mirror of
https://github.com/moltbot/moltbot.git
synced 2026-03-07 22:44:16 +00:00
fix(ios): harden team-id profile fallback and tests
This commit is contained in:
Peter Steinberger
@@ -24,6 +24,7 @@ Docs: https://docs.openclaw.ai
|
||||
- Exec approvals: treat bare allowlist `*` as a true wildcard for parsed executables, including unresolved PATH lookups, so global opt-in allowlists work as configured. (#25250) Thanks @widingmarcus-cyber.
|
||||
- Gateway/Auth: allow trusted-proxy authenticated Control UI websocket sessions to skip device pairing when device identity is absent, preventing false `pairing required` failures behind trusted reverse proxies. (#25428) Thanks @SidQin-cyber.
|
||||
- Agents/Tool dispatch: await block-reply flush before tool execution starts so buffered block replies preserve message ordering around tool calls. (#25427) Thanks @SidQin-cyber.
|
||||
- iOS/Signing: improve `scripts/ios-team-id.sh` for Xcode 16+ by falling back to Xcode-managed provisioning profiles, add actionable guidance when an Apple account exists but no Team ID can be resolved, and ignore Xcode `xcodebuild` output directories (`apps/ios/build`, `apps/shared/OpenClawKit/build`, `Swabble/build`). (#22773) Thanks @brianleach.
|
||||
- macOS/Menu bar: stop reusing the injector delegate for the "Usage cost (30 days)" submenu to prevent recursive submenu injection loops when opening cost history. (#25341) Thanks @yingchunbai.
|
||||
- Control UI/Chat images: centralize safe external URL opening for image clicks (allowlist `http/https/blob` + opt-in `data:image/*`) and enforce opener isolation (`noopener,noreferrer` + `window.opener = null`) to prevent tabnabbing/unsafe schemes. (#25444) Thanks @shakkernerd.
|
||||
- CLI/Doctor: correct stale recovery hints to use valid commands (`openclaw gateway status --deep` and `openclaw configure --section model`). (#24485) Thanks @chilu18.
|
||||
|
||||
@@ -94,7 +94,10 @@ load_teams_from_xcode_managed_profiles() {
|
||||
| /usr/bin/python3 -c '
|
||||
import plistlib, sys
|
||||
try:
|
||||
d = plistlib.load(sys.stdin.buffer)
|
||||
raw = sys.stdin.buffer.read()
|
||||
if not raw:
|
||||
raise SystemExit(0)
|
||||
d = plistlib.loads(raw)
|
||||
for tid in d.get("TeamIdentifier", []):
|
||||
print(tid)
|
||||
except Exception:
|
||||
|
||||
195
test/scripts/ios-team-id.test.ts
Normal file
195
test/scripts/ios-team-id.test.ts
Normal file
@@ -0,0 +1,195 @@
|
||||
import { execFileSync } from "node:child_process";
|
||||
import { chmodSync } from "node:fs";
|
||||
import { mkdir, mkdtemp, writeFile } from "node:fs/promises";
|
||||
import os from "node:os";
|
||||
import path from "node:path";
|
||||
import { describe, expect, it } from "vitest";
|
||||
|
||||
const SCRIPT = path.join(process.cwd(), "scripts", "ios-team-id.sh");
|
||||
|
||||
async function writeExecutable(filePath: string, body: string): Promise<void> {
|
||||
await writeFile(filePath, body, "utf8");
|
||||
chmodSync(filePath, 0o755);
|
||||
}
|
||||
|
||||
function runScript(
|
||||
homeDir: string,
|
||||
extraEnv: Record<string, string> = {},
|
||||
): {
|
||||
ok: boolean;
|
||||
