mirror of
https://github.com/NousResearch/hermes-agent.git
synced 2026-06-21 10:22:18 +00:00
3fc7b624d8
Phase 4E (E.1 + E.2). The inbound side of Chronos: NAS POSTs the agent when a one-shot fires; the agent verifies a NAS-minted JWT and runs the job. E.1 — plugins/cron/chronos/verify.py: - verify_nas_fire_token(token, expected_audience, jwks_or_key, issuer): verifies signature against the NAS JWKS (RS/ES family; symmetric rejected), aud == this agent, exp/nbf, iss, and purpose == "cron_fire" (so a general agent JWT can't be replayed against the fire endpoint). Returns claims or None; never raises. Crypto delegated to PyJWT[crypto] (already a declared dep) — no hand-rolled JWT, no new dependency. No key configured → refuse (never unsigned-decode a security boundary). - get_fire_verifier(): pluggable indirection so the DQ-4 escape hatch (direct per-job cron-key) can swap in with no handler change. E.2 — gateway/platforms/api_server.py: - POST /api/cron/fire (registered only when _CRON_AVAILABLE). Authenticated by the NAS-JWT via get_fire_verifier() — NOT API_SERVER_KEY (NAS holds no API key; this is the only inbound that triggers remote job execution, so it gets its own purpose-scoped check). Verifier args come from cron.chronos.* config. 401 on bad/missing/forged token. 400 on missing job_id. On success: 202 + fire_due runs in the background (so a long agent turn never trips NAS's HTTP timeout); the store CAS claim inside fire_due de-dupes a scheduler retry. Tests: - test_chronos_verify (11): REAL RS256 signing — valid→claims, wrong-aud, missing/wrong purpose, expired, wrong-iss, tampered-signature (attacker key), no-key-refuse, empty-token, JWKS-URL key resolution, get_fire_verifier. - test_cron_fire_webhook (5): valid→202+fire, invalid→401+no-fire, missing token→401, missing job_id→400, and fire path does NOT require API_SERVER_KEY. api_server regression suites (214) green. E.3 (NAS endpoints) is a separate cross-repo PR; the wire contract lands next (docs/chronos-managed-cron-contract.md).
152 lines
5.3 KiB
Python
152 lines
5.3 KiB
Python
"""Tests for the Chronos cron-fire webhook (POST /api/cron/fire) — Phase 4E.2.
|
|
|
|
The webhook authenticates a NAS-minted JWT via the pluggable fire-verifier
|
|
(NOT API_SERVER_KEY), then runs the job via the resolved provider's fire_due in
|
|
the background, returning 202. These tests monkeypatch the verifier and
|
|
resolve_cron_scheduler — the verifier itself is tested with real crypto in
|
|
test_chronos_verify.py.
|
|
"""
|
|
|
|
import asyncio
|
|
|
|
import pytest
|
|
from aiohttp import web
|
|
from aiohttp.test_utils import TestClient, TestServer
|
|
|
|
from gateway.config import PlatformConfig
|
|
from gateway.platforms.api_server import APIServerAdapter, cors_middleware
|
|
|
|
_MOD = "gateway.platforms.api_server"
|
|
|
|
|
|
def _make_adapter() -> APIServerAdapter:
|
|
return APIServerAdapter(PlatformConfig(enabled=True, extra={"key": "sk-secret"}))
|
|
|
|
|
|
def _create_app(adapter: APIServerAdapter) -> web.Application:
|
|
app = web.Application(middlewares=[cors_middleware])
|
|
app["api_server_adapter"] = adapter
|
|
app.router.add_post("/api/cron/fire", adapter._handle_cron_fire)
|
|
return app
|
|
|
|
|
|
@pytest.fixture
|
|
def adapter():
|
|
return _make_adapter()
|
|
|
|
|
|
class _SpyProvider:
|
|
"""Records fire_due calls; stands in for the resolved provider."""
|
|
|
|
def __init__(self):
|
|
self.fired = []
|
|
|
|
def fire_due(self, job_id, *, adapters=None, loop=None):
|
|
self.fired.append(job_id)
|
|
return True
|
|
|
|
|
|
@pytest.mark.asyncio
|
|
async def test_valid_token_accepts_and_fires(adapter, monkeypatch):
|
|
"""Valid NAS-JWT + {job_id} → 202 and fire_due invoked with that id."""
