mirror of
https://github.com/NousResearch/hermes-agent.git
synced 2026-06-27 11:22:03 +00:00
cb9cb6ba1c
Task 2.0a of the safe-shutdown drain-coordination plan. Widens the dashboard auth framework GENERICALLY to support non-interactive (service-to-service) bearer-token auth, mirroring the existing supports_password precedent. This is a reusable capability — any future machine-credential provider plugs in without core changes (decisions.md Q-C). The drain bearer-secret plugin (Task 2.0b) is the first consumer, not the definition. - base.py: add TokenPrincipal dataclass (the token analog of Session) + supports_token capability flag + verify_token() on the ABC (default raises NotImplementedError so a misconfigured provider fails loud). Contract mirrors verify_session stacking: return None for unrecognised tokens (never raise), raise ProviderError only on a genuine backing-store outage. - registry.py: list_token_providers() — the supports_token subset, in registration order. Empty when none registered (token routes fail closed). - token_auth.py (new): route-agnostic seam. Routes opt in via register_token_route(exact path); token_auth_middleware owns the auth decision for those routes only — authenticate via stacked providers, attach request.state.token_principal + token_authenticated, pass through. 401 on missing/unrecognised token, 503 when a provider was unreachable, untouched passthrough for non-token routes. Fails closed (never open). - web_server.py: install the seam OUTERMOST (registered last → runs first). Both downstream gates (legacy auth_middleware + gated_auth_middleware) honour request.state.token_authenticated and skip enforcement, so a token-authed service request is never bounced to /login. - audit.py: TOKEN_AUTH_SUCCESS / TOKEN_AUTH_FAILURE events. Tests: tests/hermes_cli/test_dashboard_token_auth.py — ABC flag default, verify_token NotImplementedError, registry filter, bearer extraction (case-insensitive scheme, malformed/non-bearer → ""), provider stacking (first-match-wins, unreachable-remembered, unreachable-then-valid, buggy provider doesn't crash the gate), and the seam's passthrough/401/503/ fail-closed behaviour. 29 new tests; full dashboard-auth suite 169 passed. Intentionally deferred: - The concrete shared-bearer-secret provider plugin — Task 2.0b. - The begin/cancel-drain endpoint that registers itself as a token route — Task 2.1. Build status: dashboard-auth + plugin-hook suites green.
46 lines
1.2 KiB
Python
46 lines
1.2 KiB
Python
"""Dashboard authentication provider framework.
|
|
|
|
The dashboard auth gate engages only when the dashboard binds to a
|
|
non-loopback host without ``--insecure``. In that mode, every request must
|
|
carry a verified session from one of the registered ``DashboardAuthProvider``
|
|
plugins.
|
|
|
|
The Nous provider lives in ``plugins/dashboard-auth-nous/`` and is the
|
|
default. Third parties register their own providers via the plugin hook
|
|
``ctx.register_dashboard_auth_provider``.
|
|
"""
|
|
from hermes_cli.dashboard_auth.base import (
|
|
DashboardAuthProvider,
|
|
Session,
|
|
TokenPrincipal,
|
|
LoginStart,
|
|
InvalidCodeError,
|
|
InvalidCredentialsError,
|
|
ProviderError,
|
|
RefreshExpiredError,
|
|
assert_protocol_compliance,
|
|
)
|
|
from hermes_cli.dashboard_auth.registry import (
|
|
register_provider,
|
|
get_provider,
|
|
list_providers,
|
|
list_token_providers,
|
|
clear_providers,
|
|
)
|
|
|
|
__all__ = [
|
|
"DashboardAuthProvider",
|
|
"Session",
|
|
"TokenPrincipal",
|
|
"LoginStart",
|
|
"InvalidCodeError",
|
|
"InvalidCredentialsError",
|
|
"ProviderError",
|
|
"RefreshExpiredError",
|
|
"assert_protocol_compliance",
|
|
"register_provider",
|
|
"get_provider",
|
|
"list_providers",
|
|
"list_token_providers",
|
|
"clear_providers",
|
|
]
|