openclaw-cloudflare 0.1.0 → 0.3.0

package/src/index.test.ts

@@ -1,395 +0,0 @@
-import type { IncomingMessage, ServerResponse } from "node:http";
-import { describe, expect, it, vi, beforeEach } from "vitest";
-
-const createCloudflareAccessVerifierMock = vi.fn();
-const startGatewayCloudflareExposureMock = vi.fn();
-
-vi.mock("./tunnel/access.js", () => ({
-  createCloudflareAccessVerifier: (...args: unknown[]) =>
-    createCloudflareAccessVerifierMock(...args),
-}));
-
-vi.mock("./tunnel/exposure.js", () => ({
-  startGatewayCloudflareExposure: (...args: unknown[]) =>
-    startGatewayCloudflareExposureMock(...args),
-}));
-
-function createMockApi(pluginConfig?: Record<string, unknown>) {
-  return {
-    pluginConfig,
-    logger: {
-      info: vi.fn(),
-      warn: vi.fn(),
-      error: vi.fn(),
-    },
-    registerService: vi.fn(),
-    registerHttpHandler: vi.fn(),
-  };
-}
-
-function createMockReq(headers: Record<string, string | string[] | undefined> = {}): IncomingMessage {
-  return { headers } as unknown as IncomingMessage;
-}
-
-function createMockRes(): ServerResponse {
-  return {} as unknown as ServerResponse;
-}
-
-describe("cloudflare plugin", () => {
-  beforeEach(() => {
-    vi.restoreAllMocks();
-    createCloudflareAccessVerifierMock.mockReset();
-    startGatewayCloudflareExposureMock.mockReset();
-    delete process.env.OPENCLAW_CLOUDFLARE_TUNNEL_TOKEN;
-  });
-
-  it("does nothing when mode is off", async () => {
-    const { default: plugin } = await import("./index.js");
-    const api = createMockApi({ tunnel: { mode: "off" } });
-
-    plugin.register(api);
-
-    expect(api.registerService).not.toHaveBeenCalled();
-    expect(api.registerHttpHandler).not.toHaveBeenCalled();
-  });
-
-  it("does nothing when no tunnel config (defaults to off)", async () => {
-    const { default: plugin } = await import("./index.js");
-    const api = createMockApi({});
-
-    plugin.register(api);
-
-    expect(api.registerService).not.toHaveBeenCalled();
-    expect(api.registerHttpHandler).not.toHaveBeenCalled();
-  });
-
-  it("logs error and returns when managed mode has no token", async () => {
-    const { default: plugin } = await import("./index.js");
-    const api = createMockApi({ tunnel: { mode: "managed" } });
-
-    plugin.register(api);
-
-    expect(api.logger.error).toHaveBeenCalledWith(
-      expect.stringContaining("managed mode requires tunnelToken"),
-    );
-    expect(api.registerService).not.toHaveBeenCalled();
-  });
-
-  it("reads tunnel token from env var when not in config", async () => {
-    process.env.OPENCLAW_CLOUDFLARE_TUNNEL_TOKEN = "env-token";
-    startGatewayCloudflareExposureMock.mockResolvedValue(null);
-
-    const { default: plugin } = await import("./index.js");
-    const api = createMockApi({
-      tunnel: { mode: "managed", teamDomain: "myteam" },
-    });
-
-    plugin.register(api);
-
-    expect(api.registerService).toHaveBeenCalled();
-    // Extract and run the service start to verify token is passed through
-    const service = api.registerService.mock.calls[0][0];
-    await service.start();
-
-    expect(startGatewayCloudflareExposureMock).toHaveBeenCalledWith(
-      expect.objectContaining({ tunnelToken: "env-token" }),
-    );
-  });
-
-  it("warns when mode is active but no teamDomain is configured", async () => {
-    startGatewayCloudflareExposureMock.mockResolvedValue(null);
-
-    const { default: plugin } = await import("./index.js");
-    const api = createMockApi({ tunnel: { mode: "access-only" } });
-
-    plugin.register(api);
-
-    expect(api.logger.warn).toHaveBeenCalledWith(
-      expect.stringContaining("no teamDomain configured"),
-    );
-  });
-
