#jGhUdZddlmZddlZddlZddlZddlZddlZddlZddl Z ddl Z ddl m Z m Z ddlmZmZmZmZmZejeZdZdZdZd Zd Zd Zd ZejjZ d a!de"d<d)dZ#d*dZ$e#dZ%d+dZ&d,dZ'Gdd eZ(d-d!Z)d.d%Z*d/d&Z+d0d(Z,dS)1u BasicAuthProvider — username/password dashboard auth (no OAuth IDP). A self-hosted "just put a password on my dashboard" provider. It plugs into the same ``DashboardAuthProvider`` framework as the Nous OAuth provider, but authenticates with a username + password instead of an OAuth redirect: it sets ``supports_password = True`` and implements ``complete_password_login``. The login page renders a credential form for it; everything downstream of login (session cookies, verify, refresh, ws-tickets, logout) is identical to the OAuth path because a password session is just a :class:`Session` with provider-minted opaque tokens. This provider has **no external IDP and no database**. Credentials are configured up front; sessions are stateless HMAC-signed tokens this provider mints and verifies itself. That keeps it zero-infrastructure — appropriate for a single-box self-hosted dashboard. Configuration surfaces (env wins over config.yaml when set non-empty), mirroring the Nous provider's precedence convention: ``config.yaml`` — canonical surface:: dashboard: basic_auth: username: admin # required # Provide EITHER a precomputed scrypt hash (preferred — no # plaintext at rest) ... password_hash: "scrypt$..." # see hash_password() # ... OR a plaintext password (hashed in-memory at load). password: "s3cret" secret: "<32+ random bytes, base64 or hex>" # optional; token-signing key session_ttl_seconds: 43200 # optional; access-token lifetime (default 12h) Environment overrides:: HERMES_DASHBOARD_BASIC_AUTH_USERNAME HERMES_DASHBOARD_BASIC_AUTH_PASSWORD_HASH # preferred HERMES_DASHBOARD_BASIC_AUTH_PASSWORD # plaintext fallback HERMES_DASHBOARD_BASIC_AUTH_SECRET HERMES_DASHBOARD_BASIC_AUTH_TTL_SECONDS If ``secret`` is not configured, a random per-process secret is generated at startup. That's fine for a single-process dashboard, but means all sessions are invalidated on restart and sessions don't survive across multiple worker processes — set an explicit ``secret`` for stable multi-worker / restart-surviving sessions. Password hashing uses stdlib :func:`hashlib.scrypt` (memory-hard, no third-party dependency). ``complete_password_login`` runs a constant-time comparison and always performs a hash even for an unknown username, so the endpoint is not a username-enumeration timing oracle. Skip reasons: Like the Nous provider, this exposes a module-level ``LAST_SKIP_REASON`` the gate's fail-closed branch can surface when the plugin loads but declines to register (no username/password configured). ) annotationsN)AnyOptional)DashboardAuthProviderInvalidCredentialsError LoginStartRefreshExpiredErrorSessionii'i@ strLAST_SKIP_REASONpasswordreturnc tjt}tj|d|t tttd}dt dtdtdtj | dtj | S)a@Return a ``scrypt$n$r$p$$`` hash string. Use this to precompute ``password_hash`` for config.yaml so plaintext never sits at rest. Exposed as a module function so operators can run ``python -c "from plugins.dashboard_auth.basic import hash_password; print(hash_password('pw'))"``. utf-8rsaltnrpdklenmaxmemzscrypt$$) secrets token_bytes_SCRYPT_SALT_BYTEShashlibscryptencode _SCRYPT_N _SCRYPT_R _SCRYPT_P _SCRYPT_DKLENbase64 b64encodedecode)rrdks J/home/ubuntu/.hermes/hermes-agent/plugins/dashboard_auth/basic/__init__.py hash_passwordr-ss  1 2 2D         B M) M Mi M M) M M  D ! ! ( ( * * M M-3-=b-A-A-H-H-J-J M Mencodedboolc  |d\}}}}}}|dkrdSt|t|t|} } }tj|} tj|} n#tt f$rYdSwxYw t j|d| || | t| d} n#ttf$rYdSwxYwtj | | S)z@Constant-time scrypt verify. False on any malformed hash string.rr"Frrr) splitintr( b64decode ValueError TypeErrorr!r"r#len MemoryErrorhmaccompare_digest)rr/schemen_sr_sp_ssalt_b64dk_b64rrrrexpectedactuals r,_verify_passwordrCs29--2D2D/S#x X  5c((CHHc#hha1))#F++  "uu  OOG $ $h--     $uu  vx 0 00s)"A<AA<<BB;CC&%C&z'dummy-password-for-constant-time-verifypayloaddictsecretbytesctj|d}tj||t j}tj ||z S)N),:) separators) jsondumpsr#r9newr!sha256digestr(urlsafe_b64encoder*)rDrFrawsigs r,_signrTsd *W 4 4 4 ; ; = =C (63 / / 6 6 8 8C  #C#I . . 