FijFdZddlZddlZddlZddlZddlZddlZddlZddlm Z ddl m Z ddl m Z mZddlmZddlmZdZd Zd Zd Zd Zd Zd ZeddZde deddfdZGddZdS)a DM Pairing System Code-based approval flow for authorizing new users on messaging platforms. Instead of static allowlists with user IDs, unknown users receive a one-time pairing code that the bot owner approves via the CLI. Security features (based on OWASP + NIST SP 800-63-4 guidance): - 8-char codes from 32-char unambiguous alphabet (no 0/O/1/I) - Cryptographic randomness via secrets.choice() - 1-hour code expiry - Max 3 pending codes per platform - Rate limiting: 1 request per user per 10 minutes - Lockout after 5 failed approval attempts (1 hour) - File permissions: chmod 0600 on all data files - Codes are never logged to stdout Storage: ~/.hermes/pairing/ N)Path)Optional)expand_whatsapp_aliasesnormalize_whatsapp_identifier)get_hermes_dir)atomic_replace ABCDEFGHJKLMNPQRSTUVWXYZ23456789iiXzplatforms/pairingpairingpathdatareturncj|jddtjt |jd\}} t j|dd5}|||t j | dddn #1swxYwYt|| t j |d dS#t$rYdSwxYw#t$r( t j|n#t$rYnwxYwwxYw) uWrite data to file with restrictive permissions (owner read/write only). Uses a temp-file + atomic rename so readers always see either the old complete file or the new one — never a partial write. Tparentsexist_okz.tmp)dirsuffixwutf-8encodingNi)parentmkdirtempfilemkstempstrosfdopenwriteflushfsyncfilenorchmodOSError BaseExceptionunlink)rrfdtmp_pathfs 4/home/ubuntu/.hermes/hermes-agent/gateway/pairing.py _secure_writer.7s  KdT222#DK(8(8HHHLB Yr3 1 1 1 !Q GGDMMM GGIII HQXXZZ  ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! x&&&  HT5 ! ! ! ! !    DD    Ih        D  ss D AB<0 D<CDCDC// C=9D<C==D D2 D D2 D-*D2,D--D2c eZdZdZdZdedefdZdedefdZdefdZ dede fd Z ded e dd fd Z ded edefdZ ded edeefdZdedededefdZded edefdZd'dedefdZd(ded ededd fdZded edefdZedededefdZ d(ded ededeefdZdededee fdZd'dedefdZd'dedefdZded edefd Z ded edd fd!Z!dedefd"Z"dedd fd#Z#dedd fd$Z$d%edefd&Z%d S)) PairingStorea Manages pairing codes and approved user lists. Data files per platform: - {platform}-pending.json : pending pairing requests - {platform}-approved.json : approved (paired) users - _rate_limits.json : rate limit tracking cntddtj|_dS)NTr) PAIRING_DIRr threadingRLock_lockselfs r-__init__zPairingStore.__init__[s0$666_&& platformrct|dz S)Nz -pending.jsonr2r7r:s r- _pending_pathzPairingStore._pending_pathas77777r9ct|dz S)Nz-approved.jsonr<r=s r-_approved_pathzPairingStore._approved_pathds88888r9ctdz S)Nz_rate_limits.jsonr<r6s r-_rate_limit_pathzPairingStore._rate_limit_pathgs000r9rc|rG tj|dS#tjt f$ricYSwxYwiS)Nrr)existsjsonloads read_textJSONDecodeErrorr')r7rs r- _load_jsonzPairingStore._load_jsonjsf ;;==  z$..'."B"BCCC('2      s'>AArNcPt|tj|dddS)NF)indent ensure_ascii)r.rEdumps)r7rrs r- _save_jsonzPairingStore._save_jsonrs)dDJtAEJJJKKKKKr9user_idczt|pd}|dkrt|p|S|S)z> LU]U }8TVVVr9c|||}|D]}||||rdSdS)z3Check if a user is approved (paired) on a platform.TF)rIr@rc)r7r:rPapprovedapproved_user_ids r- is_approvedzPairingStore.is_approveds]??4#6#6x#@#@AA (   ##H.>HH tt ur9cg}|r|gn|d}|D]^}|||}|D]\}}|||d| _|S)z5List approved users, optionally filtered by platform.re)r:rP)_all_platformsrIr@itemsappend)r7r:results platformspreuidinfos r- list_approvedzPairingStore.list_approveds"*OXJJ0C0CJ0O0O  H HAt':':1'='=>>H%^^-- H H TA#FFFGGGG Hr9rR user_namec<}|fd|D}|D]}||=|tjd|<|dS)zAAdd a user to the approved list. Must be called under self._lock.cBg|]}||Src).0rfnormalized_user_idr:r7s r- z.PairingStore._approve_user..sC    ##H.