openclaw/extensions/nextcloud-talk/src/inbound.authz.test.ts

import type { PluginRuntime, RuntimeEnv } from "openclaw/plugin-sdk/nextcloud-talk";
import { describe, expect, it, vi } from "vitest";
import type { ResolvedNextcloudTalkAccount } from "./accounts.js";
import { handleNextcloudTalkInbound } from "./inbound.js";
import { setNextcloudTalkRuntime } from "./runtime.js";
import type { CoreConfig, NextcloudTalkInboundMessage } from "./types.js";

describe("nextcloud-talk inbound authz", () => {
  it("does not treat DM pairing-store entries as group allowlist entries", async () => {
    const readAllowFromStore = vi.fn(async () => ["attacker"]);
    const buildMentionRegexes = vi.fn(() => [/@openclaw/i]);

    setNextcloudTalkRuntime({
      channel: {
        pairing: {
          readAllowFromStore,
        },
        commands: {
          shouldHandleTextCommands: () => false,
        },
        text: {
          hasControlCommand: () => false,
        },
        mentions: {
          buildMentionRegexes,
          matchesMentionPatterns: () => false,
        },
      },
    } as unknown as PluginRuntime);

    const message: NextcloudTalkInboundMessage = {
      messageId: "m-1",
      roomToken: "room-1",
      roomName: "Room 1",
      senderId: "attacker",
      senderName: "Attacker",
      text: "hello",
      mediaType: "text/plain",
      timestamp: Date.now(),
      isGroupChat: true,
    };

    const account: ResolvedNextcloudTalkAccount = {
      accountId: "default",
      enabled: true,
      baseUrl: "",
      secret: "",
      secretSource: "none", // pragma: allowlist secret
      config: {
        dmPolicy: "pairing",
        allowFrom: [],
        groupPolicy: "allowlist",
        groupAllowFrom: [],
      },
    };

    const config: CoreConfig = {
      channels: {
        "nextcloud-talk": {
          dmPolicy: "pairing",
          allowFrom: [],
          groupPolicy: "allowlist",
          groupAllowFrom: [],
        },
      },
    };

    await handleNextcloudTalkInbound({
      message,
      account,
      config,
      runtime: {
        log: vi.fn(),
        error: vi.fn(),
      } as unknown as RuntimeEnv,
    });

    expect(readAllowFromStore).toHaveBeenCalledWith({
      channel: "nextcloud-talk",
      accountId: "default",
    });
    expect(buildMentionRegexes).not.toHaveBeenCalled();
  });
});
Plugins/nextcloud-talk: migrate to scoped plugin-sdk imports 2026-03-04 02:33:08 -05:00			`import type { PluginRuntime, RuntimeEnv } from "openclaw/plugin-sdk/nextcloud-talk";`
security(nextcloud-talk): isolate group allowlist from pairing-store entries 2026-02-24 21:35:31 -07:00			`import { describe, expect, it, vi } from "vitest";`
			`import type { ResolvedNextcloudTalkAccount } from "./accounts.js";`
			`import { handleNextcloudTalkInbound } from "./inbound.js";`
			`import { setNextcloudTalkRuntime } from "./runtime.js";`
			`import type { CoreConfig, NextcloudTalkInboundMessage } from "./types.js";`

			`describe("nextcloud-talk inbound authz", () => {`
			`it("does not treat DM pairing-store entries as group allowlist entries", async () => {`
			`const readAllowFromStore = vi.fn(async () => ["attacker"]);`
			`const buildMentionRegexes = vi.fn(() => [/@openclaw/i]);`

			`setNextcloudTalkRuntime({`
			`channel: {`
			`pairing: {`
			`readAllowFromStore,`
			`},`
			`commands: {`
			`shouldHandleTextCommands: () => false,`
			`},`
			`text: {`
			`hasControlCommand: () => false,`
			`},`
			`mentions: {`
			`buildMentionRegexes,`
			`matchesMentionPatterns: () => false,`
			`},`
			`},`
			`} as unknown as PluginRuntime);`