-  it("warns when managed mode has no teamDomain", async () => {
-    startGatewayCloudflareExposureMock.mockResolvedValue(null);
-
-    const { default: plugin } = await import("./index.js");
-    const api = createMockApi({
-      tunnel: { mode: "managed", tunnelToken: "tok" },
-    });
-
-    plugin.register(api);
-
-    expect(api.logger.warn).toHaveBeenCalledWith(
-      expect.stringContaining("no teamDomain configured"),
-    );
-  });
-
-  it("registers service and HTTP handler in managed mode", async () => {
-    startGatewayCloudflareExposureMock.mockResolvedValue(null);
-
-    const { default: plugin } = await import("./index.js");
-    const api = createMockApi({
-      tunnel: { mode: "managed", tunnelToken: "tok", teamDomain: "myteam" },
-    });
-
-    plugin.register(api);
-
-    expect(api.registerService).toHaveBeenCalledTimes(1);
-    expect(api.registerHttpHandler).toHaveBeenCalledTimes(1);
-
-    const service = api.registerService.mock.calls[0][0];
-    expect(service.id).toBe("cloudflare-tunnel");
-  });
-
-  it("service start creates verifier when teamDomain is set", async () => {
-    const mockVerifier = { verify: vi.fn() };
-    createCloudflareAccessVerifierMock.mockReturnValue(mockVerifier);
-    startGatewayCloudflareExposureMock.mockResolvedValue(null);
-
-    const { default: plugin } = await import("./index.js");
-    const api = createMockApi({
-      tunnel: {
-        mode: "managed",
-        tunnelToken: "tok",
-        teamDomain: "myteam",
-        audience: "my-aud",
-      },
-    });
-
-    plugin.register(api);
-
-    const service = api.registerService.mock.calls[0][0];
-    await service.start();
-
-    expect(createCloudflareAccessVerifierMock).toHaveBeenCalledWith({
-      teamDomain: "myteam",
-      audience: "my-aud",
-    });
-    expect(api.logger.info).toHaveBeenCalledWith(
-      expect.stringContaining("myteam.cloudflareaccess.com"),
-    );
-  });
-
-  it("service start does not create verifier when teamDomain is unset", async () => {
-    startGatewayCloudflareExposureMock.mockResolvedValue(null);
-
-    const { default: plugin } = await import("./index.js");
-    const api = createMockApi({
-      tunnel: { mode: "managed", tunnelToken: "tok" },
-    });
-
-    plugin.register(api);
-
-    const service = api.registerService.mock.calls[0][0];
-    await service.start();
-
-    expect(createCloudflareAccessVerifierMock).not.toHaveBeenCalled();
-  });
-
-  it("service stop calls tunnel stop and clears verifier", async () => {
-    const tunnelStopFn = vi.fn();
-    startGatewayCloudflareExposureMock.mockResolvedValue(tunnelStopFn);
-    createCloudflareAccessVerifierMock.mockReturnValue({ verify: vi.fn() });
-
-    const { default: plugin } = await import("./index.js");
-    const api = createMockApi({
-      tunnel: { mode: "managed", tunnelToken: "tok", teamDomain: "myteam" },
-    });
-
-    plugin.register(api);
-
-    const service = api.registerService.mock.calls[0][0];
-    await service.start();
-    await service.stop();
-
-    expect(tunnelStopFn).toHaveBeenCalled();
-  });
-
-  it("service stop is safe when no tunnel was started", async () => {
-    startGatewayCloudflareExposureMock.mockResolvedValue(null);
-
-    const { default: plugin } = await import("./index.js");
-    const api = createMockApi({
-      tunnel: { mode: "access-only", teamDomain: "myteam" },
-    });
-
-    plugin.register(api);
-
-    const service = api.registerService.mock.calls[0][0];
-    await service.start();
-    // Should not throw
-    await service.stop();
-  });
-
-  describe("HTTP handler", () => {
-    it("strips spoofed identity headers even when no verifier is active", async () => {
-      startGatewayCloudflareExposureMock.mockResolvedValue(null);
