mirrors/hermes-agent
1
0
Fork 0
mirror of https://github.com/NousResearch/hermes-agent.git synced 2026-06-10 08:32:09 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 11
hermes-agent/tests/tools/test_terminal_tool.py
BROCCOLO1D 29036155ce
fix(terminal): lazy-parse docker env config (#42733) 
Co-authored-by: BROCCOLO1D <279959838+BROCCOLO1D@users.noreply.github.com>
2026-06-10 11:04:27 +10:00

213 lines
7.7 KiB
Python
Raw Blame History

"""Regression tests for sudo detection and sudo password handling."""
import tools.terminal_tool as terminal_tool
def setup_function():
terminal_tool._reset_cached_sudo_passwords()
def teardown_function():
terminal_tool._reset_cached_sudo_passwords()
def test_searching_for_sudo_does_not_trigger_rewrite(monkeypatch):
monkeypatch.delenv("SUDO_PASSWORD", raising=False)
monkeypatch.delenv("HERMES_INTERACTIVE", raising=False)
command = "rg --line-number --no-heading --with-filename 'sudo' . | head -n 20"
transformed, sudo_stdin = terminal_tool._transform_sudo_command(command)
assert transformed == command
assert sudo_stdin is None
def test_printf_literal_sudo_does_not_trigger_rewrite(monkeypatch):
monkeypatch.delenv("SUDO_PASSWORD", raising=False)
monkeypatch.delenv("HERMES_INTERACTIVE", raising=False)
command = "printf '%s\\n' sudo"
transformed, sudo_stdin = terminal_tool._transform_sudo_command(command)
assert transformed == command
assert sudo_stdin is None
def test_non_command_argument_named_sudo_does_not_trigger_rewrite(monkeypatch):
monkeypatch.delenv("SUDO_PASSWORD", raising=False)
monkeypatch.delenv("HERMES_INTERACTIVE", raising=False)
command = "grep -n sudo README.md"
transformed, sudo_stdin = terminal_tool._transform_sudo_command(command)
assert transformed == command
assert sudo_stdin is None
def test_actual_sudo_command_uses_configured_password(monkeypatch):
monkeypatch.setenv("SUDO_PASSWORD", "testpass")
monkeypatch.delenv("HERMES_INTERACTIVE", raising=False)
transformed, sudo_stdin = terminal_tool._transform_sudo_command("sudo apt install -y ripgrep")
assert transformed == "sudo -S -p '' apt install -y ripgrep"
assert sudo_stdin == "testpass\n"
def test_actual_sudo_after_leading_env_assignment_is_rewritten(monkeypatch):
monkeypatch.setenv("SUDO_PASSWORD", "testpass")
monkeypatch.delenv("HERMES_INTERACTIVE", raising=False)
transformed, sudo_stdin = terminal_tool._transform_sudo_command("DEBUG=1 sudo whoami")
assert transformed == "DEBUG=1 sudo -S -p '' whoami"
assert sudo_stdin == "testpass\n"
def test_explicit_empty_sudo_password_tries_empty_without_prompt(monkeypatch):
monkeypatch.setenv("SUDO_PASSWORD", "")
monkeypatch.setenv("HERMES_INTERACTIVE", "1")
def _fail_prompt(*_args, **_kwargs):
raise AssertionError("interactive sudo prompt should not run for explicit empty password")
monkeypatch.setattr(terminal_tool, "_prompt_for_sudo_password", _fail_prompt)
transformed, sudo_stdin = terminal_tool._transform_sudo_command("sudo true")
assert transformed == "sudo -S -p '' true"
assert sudo_stdin == "\n"
def test_cached_sudo_password_is_used_when_env_is_unset(monkeypatch):
monkeypatch.delenv("SUDO_PASSWORD", raising=False)
monkeypatch.delenv("HERMES_INTERACTIVE", raising=False)
terminal_tool._set_cached_sudo_password("cached-pass")
transformed, sudo_stdin = terminal_tool._transform_sudo_command("echo ok && sudo whoami")
assert transformed == "echo ok && sudo -S -p '' whoami"
assert sudo_stdin == "cached-pass\n"
def test_cached_sudo_password_isolated_by_session_key(monkeypatch):
monkeypatch.delenv("SUDO_PASSWORD", raising=False)
monkeypatch.delenv("HERMES_INTERACTIVE", raising=False)
monkeypatch.setenv("HERMES_SESSION_KEY", "session-a")
terminal_tool._set_cached_sudo_password("alpha-pass")
monkeypatch.setenv("HERMES_SESSION_KEY", "session-b")
assert terminal_tool._get_cached_sudo_password() == ""
monkeypatch.setenv("HERMES_SESSION_KEY", "session-a")