			`const message: NextcloudTalkInboundMessage = {`
			`messageId: "m-1",`
			`roomToken: "room-1",`
			`roomName: "Room 1",`
			`senderId: "attacker",`
			`senderName: "Attacker",`
			`text: "hello",`
			`mediaType: "text/plain",`
			`timestamp: Date.now(),`
			`isGroupChat: true,`
			`};`

			`const account: ResolvedNextcloudTalkAccount = {`
			`accountId: "default",`
			`enabled: true,`
			`baseUrl: "",`
			`secret: "",`
Secrets: add inline allowlist review set (#38314) * Secrets: add inline allowlist review set * Secrets: narrow detect-secrets file exclusions * Secrets: exclude Docker fingerprint false positive * Secrets: allowlist test and docs false positives * Secrets: refresh baseline after allowlist updates * Secrets: fix gateway chat fixture pragma * Secrets: format pre-commit config * Android: keep talk mode fixture JSON valid * Feishu: rely on client timeout injection * Secrets: allowlist provider auth test fixtures * Secrets: allowlist onboard search fixtures * Secrets: allowlist onboard mode fixture * Secrets: allowlist gateway auth mode fixture * Secrets: allowlist APNS wake test key * Secrets: allowlist gateway reload fixtures * Secrets: allowlist moonshot video fixture * Secrets: allowlist auto audio fixture * Secrets: allowlist tiny audio fixture * Secrets: allowlist embeddings fixtures * Secrets: allowlist resolve fixtures * Secrets: allowlist target registry pattern fixtures * Secrets: allowlist gateway chat env fixture * Secrets: refresh baseline after fixture allowlists * Secrets: reapply gateway chat env allowlist * Secrets: reapply gateway chat env allowlist * Secrets: stabilize gateway chat env allowlist * Secrets: allowlist runtime snapshot save fixture * Secrets: allowlist oauth profile fixtures * Secrets: allowlist compaction identifier fixture * Secrets: allowlist model auth fixture * Secrets: allowlist model status fixtures * Secrets: allowlist custom onboarding fixture * Secrets: allowlist mattermost token summary fixtures * Secrets: allowlist gateway auth suite fixtures * Secrets: allowlist channel summary fixture * Secrets: allowlist provider usage auth fixtures * Secrets: allowlist media proxy fixture * Secrets: allowlist secrets audit fixtures * Secrets: refresh baseline after final fixture allowlists * Feishu: prefer explicit client timeout * Feishu: test direct timeout precedence 2026-03-06 19:35:26 -05:00			`secretSource: "none", // pragma: allowlist secret`
security(nextcloud-talk): isolate group allowlist from pairing-store entries 2026-02-24 21:35:31 -07:00			`config: {`
			`dmPolicy: "pairing",`
			`allowFrom: [],`
			`groupPolicy: "allowlist",`
			`groupAllowFrom: [],`
			`},`
			`};`

			`const config: CoreConfig = {`
			`channels: {`
			`"nextcloud-talk": {`
			`dmPolicy: "pairing",`
			`allowFrom: [],`
			`groupPolicy: "allowlist",`
			`groupAllowFrom: [],`
			`},`
			`},`
			`};`

			`await handleNextcloudTalkInbound({`
			`message,`
			`account,`
			`config,`
			`runtime: {`
			`log: vi.fn(),`
			`error: vi.fn(),`
			`} as unknown as RuntimeEnv,`
			`});`

test: fix pairing/daemon assertion drift 2026-02-26 21:24:50 +00:00			`expect(readAllowFromStore).toHaveBeenCalledWith({`
			`channel: "nextcloud-talk",`
			`accountId: "default",`
			`});`
security(nextcloud-talk): isolate group allowlist from pairing-store entries 2026-02-24 21:35:31 -07:00			`expect(buildMentionRegexes).not.toHaveBeenCalled();`
			`});`
			`});`