206 lines
6.9 KiB
TypeScript
206 lines
6.9 KiB
TypeScript
|
import { describe, it, expect, beforeEach, afterEach } from 'vitest'
|
|||
|
|
import { mkdtempSync, writeFileSync, readFileSync, readdirSync, existsSync, rmSync } from 'fs'
|
|||
|
|
import { tmpdir } from 'os'
|
|||
|
|
import { join } from 'path'
|
|||
|
|
import {
|
|||
|
|
isExclusivePlatformKey,
|
|||
|
|
stripExclusivePlatformCredentials,
|
|||
|
|
disableExclusivePlatformsInConfig,
|
|||
|
|
EXCLUSIVE_PLATFORMS,
|
|||
|
|
EXCLUSIVE_PLATFORM_ENV_PATTERNS,
|
|||
|
|
} from '../../packages/server/src/services/hermes/profile-credentials'
|
|||
|
|
|
|||
|
|
let tmpDir: string
|
|||
|
|
|
|||
|
|
beforeEach(() => {
|
|||
|
|
tmpDir = mkdtempSync(join(tmpdir(), 'profile-cred-test-'))
|
|||
|
|
})
|
|||
|
|
|
|||
|
|
afterEach(() => {
|
|||
|
|
rmSync(tmpDir, { recursive: true, force: true })
|
|||
|
|
})
|
|||
|
|
|
|||
|
|
describe('isExclusivePlatformKey', () => {
|
|||
|
|
it('matches all known exclusive platform prefixes (aligned with hermes-agent gateway/platforms)', () => {
|
|||
|
|
const samples = [
|
|||
|
|
'TELEGRAM_BOT_TOKEN',
|
|||
|
|
'DISCORD_BOT_TOKEN',
|
|||
|
|
'SLACK_APP_TOKEN',
|
|||
|
|
'WHATSAPP_PHONE_NUMBER_ID',
|
|||
|
|
'SIGNAL_PHONE_NUMBER',
|
|||
|
|
'WEIXIN_TOKEN', 'WEIXIN_ACCOUNT_ID',
|
|||
|
|
'FEISHU_APP_ID',
|
|||
|
|
]
|
|||
|
|
for (const k of samples) {
|
|||
|
|
expect(isExclusivePlatformKey(k)).toBe(true)
|
|||
|
|
}
|
|||
|
|
})
|
|||
|
|
|
|||
|
|
it('does not match removed aliases or non-lock platforms', () => {
|
|||
|
|
// 这些前缀在 hermes-agent gateway/platforms/ 中没有 _acquire_platform_lock 调用
|
|||
|
|
const nonLock = [
|
|||
|
|
'WECHAT_APP_ID', // wechat 不是上游 platform key(实际是 weixin)
|
|||
|
|
'LARK_APP_SECRET', // lark 不是上游 platform key(实际是 feishu)
|
|||
|
|
'LINE_CHANNEL_SECRET', // line 在 hermes-agent 中没有 adapter
|
|||
|
|
'MATTERMOST_TOKEN', 'MATRIX_TOKEN', 'DINGTALK_TOKEN',
|
|||
|
|
'WECOM_TOKEN', 'QQBOT_TOKEN', 'BLUEBUBBLES_TOKEN',
|
|||
|
|
]
|
|||
|
|
for (const k of nonLock) {
|
|||
|
|
expect(isExclusivePlatformKey(k)).toBe(false)
|
|||
|
|
}
|
|||
|
|
})
|
|||
|
|
|
|||
|
|
it('does not match model provider keys or generic config', () => {
|
|||
|
|
const safe = [
|
|||
|
|
'OPENAI_API_KEY',
|
|||
|
|
'ANTHROPIC_API_KEY',
|
|||
|
|
'GEMINI_API_KEY',
|
|||
|
|
'DEEPSEEK_API_KEY',
|
|||
|
|
'MINIMAX_API_KEY',
|
|||
|
|
'DASHSCOPE_API_KEY',
|
|||
|
|
'BROWSER_HEADLESS',
|
|||
|
|
'TERMINAL_DEFAULT_SHELL',
|
|||
|
|
'HERMES_MAX_ITERATIONS',
|
|||
|
|
'PORT',
|
|||
|
|
'NODE_ENV',
|
|||
|
|
]
|
|||
|
|
for (const k of safe) {
|
|||
|
|
expect(isExclusivePlatformKey(k)).toBe(false)
|
|||
|
|
}
|
|||
|
|
})
|
|||
|
|
})
|
|||
|
|
|
|||
|
|
describe('stripExclusivePlatformCredentials', () => {
