mirror of
https://github.com/NousResearch/hermes-agent.git
synced 2026-06-22 10:32:00 +00:00
c34840e22e
Live-test finding: the Chronos fire webhook was only on the APIServerAdapter
(aiohttp), but hosted agents expose `hermes dashboard` (the FastAPI web_server
app on :9119) as their public URL — NOT the api_server adapter. So NAS's relay
callback to {callback_url}/api/cron/fire could never reach the verifier on a
hosted agent (the exact target environment). Two layers were wrong:
1. Wrong server: /api/cron/fire didn't exist on the dashboard app. Added
cron_fire_webhook there, alongside the existing /api/cron/* dashboard routes.
It resolves the job's profile (_find_cron_job_profile) and runs fire_due via
the resolved provider under the cron-profile retarget lock
(_fire_cron_job_for_profile, mirroring _call_cron_for_profile) so the CAS
claim + run_one_job operate on the right profile's jobs.json. Runs with no
live adapters (delivery falls back to the per-platform send path, like the
desktop cron path). 202 + background so a long turn never trips NAS's
timeout; the store CAS de-dupes a NAS retry. job-not-found -> 200 "gone".
2. Auth gate: the dashboard auth middleware 401s any non-cookie request before
the handler runs. Added /api/cron/fire to the shared PUBLIC_API_PATHS so the
NAS bearer-JWT callback reaches the verifier — the JWT (purpose=cron_fire),
not the cookie, is the real gate. One shared frozenset feeds both the
loopback and OAuth middlewares, so no drift.
Kept the APIServerAdapter route too (valid self-host api_server surface).
Contract doc updated to name the dashboard app as the hosted-agent callback
surface.
Tests: test_cron_fire_dashboard (6) — route registered on the dashboard app,
in PUBLIC_API_PATHS, 401 on bad token WITH the cookie gate engaged (proves it's
reachable past the gate + JWT is the gate), 400 missing job_id, 200 gone for
unknown job, 202 + fire_due invoked for the resolved profile on a valid token.
Full hermes_cli + cron + chronos + webhook suites green (7637).
Why the original tests missed it: the api_server webhook test built an
APIServerAdapter client directly and never asserted which server the hosted
public URL exposes — green-but-wrong-integration. The new test pins the route
to the dashboard app.
142 lines
5.3 KiB
Python
142 lines
5.3 KiB
Python
"""Tests for the Chronos cron-fire webhook ON THE DASHBOARD APP (web_server).
|
|
|
|
Regression guard for the relocation bug: the fire webhook MUST live on the
|
|
dashboard FastAPI app (`hermes_cli.web_server.app`) — the agent's public HTTP
|
|
surface on hosted deployments — not only on the aiohttp APIServerAdapter (which
|
|
hosted agents don't expose). It must:
|
|
- be a registered route on the dashboard app,
|
|
- be in PUBLIC_API_PATHS so the dashboard cookie gate doesn't 401 it before
|
|
the JWT verifier runs,
|
|
- reject a bad/missing NAS-JWT with 401 (the JWT is the real gate),
|
|
- 400 on missing job_id,
|
|
- on a valid token, resolve the job's profile and run fire_due in the
|
|
background, returning 202.
|
|
"""
|
|
|
|
import pytest
|
|
from starlette.testclient import TestClient
|
|
|
|
from hermes_cli import web_server
|
|
from hermes_cli.dashboard_auth.public_paths import PUBLIC_API_PATHS
|
|
|
|
|
|
def _client(auth_required: bool):
|
|
prev_auth = getattr(web_server.app.state, "auth_required", None)
|
|
prev_host = getattr(web_server.app.state, "bound_host", None)
|
|
web_server.app.state.auth_required = auth_required
|
|
web_server.app.state.bound_host = None
|
|
client = TestClient(web_server.app)
|
|
return client, prev_auth, prev_host
|
|
|
|
|
|
def _restore(prev_auth, prev_host):
|
|
if prev_auth is None:
|
|
if hasattr(web_server.app.state, "auth_required"):
|
|
delattr(web_server.app.state, "auth_required")
|
|
else:
|
|
web_server.app.state.auth_required = prev_auth
|
|
if prev_host is None:
|
|
if hasattr(web_server.app.state, "bound_host"):
|
|
delattr(web_server.app.state, "bound_host")
|
|
else:
|
|
web_server.app.state.bound_host = prev_host
|
|
|
|
|
|
def test_route_registered_on_dashboard_app():
|
|
"""The fire webhook is served by the dashboard app (the hosted-agent public
|
|
surface), not only the aiohttp adapter."""