stdout: string;
|
||||
stderr: string;
|
||||
} {
|
||||
const binDir = path.join(homeDir, "bin");
|
||||
const env = {
|
||||
...process.env,
|
||||
HOME: homeDir,
|
||||
PATH: `${binDir}:${process.env.PATH ?? ""}`,
|
||||
...extraEnv,
|
||||
};
|
||||
try {
|
||||
const stdout = execFileSync("bash", [SCRIPT], {
|
||||
env,
|
||||
encoding: "utf8",
|
||||
stdio: ["ignore", "pipe", "pipe"],
|
||||
});
|
||||
return { ok: true, stdout: stdout.trim(), stderr: "" };
|
||||
} catch (error) {
|
||||
const e = error as {
|
||||
stdout?: string | Buffer;
|
||||
stderr?: string | Buffer;
|
||||
};
|
||||
const stdout = typeof e.stdout === "string" ? e.stdout : (e.stdout?.toString("utf8") ?? "");
|
||||
const stderr = typeof e.stderr === "string" ? e.stderr : (e.stderr?.toString("utf8") ?? "");
|
||||
return { ok: false, stdout: stdout.trim(), stderr: stderr.trim() };
|
||||
}
|
||||
}
|
||||
|
||||
describe("scripts/ios-team-id.sh", () => {
|
||||
it("falls back to Xcode-managed provisioning profiles when preference teams are empty", async () => {
|
||||
const homeDir = await mkdtemp(path.join(os.tmpdir(), "openclaw-ios-team-id-"));
|
||||
const binDir = path.join(homeDir, "bin");
|
||||
await mkdir(binDir, { recursive: true });
|
||||
await mkdir(path.join(homeDir, "Library", "Preferences"), { recursive: true });
|
||||
await mkdir(path.join(homeDir, "Library", "MobileDevice", "Provisioning Profiles"), {
|
||||
recursive: true,
|
||||
});
|
||||
await writeFile(path.join(homeDir, "Library", "Preferences", "com.apple.dt.Xcode.plist"), "");
|
||||
await writeFile(
|
||||
path.join(homeDir, "Library", "MobileDevice", "Provisioning Profiles", "one.mobileprovision"),
|
||||
"stub",
|
||||
);
|
||||
|
||||
await writeExecutable(
|
||||
path.join(binDir, "plutil"),
|
||||
`#!/usr/bin/env bash
|
||||
echo '{}'`,
|
||||
);
|
||||
await writeExecutable(
|
||||
path.join(binDir, "defaults"),
|
||||
`#!/usr/bin/env bash
|
||||
if [[ "$3" == "DVTDeveloperAccountManagerAppleIDLists" ]]; then
|
||||
echo '(identifier = "dev@example.com";)'
|
||||
exit 0
|
||||
fi
|
||||
exit 0`,
|
||||
);
|
||||
await writeExecutable(
|
||||
path.join(binDir, "security"),
|
||||
`#!/usr/bin/env bash
|
||||
if [[ "$1" == "cms" && "$2" == "-D" ]]; then
|
||||
cat <<'PLIST'
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
|
||||
<plist version="1.0">
|
||||
<dict>
|
||||
<key>TeamIdentifier</key>
|
||||
<array>
|
||||
<string>ABCDE12345</string>
|
||||
</array>
|
||||
</dict>
|
||||
</plist>
|
||||
PLIST
|
||||
exit 0
|
||||
fi
|
||||
exit 0`,
|
||||
);
|
||||
|
||||
const result = runScript(homeDir);
|
||||
expect(result.ok).toBe(true);
|
||||
expect(result.stdout).toBe("ABCDE12345");
|
||||
});
|
||||
|
||||
it("prints actionable guidance when Xcode account exists but no Team ID is resolvable", async () => {
|
||||
const homeDir = await mkdtemp(path.join(os.tmpdir(), "openclaw-ios-team-id-"));
|
||||
const binDir = path.join(homeDir, "bin");
|
||||
await mkdir(binDir, { recursive: true });
|
||||
await mkdir(path.join(homeDir, "Library", "Preferences"), { recursive: true });
|
||||