|
|||
|
|
it('returns empty when file does not exist', () => {
|
|||
|
|
expect(stripExclusivePlatformCredentials(join(tmpDir, 'nope.env'))).toEqual([])
|
|||
|
|
})
|
|||
|
|
|
|||
|
|
it('returns empty and does not write when no exclusive keys present', () => {
|
|||
|
|
const p = join(tmpDir, '.env')
|
|||
|
|
const content = 'OPENAI_API_KEY=sk-xxx\nPORT=8642\n'
|
|||
|
|
writeFileSync(p, content)
|
|||
|
|
expect(stripExclusivePlatformCredentials(p)).toEqual([])
|
|||
|
|
expect(readFileSync(p, 'utf-8')).toBe(content)
|
|||
|
|
// 无备份文件
|
|||
|
|
expect(readdirSync(tmpDir).filter(f => f.startsWith('.env.bak'))).toHaveLength(0)
|
|||
|
|
})
|
|||
|
|
|
|||
|
|
it('strips exclusive credentials, keeps safe ones, and creates a backup', () => {
|
|||
|
|
const p = join(tmpDir, '.env')
|
|||
|
|
writeFileSync(p, [
|
|||
|
|
'# comment',
|
|||
|
|
'OPENAI_API_KEY=sk-xxx',
|
|||
|
|
'WEIXIN_TOKEN=secret-token',
|
|||
|
|
'WEIXIN_ACCOUNT_ID=acct-1',
|
|||
|
|
'TELEGRAM_BOT_TOKEN=tg-token',
|
|||
|
|
'PORT=8642',
|
|||
|
|
'',
|
|||
|
|
].join('\n'))
|
|||
|
|
|
|||
|
|
const removed = stripExclusivePlatformCredentials(p)
|
|||
|
|
expect(removed).toEqual(['WEIXIN_TOKEN', 'WEIXIN_ACCOUNT_ID', 'TELEGRAM_BOT_TOKEN'])
|
|||
|
|
|
|||
|
|
const after = readFileSync(p, 'utf-8')
|
|||
|
|
expect(after).toContain('OPENAI_API_KEY=sk-xxx')
|
|||
|
|
expect(after).toContain('PORT=8642')
|
|||
|
|
expect(after).toContain('# comment')
|
|||
|
|
expect(after).not.toContain('WEIXIN_')
|
|||
|
|
expect(after).not.toContain('TELEGRAM_')
|
|||
|
|
|
|||
|
|
// 备份文件存在且与原始内容一致
|
|||
|
|
const backups = readdirSync(tmpDir).filter(f => f.startsWith('.env.bak'))
|
|||
|
|
expect(backups).toHaveLength(1)
|
|||
|
|
const backupContent = readFileSync(join(tmpDir, backups[0]), 'utf-8')
|
|||
|
|
expect(backupContent).toContain('WEIXIN_TOKEN=secret-token')
|
|||
|
|
})
|
|||
|
|
})
|
|||
|
|
|
|||
|
|
describe('disableExclusivePlatformsInConfig', () => {
|
|||
|
|
it('returns empty when file does not exist', () => {
|
|||
|
|
expect(disableExclusivePlatformsInConfig(join(tmpDir, 'nope.yaml')))
|
|||
|
|
.toEqual({ disabled: [], strippedConfigCredentials: [] })
|
|||
|
|
})
|
|||
|
|
|
|||
|
|
it('returns empty when no exclusive platforms enabled and no embedded credentials', () => {
|
|||
|
|
const p = join(tmpDir, 'config.yaml')
|
|||
|
|
writeFileSync(p, 'platforms:\n cli:\n enabled: true\n')
|
|||
|
|
expect(disableExclusivePlatformsInConfig(p))
|
|||
|
|
.toEqual({ disabled: [], strippedConfigCredentials: [] })
|
|||
|
|
expect(readdirSync(tmpDir).filter(f => f.startsWith('config.yaml.bak'))).toHaveLength(0)
|
|||
|
|
})
|
|||
|
|
|
|||
|
|
it('disables enabled exclusive platforms, strips embedded credentials, and backs up', () => {
