@nextclaw/channel-plugin-feishu 0.2.12 → 0.2.14

package/src/monitor.webhook-security.test.ts

@@ -0,0 +1,142 @@
+import { afterEach, describe, expect, it, vi } from "vitest";
+import {
+  createFeishuClientMockModule,
+  createFeishuRuntimeMockModule,
+} from "./monitor.test-mocks.js";
+import {
+  buildWebhookConfig,
+  getFreePort,
+  withRunningWebhookMonitor,
+} from "./monitor.webhook.test-helpers.js";
+
+const probeFeishuMock = vi.hoisted(() => vi.fn());
+
+vi.mock("./probe.js", () => ({
+  probeFeishu: probeFeishuMock,
+}));
+
+vi.mock("./client.js", () => createFeishuClientMockModule());
+vi.mock("./runtime.js", () => createFeishuRuntimeMockModule());
+
+vi.mock("@larksuiteoapi/node-sdk", () => ({
+  adaptDefault: vi.fn(
+    () => (_req: unknown, res: { statusCode?: number; end: (s: string) => void }) => {
+      res.statusCode = 200;
+      res.end("ok");
+    },
+  ),
+}));
+
+import {
+  clearFeishuWebhookRateLimitStateForTest,
+  getFeishuWebhookRateLimitStateSizeForTest,
+  isWebhookRateLimitedForTest,
+  monitorFeishuProvider,
+  stopFeishuMonitor,
+} from "./monitor.js";
+
+afterEach(() => {
+  clearFeishuWebhookRateLimitStateForTest();
+  stopFeishuMonitor();
+});
+
+describe("Feishu webhook security hardening", () => {
+  it("rejects webhook mode without verificationToken", async () => {
+    probeFeishuMock.mockResolvedValue({ ok: true, botOpenId: "bot_open_id" });
+
+    const cfg = buildWebhookConfig({
+      accountId: "missing-token",
+      path: "/hook-missing-token",
+      port: await getFreePort(),
+    });
+
+    await expect(monitorFeishuProvider({ config: cfg })).rejects.toThrow(
+      /requires verificationToken/i,
+    );
+  });
+
+  it("rejects webhook mode without encryptKey", async () => {
+    probeFeishuMock.mockResolvedValue({ ok: true, botOpenId: "bot_open_id" });
+
+    const cfg = buildWebhookConfig({
+      accountId: "missing-encrypt-key",
+      path: "/hook-missing-encrypt",
+      port: await getFreePort(),
+      verificationToken: "verify_token",
+    });
+
+    await expect(monitorFeishuProvider({ config: cfg })).rejects.toThrow(/requires encryptKey/i);
+  });
+
+  it("returns 415 for POST requests without json content type", async () => {
+    probeFeishuMock.mockResolvedValue({ ok: true, botOpenId: "bot_open_id" });
+    await withRunningWebhookMonitor(
+      {
+        accountId: "content-type",
+        path: "/hook-content-type",
+        verificationToken: "verify_token",
+        encryptKey: "encrypt_key",
+      },
+      monitorFeishuProvider,
+      async (url) => {
+        const response = await fetch(url, {
+          method: "POST",
+          headers: { "content-type": "text/plain" },
+          body: "{}",
+        });
+
+        expect(response.status).toBe(415);
+        expect(await response.text()).toBe("Unsupported Media Type");
+      },
+    );
+  });
+
+  it("rate limits webhook burst traffic with 429", async () => {
+    probeFeishuMock.mockResolvedValue({ ok: true, botOpenId: "bot_open_id" });
+    await withRunningWebhookMonitor(
+      {
+        accountId: "rate-limit",
+        path: "/hook-rate-limit",
+        verificationToken: "verify_token",
+        encryptKey: "encrypt_key",
+      },
+      monitorFeishuProvider,
+      async (url) => {
+        let saw429 = false;
+        for (let i = 0; i < 130; i += 1) {
+          const response = await fetch(url, {
+            method: "POST",
+            headers: { "content-type": "text/plain" },
+            body: "{}",
+          });
+          if (response.status === 429) {
+            saw429 = true;
+            expect(await response.text()).toBe("Too Many Requests");
+            break;
+          }
+        }
+
+        expect(saw429).toBe(true);
+      },
+    );
+  });
+
+  it("caps tracked webhook rate-limit keys to prevent unbounded growth", () => {
+    const now = 1_000_000;
+    for (let i = 0; i < 4_500; i += 1) {
+      isWebhookRateLimitedForTest(`/feishu-rate-limit:key-${i}`, now);
+    }
+    expect(getFeishuWebhookRateLimitStateSizeForTest()).toBeLessThanOrEqual(4_096);
+  });
+
+  it("prunes stale webhook rate-limit state after window elapses", () => {
+    const now = 2_000_000;
+    for (let i = 0; i < 100; i += 1) {
+      isWebhookRateLimitedForTest(`/feishu-rate-limit-stale:key-${i}`, now);
+    }
+    expect(getFeishuWebhookRateLimitStateSizeForTest()).toBe(100);
+
+    isWebhookRateLimitedForTest("/feishu-rate-limit-stale:fresh", now + 60_001);
+    expect(getFeishuWebhookRateLimitStateSizeForTest()).toBe(1);
+  });
+});