>@RSS    r9)rr approved_atN)rIr@rVtimerO)r7r:rPrrre duplicate_idsrfrxs`` @r- _approve_userzPairingStore._approve_users??4#6#6x#@#@AA!44XwGG      $,   !. + + )**#9;;( ( #$ ++H55x@@@@@r9c}j5|}fd|D}|r,|D]}||=|| ddddS dddn #1swxYwYdS)z.sB$''2BGLL r9NTF)r@r5rIrO)r7r:rPrre matching_idsrfs``` r-revokezPairingStore.revokes)""8,, Z  t,,H(0L  (433$ !122h///                        usABBBcodesaltcztj||dzS)z6Hash a pairing code with the given salt using SHA-256.r)hashlibsha256encode hexdigest)rrs r- _hash_codezPairingStore._hash_codes1~dT[[%9%99::DDFFFr9c|j5|||||}||r ddddS|||r ddddS|||}t|tkr ddddSd dttD}tj d}|||}tjd} ||||t%jd|| <||||||||cdddS#1swxYwYdS)a Generate a pairing code for a new user. Returns the code string, or None if: - User is rate-limited (too recent request) - Max pending codes reached for this platform - User/platform is in lockout due to failed attempts The code is NOT stored in plaintext. Only a salted SHA-256 hash is persisted so that reading the pending file does not reveal codes. NrRc3HK|]}tjtVdSN)secretschoiceALPHABET)rw_s r- z-PairingStore.generate_code..s,PP7>(33PPPPPPr9r )hashrrPrr created_at)r5_cleanup_expiredrV_is_locked_out_is_rate_limitedrIr>lenMAX_PENDING_PER_PLATFORMjoinrange CODE_LENGTHr urandomrr token_hexhexr{rO_record_rate_limit) r7r:rPrrrxpendingrr code_hashentry_ids r- generate_codezPairingStore.generate_codesNZ( (   ! !( + + +!%!8!87!K!K ""8,,  ( ( ( ( ( ( ( ( $$Xw77 ( ( ( ( ( ( ( ( ood&8&8&B&BCCG7||777( ( ( ( ( ( ( ( $77PPU;=O=OPPPPPD:b>>Dd33I(++H" -&"ikk !!GH  OOD..x88' B B B  # #Hg 6 6 6Q( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( s&AF3F3;AF3 CF33F7:F7c |j5|||}||r ddddS|||}d}d}|D]\}}t|tsd|vsd|vr$ t |d}n#t$rYRwxYw| ||} tj| |dr|}|}n|#|| ddddS||=|||||||d|dd|d|dddcdddS#1swxYwYdS)u Approve a pairing code. Adds the user to the approved list. Returns ``{user_id, user_name}`` on success, ``None`` if the code is invalid/expired OR the platform is currently locked out after ``MAX_FAILED_ATTEMPTS`` failed approvals (#10195). Callers can disambiguate with ``_is_locked_out(platform)``. Verification: the user-provided code is hashed with each stored entry's salt and compared to the stored hash using constant-time comparison. Pre-hash entries (legacy plaintext-key format from pre-upgrade pending.json files) are silently ignored — they get pruned at TTL by ``_cleanup_expired``. NrrrPrrrR)rPrr)r5rupperrTrrIr>rj isinstancedictbytesfromhex ValueErrorrrcompare_digest_record_failed_attemptrOr}get) r7r:rr matched_key matched_entryrentryrcandidate_hashs r- approve_codezPairingStore.approve_codesZ3 3   ! !( + + +::<<%%''D""8,, 3 3 3 3 3 3 3 3 ood&8&8&B&BCCGK M#*==??  %!%..&&&*=*= ==v77DD!H!%t!rjrrrintfloatr{rrk) r7r:rlrmrnrrrprage_minhash_val code_displays r- list_pendingzPairingStore.list_pendingHs Z  &.R D4G4G 4R4RI  %%a(((//$*<*%>'. $$                *sE E77E;>E;cN|j5d}|r|gn|d}|D]e}|||}|t |z }|||if dddn #1swxYwY|S)z2Clear all pending requests. Returns count removed.rrN)r5rirIr>rrO)r7r:countrmrnrs r- clear_pendingzPairingStore.clear_pendingis Z ; ;E&.R D4G4G 4R4RI ; ;//$*<*rIr{rjrrrkrrrCODE_TTL_SECONDSrO) r7r:rrrexpiredrrprs r-rzPairingStore._cleanup_expireds !!(++//$''ikk%mmoo ) )NHddD)) x(((,//Jj3,77 x(((j $444x(((  +# & &H%% OOD' * * * * * + +r9rcg}tD]i}|jd|drI|jd|dd}|ds||j|S)z:List all platforms that have data files of a given suffix.-z.jsonrRr)r2iterdirnameendswithreplace startswithrk)r7rrmr,r:s r-rizPairingStore._all_platformss $$&& / /Av0600011 /6>>*;f*;*;*;R@@**3///$$X...r9r)rR)&__name__ __module__ __qualname____doc__r8rrr>r@rBrrIrOrVrXr\r`rcrglistrqr}r staticmethodrrrrrrrrrrrrrrirur9r-r0r0Qs''' 8c8d88889s9t99991$1111tLtL4LDLLLL3  s s3x    WW3WsWtWWWWC#$cTAAcACACAQUAAAA$sST&GGEGcGGG\G =?666&)6696 #6666pBSBBBBBBHSDB  c S    st93999999+s+t++++ 9s 9t 9 9 9 9 ++++++4STr9r0)rrrEr rrr3r{pathlibrtypingrgateway.whatsapp_identityrrhermes_constantsrutilsrrrrrrrrr2rr.r0rur9r-rsi(  ,+++++  . n0)<< CD4qqqqqqqqqqr9