-
-      const { default: plugin } = await import("./index.js");
-      const api = createMockApi({
-        tunnel: { mode: "managed", tunnelToken: "tok" },
-      });
-
-      plugin.register(api);
-
-      const handler = api.registerHttpHandler.mock.calls[0][0];
-      const req = createMockReq({
-        "x-openclaw-user-email": "spoofed@evil.com",
-        "x-openclaw-auth-source": "spoofed",
-      });
-      await handler(req, createMockRes());
-
-      expect(req.headers["x-openclaw-user-email"]).toBeUndefined();
-      expect(req.headers["x-openclaw-auth-source"]).toBeUndefined();
-    });
-
-    it("strips spoofed identity headers before setting verified ones", async () => {
-      const mockVerifier = {
-        verify: vi.fn().mockResolvedValue({ email: "real@example.com" }),
-      };
-      createCloudflareAccessVerifierMock.mockReturnValue(mockVerifier);
-      startGatewayCloudflareExposureMock.mockResolvedValue(null);
-
-      const { default: plugin } = await import("./index.js");
-      const api = createMockApi({
-        tunnel: { mode: "managed", tunnelToken: "tok", teamDomain: "myteam" },
-      });
-
-      plugin.register(api);
-
-      const service = api.registerService.mock.calls[0][0];
-      await service.start();
-
-      const handler = api.registerHttpHandler.mock.calls[0][0];
-      const req = createMockReq({
-        "cf-access-jwt-assertion": "valid-jwt",
-        "x-openclaw-user-email": "spoofed@evil.com",
-        "x-openclaw-auth-source": "spoofed",
-      });
-      await handler(req, createMockRes());
-
-      expect(req.headers["x-openclaw-user-email"]).toBe("real@example.com");
-      expect(req.headers["x-openclaw-auth-source"]).toBe("cloudflare-access");
-    });
-
-    it("returns false when no verifier is active", async () => {
-      startGatewayCloudflareExposureMock.mockResolvedValue(null);
-
-      const { default: plugin } = await import("./index.js");
-      const api = createMockApi({
-        tunnel: { mode: "managed", tunnelToken: "tok" },
-      });
-
-      plugin.register(api);
-
-      // Service not started yet, so no verifier
-      const handler = api.registerHttpHandler.mock.calls[0][0];
-      const req = createMockReq({ "cf-access-jwt-assertion": "some-jwt" });
-      const result = await handler(req, createMockRes());
-
-      expect(result).toBe(false);
-    });
-
-    it("returns false when no JWT header is present", async () => {
-      const mockVerifier = { verify: vi.fn() };
-      createCloudflareAccessVerifierMock.mockReturnValue(mockVerifier);
-      startGatewayCloudflareExposureMock.mockResolvedValue(null);
-
-      const { default: plugin } = await import("./index.js");
-      const api = createMockApi({
-        tunnel: { mode: "managed", tunnelToken: "tok", teamDomain: "myteam" },
-      });
-
-      plugin.register(api);
-
-      const service = api.registerService.mock.calls[0][0];
-      await service.start();
-
-      const handler = api.registerHttpHandler.mock.calls[0][0];
-      const req = createMockReq({});
-      const result = await handler(req, createMockRes());
-
-      expect(result).toBe(false);
-      expect(mockVerifier.verify).not.toHaveBeenCalled();
-    });
-
-    it("sets identity headers on valid JWT", async () => {
-      const mockVerifier = {
-        verify: vi.fn().mockResolvedValue({ email: "alice@example.com" }),
-      };
-      createCloudflareAccessVerifierMock.mockReturnValue(mockVerifier);
-      startGatewayCloudflareExposureMock.mockResolvedValue(null);
-
-      const { default: plugin } = await import("./index.js");
-      const api = createMockApi({
-        tunnel: { mode: "managed", tunnelToken: "tok", teamDomain: "myteam" },
-      });
-
