mirror of
https://github.com/NousResearch/hermes-agent.git
synced 2026-05-30 06:41:51 +00:00
243ebc7a61
The web dashboard's Anthropic OAuth helper wrote the credential file straight to its final destination and relied on the process umask for permissions. That left the dashboard-specific path weaker than the existing auth writers, which already use owner-only permissions and safer write semantics. This change keeps the scope narrow: make the dashboard helper write via a temp file + replace, chmod the final file to owner-only, and add a focused regression test for both permission handling and atomic-write behavior. Constraint: Must preserve the existing dashboard OAuth flow and credential-pool side effects Rejected: Broader auth-storage refactor | unnecessary scope for a single verified inconsistency Confidence: high Scope-risk: narrow Reversibility: clean Directive: Keep dashboard credential writes aligned with existing auth storage semantics; do not reintroduce direct write_text() here without matching chmod/atomic behavior Tested: pytest -o addopts='' tests/hermes_cli/test_web_server_oauth_write.py tests/hermes_cli/test_web_server.py -q (78 passed) Not-tested: Cross-platform permission semantics on Windows-managed filesystems
53 lines
1.5 KiB
Python
53 lines
1.5 KiB
Python
import os
|
|
|
|
import pytest
|
|
|
|
from hermes_cli.web_server import _save_anthropic_oauth_creds
|
|
|
|
|
|
class _DummyPool:
|
|
def entries(self):
|
|
return []
|
|
|
|
def remove_entry(self, _id):
|
|
return None
|
|
|
|
def add_entry(self, _entry):
|
|
return None
|
|
|
|
|
|
@pytest.fixture
|
|
def oauth_file(monkeypatch, tmp_path):
|
|
target = tmp_path / '.anthropic_oauth.json'
|
|
monkeypatch.setattr('agent.anthropic_adapter._HERMES_OAUTH_FILE', target)
|
|
monkeypatch.setattr('agent.credential_pool.load_pool', lambda _provider: _DummyPool())
|
|
return target
|
|
|
|
|
|
def test_dashboard_oauth_write_uses_owner_only_permissions(oauth_file):
|
|
old_umask = os.umask(0o022)
|
|
try:
|
|
_save_anthropic_oauth_creds('access-token', 'refresh-token', 123456)
|
|
finally:
|
|
os.umask(old_umask)
|
|
|
|
assert oauth_file.exists()
|
|
mode = oauth_file.stat().st_mode & 0o777
|
|
assert mode == 0o600
|
|
|
|
|
|
def test_dashboard_oauth_write_uses_atomic_replace_and_cleans_temp_files(oauth_file, monkeypatch):
|
|
replace_calls = []
|
|
|
|
def flaky_replace(src, dst):
|
|
replace_calls.append((src, dst))
|
|
raise OSError('simulated replace failure')
|
|
|
|
monkeypatch.setattr('hermes_cli.web_server.os.replace', flaky_replace)
|
|
|
|
with pytest.raises(OSError, match='simulated replace failure'):
|
|
_save_anthropic_oauth_creds('access-token', 'refresh-token', 123456)
|
|
|
|
assert replace_calls, 'helper should attempt atomic os.replace()'
|
|
assert not oauth_file.exists()
|
|
assert not list(oauth_file.parent.glob(f'{oauth_file.name}.tmp*'))
|