity.deviceId, token: rotated.ok ? rotated.entry.token : "", }; } async function openTrackedWs(port: number): Promise { const ws = new WebSocket(`ws://127.0.0.1:${port}`); trackConnectChallengeNonce(ws); await new Promise((resolve, reject) => { const timer = setTimeout(() => reject(new Error("timeout waiting for ws open")), 5_000); ws.once("open", () => { clearTimeout(timer); resolve(); }); ws.once("error", (error) => { clearTimeout(timer); reject(error); }); }); return ws; } describe("gateway device.pair.approve caller scope guard", () => { test("rejects approving device scopes above the caller session scopes", async () => { const started = await startServerWithClient("secret"); const approver = await issuePairingScopedOperator("approve-attacker"); const pending = loadDeviceIdentity("approve-target"); let pairingWs: WebSocket | undefined; try { const request = await requestDevicePairing({ deviceId: pending.identity.deviceId, publicKey: pending.publicKey, role: "operator", scopes: ["operator.admin"], clientId: GATEWAY_CLIENT_NAMES.TEST, clientMode: GATEWAY_CLIENT_MODES.TEST, }); pairingWs = await openTrackedWs(started.port); await connectOk(pairingWs, { skipDefaultAuth: true, deviceToken: approver.token, deviceIdentityPath: approver.identityPath, scopes: ["operator.pairing"], }); const approve = await rpcReq(pairingWs, "device.pair.approve", { requestId: request.request.requestId, }); expect(approve.ok).toBe(false); expect(approve.error?.message).toBe("missing scope: operator.admin"); const paired = await getPairedDevice(pending.identity.deviceId); expect(paired).toBeNull(); } finally { pairingWs?.close(); started.ws.close(); await started.server.close(); started.envSnapshot.restore(); } }); });