#j NdZddlmZddlmZmZddlmZddlm Z edGdd Z edGd d Z Gd d e Z Gdde ZGdde ZGdde ZGddeZddZdS)zFAbstract base + dataclasses + exceptions for dashboard auth providers.) annotations)ABCabstractmethod) dataclass)OptionalT)frozencdeZdZUdZded<ded<ded<ded<ded<ded <ded <ded <d S) Sessionu A verified identity. Returned by ``complete_login`` and ``verify_session``. All fields are mandatory. Providers that don't have a concept of orgs should set ``org_id`` to an empty string. ``access_token`` and ``refresh_token`` are opaque to Hermes — provider-specific. struser_idemail display_nameorg_idproviderint expires_at access_token refresh_tokenN__name__ __module__ __qualname____doc____annotations__C/home/ubuntu/.hermes/hermes-agent/hermes_cli/dashboard_auth/base.pyr r soLLLJJJKKKMMMOOOrr c(eZdZUdZded<ded<dS) LoginStartuFirst leg of the OAuth round trip. ``redirect_url`` is the URL the browser must navigate to (e.g. the Portal's ``/oauth/authorize``). ``cookie_payload`` is a dict of cookie name → serialised value that the auth route will ``Set-Cookie`` on the response. Used for PKCE state, CSRF nonces, etc. Cookies set here MUST be HttpOnly + Secure (when over HTTPS) + SameSite=Lax with a TTL ≤ 10 minutes (the login lifetime). r redirect_urlzdict[str, str]cookie_payloadNrrrrrrs6""""""rrceZdZdZdS) ProviderErrorzmIDP unreachable, network error, or other transient failure. Middleware translates this to HTTP 503. Nrrrrrrrr#r#,rr#ceZdZdZdS)InvalidCodeErrorzlThe OAuth callback ``code`` / ``state`` failed validation. Middleware translates this to HTTP 400. Nr$rrrr'r'3r%rr'ceZdZdZdS)InvalidCredentialsErrorafA username/password pair was rejected by a password provider. Raised by :meth:`DashboardAuthProvider.complete_password_login`. The ``/auth/password-login`` route translates this to HTTP 401 with a deliberately generic detail (never distinguishing "unknown user" from "wrong password") so the endpoint can't be used as a username oracle. Nr$rrrr)r):srr)ceZdZdZdS)RefreshExpiredErroruhThe refresh token is dead. Middleware clears cookies and forces re-login (302 → ``/login``). Nr$rrrr+r+Dr%rr+ceZdZUdZdZded<dZded<dZded<edd Z eddZ ed dZ ed!dZ ed"dZ d#dZdS)$DashboardAuthProvideru Protocol every dashboard-auth provider plugin implements. Lifecycle: 1. ``start_login`` — user clicks "Log in with X" on the login page. Provider returns a redirect URL and any PKCE/CSRF state to stash in short-lived cookies. 2. Browser bounces through the OAuth IDP and lands at /auth/callback. 3. ``complete_login`` — exchange the code + verifier for a Session. 4. ``verify_session`` — called on every request to validate the access token in the cookie. Returns ``None`` if the token is expired or invalid (middleware then triggers refresh or logout). 5. ``refresh_session`` — called when the access token is near expiry. Returns a new Session with rotated tokens. 6. ``revoke_session`` — called on /auth/logout. Best-effort. Failure semantics: * ``start_login`` may raise ``ProviderError`` if the IDP is unreachable. * ``complete_login`` raises ``InvalidCodeError`` on bad code/state; ``ProviderError`` if the IDP is unreachable. * ``verify_session`` returns ``None`` on expiry / unknown token; raises ``ProviderError`` if the IDP is unreachable. Middleware treats expiry and unreachable differently (expiry → refresh; unreachable → 503). * ``refresh_session`` raises ``RefreshExpiredError`` when the refresh token is also invalid; middleware then forces re-login. Raises ``ProviderError`` on network failure. * ``revoke_session`` is