hermes-agent/tests/hermes_cli/test_custom_provider_extra_headers.py
kshitijk4poor ed4123792c refactor(providers): dedupe extra_headers normalizer + key picker groups by headers
Follow-up to @helix4u's #57336 salvage. Two review findings:

- W1: model-picker grouped custom-provider rows by
  (api_url, credential, api_mode) but NOT extra_headers. Entries sharing a
  URL+credential+api_mode yet declaring different headers (e.g. per-tenant
  routing behind one proxy) collapsed into one row and probed /models with
  whichever header set was seen first (order-dependent). Fold a canonical
  header identity into group_key so distinct header-authed endpoints stay
  separate; drops the now-dead first-non-empty merge branch.
- W2: the extra_headers stringify+None-filter comprehension existed in 5
  copies (config.py x2, runtime_provider.py, model_switch.py, models.py).
  Extract one shared hermes_cli.config.normalize_extra_headers primitive;
  all sites now call it.

Tests: +normalize_extra_headers unit tests, +regression test proving two
same-endpoint entries with different headers stay distinct and each probes
with its own headers. 223 targeted tests pass; ruff clean.
2026-07-03 04:23:15 +05:30

183 lines
5.8 KiB
Python

"""Tests for per-provider ``extra_headers`` in providers / custom_providers config.
PR #3526 salvage — user-configurable extra HTTP headers on LLM API calls
(reverse proxies, gateways, custom auth such as Cloudflare Access tokens).
"""
import json
from hermes_cli.config import (
_normalize_custom_provider_entry,
apply_custom_provider_extra_headers_to_client_kwargs,
get_custom_provider_extra_headers,
normalize_extra_headers,
)
from hermes_cli import models as models_mod
def test_normalize_extra_headers_stringifies_and_drops_none():
assert normalize_extra_headers({"X-Int": 7, "X-Str": "v", "X-None": None}) == {
"X-Int": "7",
"X-Str": "v",
}
def test_normalize_extra_headers_rejects_non_dict_and_empty():
for bad in (None, "x", 42, ["a"], {}):
assert normalize_extra_headers(bad) == {}
def test_normalize_entry_keeps_extra_headers():
normalized = _normalize_custom_provider_entry(
{
"name": "my-proxy",
"base_url": "https://llm.internal.example.com/v1",
"extra_headers": {"X-Custom-Auth": "tok", "X-Client-Name": "hermes"},
}
)
assert normalized is not None
assert normalized["extra_headers"] == {
"X-Custom-Auth": "tok",
"X-Client-Name": "hermes",
}
def test_normalize_entry_drops_invalid_extra_headers():
for bad in ("not-a-dict", {}, 42, ["a"]):
normalized = _normalize_custom_provider_entry(
{
"name": "my-proxy",
"base_url": "https://llm.internal.example.com/v1",
"extra_headers": bad,
}
)
assert normalized is not None
assert "extra_headers" not in normalized
def test_normalize_entry_stringifies_values_and_skips_none():
normalized = _normalize_custom_provider_entry(
{
"name": "my-proxy",
"base_url": "https://llm.internal.example.com/v1",
"extra_headers": {"X-Int": 7, "X-None": None},
}
)
assert normalized is not None
assert normalized["extra_headers"] == {"X-Int": "7"}
def test_get_custom_provider_extra_headers_matches_base_url():
providers = [
{
"name": "my-proxy",
"base_url": "https://llm.internal.example.com/v1",
"extra_headers": {"CF-Access-Client-Id": "xxxx.access"},
}
]
# trailing-slash and case insensitive match, mirroring the TLS helper
headers = get_custom_provider_extra_headers(
"https://LLM.internal.example.com/v1/",
custom_providers=providers,
)
assert headers == {"CF-Access-Client-Id": "xxxx.access"}
def test_get_custom_provider_extra_headers_no_match_returns_empty():
providers = [
{
"name": "my-proxy",
"base_url": "https://llm.internal.example.com/v1",
"extra_headers": {"X-Secret": "s"},
}
]
assert get_custom_provider_extra_headers(
"https://other.example.com/v1", custom_providers=providers,
) == {}
# prefix look-alike host must not match (no substring bypass)
assert get_custom_provider_extra_headers(
"https://llm.internal.example.com.attacker.test/v1",
custom_providers=providers,
) == {}
def test_apply_extra_headers_merges_onto_existing_defaults():
client_kwargs = {
"api_key": "x",
"base_url": "https://llm.internal.example.com/v1",
"default_headers": {"User-Agent": "curl/8.7.1", "X-Keep": "1"},
}
providers = [
{
"name": "my-proxy",
"base_url": "https://llm.internal.example.com/v1",
"extra_headers": {"User-Agent": "override", "X-New": "2"},
}
]
apply_custom_provider_extra_headers_to_client_kwargs(
client_kwargs,
"https://llm.internal.example.com/v1",
custom_providers=providers,
)
assert client_kwargs["default_headers"] == {
"User-Agent": "override", # provider-specific value wins
"X-Keep": "1", # untouched defaults preserved
"X-New": "2",
}
def test_apply_extra_headers_noop_without_match():
client_kwargs = {"api_key": "x", "base_url": "https://other.example.com/v1"}
providers = [
{
"name": "my-proxy",
"base_url": "https://llm.internal.example.com/v1",
"extra_headers": {"X-Secret": "s"},
}
]
apply_custom_provider_extra_headers_to_client_kwargs(
client_kwargs,
"https://other.example.com/v1",
custom_providers=providers,
)
assert "default_headers" not in client_kwargs
def test_fetch_api_models_sends_extra_headers_to_models_probe(monkeypatch):
captured = {}
class FakeResponse:
def __enter__(self):
return self
def __exit__(self, exc_type, exc, tb):
return False
def read(self):
return json.dumps({"data": [{"id": "proxy-model"}]}).encode()
def fake_urlopen(request, timeout=0):
captured["url"] = request.full_url
captured["timeout"] = timeout
captured["headers"] = {
key.lower(): value
for key, value in request.header_items()
}
return FakeResponse()
monkeypatch.setattr(models_mod.urllib.request, "urlopen", fake_urlopen)
models = models_mod.fetch_api_models(
"proxy-key",
"https://llm.internal.example.com/v1",
headers={
"sleeve-harness": "hermes",
"sleeve-base-url": "http://localhost:8081/v1",
},
)
assert models == ["proxy-model"]
assert captured["url"] == "https://llm.internal.example.com/v1/models"
assert captured["headers"]["authorization"] == "Bearer proxy-key"
assert captured["headers"]["sleeve-harness"] == "hermes"
assert captured["headers"]["sleeve-base-url"] == "http://localhost:8081/v1"