|
|
paths = {r.path for r in web_server.app.routes if hasattr(r, "path")}
|
|
assert "/api/cron/fire" in paths
|
|
|
|
|
|
def test_fire_path_is_public():
|
|
"""Must bypass the dashboard cookie gate so the NAS bearer-JWT callback
|
|
reaches the verifier (the JWT is the real auth)."""
|
|
assert "/api/cron/fire" in PUBLIC_API_PATHS
|
|
|
|
|
|
def test_bad_token_401(monkeypatch):
|
|
"""Invalid NAS-JWT -> 401, even with the dashboard auth gate ENGAGED
|
|
(proves the route is reachable past the cookie gate and the verifier is the
|
|
gate). fire_due must NOT run."""
|
|
fired = []
|
|
monkeypatch.setattr(
|
|
"plugins.cron.chronos.verify.get_fire_verifier",
|
|
lambda: (lambda **kw: None), # verification fails
|
|
)
|
|
monkeypatch.setattr(web_server, "_find_cron_job_profile", lambda jid: "default")
|
|
monkeypatch.setattr(web_server, "_fire_cron_job_for_profile",
|
|
lambda p, j: fired.append((p, j)))
|
|
|
|
client, pa, ph = _client(auth_required=True)
|
|
try:
|
|
resp = client.post("/api/cron/fire",
|
|
headers={"Authorization": "Bearer forged"},
|
|
json={"job_id": "abc"})
|
|
assert resp.status_code == 401
|
|
assert fired == []
|
|
finally:
|
|
_restore(pa, ph)
|
|
client.close()
|
|
|
|
|
|
def test_missing_job_id_400(monkeypatch):
|
|
monkeypatch.setattr(
|
|
"plugins.cron.chronos.verify.get_fire_verifier",
|
|
lambda: (lambda **kw: {"purpose": "cron_fire"}),
|
|
)
|
|
client, pa, ph = _client(auth_required=False)
|
|
try:
|
|
resp = client.post("/api/cron/fire",
|
|
headers={"Authorization": "Bearer good"},
|
|
json={})
|
|
assert resp.status_code == 400
|
|
finally:
|
|
_restore(pa, ph)
|
|
client.close()
|
|
|
|
|
|
def test_unknown_job_200_gone(monkeypatch):
|
|
"""Valid token but the job isn't found in any profile -> 200 'gone'
|
|
(NAS shouldn't retry a fire for a cancelled/completed job)."""
|
|
monkeypatch.setattr(
|
|
"plugins.cron.chronos.verify.get_fire_verifier",
|
|
lambda: (lambda **kw: {"purpose": "cron_fire"}),
|
|
)
|
|
monkeypatch.setattr(web_server, "_find_cron_job_profile", lambda jid: None)
|
|
client, pa, ph = _client(auth_required=False)
|
|
try:
|
|
resp = client.post("/api/cron/fire",
|
|
headers={"Authorization": "Bearer good"},
|
|
json={"job_id": "ghost"})
|
|
assert resp.status_code == 200
|
|
assert resp.json().get("status") == "gone"
|
|
finally:
|
|
_restore(pa, ph)
|
|
client.close()
|
|
|
|
|
|
def test_valid_token_accepts_and_fires(monkeypatch):
|
|
"""Valid token + known job -> 202 and fire_due invoked for the resolved
|
|
profile."""
|
|
fired = []
|
|
monkeypatch.setattr(
|
|
"plugins.cron.chronos.verify.get_fire_verifier",
|
|
lambda: (lambda **kw: {"purpose": "cron_fire", "aud": "agent:x"}),
|
|
)
|
|
monkeypatch.setattr(web_server, "_find_cron_job_profile", lambda jid: "default")
|
|
monkeypatch.setattr(web_server, "_fire_cron_job_for_profile",
|
|
lambda p, j: fired.append((p, j)) or True)
|
|
|
|
client, pa, ph = _client(auth_required=False)
|
|
try:
|
|
resp = client.post("/api/cron/fire",
|
|
headers={"Authorization": "Bearer good"},
|
|
json={"job_id": "j1"})
|
|
assert resp.status_code == 202
|
|
assert resp.json()["job_id"] == "j1"
|
|
finally:
|
|
_restore(pa, ph)
|
|
client.close()
|
|
# background task ran the fire for the resolved profile
|
|
assert fired == [("default", "j1")]
|