assert terminal_tool._get_cached_sudo_password() == "alpha-pass"
def test_passwordless_sudo_skips_interactive_prompt_and_rewrite(monkeypatch):
monkeypatch.delenv("SUDO_PASSWORD", raising=False)
monkeypatch.delenv("TERMINAL_ENV", raising=False)
monkeypatch.setenv("HERMES_INTERACTIVE", "1")
def _fail_prompt(*_args, **_kwargs):
raise AssertionError(
"interactive sudo prompt should not run when sudo -n already works"
)
monkeypatch.setattr(terminal_tool, "_prompt_for_sudo_password", _fail_prompt)
monkeypatch.setattr(terminal_tool, "_sudo_nopasswd_works", lambda: True, raising=False)
transformed, sudo_stdin = terminal_tool._transform_sudo_command("sudo whoami")
assert transformed == "sudo whoami"
assert sudo_stdin is None
def test_passwordless_sudo_probe_rechecks_local_terminal(monkeypatch):
monkeypatch.delenv("TERMINAL_ENV", raising=False)
calls = []
class Result:
def __init__(self, returncode):
self.returncode = returncode
def fake_run(args, **kwargs):
calls.append((args, kwargs))
return Result(0 if len(calls) == 1 else 1)
monkeypatch.setattr(terminal_tool.subprocess, "run", fake_run)
assert terminal_tool._sudo_nopasswd_works() is True
assert terminal_tool._sudo_nopasswd_works() is False
assert len(calls) == 2
assert calls[0][0] == ["sudo", "-n", "true"]
assert calls[1][0] == ["sudo", "-n", "true"]
def test_passwordless_sudo_probe_is_disabled_for_nonlocal_terminal_env(monkeypatch):
monkeypatch.setenv("TERMINAL_ENV", "docker")
def _fail_run(*_args, **_kwargs):
raise AssertionError("host sudo probe must not run for non-local terminal envs")
monkeypatch.setattr(terminal_tool.subprocess, "run", _fail_run)
assert terminal_tool._sudo_nopasswd_works() is False
def test_validate_workdir_allows_windows_drive_paths():
assert terminal_tool._validate_workdir(r"C:\Users\Alice\project") is None
assert terminal_tool._validate_workdir("C:/Users/Alice/project") is None
def test_validate_workdir_allows_windows_unc_paths():
assert terminal_tool._validate_workdir(r"\\server\share\project") is None
def test_validate_workdir_blocks_shell_metacharacters_in_windows_paths():
assert terminal_tool._validate_workdir(r"C:\Users\Alice\project; rm -rf /")
assert terminal_tool._validate_workdir(r"C:\Users\Alice\project$(whoami)")
assert terminal_tool._validate_workdir("C:\\Users\\Alice\\project\nwhoami")
def test_get_env_config_ignores_bad_docker_json_for_local_backend(monkeypatch):
"""Docker-only JSON env vars must not break the default local backend."""
monkeypatch.setenv("TERMINAL_ENV", "local")
monkeypatch.setenv("TERMINAL_DOCKER_VOLUMES", "None")
monkeypatch.setenv("TERMINAL_DOCKER_ENV", "not-json")
monkeypatch.setenv("TERMINAL_DOCKER_FORWARD_ENV", "not-json")
monkeypatch.setenv("TERMINAL_DOCKER_EXTRA_ARGS", "not-json")
config = terminal_tool._get_env_config()
assert config["env_type"] == "local"
assert config["docker_volumes"] == []
assert config["docker_env"] == {}
assert config["docker_forward_env"] == []
assert config["docker_extra_args"] == []
def test_get_env_config_ignores_bad_docker_json_for_ssh_backend(monkeypatch):
"""Non-container remote backends should also ignore Docker-only JSON."""
monkeypatch.setenv("TERMINAL_ENV", "ssh")
monkeypatch.setenv("TERMINAL_DOCKER_VOLUMES", "None")
monkeypatch.setenv("TERMINAL_DOCKER_ENV", "not-json")
config = terminal_tool._get_env_config()
assert config["env_type"] == "ssh"
assert config["docker_volumes"] == []
assert config["docker_env"] == {}
def test_get_env_config_still_rejects_bad_docker_json_for_docker_backend(monkeypatch):
"""Selecting Docker should keep the existing actionable config error."""
monkeypatch.setenv("TERMINAL_ENV", "docker")
monkeypatch.setenv("TERMINAL_DOCKER_VOLUMES", "None")
try:
terminal_tool._get_env_config()
except ValueError as exc:
assert "TERMINAL_DOCKER_VOLUMES" in str(exc)
else:
raise AssertionError("Docker backend must validate TERMINAL_DOCKER_VOLUMES")
Reference in a new issue View git blame Copy permalink