|
|||
|
|
const p = join(tmpDir, 'config.yaml')
|
|||
|
|
writeFileSync(p, [
|
|||
|
|
'platforms:',
|
|||
|
|
' cli:',
|
|||
|
|
' enabled: true',
|
|||
|
|
' weixin:',
|
|||
|
|
' enabled: true',
|
|||
|
|
' token: secret',
|
|||
|
|
' extra:',
|
|||
|
|
' account_id: acct-1',
|
|||
|
|
' app_id: app-1',
|
|||
|
|
' telegram:',
|
|||
|
|
' enabled: true',
|
|||
|
|
' bot_token: tg-token',
|
|||
|
|
' discord:',
|
|||
|
|
' enabled: false',
|
|||
|
|
'',
|
|||
|
|
].join('\n'))
|
|||
|
|
|
|||
|
|
const result = disableExclusivePlatformsInConfig(p)
|
|||
|
|
expect(result.disabled.sort()).toEqual(['telegram', 'weixin'])
|
|||
|
|
// 节点直挂 + extra 子节点的凭据都应该被清掉
|
|||
|
|
expect(result.strippedConfigCredentials.sort()).toEqual([
|
|||
|
|
'telegram.bot_token',
|
|||
|
|
'weixin.extra.account_id',
|
|||
|
|
'weixin.extra.app_id',
|
|||
|
|
'weixin.token',
|
|||
|
|
])
|
|||
|
|
|
|||
|
|
const after = readFileSync(p, 'utf-8')
|
|||
|
|
expect(after).toMatch(/weixin:[\s\S]*?enabled:\s*false/)
|
|||
|
|
expect(after).toMatch(/telegram:[\s\S]*?enabled:\s*false/)
|
|||
|
|
expect(after).toMatch(/cli:[\s\S]*?enabled:\s*true/)
|
|||
|
|
// 凭据已被清除
|
|||
|
|
expect(after).not.toContain('secret')
|
|||
|
|
expect(after).not.toContain('tg-token')
|
|||
|
|
expect(after).not.toContain('acct-1')
|
|||
|
|
|
|||
|
|
const backups = readdirSync(tmpDir).filter(f => f.startsWith('config.yaml.bak'))
|
|||
|
|
expect(backups).toHaveLength(1)
|
|||
|
|
})
|
|||
|
|
|
|||
|
|
it('strips embedded credentials even when platform is already disabled', () => {
|
|||
|
|
const p = join(tmpDir, 'config.yaml')
|
|||
|
|
writeFileSync(p, [
|
|||
|
|
'platforms:',
|
|||
|
|
' weixin:',
|
|||
|
|
' enabled: false',
|
|||
|
|
' token: leftover-secret',
|
|||
|
|
'',
|
|||
|
|
].join('\n'))
|
|||
|
|
|
|||
|
|
const result = disableExclusivePlatformsInConfig(p)
|
|||
|
|
expect(result.disabled).toEqual([])
|
|||
|
|
expect(result.strippedConfigCredentials).toEqual(['weixin.token'])
|
|||
|
|
|
|||
|
|
const after = readFileSync(p, 'utf-8')
|
|||
|
|
expect(after).not.toContain('leftover-secret')
|
|||
|
|
})
|
|||
|
|
|
|||
|
|
it('returns empty on malformed yaml without throwing', () => {
|
|||
|
|
const p = join(tmpDir, 'config.yaml')
|
|||
|
|
writeFileSync(p, 'platforms: [unclosed')
|
|||
|
|
expect(disableExclusivePlatformsInConfig(p))
|
|||
|
|
.toEqual({ disabled: [], strippedConfigCredentials: [] })
|
|||
|
|
})
|
|||
|
|
})
|
|||
|
|
|
|||
|
|
describe('EXCLUSIVE_PLATFORMS list', () => {
|
|||
|
|
it('stays in sync with the env pattern list (same length)', () => {
|
|||
|
|
expect(EXCLUSIVE_PLATFORMS.length).toBe(EXCLUSIVE_PLATFORM_ENV_PATTERNS.length)
|
|||
|
|
})
|
|||
|
|
})
|