package/src/monitor.webhook.test-helpers.ts

@@ -0,0 +1,98 @@
+import { createServer } from "node:http";
+import type { AddressInfo } from "node:net";
+import type { ClawdbotConfig } from "openclaw/plugin-sdk/feishu";
+import { vi } from "vitest";
+import type { monitorFeishuProvider } from "./monitor.js";
+
+export async function getFreePort(): Promise<number> {
+  const server = createServer();
+  await new Promise<void>((resolve) => server.listen(0, "127.0.0.1", () => resolve()));
+  const address = server.address() as AddressInfo | null;
+  if (!address) {
+    throw new Error("missing server address");
+  }
+  await new Promise<void>((resolve) => server.close(() => resolve()));
+  return address.port;
+}
+
+async function waitUntilServerReady(url: string): Promise<void> {
+  for (let i = 0; i < 50; i += 1) {
+    try {
+      const response = await fetch(url, { method: "GET" });
+      if (response.status >= 200 && response.status < 500) {
+        return;
+      }
+    } catch {
+      // retry
+    }
+    await new Promise((resolve) => setTimeout(resolve, 20));
+  }
+  throw new Error(`server did not start: ${url}`);
+}
+
+export function buildWebhookConfig(params: {
+  accountId: string;
+  path: string;
+  port: number;
+  verificationToken?: string;
+  encryptKey?: string;
+}): ClawdbotConfig {
+  return {
+    channels: {
+      feishu: {
+        enabled: true,
+        accounts: {
+          [params.accountId]: {
+            enabled: true,
+            appId: "cli_test",
+            appSecret: "secret_test", // pragma: allowlist secret
+            connectionMode: "webhook",
+            webhookHost: "127.0.0.1",
+            webhookPort: params.port,
+            webhookPath: params.path,
+            encryptKey: params.encryptKey,
+            verificationToken: params.verificationToken,
+          },
+        },
+      },
+    },
+  } as ClawdbotConfig;
+}
+
+export async function withRunningWebhookMonitor(
+  params: {
+    accountId: string;
+    path: string;
+    verificationToken: string;
+    encryptKey: string;
+  },
+  monitor: typeof monitorFeishuProvider,
+  run: (url: string) => Promise<void>,
+) {
+  const port = await getFreePort();
+  const cfg = buildWebhookConfig({
+    accountId: params.accountId,
+    path: params.path,
+    port,
+    encryptKey: params.encryptKey,
+    verificationToken: params.verificationToken,
+  });
+
+  const abortController = new AbortController();
+  const runtime = { log: vi.fn(), error: vi.fn(), exit: vi.fn() };
+  const monitorPromise = monitor({
+    config: cfg,
+    runtime,
+    abortSignal: abortController.signal,
+  });
+
+  const url = `http://127.0.0.1:${port}${params.path}`;
+  await waitUntilServerReady(url);
+
+  try {
+    await run(url);
+  } finally {
+    abortController.abort();
+    await monitorPromise;
+  }
+}

package/src/onboarding.status.test.ts

@@ -0,0 +1,25 @@
+import type { OpenClawConfig } from "openclaw/plugin-sdk/feishu";
+import { describe, expect, it } from "vitest";
+import { feishuOnboardingAdapter } from "./onboarding.js";
+
+describe("feishu onboarding status", () => {
+  it("treats SecretRef appSecret as configured when appId is present", async () => {
+    const status = await feishuOnboardingAdapter.getStatus({
+      cfg: {
+        channels: {
+          feishu: {
+            appId: "cli_a123456",
+            appSecret: {
+              source: "env",
+              provider: "default",
+              id: "FEISHU_APP_SECRET",
+            },
+          },
+        },
+      } as OpenClawConfig,
+      accountOverrides: {},
+    });
+
+    expect(status.configured).toBe(true);
+  });
+});