-      plugin.register(api);
-
-      const service = api.registerService.mock.calls[0][0];
-      await service.start();
-
-      const handler = api.registerHttpHandler.mock.calls[0][0];
-      const req = createMockReq({ "cf-access-jwt-assertion": "valid-jwt" });
-      const result = await handler(req, createMockRes());
-
-      expect(result).toBe(false);
-      expect(mockVerifier.verify).toHaveBeenCalledWith("valid-jwt");
-      expect(req.headers["x-openclaw-user-email"]).toBe("alice@example.com");
-      expect(req.headers["x-openclaw-auth-source"]).toBe("cloudflare-access");
-    });
-
-    it("does not set headers on invalid JWT", async () => {
-      const mockVerifier = {
-        verify: vi.fn().mockResolvedValue(null),
-      };
-      createCloudflareAccessVerifierMock.mockReturnValue(mockVerifier);
-      startGatewayCloudflareExposureMock.mockResolvedValue(null);
-
-      const { default: plugin } = await import("./index.js");
-      const api = createMockApi({
-        tunnel: { mode: "managed", tunnelToken: "tok", teamDomain: "myteam" },
-      });
-
-      plugin.register(api);
-
-      const service = api.registerService.mock.calls[0][0];
-      await service.start();
-
-      const handler = api.registerHttpHandler.mock.calls[0][0];
-      const req = createMockReq({ "cf-access-jwt-assertion": "bad-jwt" });
-      const result = await handler(req, createMockRes());
-
-      expect(result).toBe(false);
-      expect(req.headers["x-openclaw-user-email"]).toBeUndefined();
-    });
-
-    it("handles array JWT header (takes first value)", async () => {
-      const mockVerifier = {
-        verify: vi.fn().mockResolvedValue({ email: "bob@example.com" }),
-      };
-      createCloudflareAccessVerifierMock.mockReturnValue(mockVerifier);
-      startGatewayCloudflareExposureMock.mockResolvedValue(null);
-
-      const { default: plugin } = await import("./index.js");
-      const api = createMockApi({
-        tunnel: { mode: "managed", tunnelToken: "tok", teamDomain: "myteam" },
-      });
-
-      plugin.register(api);
-
-      const service = api.registerService.mock.calls[0][0];
-      await service.start();
-
-      const handler = api.registerHttpHandler.mock.calls[0][0];
-      const req = createMockReq({
-        "cf-access-jwt-assertion": ["first-jwt", "second-jwt"] as unknown as string,
-      });
-      const result = await handler(req, createMockRes());
-
-      expect(result).toBe(false);
-      expect(mockVerifier.verify).toHaveBeenCalledWith("first-jwt");
-    });
-  });
-});

package/src/tunnel/access.test.ts

@@ -1,280 +0,0 @@
-import crypto from "node:crypto";
-import { describe, expect, it, vi } from "vitest";
-import { createCloudflareAccessVerifier } from "./access.js";
-
-// Generate a test RSA keypair for signing JWTs
-const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", {
-  modulusLength: 2048,
-  publicKeyEncoding: { type: "spki", format: "pem" },
-  privateKeyEncoding: { type: "pkcs8", format: "pem" },
-});
-
-// Export as JWK for the mock JWKS endpoint
-const publicJwk = crypto.createPublicKey(publicKey).export({ format: "jwk" }) as {
-  kty: string;
-  n: string;
-  e: string;
-};
-
-const TEST_KID = "test-key-1";
-const TEST_TEAM_DOMAIN = "myteam";
-const TEST_ISSUER = `https://${TEST_TEAM_DOMAIN}.cloudflareaccess.com`;
-const TEST_AUDIENCE = "test-aud-tag";
-
-function base64UrlEncode(data: Buffer | string): string {
-  const buf = typeof data === "string" ? Buffer.from(data) : data;
-  return buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
-}
-
-async function createTestJwt(opts: {
-  email?: string;
-  iss?: string;
-  aud?: string | string[];
-  exp?: number;
-  kid?: string;
-}): Promise<string> {
-  const header = {
