fix(orchestrator): encrypt OpenClaw provider tokens at rest

2026-03-07 16:55:51 -06:00
parent ff73fbd391
commit d60165572a
4 changed files with 148 additions and 7 deletions
--- a/apps/orchestrator/src/api/agent-providers/agent-providers.service.spec.ts
+++ b/apps/orchestrator/src/api/agent-providers/agent-providers.service.spec.ts
@@ -1,5 +1,6 @@
 import { beforeEach, describe, expect, it, vi } from "vitest";
 import { NotFoundException } from "@nestjs/common";
+import { EncryptionService } from "../../security/encryption.service";
 import { AgentProvidersService } from "./agent-providers.service";
 import { PrismaService } from "../../prisma/prisma.service";

@@ -14,6 +15,9 @@ describe("AgentProvidersService", () => {
      delete: ReturnType<typeof vi.fn>;
    };
  };
+  let encryptionService: {
+    encryptIfNeeded: ReturnType<typeof vi.fn>;
+  };

  beforeEach(() => {
    prisma = {
@@ -26,7 +30,14 @@ describe("AgentProvidersService", () => {
      },
    };

-    service = new AgentProvidersService(prisma as unknown as PrismaService);
+    encryptionService = {
+      encryptIfNeeded: vi.fn((value: string) => `enc:${value}`),
+    };
+
+    service = new AgentProvidersService(
+      prisma as unknown as PrismaService,
+      encryptionService as unknown as EncryptionService
+    );
  });

  it("lists all provider configs", async () => {
@@ -111,6 +122,42 @@ describe("AgentProvidersService", () => {
        credentials: {},
      },
    });
+    expect(encryptionService.encryptIfNeeded).not.toHaveBeenCalled();
+    expect(result).toEqual(created);
+  });
+
+  it("encrypts openclaw token credentials when creating provider config", async () => {
+    const created = {
+      id: "cfg-openclaw",
+      workspaceId: "8bcd7eda-a122-4d6c-adfd-b152f6f75369",
+      name: "OpenClaw",
+      provider: "openclaw",
+      gatewayUrl: "https://openclaw.example.com",
+      credentials: { apiToken: "enc:top-secret" },
+      isActive: true,
+      createdAt: new Date("2026-03-07T18:00:00.000Z"),
+      updatedAt: new Date("2026-03-07T18:00:00.000Z"),
+    };
+    prisma.agentProviderConfig.create.mockResolvedValue(created);
+
+    const result = await service.create({
+      workspaceId: "8bcd7eda-a122-4d6c-adfd-b152f6f75369",
+      name: "OpenClaw",
+      provider: "openclaw",
+      gatewayUrl: "https://openclaw.example.com",
+      credentials: { apiToken: "top-secret" },
+    });
+
+    expect(encryptionService.encryptIfNeeded).toHaveBeenCalledWith("top-secret");
+    expect(prisma.agentProviderConfig.create).toHaveBeenCalledWith({
+      data: {
+        workspaceId: "8bcd7eda-a122-4d6c-adfd-b152f6f75369",
+        name: "OpenClaw",
+        provider: "openclaw",
+        gatewayUrl: "https://openclaw.example.com",
+        credentials: { apiToken: "enc:top-secret" },
+      },
+    });
    expect(result).toEqual(created);
  });

@@ -156,6 +203,47 @@ describe("AgentProvidersService", () => {
        isActive: false,
      },
    });
+    expect(encryptionService.encryptIfNeeded).not.toHaveBeenCalled();
+    expect(result).toEqual(updated);
+  });
+
+  it("encrypts openclaw token credentials when updating provider config", async () => {
+    prisma.agentProviderConfig.findUnique.mockResolvedValue({
+      id: "cfg-openclaw",
+      workspaceId: "8bcd7eda-a122-4d6c-adfd-b152f6f75369",
+      name: "OpenClaw",
+      provider: "openclaw",
+      gatewayUrl: "https://openclaw.example.com",
+      credentials: { apiToken: "enc:existing" },
+      isActive: true,
+      createdAt: new Date("2026-03-07T18:00:00.000Z"),
+      updatedAt: new Date("2026-03-07T18:00:00.000Z"),
+    });
+
+    const updated = {
+      id: "cfg-openclaw",
+      workspaceId: "8bcd7eda-a122-4d6c-adfd-b152f6f75369",
+      name: "OpenClaw",
+      provider: "openclaw",
+      gatewayUrl: "https://openclaw.example.com",
+      credentials: { apiToken: "enc:rotated-token" },
+      isActive: true,
+      createdAt: new Date("2026-03-07T18:00:00.000Z"),
+      updatedAt: new Date("2026-03-07T19:00:00.000Z"),
+    };
+    prisma.agentProviderConfig.update.mockResolvedValue(updated);
+
+    const result = await service.update("cfg-openclaw", {
+      credentials: { apiToken: "rotated-token" },
+    });
+
+    expect(encryptionService.encryptIfNeeded).toHaveBeenCalledWith("rotated-token");
+    expect(prisma.agentProviderConfig.update).toHaveBeenCalledWith({
+      where: { id: "cfg-openclaw" },
+      data: {
+        credentials: { apiToken: "enc:rotated-token" },
+      },
+    });
    expect(result).toEqual(updated);
  });