From c32b17f55761f6e495fdc2b43ac3f4ad54f7acc1 Mon Sep 17 00:00:00 2001 From: Ben Date: Thu, 21 May 2026 15:09:56 +1000 Subject: [PATCH] feat(plugins): add register_dashboard_auth_provider hook on PluginContext MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Phase 1, Task 1.3. Mirrors the existing register_image_gen_provider pattern (plugins.py:531) — wrong-type or duplicate-name registrations log at WARNING and silently return rather than raising, so a misbehaving auth plugin cannot crash the host. Deviation from plan: the plan's draft raised TypeError on non-provider input; switched to silent-warn to match the established image_gen convention. Test updated to match. --- hermes_cli/plugins.py | 40 +++++++++ .../test_dashboard_auth_plugin_hook.py | 90 +++++++++++++++++++ 2 files changed, 130 insertions(+) create mode 100644 tests/hermes_cli/test_dashboard_auth_plugin_hook.py diff --git a/hermes_cli/plugins.py b/hermes_cli/plugins.py index bd6367a44c8..854f3d9f309 100644 --- a/hermes_cli/plugins.py +++ b/hermes_cli/plugins.py @@ -553,6 +553,46 @@ class PluginContext: self.manifest.name, provider.name, ) + # -- dashboard auth provider registration -------------------------------- + + def register_dashboard_auth_provider(self, provider) -> None: + """Register a dashboard authentication provider. + + ``provider`` must be an instance of + :class:`hermes_cli.dashboard_auth.DashboardAuthProvider`. Used by + the dashboard OAuth auth gate, which engages when the dashboard + binds to a non-loopback host without ``--insecure``. + + Misbehaving providers (wrong type, duplicate name) are logged at + WARNING and silently ignored — never raised — so a broken plugin + cannot crash the host. Same convention as + ``register_image_gen_provider``. + """ + from hermes_cli.dashboard_auth import ( + DashboardAuthProvider, register_provider, + ) + + if not isinstance(provider, DashboardAuthProvider): + logger.warning( + "Plugin '%s' tried to register a dashboard-auth provider " + "that does not inherit from DashboardAuthProvider. Ignoring.", + self.manifest.name, + ) + return + try: + register_provider(provider) + except (TypeError, ValueError) as e: + logger.warning( + "Plugin '%s' failed to register dashboard-auth provider " + "%r: %s", + self.manifest.name, getattr(provider, "name", "?"), e, + ) + return + logger.info( + "Plugin '%s' registered dashboard-auth provider: %s (%s)", + self.manifest.name, provider.name, provider.display_name, + ) + # -- video gen provider registration ------------------------------------- def register_video_gen_provider(self, provider) -> None: diff --git a/tests/hermes_cli/test_dashboard_auth_plugin_hook.py b/tests/hermes_cli/test_dashboard_auth_plugin_hook.py new file mode 100644 index 00000000000..79947731063 --- /dev/null +++ b/tests/hermes_cli/test_dashboard_auth_plugin_hook.py @@ -0,0 +1,90 @@ +"""The plugin context exposes register_dashboard_auth_provider. + +Mirrors the image-gen / memory-provider hooks (see plugins.py:531 for prior +art). +""" +from __future__ import annotations + +import pytest + +from hermes_cli.dashboard_auth import clear_providers, get_provider +from hermes_cli.dashboard_auth.base import ( + DashboardAuthProvider, LoginStart, Session, +) +from hermes_cli.plugins import PluginContext, PluginManifest + + +class _Stub(DashboardAuthProvider): + name = "stub" + display_name = "Stub IdP" + + def start_login(self, *, redirect_uri): + return LoginStart(redirect_url="x", cookie_payload={}) + + def complete_login(self, *, code, state, code_verifier, redirect_uri): + return Session("u", "e", "n", "o", "stub", 0, "a", "r") + + def verify_session(self, *, access_token): + return None + + def refresh_session(self, *, refresh_token): + return Session("u", "e", "n", "o", "stub", 0, "a", "r") + + def revoke_session(self, *, refresh_token): + return None + + +class _MinimalManager: + """The fixture only needs whatever PluginContext touches at register-time. + + We don't import the real PluginManager because it pulls in the full + plugin-discovery surface. The hook we're testing only reads from + ``ctx.manifest``, so the manager attributes don't matter — but we set + the few that other PluginContext methods touch defensively. + """ + + _cli_ref = None + _context_engine = None + _tools: dict = {} + + +@pytest.fixture(autouse=True) +def _isolated_registry(): + clear_providers() + yield + clear_providers() + + +def _make_ctx(name: str = "dashboard-auth-stub") -> PluginContext: + manifest = PluginManifest(name=name, version="0.0.1", description="stub") + return PluginContext(manifest=manifest, manager=_MinimalManager()) # type: ignore[arg-type] + + +def test_plugin_ctx_exposes_register_dashboard_auth_provider(): + ctx = _make_ctx() + assert hasattr(ctx, "register_dashboard_auth_provider") + + +def test_plugin_ctx_register_dashboard_auth_provider_happy_path(): + ctx = _make_ctx() + ctx.register_dashboard_auth_provider(_Stub()) + p = get_provider("stub") + assert p is not None + assert p.display_name == "Stub IdP" + + +def test_plugin_ctx_silently_ignores_non_provider(caplog): + """Mirror image_gen behaviour: log warning, leave registry empty. + + We do NOT raise — a misbehaving plugin must not crash the host. + """ + import logging + ctx = _make_ctx("dashboard-auth-bad") + with caplog.at_level(logging.WARNING): + ctx.register_dashboard_auth_provider("not a provider") # type: ignore[arg-type] + assert get_provider("stub") is None + assert any( + "dashboard-auth-bad" in rec.message + and "DashboardAuthProvider" in rec.message + for rec in caplog.records + )