macOS: respect exec-approvals.json settings in gateway prompter (#13707)
Fix macOS gateway exec approvals to respect exec-approvals.json. This updates the macOS gateway prompter to resolve per-agent exec approval policy before deciding whether to show UI, use agentId for policy lookup, honor askFallback when prompts cannot be presented, and resolve no-prompt decisions from the configured security policy instead of hardcoded allow-once behavior. It also adds regression coverage for ask-policy and allowlist-fallback behavior, plus a changelog entry for the fix. Co-authored-by: ImLukeF <92253590+ImLukeF@users.noreply.github.com>
This commit is contained in:
Steven
GitHub
parent
1aca4c7b87
commit
25f458a907
@ -18,6 +18,7 @@ Docs: https://docs.openclaw.ai
|
||||
- Ollama/reasoning visibility: stop promoting native `thinking` and `reasoning` fields into final assistant text so local reasoning models no longer leak internal thoughts in normal replies. (#45330) Thanks @xi7ang.
|
||||
- Android/onboarding QR scan: switch setup QR scanning to Google Code Scanner so onboarding uses a more reliable scanner instead of the legacy embedded ZXing flow. (#45021) Thanks @obviyus.
|
||||
- Browser/existing-session: accept text-only `list_pages` and `new_page` responses from Chrome DevTools MCP so live-session tab discovery and new-tab open flows keep working when the server omits structured page metadata.
|
||||
- macOS/exec approvals: respect per-agent exec approval settings in the gateway prompter, including allowlist fallback when the native prompt cannot be shown, so gateway-triggered `system.run` requests follow configured policy instead of always prompting or denying unexpectedly. (#13707) Thanks @sliekens.
|
||||
- Telegram/media downloads: thread the same direct or proxy transport policy into SSRF-guarded file fetches so inbound attachments keep working when Telegram falls back between env-proxy and direct networking. (#44639) Thanks @obviyus.
|
||||
- Telegram/inbound media IPv4 fallback: retry SSRF-guarded Telegram file downloads once with the same IPv4 fallback policy as Bot API calls so fresh installs on IPv6-broken hosts no longer fail to download inbound images.
|
||||
- Control UI/insecure auth: preserve explicit shared token and password auth on plain-HTTP Control UI connects so LAN and reverse-proxy sessions no longer drop shared auth before the first WebSocket handshake. (#45088) Thanks @velvet-shark.
|
||||
|
||||
@ -370,6 +370,17 @@ enum ExecApprovalsStore {
|
||||
|
||||
static func resolve(agentId: String?) -> ExecApprovalsResolved {
|
||||
let file = self.ensureFile()
|
||||
return self.resolveFromFile(file, agentId: agentId)
|
||||
}
|
||||
|
||||
/// Read-only resolve: loads file without writing (no ensureFile side effects).
|
||||
/// Safe to call from background threads / off MainActor.
|
||||
static func resolveReadOnly(agentId: String?) -> ExecApprovalsResolved {
|
||||
let file = self.loadFile()
|
||||
return self.resolveFromFile(file, agentId: agentId)
|
||||
}
|
||||
|
||||
private static func resolveFromFile(_ file: ExecApprovalsFile, agentId: String?) -> ExecApprovalsResolved {
|
||||
let defaults = file.defaults ?? ExecApprovalsDefaults()
|
||||
let resolvedDefaults = ExecApprovalsResolvedDefaults(
|
||||
security: defaults.security ?? self.defaultSecurity,
|
||||
|
||||
@ -43,7 +43,33 @@ final class ExecApprovalsGatewayPrompter {
|
||||
do {
|
||||
let data = try JSONEncoder().encode(payload)
|
||||
let request = try JSONDecoder().decode(GatewayApprovalRequest.self, from: data)
|
||||
guard self.shouldPresent(request: request) else { return }
|
||||
let presentation = self.shouldPresent(request: request)
|
||||
guard presentation.shouldAsk else {
|
||||
// Ask policy says no prompt needed – resolve based on security policy
|
||||
let decision: ExecApprovalDecision = presentation.security == .full ? .allowOnce : .deny
|
||||
try await GatewayConnection.shared.requestVoid(
|
||||
method: .execApprovalResolve,
|
||||
params: [
|
||||
"id": AnyCodable(request.id),
|
||||
"decision": AnyCodable(decision.rawValue),
|
||||
],
|
||||
timeoutMs: 10000)
|
||||
return
|
||||
}
|
||||
guard presentation.canPresent else {
|
||||
let decision = Self.fallbackDecision(
|
||||
request: request.request,
|
||||
askFallback: presentation.askFallback,
|
||||
allowlist: presentation.allowlist)
|
||||
try await GatewayConnection.shared.requestVoid(
|
||||
method: .execApprovalResolve,
|
||||
params: [
|
||||
"id": AnyCodable(request.id),
|
||||
"decision": AnyCodable(decision.rawValue),
|
||||
],
|
||||
timeoutMs: 10000)
|
||||
return
|
||||
}
|
||||
let decision = ExecApprovalsPromptPresenter.prompt(request.request)
|
||||
try await GatewayConnection.shared.requestVoid(
|
||||
method: .execApprovalResolve,
|
||||
@ -57,16 +83,89 @@ final class ExecApprovalsGatewayPrompter {
|
||||
}
|
||||
}
|
||||
|
||||
private func shouldPresent(request: GatewayApprovalRequest) -> Bool {
|
||||
/// Whether the ask policy requires prompting the user.