best-effort and must not raise. Subclasses MUST set ``name`` (lowercase identifier, stable forever) and ``display_name`` (user-facing label on the login page). Password (non-redirect) providers: A provider that authenticates with a username + password instead of an OAuth redirect sets ``supports_password = True`` and implements ``complete_password_login``. The login page then renders a credential form (POSTing to ``/auth/password-login``) instead of a "Log in with X" redirect button. Everything downstream of login — ``verify_session`` / ``refresh_session`` / ``revoke_session``, the session cookies, the WS-ticket mint — is identical to the OAuth path, because a password session is just a :class:`Session` with provider-minted opaque tokens. The OAuth methods (``start_login`` / ``complete_login``) remain abstract; a pure-password provider that will never be reached via the redirect flow may implement them as stubs that raise ``NotImplementedError``. r namerFboolsupports_password redirect_urireturnrcdSNr)selfr2s r start_loginz!DashboardAuthProvider.start_logins?Bsrcodestate code_verifierr cdSr5r)r6r8r9r:r2s rcomplete_loginz$DashboardAuthProvider.complete_logins #rrOptional[Session]cdSr5r)r6rs rverify_sessionz$DashboardAuthProvider.verify_sessionsILrrcdSr5rr6rs rrefresh_sessionz%DashboardAuthProvider.refresh_sessionsADrNonecdSr5rrAs rrevoke_sessionz$DashboardAuthProvider.revoke_sessions=@Srusernamepassword 'Session'cJtt|jd)u$Verify a username/password pair and mint a :class:`Session`. Only called when ``supports_password`` is True (the ``/auth/password-login`` route guards on the flag). The default raises ``NotImplementedError`` so an OAuth-only provider that forgets to set the flag fails loudly rather than silently accepting credentials. The returned ``Session`` carries provider-minted opaque ``access_token`` / ``refresh_token`` exactly like the OAuth path, so all downstream session handling (cookies, verify, refresh, ws-tickets, logout) is identical. Failure semantics: * ``InvalidCredentialsError`` — username/password rejected. The route surfaces a generic 401 (no user-vs-password distinction). Implementations SHOULD spend constant time on unknown users (dummy hash verify) to avoid a timing oracle. * ``ProviderError`` — the backing credential store is unreachable (LDAP/DB down); the route surfaces 503. zd does not support password login (set supports_password = True and override complete_password_login))NotImplementedErrortyper)r6rFrGs rcomplete_password_loginz-DashboardAuthProvider.complete_password_logins10"Dzz" ' ' '   rN)r2r r3r) r8r r9r r:r r2r r3r )rr r3r=)rr r3r )rr r3rC)rFr rGr r3rH)rrrrr/rrr1rr7r<r?rBrErLrrrr-r-Ks--^DNNNNL$####BBB^B^LLL^LDDD^D@@@^@      rr-clsrKr3rCc`d}d}|D].}t||d}|st|jd|/|D]9}tt||dst|jd|:t|ddr+t|jdt |jdS) a+Raise ``TypeError`` if ``cls`` doesn't fully implement the provider protocol. Call this in every provider plugin's unit tests:: def test_protocol_compliance(): assert_protocol_compliance(MyProvider) Returns ``None`` on success so callers can assert it explicitly. )r7r<r?rBrE)r/rr.z missing or empty attribute: Nz missing method: __abstractmethods__z% has unimplemented abstract methods: )getattr TypeErrorrcallablesortedrO)rMrequired_methodsrequired_attrsattrvalmethods rassert_protocol_compliancerYs.Nc4$$ <FFdFF  #HHVT2233 Hs|FFfFFGG G Hs)400 | 1 1c-.. 1 1     rN)rMrKr3rC)r __future__rabcrr dataclassesrtypingrr r Exceptionr#r'r)r+r-rYrrrr_sLL""""""########!!!!!! $$ $ # # # # # # # #Iyi)m m m m m Cm m m `! ! ! ! ! ! r