forked from openclaw/openclaw
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathcommand-auth.ts
More file actions
72 lines (69 loc) · 2.71 KB
/
command-auth.ts
File metadata and controls
72 lines (69 loc) · 2.71 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
import type { OpenClawConfig } from "../config/config.js";
import { resolveDmGroupAccessWithLists } from "../security/dm-policy-shared.js";
export type ResolveSenderCommandAuthorizationParams = {
cfg: OpenClawConfig;
rawBody: string;
isGroup: boolean;
dmPolicy: string;
configuredAllowFrom: string[];
configuredGroupAllowFrom?: string[];
senderId: string;
isSenderAllowed: (senderId: string, allowFrom: string[]) => boolean;
readAllowFromStore: () => Promise<string[]>;
shouldComputeCommandAuthorized: (rawBody: string, cfg: OpenClawConfig) => boolean;
resolveCommandAuthorizedFromAuthorizers: (params: {
useAccessGroups: boolean;
authorizers: Array<{ configured: boolean; allowed: boolean }>;
}) => boolean;
};
export async function resolveSenderCommandAuthorization(
params: ResolveSenderCommandAuthorizationParams,
): Promise<{
shouldComputeAuth: boolean;
effectiveAllowFrom: string[];
effectiveGroupAllowFrom: string[];
senderAllowedForCommands: boolean;
commandAuthorized: boolean | undefined;
}> {
const shouldComputeAuth = params.shouldComputeCommandAuthorized(params.rawBody, params.cfg);
const storeAllowFrom =
!params.isGroup &&
params.dmPolicy !== "allowlist" &&
(params.dmPolicy !== "open" || shouldComputeAuth)
? await params.readAllowFromStore().catch(() => [])
: [];
const access = resolveDmGroupAccessWithLists({
isGroup: params.isGroup,
dmPolicy: params.dmPolicy,
groupPolicy: "allowlist",
allowFrom: params.configuredAllowFrom,
groupAllowFrom: params.configuredGroupAllowFrom ?? [],
storeAllowFrom,
isSenderAllowed: (allowFrom) => params.isSenderAllowed(params.senderId, allowFrom),
});
const effectiveAllowFrom = access.effectiveAllowFrom;
const effectiveGroupAllowFrom = access.effectiveGroupAllowFrom;
const useAccessGroups = params.cfg.commands?.useAccessGroups !== false;
const senderAllowedForCommands = params.isSenderAllowed(
params.senderId,
params.isGroup ? effectiveGroupAllowFrom : effectiveAllowFrom,
);
const ownerAllowedForCommands = params.isSenderAllowed(params.senderId, effectiveAllowFrom);
const groupAllowedForCommands = params.isSenderAllowed(params.senderId, effectiveGroupAllowFrom);
const commandAuthorized = shouldComputeAuth
? params.resolveCommandAuthorizedFromAuthorizers({
useAccessGroups,
authorizers: [
{ configured: effectiveAllowFrom.length > 0, allowed: ownerAllowedForCommands },
{ configured: effectiveGroupAllowFrom.length > 0, allowed: groupAllowedForCommands },
],
})
: undefined;
return {
shouldComputeAuth,
effectiveAllowFrom,
effectiveGroupAllowFrom,
senderAllowedForCommands,
commandAuthorized,
};
}