|
||||
/// Note: this only determines if a prompt is shown, not whether the action is allowed.
|
||||
/// The security policy (full/deny/allowlist) decides the actual outcome.
|
||||
private static func shouldAsk(security: ExecSecurity, ask: ExecAsk) -> Bool {
|
||||
switch ask {
|
||||
case .always:
|
||||
return true
|
||||
case .onMiss:
|
||||
return security == .allowlist
|
||||
case .off:
|
||||
return false
|
||||
}
|
||||
}
|
||||
|
||||
struct PresentationDecision {
|
||||
/// Whether the ask policy requires prompting the user (not whether the action is allowed).
|
||||
var shouldAsk: Bool
|
||||
/// Whether the prompt can actually be shown (session match, recent activity, etc.).
|
||||
var canPresent: Bool
|
||||
/// The resolved security policy, used to determine allow/deny when no prompt is shown.
|
||||
var security: ExecSecurity
|
||||
/// Fallback security policy when a prompt is needed but can't be presented.
|
||||
var askFallback: ExecSecurity
|
||||
var allowlist: [ExecAllowlistEntry]
|
||||
}
|
||||
|
||||
private func shouldPresent(request: GatewayApprovalRequest) -> PresentationDecision {
|
||||
let mode = AppStateStore.shared.connectionMode
|
||||
let activeSession = WebChatManager.shared.activeSessionKey?.trimmingCharacters(in: .whitespacesAndNewlines)
|
||||
let requestSession = request.request.sessionKey?.trimmingCharacters(in: .whitespacesAndNewlines)
|
||||
return Self.shouldPresent(
|
||||
|
||||
// Read-only resolve to avoid disk writes on the MainActor
|
||||
let approvals = ExecApprovalsStore.resolveReadOnly(agentId: request.request.agentId)
|
||||
let security = approvals.agent.security
|
||||
let ask = approvals.agent.ask
|
||||
|
||||
let shouldAsk = Self.shouldAsk(security: security, ask: ask)
|
||||
|
||||
let canPresent = shouldAsk && Self.shouldPresent(
|
||||
mode: mode,
|
||||
activeSession: activeSession,
|
||||
requestSession: requestSession,
|
||||
lastInputSeconds: Self.lastInputSeconds(),
|
||||
thresholdSeconds: 120)
|
||||
|
||||
return PresentationDecision(
|
||||
shouldAsk: shouldAsk,
|
||||
canPresent: canPresent,
|
||||
security: security,
|
||||
askFallback: approvals.agent.askFallback,
|
||||
allowlist: approvals.allowlist)
|
||||
}
|
||||
|
||||
private static func fallbackDecision(
|
||||
request: ExecApprovalPromptRequest,
|
||||
askFallback: ExecSecurity,
|
||||
allowlist: [ExecAllowlistEntry]) -> ExecApprovalDecision
|
||||
{
|
||||
guard askFallback == .allowlist else {
|
||||
return askFallback == .full ? .allowOnce : .deny
|
||||
}
|
||||
let resolution = self.fallbackResolution(for: request)
|
||||
let match = ExecAllowlistMatcher.match(entries: allowlist, resolution: resolution)
|
||||
return match == nil ? .deny : .allowOnce
|
||||
}
|
||||
|
||||
private static func fallbackResolution(for request: ExecApprovalPromptRequest) -> ExecCommandResolution? {
|
||||
let resolvedPath = request.resolvedPath?.trimmingCharacters(in: .whitespacesAndNewlines)
|
||||
let trimmedResolvedPath = (resolvedPath?.isEmpty == false) ? resolvedPath : nil
|
||||
let rawExecutable = self.firstToken(from: request.command) ?? trimmedResolvedPath ?? ""
|
||||
guard !rawExecutable.isEmpty || trimmedResolvedPath != nil else { return nil }
|
||||
let executableName = trimmedResolvedPath.map { URL(fileURLWithPath: $0).lastPathComponent } ?? rawExecutable
|
||||
return ExecCommandResolution(
|
||||
rawExecutable: rawExecutable,
|
||||
resolvedPath: trimmedResolvedPath,
|
||||
executableName: executableName,
|
||||
cwd: request.cwd)
