@@ -669,6 +669,56 @@ describe("resolve-openclaw-package-candidate", () => {
|
669 | 669 | ).rejects.toThrow("is not allowed by trusted package source enterprise-artifactory"); |
670 | 670 | }); |
671 | 671 | |
| 672 | +it("does not forward trusted package auth headers to redirect hosts", async () => { |
| 673 | +const dir = await mkdtemp(path.join(tmpdir(), "openclaw-package-download-")); |
| 674 | +tempDirs.push(dir); |
| 675 | +const target = path.join(dir, "openclaw.tgz"); |
| 676 | +const previousToken = process.env.OPENCLAW_TRUSTED_PACKAGE_TOKEN; |
| 677 | +process.env.OPENCLAW_TRUSTED_PACKAGE_TOKEN = "token-123"; |
| 678 | +const trustedSource = { |
| 679 | +allowPrivateNetwork: true, |
| 680 | +auth: { type: "bearer" }, |
| 681 | +hosts: ["packages.internal"], |
| 682 | +id: "enterprise-artifactory", |
| 683 | +pathPrefixes: ["/artifactory/openclaw/"], |
| 684 | +ports: [8443], |
| 685 | +redirectHosts: ["packages.internal", "mirror.internal"], |
| 686 | +}; |
| 687 | +const requestHeaders: Array<Record<string, string> | undefined> = []; |
| 688 | + |
| 689 | +try { |
| 690 | +await downloadUrl("https://packages.internal:8443/artifactory/openclaw/openclaw.tgz", target, { |
| 691 | +fetchImpl: async (_url: URL, init?: RequestInit) => { |
| 692 | +requestHeaders.push(init?.headers as Record<string, string> | undefined); |
| 693 | +if (requestHeaders.length === 1) { |
| 694 | +return new Response(null, { |
| 695 | +headers: { |
| 696 | +location: "https://mirror.internal:8443/artifactory/openclaw/openclaw.tgz", |
| 697 | +}, |
| 698 | +status: 302, |
| 699 | +}); |
| 700 | +} |
| 701 | +return new Response(new Uint8Array([4, 5, 6]), { |
| 702 | +headers: { "content-length": "3" }, |
| 703 | +status: 200, |
| 704 | +}); |
| 705 | +}, |
| 706 | +lookupHost: lookupAddresses([{ address: "10.0.0.8", family: 4 }]), |
| 707 | +maxBytes: 3, |
| 708 | + trustedSource, |
| 709 | +}); |
| 710 | +} finally { |
| 711 | +if (previousToken === undefined) { |
| 712 | +delete process.env.OPENCLAW_TRUSTED_PACKAGE_TOKEN; |
| 713 | +} else { |
| 714 | +process.env.OPENCLAW_TRUSTED_PACKAGE_TOKEN = previousToken; |
| 715 | +} |
| 716 | +} |
| 717 | + |
| 718 | +expect(requestHeaders).toEqual([{ authorization: "Bearer token-123" }, undefined]); |
| 719 | +await expect(readFile(target)).resolves.toEqual(Buffer.from([4, 5, 6])); |
| 720 | +}); |
| 721 | + |
672 | 722 | it("validates redirects for package_url downloads", async () => { |
673 | 723 | const dir = await mkdtemp(path.join(tmpdir(), "openclaw-package-download-")); |
674 | 724 | tempDirs.push(dir); |
|