|
|
spy = _SpyProvider()
|
|
monkeypatch.setattr("cron.scheduler_provider.resolve_cron_scheduler", lambda: spy)
|
|
# verifier returns claims (valid token)
|
|
monkeypatch.setattr(
|
|
"plugins.cron.chronos.verify.get_fire_verifier",
|
|
lambda: (lambda **kw: {"purpose": "cron_fire", "aud": "agent:x"}),
|
|
)
|
|
|
|
app = _create_app(adapter)
|
|
async with TestClient(TestServer(app)) as cli:
|
|
resp = await cli.post("/api/cron/fire",
|
|
headers={"Authorization": "Bearer good"},
|
|
json={"job_id": "abc123"})
|
|
assert resp.status == 202
|
|
data = await resp.json()
|
|
assert data["job_id"] == "abc123"
|
|
|
|
# fire runs in a background thread/task — give it a beat to land.
|
|
for _ in range(50):
|
|
if spy.fired:
|
|
break
|
|
await asyncio.sleep(0.01)
|
|
assert spy.fired == ["abc123"]
|
|
|
|
|
|
@pytest.mark.asyncio
|
|
async def test_invalid_token_401_and_no_fire(adapter, monkeypatch):
|
|
"""Bad/forged token → 401, fire_due NOT invoked."""
|
|
spy = _SpyProvider()
|
|
monkeypatch.setattr("cron.scheduler_provider.resolve_cron_scheduler", lambda: spy)
|
|
monkeypatch.setattr(
|
|
"plugins.cron.chronos.verify.get_fire_verifier",
|
|
lambda: (lambda **kw: None), # verification fails
|
|
)
|
|
|
|
app = _create_app(adapter)
|
|
async with TestClient(TestServer(app)) as cli:
|
|
resp = await cli.post("/api/cron/fire",
|
|
headers={"Authorization": "Bearer forged"},
|
|
json={"job_id": "abc123"})
|
|
assert resp.status == 401
|
|
|
|
await asyncio.sleep(0.05)
|
|
assert spy.fired == []
|
|
|
|
|
|
@pytest.mark.asyncio
|
|
async def test_missing_token_401(adapter, monkeypatch):
|
|
"""No Authorization header → verifier gets empty token → 401."""
|
|
spy = _SpyProvider()
|
|
monkeypatch.setattr("cron.scheduler_provider.resolve_cron_scheduler", lambda: spy)
|
|
# Real verifier: empty token returns None.
|
|
app = _create_app(adapter)
|
|
async with TestClient(TestServer(app)) as cli:
|
|
resp = await cli.post("/api/cron/fire", json={"job_id": "abc123"})
|
|
assert resp.status == 401
|
|
assert spy.fired == []
|
|
|
|
|
|
@pytest.mark.asyncio
|
|
async def test_missing_job_id_400(adapter, monkeypatch):
|
|
"""Valid token but no job_id → 400, no fire."""
|
|
spy = _SpyProvider()
|
|
monkeypatch.setattr("cron.scheduler_provider.resolve_cron_scheduler", lambda: spy)
|
|
monkeypatch.setattr(
|
|
"plugins.cron.chronos.verify.get_fire_verifier",
|
|
lambda: (lambda **kw: {"purpose": "cron_fire"}),
|
|
)
|
|
|
|
app = _create_app(adapter)
|
|
async with TestClient(TestServer(app)) as cli:
|
|
resp = await cli.post("/api/cron/fire",
|
|
headers={"Authorization": "Bearer good"},
|
|
json={})
|
|
assert resp.status == 400
|
|
assert spy.fired == []
|
|
|
|
|
|
@pytest.mark.asyncio
|
|
async def test_fire_does_not_require_api_server_key(adapter, monkeypatch):
|
|
"""The fire endpoint must NOT gate on API_SERVER_KEY — auth is the NAS-JWT.
|
|
A request with NO API key header but a valid fire token still succeeds."""
|
|
spy = _SpyProvider()
|
|
monkeypatch.setattr("cron.scheduler_provider.resolve_cron_scheduler", lambda: spy)
|
|
monkeypatch.setattr(
|
|
"plugins.cron.chronos.verify.get_fire_verifier",
|
|
lambda: (lambda **kw: {"purpose": "cron_fire"}),
|
|
)
|
|
|
|
app = _create_app(adapter)
|
|
async with TestClient(TestServer(app)) as cli:
|
|
# Bearer is the FIRE token, not the API_SERVER_KEY "sk-secret".
|
|
resp = await cli.post("/api/cron/fire",
|
|
headers={"Authorization": "Bearer nas-jwt"},
|
|
json={"job_id": "j9"})
|
|
assert resp.status == 202
|
|
for _ in range(50):
|
|
if spy.fired:
|
|
break
|
|
await asyncio.sleep(0.01)
|
|
assert spy.fired == ["j9"]
|