|
||||
}
|
||||
|
||||
private static func firstToken(from command: String) -> String? {
|
||||
let trimmed = command.trimmingCharacters(in: .whitespacesAndNewlines)
|
||||
guard !trimmed.isEmpty else { return nil }
|
||||
return trimmed.split(whereSeparator: { $0.isWhitespace }).first.map(String.init)
|
||||
}
|
||||
|
||||
private static func shouldPresent(
|
||||
@ -117,5 +216,29 @@ extension ExecApprovalsGatewayPrompter {
|
||||
lastInputSeconds: lastInputSeconds,
|
||||
thresholdSeconds: thresholdSeconds)
|
||||
}
|
||||
|
||||
static func _testShouldAsk(security: ExecSecurity, ask: ExecAsk) -> Bool {
|
||||
self.shouldAsk(security: security, ask: ask)
|
||||
}
|
||||
|
||||
static func _testFallbackDecision(
|
||||
command: String,
|
||||
resolvedPath: String?,
|
||||
askFallback: ExecSecurity,
|
||||
allowlistPatterns: [String]) -> ExecApprovalDecision
|
||||
{
|
||||
self.fallbackDecision(
|
||||
request: ExecApprovalPromptRequest(
|
||||
command: command,
|
||||
cwd: nil,
|
||||
host: nil,
|
||||
security: nil,
|
||||
ask: nil,
|
||||
agentId: nil,
|
||||
resolvedPath: resolvedPath,
|
||||
sessionKey: nil),
|
||||
askFallback: askFallback,
|
||||
allowlist: allowlistPatterns.map { ExecAllowlistEntry(pattern: $0) })
|
||||
}
|
||||
}
|
||||
#endif
|
||||
|
||||
@ -52,4 +52,51 @@ struct ExecApprovalsGatewayPrompterTests {
|
||||
lastInputSeconds: 400)
|
||||
#expect(!remote)
|
||||
}
|
||||
|
||||
// MARK: - shouldAsk
|
||||
|
||||
@Test func askAlwaysPromptsRegardlessOfSecurity() {
|
||||
#expect(ExecApprovalsGatewayPrompter._testShouldAsk(security: .deny, ask: .always))
|
||||
#expect(ExecApprovalsGatewayPrompter._testShouldAsk(security: .allowlist, ask: .always))
|
||||
#expect(ExecApprovalsGatewayPrompter._testShouldAsk(security: .full, ask: .always))
|
||||
}
|
||||
|
||||
@Test func askOnMissPromptsOnlyForAllowlist() {
|
||||
#expect(ExecApprovalsGatewayPrompter._testShouldAsk(security: .allowlist, ask: .onMiss))
|
||||
#expect(!ExecApprovalsGatewayPrompter._testShouldAsk(security: .deny, ask: .onMiss))
|
||||
#expect(!ExecApprovalsGatewayPrompter._testShouldAsk(security: .full, ask: .onMiss))
|
||||
}
|
||||
|
||||
@Test func askOffNeverPrompts() {
|
||||
#expect(!ExecApprovalsGatewayPrompter._testShouldAsk(security: .deny, ask: .off))
|
||||
#expect(!ExecApprovalsGatewayPrompter._testShouldAsk(security: .allowlist, ask: .off))
|
||||
#expect(!ExecApprovalsGatewayPrompter._testShouldAsk(security: .full, ask: .off))
|
||||
}
|
||||
|
||||
@Test func fallbackAllowlistAllowsMatchingResolvedPath() {
|
||||
let decision = ExecApprovalsGatewayPrompter._testFallbackDecision(
|
||||
command: "git status",
|
||||
resolvedPath: "/usr/bin/git",
|
||||
askFallback: .allowlist,
|
||||
allowlistPatterns: ["/usr/bin/git"])
|
||||
#expect(decision == .allowOnce)
|
||||
}
|
||||
|
||||
@Test func fallbackAllowlistDeniesAllowlistMiss() {
|
||||
let decision = ExecApprovalsGatewayPrompter._testFallbackDecision(
|
||||
command: "git status",
|
||||
resolvedPath: "/usr/bin/git",
|
||||
askFallback: .allowlist,
|
||||
allowlistPatterns: ["/usr/bin/rg"])
|
||||
#expect(decision == .deny)
|
||||
}
|
||||
|
||||
@Test func fallbackFullAllowsWhenPromptCannotBeShown() {
|
||||
let decision = ExecApprovalsGatewayPrompter._testFallbackDecision(
|
||||
command: "git status",
|
||||
resolvedPath: "/usr/bin/git",
|
||||
askFallback: .full,
|
||||
allowlistPatterns: [])
|
||||
#expect(decision == .allowOnce)
|
||||
}
|
||||
}
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user