-    alg: "RS256",
-    typ: "JWT",
-    kid: opts.kid ?? TEST_KID,
-  };
-
-  const payload = {
-    email: opts.email ?? "user@example.com",
-    sub: "user-123",
-    iss: opts.iss ?? TEST_ISSUER,
-    aud: opts.aud ?? TEST_AUDIENCE,
-    exp: opts.exp ?? Math.floor(Date.now() / 1000) + 3600,
-    iat: Math.floor(Date.now() / 1000),
-  };
-
-  const headerB64 = base64UrlEncode(JSON.stringify(header));
-  const payloadB64 = base64UrlEncode(JSON.stringify(payload));
-  const signingInput = `${headerB64}.${payloadB64}`;
-
-  const sign = crypto.createSign("RSA-SHA256");
-  sign.update(signingInput);
-  const signature = sign.sign(privateKey);
-
-  return `${signingInput}.${base64UrlEncode(signature)}`;
-}
-
-function createMockFetch(): typeof globalThis.fetch {
-  return vi.fn(async (url: string | URL | Request) => {
-    const urlStr = typeof url === "string" ? url : url instanceof URL ? url.toString() : url.url;
-    if (urlStr.includes("/cdn-cgi/access/certs")) {
-      return new Response(
-        JSON.stringify({
-          keys: [
-            {
-              kty: publicJwk.kty,
-              kid: TEST_KID,
-              alg: "RS256",
-              use: "sig",
-              n: publicJwk.n,
-              e: publicJwk.e,
-            },
-          ],
-        }),
-        { status: 200 },
-      );
-    }
-    return new Response("Not Found", { status: 404 });
-  }) as typeof globalThis.fetch;
-}
-
-describe("cloudflare-access verifier", () => {
-  it("verifies a valid JWT and returns user email", async () => {
-    const verifier = createCloudflareAccessVerifier({
-      teamDomain: TEST_TEAM_DOMAIN,
-      audience: TEST_AUDIENCE,
-      fetchFn: createMockFetch(),
-    });
-
-    const token = await createTestJwt({});
-    const result = await verifier.verify(token);
-
-    expect(result).not.toBeNull();
-    expect(result!.email).toBe("user@example.com");
-  });
-
-  it("rejects expired JWT", async () => {
-    const verifier = createCloudflareAccessVerifier({
-      teamDomain: TEST_TEAM_DOMAIN,
-      audience: TEST_AUDIENCE,
-      fetchFn: createMockFetch(),
-    });
-
-    const token = await createTestJwt({
-      exp: Math.floor(Date.now() / 1000) - 3600,
-    });
-    const result = await verifier.verify(token);
-
-    expect(result).toBeNull();
-  });
-
-  it("rejects JWT with wrong issuer", async () => {
-    const verifier = createCloudflareAccessVerifier({
-      teamDomain: TEST_TEAM_DOMAIN,
-      audience: TEST_AUDIENCE,
-      fetchFn: createMockFetch(),
-    });
-
-    const token = await createTestJwt({
-      iss: "https://evil.cloudflareaccess.com",
-    });
-    const result = await verifier.verify(token);
-
-    expect(result).toBeNull();
-  });
-
-  it("rejects JWT with wrong audience when audience is configured", async () => {
-    const verifier = createCloudflareAccessVerifier({
-      teamDomain: TEST_TEAM_DOMAIN,
-      audience: TEST_AUDIENCE,
-      fetchFn: createMockFetch(),
-    });
-
-    const token = await createTestJwt({
-      aud: "wrong-audience",
-    });
-    const result = await verifier.verify(token);
-
-    expect(result).toBeNull();
-  });
-
-  it("accepts any audience when audience is not configured", async () => {
-    const verifier = createCloudflareAccessVerifier({
-      teamDomain: TEST_TEAM_DOMAIN,
-      fetchFn: createMockFetch(),
-    });
-
-    const token = await createTestJwt({
-      aud: "any-audience",
-    });
-    const result = await verifier.verify(token);
-
-    expect(result).not.toBeNull();
-    expect(result!.email).toBe("user@example.com");
-  });
-
-  it("rejects malformed token", async () => {
-    const verifier = createCloudflareAccessVerifier({
-      teamDomain: TEST_TEAM_DOMAIN,
