mirror of
http://192.168.0.88:13333/lywsvip/openclaw-zero-token.git
synced 2026-05-31 22:20:40 +08:00
571e14a236
Major upgrade from e26988a38 to upstream v2026.3.28 (f9b107928).
Key changes:
- Upstream src/, ui/, extensions/ (89 bundled extensions)
- Zero-token web providers preserved in src/zero-token/
- AskOnce plugin restored and registered as CLI command
- Added missing packages: @anthropic-ai/vertex-sdk, @modelcontextprotocol/sdk
- Fixed tsconfig rootDir, skipLibCheck for plugin-sdk DTS build
- Added askonce to bundled plugin metadata and package.json exports
- Fixed AskOnce CLI command registration (missing commands metadata)
- Restored AskOnce adapter imports (correct 5-level relative paths)
- Removed stale migration artifacts from root directory
154 lines
4.1 KiB
TypeScript
154 lines
4.1 KiB
TypeScript
import { describe, expect, it } from "vitest";
|
|
import { resolveMissingRequestedScope, roleScopesAllow } from "./operator-scope-compat.js";
|
|
|
|
describe("roleScopesAllow", () => {
|
|
it("allows empty requested scope lists regardless of granted scopes", () => {
|
|
expect(
|
|
roleScopesAllow({
|
|
role: "operator",
|
|
requestedScopes: [],
|
|
allowedScopes: [],
|
|
}),
|
|
).toBe(true);
|
|
});
|
|
|
|
it("treats operator.read as satisfied by read/write/admin scopes", () => {
|
|
expect(
|
|
roleScopesAllow({
|
|
role: "operator",
|
|
requestedScopes: ["operator.read"],
|
|
allowedScopes: ["operator.read"],
|
|
}),
|
|
).toBe(true);
|
|
expect(
|
|
roleScopesAllow({
|
|
role: "operator",
|
|
requestedScopes: ["operator.read"],
|
|
allowedScopes: ["operator.write"],
|
|
}),
|
|
).toBe(true);
|
|
expect(
|
|
roleScopesAllow({
|
|
role: "operator",
|
|
requestedScopes: ["operator.read"],
|
|
allowedScopes: ["operator.admin"],
|
|
}),
|
|
).toBe(true);
|
|
});
|
|
|
|
it("treats operator.write as satisfied by write/admin scopes", () => {
|
|
expect(
|
|
roleScopesAllow({
|
|
role: "operator",
|
|
requestedScopes: ["operator.write"],
|
|
allowedScopes: ["operator.write"],
|
|
}),
|
|
).toBe(true);
|
|
expect(
|
|
roleScopesAllow({
|
|
role: "operator",
|
|
requestedScopes: ["operator.write"],
|
|
allowedScopes: ["operator.admin"],
|
|
}),
|
|
).toBe(true);
|
|
});
|
|
|
|
it("treats operator.approvals/operator.pairing as satisfied by operator.admin", () => {
|
|
expect(
|
|
roleScopesAllow({
|
|
role: "operator",
|
|
requestedScopes: ["operator.approvals"],
|
|
allowedScopes: ["operator.admin"],
|
|
}),
|
|
).toBe(true);
|
|
expect(
|
|
roleScopesAllow({
|
|
role: "operator",
|
|
requestedScopes: ["operator.pairing"],
|
|
allowedScopes: ["operator.admin"],
|
|
}),
|
|
).toBe(true);
|
|
});
|
|
|
|
it("does not treat operator.admin as satisfying non-operator scopes", () => {
|
|
expect(
|
|
roleScopesAllow({
|
|
role: "operator",
|
|
requestedScopes: ["system.run"],
|
|
allowedScopes: ["operator.admin"],
|
|
}),
|
|
).toBe(false);
|
|
});
|
|
|
|
it("uses strict matching for non-operator roles", () => {
|
|
expect(
|
|
roleScopesAllow({
|
|
role: "node",
|
|
requestedScopes: ["system.run"],
|
|
allowedScopes: ["operator.admin", "system.run"],
|
|
}),
|
|
).toBe(true);
|
|
expect(
|
|
roleScopesAllow({
|
|
role: "node",
|
|
requestedScopes: ["system.run"],
|
|
allowedScopes: ["operator.admin"],
|
|
}),
|
|
).toBe(false);
|
|
expect(
|
|
roleScopesAllow({
|
|
role: " node ",
|
|
requestedScopes: [" system.run ", "system.run", " "],
|
|
allowedScopes: ["system.run", "operator.admin"],
|
|
}),
|
|
).toBe(true);
|
|
});
|
|
|
|
it("normalizes blank and duplicate scopes before evaluating", () => {
|
|
expect(
|
|
roleScopesAllow({
|
|
role: " operator ",
|
|
requestedScopes: [" operator.read ", "operator.read", " "],
|
|
allowedScopes: [" operator.write ", "operator.write", ""],
|
|
}),
|
|
).toBe(true);
|
|
});
|
|
|
|
it("rejects unsatisfied operator write scopes and empty allowed scopes", () => {
|
|
expect(
|
|
roleScopesAllow({
|
|
role: "operator",
|
|
requestedScopes: ["operator.write"],
|
|
allowedScopes: ["operator.read"],
|
|
}),
|
|
).toBe(false);
|
|
expect(
|
|
roleScopesAllow({
|
|
role: "operator",
|
|
requestedScopes: ["operator.read"],
|
|
allowedScopes: [" "],
|
|
}),
|
|
).toBe(false);
|
|
});
|
|
|
|
it("returns the first missing requested scope with operator compatibility", () => {
|
|
expect(
|
|
resolveMissingRequestedScope({
|
|
role: "operator",
|
|
requestedScopes: ["operator.read", "operator.write", "operator.approvals"],
|
|
allowedScopes: ["operator.write"],
|
|
}),
|
|
).toBe("operator.approvals");
|
|
});
|
|
|
|
it("returns null when all requested scopes are satisfied", () => {
|
|
expect(
|
|
resolveMissingRequestedScope({
|
|
role: "node",
|
|
requestedScopes: ["system.run"],
|
|
allowedScopes: ["system.run", "operator.admin"],
|
|
}),
|
|
).toBeNull();
|
|
});
|
|
});
|