await writeFile(path.join(homeDir, "Library", "Preferences", "com.apple.dt.Xcode.plist"), "");
|
||||
|
||||
await writeExecutable(
|
||||
path.join(binDir, "plutil"),
|
||||
`#!/usr/bin/env bash
|
||||
echo '{}'`,
|
||||
);
|
||||
await writeExecutable(
|
||||
path.join(binDir, "defaults"),
|
||||
`#!/usr/bin/env bash
|
||||
if [[ "$3" == "DVTDeveloperAccountManagerAppleIDLists" ]]; then
|
||||
echo '(identifier = "dev@example.com";)'
|
||||
exit 0
|
||||
fi
|
||||
echo "Domain/default pair of (com.apple.dt.Xcode, $3) does not exist" >&2
|
||||
exit 1`,
|
||||
);
|
||||
await writeExecutable(
|
||||
path.join(binDir, "security"),
|
||||
`#!/usr/bin/env bash
|
||||
exit 1`,
|
||||
);
|
||||
|
||||
const result = runScript(homeDir);
|
||||
expect(result.ok).toBe(false);
|
||||
expect(result.stderr).toContain("An Apple account is signed in to Xcode");
|
||||
expect(result.stderr).toContain("IOS_DEVELOPMENT_TEAM");
|
||||
});
|
||||
|
||||
it("honors IOS_PREFERRED_TEAM_ID when multiple profile teams are available", async () => {
|
||||
const homeDir = await mkdtemp(path.join(os.tmpdir(), "openclaw-ios-team-id-"));
|
||||
const binDir = path.join(homeDir, "bin");
|
||||
await mkdir(binDir, { recursive: true });
|
||||
await mkdir(path.join(homeDir, "Library", "Preferences"), { recursive: true });
|
||||
await mkdir(path.join(homeDir, "Library", "MobileDevice", "Provisioning Profiles"), {
|
||||
recursive: true,
|
||||
});
|
||||
await writeFile(path.join(homeDir, "Library", "Preferences", "com.apple.dt.Xcode.plist"), "");
|
||||
await writeFile(
|
||||
path.join(homeDir, "Library", "MobileDevice", "Provisioning Profiles", "one.mobileprovision"),
|
||||
"stub1",
|
||||
);
|
||||
await writeFile(
|
||||
path.join(homeDir, "Library", "MobileDevice", "Provisioning Profiles", "two.mobileprovision"),
|
||||
"stub2",
|
||||
);
|
||||
|
||||
await writeExecutable(
|
||||
path.join(binDir, "plutil"),
|
||||
`#!/usr/bin/env bash
|
||||
echo '{}'`,
|
||||
);
|
||||
await writeExecutable(
|
||||
path.join(binDir, "defaults"),
|
||||
`#!/usr/bin/env bash
|
||||
if [[ "$3" == "DVTDeveloperAccountManagerAppleIDLists" ]]; then
|
||||
echo '(identifier = "dev@example.com";)'
|
||||
exit 0
|
||||
fi
|
||||
exit 0`,
|
||||
);
|
||||
await writeExecutable(
|
||||
path.join(binDir, "security"),
|
||||
`#!/usr/bin/env bash
|
||||
if [[ "$1" == "cms" && "$2" == "-D" ]]; then
|
||||
if [[ "$4" == *"one.mobileprovision" ]]; then
|
||||
cat <<'PLIST'
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
|
||||
<plist version="1.0"><dict><key>TeamIdentifier</key><array><string>AAAAA11111</string></array></dict></plist>
|
||||
PLIST
|
||||
exit 0
|
||||
fi
|
||||
cat <<'PLIST'
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
|
||||
<plist version="1.0"><dict><key>TeamIdentifier</key><array><string>BBBBB22222</string></array></dict></plist>
|
||||
PLIST
|
||||
exit 0
|
||||
fi
|
||||
exit 0`,
|
||||
);
|
||||
|
||||
const result = runScript(homeDir, { IOS_PREFERRED_TEAM_ID: "BBBBB22222" });
|
||||
expect(result.ok).toBe(true);
|
||||
expect(result.stdout).toBe("BBBBB22222");
|
||||
});
|
||||
});
|
||||
Reference in New Issue
Block a user