
Commit bb5a226

committed
fix(policy): cover request bearer token secrets
1 parent f5111bb commit bb5a226

2 files changed

Lines changed: 81 additions & 1 deletion


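--- a/extensions/policy/src/doctor/register.test.ts
+++ b/extensions/policy/src/doctor/register.test.ts
@@ -1607,6 +1607,10 @@ describe("registerPolicyDoctorChecks", () => {
 providers: {
 openai: {
 request: {
+auth: {
+mode: "authorization-bearer",
+token: { source: "exec", provider: "rogue", id: "openai/bearer-token" },
+},
 tls: {
 passphrase: { source: "exec", provider: "rogue", id: "tls/passphrase" },
 },
@@ -1624,12 +1628,36 @@ describe("registerPolicyDoctorChecks", () => {
 models: [
 {
 request: {
+auth: {
+mode: "authorization-bearer",
+token: { source: "exec", provider: "rogue", id: "media/shared-token" },
+},
 tls: {
 key: { source: "exec", provider: "rogue", id: "media/tls/key" },
 },
 },
 },
 ],
+audio: {
+request: {
+auth: {
+mode: "authorization-bearer",
+token: { source: "exec", provider: "rogue", id: "media/audio-token" },
+},
+},
+},
+image: {
+models: [
+{
+request: {
+auth: {
+mode: "authorization-bearer",
+token: { source: "exec", provider: "rogue", id: "media/image-token" },
+},
+},
+},
+],
+},
 },
 },
 plugins: {
@@ -1668,6 +1696,13 @@ describe("registerPolicyDoctorChecks", () => {
 
 expect(evidence.secrets).toEqual(
 expect.arrayContaining([
+expect.objectContaining({
+kind: "input",
+provenance: "secretRef",
+refSource: "exec",
+refProvider: "rogue",
+source: "oc://openclaw.config/models/providers/openai/request/auth/token",
+}),
 expect.objectContaining({
 kind: "input",
 provenance: "secretRef",
@@ -1690,17 +1725,46 @@ describe("registerPolicyDoctorChecks", () => {
 source:
 "oc://openclaw.config/plugins/entries/acpx/config/mcpServers/github/env/GITHUB_TOKEN",
 }),
+expect.objectContaining({
+kind: "input",
+provenance: "secretRef",
+refSource: "exec",
+refProvider: "rogue",
+source: "oc://openclaw.config/tools/media/models/#0/request/auth/token",
+}),
 expect.objectContaining({
 kind: "input",
 provenance: "secretRef",
 refSource: "exec",
 refProvider: "rogue",
 source: "oc://openclaw.config/tools/media/models/#0/request/tls/key",
 }),
+expect.objectContaining({
+kind: "input",
+provenance: "secretRef",
+refSource: "exec",
+refProvider: "rogue",
+source: "oc://openclaw.config/tools/media/audio/request/auth/token",
+}),
+expect.objectContaining({
+kind: "input",
+provenance: "secretRef",
+refSource: "exec",
+refProvider: "rogue",
+source: "oc://openclaw.config/tools/media/image/models/#0/request/auth/token",
+}),
 ]),
 );
 expect(result.findings).toEqual(
 expect.arrayContaining([
+expect.objectContaining({
+checkId: "policy/secrets-unmanaged-provider",
+ocPath: "oc://openclaw.config/models/providers/openai/request/auth/token",
+}),
+expect.objectContaining({
+checkId: "policy/secrets-denied-provider-source",
+ocPath: "oc://openclaw.config/models/providers/openai/request/auth/token",
+}),
 expect.objectContaining({
 checkId: "policy/secrets-unmanaged-provider",
 ocPath: "oc://openclaw.config/models/providers/openai/request/tls/passphrase",
@@ -1718,6 +1782,18 @@ describe("registerPolicyDoctorChecks", () => {
 ocPath:
 "oc://openclaw.config/plugins/entries/acpx/config/mcpServers/github/env/GITHUB_TOKEN",
 }),
+expect.objectContaining({
+checkId: "policy/secrets-unmanaged-provider",
+ocPath: "oc://openclaw.config/tools/media/models/#0/request/auth/token",
+}),
+expect.objectContaining({
+checkId: "policy/secrets-denied-provider-source",
+ocPath: "oc://openclaw.config/tools/media/audio/request/auth/token",
+}),
+expect.objectContaining({
+checkId: "policy/secrets-unmanaged-provider",
+ocPath: "oc://openclaw.config/tools/media/image/models/#0/request/auth/token",
+}),
 expect.objectContaining({
 checkId: "policy/secrets-unmanaged-provider",
 ocPath: "oc://openclaw.config/tools/media/models/#0/request/tls/key",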
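Review bot: The new expectations in the `evidence.secrets` and `result.findings` hunks only use `expect.arrayContaining`, so they prove the four `request/auth/token` paths are reported but say nothing about the new predicate's selectivity — a regression that also classifies the sibling `auth/mode` string (set to `"authorization-bearer"` right next to every token in the fixture) as a secret would pass unchanged. A negative assertion pins that boundary, e.g. `expect(evidence.secrets).not.toEqual(expect.arrayContaining([expect.objectContaining({ source: "oc://openclaw.config/models/providers/openai/request/auth/mode" })]));`. The findings block also asserts `policy/secrets-denied-provider-source` only for the openai and audio tokens while the media `models/#0` and image tokens get only `policy/secrets-unmanaged-provider`; if the `rogue` exec provider is denied for all four (the fixture treats them identically), asserting the denied finding for the other two would make the coverage uniform and catch a path-specific gap. The enclosing `describe` and test case start and end outside this section.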

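--- a/extensions/policy/src/policy-state.ts
+++ b/extensions/policy/src/policy-state.ts
@@ -479,7 +479,7 @@ function isConfiguredProviderRequestSecretPath(
 if (suffix.length === 2 && suffix[0] === "headers") {
 return true;
 }
-if (suffix.length === 2 && suffix[0] === "auth" && suffix[1] === "value") {
+if (suffix.length === 2 && suffix[0] === "auth" && isConfiguredProviderAuthSecretKey(suffix[1])) {
 return true;
 }
 if (suffix.length === 2 && suffix[0] === "tls" && isConfiguredProviderTlsSecretKey(suffix[1])) {
@@ -517,6 +517,10 @@ function isConfiguredProviderTlsSecretKey(key: string | undefined): boolean {
 return key === "ca" || key === "cert" || key === "key" || key === "passphrase";
 }
 
+function isConfiguredProviderAuthSecretKey(key: string | undefined): boolean {
+return key === "token" || key === "value";
+}
+
 function isSecretInputKey(key: string): boolean {
 const normalized = key.toLowerCase();
 return (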
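Review bot: `isConfiguredProviderAuthSecretKey` (hunk at 520) is a hard-coded allow-list that the policy doctor's secret coverage now depends on, and it lands without a doc comment; the bug this commit fixes — `auth.token` silently uncovered because only `value` was listed — is exactly what happens again when a new `request.auth` key name is introduced without updating this list. Suggest `/** Key names under \`request.auth\` whose values are credential material (\`value\`, and \`token\` for authorization-bearer). Matched by key name only, independent of \`auth.mode\`; extend when the auth config gains a new secret-bearing key. */`. Being mode-agnostic is the fail-closed direction (a `token` under any mode is still treated as a secret), which looks intentional and is worth stating so nobody later "tightens" it by consulting `auth.mode` and reopens the gap. `isConfiguredProviderRequestSecretPath` (hunk at 482) starts before the hunk and `isSecretInputKey` continues past it.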