package/src/onboarding.test.ts

@@ -0,0 +1,143 @@
+import { describe, expect, it, vi } from "vitest";
+
+vi.mock("./probe.js", () => ({
+  probeFeishu: vi.fn(async () => ({ ok: false, error: "mocked" })),
+}));
+
+import { feishuOnboardingAdapter } from "./onboarding.js";
+
+const baseConfigureContext = {
+  runtime: {} as never,
+  accountOverrides: {},
+  shouldPromptAccountIds: false,
+  forceAllowFrom: false,
+};
+
+const baseStatusContext = {
+  accountOverrides: {},
+};
+
+async function withEnvVars(values: Record<string, string | undefined>, run: () => Promise<void>) {
+  const previous = new Map<string, string | undefined>();
+  for (const [key, value] of Object.entries(values)) {
+    previous.set(key, process.env[key]);
+    if (value === undefined) {
+      delete process.env[key];
+    } else {
+      process.env[key] = value;
+    }
+  }
+
+  try {
+    await run();
+  } finally {
+    for (const [key, prior] of previous.entries()) {
+      if (prior === undefined) {
+        delete process.env[key];
+      } else {
+        process.env[key] = prior;
+      }
+    }
+  }
+}
+
+async function getStatusWithEnvRefs(params: { appIdKey: string; appSecretKey: string }) {
+  return await feishuOnboardingAdapter.getStatus({
+    cfg: {
+      channels: {
+        feishu: {
+          appId: { source: "env", id: params.appIdKey, provider: "default" },
+          appSecret: { source: "env", id: params.appSecretKey, provider: "default" },
+        },
+      },
+    } as never,
+    ...baseStatusContext,
+  });
+}
+
+describe("feishuOnboardingAdapter.configure", () => {
+  it("does not throw when config appId/appSecret are SecretRef objects", async () => {
+    const text = vi
+      .fn()
+      .mockResolvedValueOnce("cli_from_prompt")
+      .mockResolvedValueOnce("secret_from_prompt")
+      .mockResolvedValueOnce("oc_group_1");
+
+    const prompter = {
+      note: vi.fn(async () => undefined),
+      text,
+      confirm: vi.fn(async () => true),
+      select: vi.fn(
+        async ({ initialValue }: { initialValue?: string }) => initialValue ?? "allowlist",
+      ),
+    } as never;
+
+    await expect(
+      feishuOnboardingAdapter.configure({
+        cfg: {
+          channels: {
+            feishu: {
+              appId: { source: "env", id: "FEISHU_APP_ID", provider: "default" },
+              appSecret: { source: "env", id: "FEISHU_APP_SECRET", provider: "default" },
+            },
+          },
+        } as never,
+        prompter,
+        ...baseConfigureContext,
+      }),
+    ).resolves.toBeTruthy();
+  });
+});
+
+describe("feishuOnboardingAdapter.getStatus", () => {
+  it("does not fallback to top-level appId when account explicitly sets empty appId", async () => {
+    const status = await feishuOnboardingAdapter.getStatus({
+      cfg: {
+        channels: {
+          feishu: {
+            appId: "top_level_app",
+            accounts: {
+              main: {
+                appId: "",
+                appSecret: "sample-app-credential", // pragma: allowlist secret
+              },
+            },
+          },
+        },
+      } as never,
+      ...baseStatusContext,
+    });
+
+    expect(status.configured).toBe(false);
+  });
+
+  it("treats env SecretRef appId as not configured when env var is missing", async () => {
+    const appIdKey = "FEISHU_APP_ID_STATUS_MISSING_TEST";
+    const appSecretKey = "FEISHU_APP_CREDENTIAL_STATUS_MISSING_TEST"; // pragma: allowlist secret
+    await withEnvVars(
+      {
+        [appIdKey]: undefined,
+        [appSecretKey]: "env-credential-456", // pragma: allowlist secret
+      },
+      async () => {
+        const status = await getStatusWithEnvRefs({ appIdKey, appSecretKey });
+        expect(status.configured).toBe(false);
+      },
+    );
+  });
+
+  it("treats env SecretRef appId/appSecret as configured in status", async () => {
+    const appIdKey = "FEISHU_APP_ID_STATUS_TEST";
+    const appSecretKey = "FEISHU_APP_CREDENTIAL_STATUS_TEST"; // pragma: allowlist secret
+    await withEnvVars(
+      {
+        [appIdKey]: "cli_env_123",
+        [appSecretKey]: "env-credential-456", // pragma: allowlist secret
+      },
+      async () => {
+        const status = await getStatusWithEnvRefs({ appIdKey, appSecretKey });
+        expect(status.configured).toBe(true);
+      },
+    );
+  });
+});