5 5 7 77r.tokenOptional[dict]c tj|}t|tkrdS|dt |t d}}t j||tj }t j ||sdStj |S#t$rYdSwxYwN)r(urlsafe_b64decoder#r7_SIG_LENr9rNr!rOrPr:rLloads Exception)rUrFblobrRrSrAs r,_unsignr^s ' 77 t99 4 ( #T8)**%5S8FC88??AA"311 4z# tts>B?A'B?+B?? C  C cleZdZdZdZdZdZedd&dZd'dZ d(dZ d)dZ d*dZ d+dZ d,dZd-d!Zd.d$Zd%S)/BasicAuthProviderz?Username/password provider with stateless HMAC-signed sessions.basiczUsername & PasswordT) ttl_secondsusernamer password_hashrFrGrbr3rNonec|std|stdt|dkrtd||_||_||_t dt ||_dS)Nzusername must be non-emptyzpassword_hash must be non-emptyrz secret must be at least 16 bytes<)r5r7 _username_password_hash_secretmaxr3_ttl)selfrcrdrFrbs r,__init__zBasicAuthProvider.__init__s ;9:: : @>?? ? v;;  ?@@ @!+ C ,,-- r. redirect_urirc td)NzzBasicAuthProvider is password-only; there is no OAuth redirect flow. The login page POSTs to /auth/password-login instead.NotImplementedError)rmros r, start_loginzBasicAuthProvider.start_logins! J   r.codestate code_verifierr c td)Nz@BasicAuthProvider is password-only; use complete_password_login.rq)rmrtrurvros r,complete_loginz BasicAuthProvider.complete_logins" N   r.rctj|d|jd}|r|jnt }t ||}|r|std||jS)Nrzinvalid username or password) r9r:r#rhri _DUMMY_HASHrCr _mint_session)rmrcr username_ok target_hash password_oks r,complete_password_loginz)BasicAuthProvider.complete_password_logins) OOG $ $dn&;&;G&D&D  .9Id))k &x==  J  J)*HII I!!$.111r. access_tokenOptional[Session]ct||j}|Q|ddks8|ddtt jkrdS||d|S)Nkindaccessexprr)r^rjgetr3time_session_from_payload)rmrrDs r,verify_sessionz BasicAuthProvider.verify_sessionss, 55 O{{6""h..{{5!$$DIKK(8(8884)),GDDDr. refresh_tokenc|stdt||j}|Q|ddks8|ddt t jkrtd|t|d|jS)Nz#no refresh token present in sessionrrefreshrrz refresh token expired or invalidsub) r r^rjrr3rr{rrh)rmrrDs r,refresh_sessionz!BasicAuthProvider.refresh_sessions M%&KLL L-66 O{{6""i//{{5!$$DIKK(8(888%&HII I!!#gkk%&H&H"I"IJJJr.c |}dSrX)rmr_s r,revoke_sessionz BasicAuthProvider.revoke_sessions tr.user_idc ttj}||jz}t|d|d|j}t|d|t zd|j}t |d|d|j|||S)Nr)rrrrrremail display_nameorg_idprovider expires_atrr)r3rrlrTrj_REFRESH_TTL_SECONDSr name)rmrnowrrrs r,r{zBasicAuthProvider._mint_session%s$)++DIoXc : :DL  Ys=Q7Q R R L   Y%'    r.rDrEc t|dd}t|d|d|jt |d||S)Nrrrr)rrr rr3)rmrrrDrs r,rz'BasicAuthProvider._session_from_payload:s\gkk%,,-- Y75>**%'    r.N) rcrrdrrFrGrbr3rre)rorrr) rtrrurrvrrorrr )rcrrrrr )rrrr)rrrr )rrrre)rrrr )rrrrrDrErr )__name__ __module__ __qualname____doc__rrsupports_password_DEFAULT_TTL_SECONDSrnrsrxrrrrr{rrr.r,r`r`sII D(L0 ......*        2222&EEEE K K K K    *       r.r`c ddlm}m}|}n4#t$r'}td|icYd}~Sd}~wwxYw||ddd}t |tr|niS)uReturn ``dashboard.basic_auth`` from config.yaml, or ``{}``. Robust to load_config() raising, the keys being absent, or the value not being a dict — every shape falls through to ``{}``. r)cfg_get load_configzUdashboard-auth-basic: load_config() raised %s; falling back to env-only configurationN dashboard basic_auth)default)hermes_cli.configrrr\loggerdebug isinstancerE)rrcfgexcsections r,_load_config_basic_auth_sectionrOs ::::::::kmm   5     gc; dCCCG $// 777R7s AAAAenv_name cfg_sectioncfg_keyctj|d}|r|St ||dpdS)zrs+777r#"""""      8 $ $$(    7>   '01111:mEFF 8888    &~ ~ ~ ~ ~ -~ ~ ~ L8888*;;;;