-      fetchFn: createMockFetch(),
-    });
-
-    const result = await verifier.verify("not.a.valid.jwt");
-    expect(result).toBeNull();
-  });
-
-  it("rejects token with unknown kid", async () => {
-    const verifier = createCloudflareAccessVerifier({
-      teamDomain: TEST_TEAM_DOMAIN,
-      fetchFn: createMockFetch(),
-    });
-
-    const token = await createTestJwt({ kid: "unknown-key-id" });
-    const result = await verifier.verify(token);
-
-    expect(result).toBeNull();
-  });
-
-  it("rejects JWT with tampered signature", async () => {
-    const verifier = createCloudflareAccessVerifier({
-      teamDomain: TEST_TEAM_DOMAIN,
-      audience: TEST_AUDIENCE,
-      fetchFn: createMockFetch(),
-    });
-
-    const token = await createTestJwt({});
-    // Tamper with the signature
-    const parts = token.split(".");
-    parts[2] = base64UrlEncode(crypto.randomBytes(256));
-    const tampered = parts.join(".");
-
-    const result = await verifier.verify(tampered);
-    expect(result).toBeNull();
-  });
-
-  it("rejects JWT with unsupported algorithm", async () => {
-    const verifier = createCloudflareAccessVerifier({
-      teamDomain: TEST_TEAM_DOMAIN,
-      audience: TEST_AUDIENCE,
-      fetchFn: createMockFetch(),
-    });
-
-    // Create a token with alg: "none"
-    const header = { alg: "none", typ: "JWT", kid: TEST_KID };
-    const payload = {
-      email: "user@example.com",
-      sub: "user-123",
-      iss: TEST_ISSUER,
-      aud: TEST_AUDIENCE,
-      exp: Math.floor(Date.now() / 1000) + 3600,
-      iat: Math.floor(Date.now() / 1000),
-    };
-    const headerB64 = base64UrlEncode(JSON.stringify(header));
-    const payloadB64 = base64UrlEncode(JSON.stringify(payload));
-    const token = `${headerB64}.${payloadB64}.${base64UrlEncode("fake")}`;
-
-    const result = await verifier.verify(token);
-    expect(result).toBeNull();
-  });
-
-  it("rejects JWT with tampered payload but original signature", async () => {
-    const verifier = createCloudflareAccessVerifier({
-      teamDomain: TEST_TEAM_DOMAIN,
-      audience: TEST_AUDIENCE,
-      fetchFn: createMockFetch(),
-    });
-
-    const token = await createTestJwt({});
-    const parts = token.split(".");
-
-    // Tamper with the payload (change email) but keep original signature
-    const tamperedPayload = {
-      email: "attacker@evil.com",
-      sub: "user-123",
-      iss: TEST_ISSUER,
-      aud: TEST_AUDIENCE,
-      exp: Math.floor(Date.now() / 1000) + 3600,
-      iat: Math.floor(Date.now() / 1000),
-    };
-    parts[1] = base64UrlEncode(JSON.stringify(tamperedPayload));
-    const tampered = parts.join(".");
-
-    const result = await verifier.verify(tampered);
-    expect(result).toBeNull();
-  });
-
-  it("rejects JWT with no email claim", async () => {
-    const verifier = createCloudflareAccessVerifier({
-      teamDomain: TEST_TEAM_DOMAIN,
-      fetchFn: createMockFetch(),
-    });
-
-    // Create a token with no email
-    const header = {
-      alg: "RS256",
-      typ: "JWT",
-      kid: TEST_KID,
-    };
-    const payload = {
-      sub: "service-token",
-      iss: TEST_ISSUER,
-      exp: Math.floor(Date.now() / 1000) + 3600,
-      iat: Math.floor(Date.now() / 1000),
-    };
-    const headerB64 = base64UrlEncode(JSON.stringify(header));
-    const payloadB64 = base64UrlEncode(JSON.stringify(payload));
-    const signingInput = `${headerB64}.${payloadB64}`;
-    const sign = crypto.createSign("RSA-SHA256");
-    sign.update(signingInput);
-    const signature = sign.sign(privateKey);
-    const token = `${signingInput}.${base64UrlEncode(signature)}`;
-
-    const result = await verifier.verify(token);
-    expect(result).toBeNull();
-  });
-});