#j'p UdZddlmZddlZddlZddlZddlZddlZddlZ ddl m Z m Z m Z ddlZddlmZmZmZmZmZmZejeZdZdaded <d Zd Zd Zd ZddZ GddeZ!ddZ"ddZ#ddZ$ddZ%dS)u1 NousDashboardAuthProvider — Nous Portal OAuth (authorization-code + PKCE). Implements ``nous-account-service/docs/agent-dashboard-oauth-contract.md`` (PR #180). The plugin auto-loads (bundled, kind=backend) but only registers its provider when a client_id is configured — either via ``config.yaml`` or via the Portal-injected env var — so loopback / ``--insecure`` operators are unaffected. Configuration surfaces (env wins over config.yaml when set non-empty): ``config.yaml`` — canonical surface:: dashboard: oauth: client_id: agent:{agent_instance_id} # required portal_url: https://portal.example # optional Environment overrides — used by Fly.io's platform-secret injection so per-deploy values don't need to bake into ``config.yaml``: HERMES_DASHBOARD_OAUTH_CLIENT_ID — shape ``agent:{agent_instance_id}`` HERMES_DASHBOARD_PORTAL_URL — defaults to ``https://portal.nousresearch.com`` (production Portal). Override only for staging (``portal.rewbs.uk``) or a custom deployment. Empty env var values are treated as unset so a provisioned-but-not-populated Fly secret can't shadow a valid config.yaml entry. Key contract points encoded here: - client_id is per-instance (``agent:{instance_id}``); the suffix is also cross-checked against the token's ``agent_instance_id`` claim as defense-in-depth. - scope is ``agent_dashboard:access`` only (no OIDC scopes). - tokens are RS256 JWTs verified against ``/.well-known/jwks.json``; JWKS is cached for 5 minutes. - the dashboard auth-code grant issues a 24h rotating refresh token (Portal NAS PR #293). ``refresh_session`` posts ``grant_type=refresh_token`` to rotate the access token; ``complete_login`` and ``refresh_session`` both populate ``Session.refresh_token`` with the (rotating) value the middleware persists back to the HttpOnly cookie. On a dead/expired/ reuse-detected refresh token Portal returns 400 → ``RefreshExpiredError`` → middleware redirects to ``/auth/login``. - audience claim is the bare ``client_id`` (no ``hermes-cli:`` prefix). - tolerant ``oauth_contract_version`` check: missing → warn + proceed; present and ``!= 1`` → refuse. The cookie payload returned by ``start_login`` stashes the PKCE ``code_verifier`` and the OAuth ``state`` parameter for the ``/auth/callback`` handler to retrieve. The auth-route layer is the owner of cookie names; this provider just hands back ``{"code_verifier": …, "state": …}`` and the route serializes those into the ``hermes_session_pkce`` cookie. Refresh-token rotation: Portal rotates the refresh token on every successful refresh and runs reuse-detection (replaying a rotated token outside Portal's 60s grace revokes the whole session). The host middleware therefore MUST persist the rotated ``Session.refresh_token`` back to the cookie on every refresh. Skip reasons: The plugin exposes a module-level ``LAST_SKIP_REASON`` that the gate's fail-closed branch reads to surface a useful operator error message ("Set HERMES_DASHBOARD_OAUTH_CLIENT_ID …") instead of the bare "no providers registered" the gate would otherwise emit. ) annotationsN)AnyDictOptional)DashboardAuthProviderInvalidCodeError LoginStart ProviderErrorRefreshExpiredErrorSessionzhttps://portal.nousresearch.comstrLAST_SKIP_REASONzagent_dashboard:accessi,g$@rawbytesreturncttj|dS)u6Base64url-encode without ``=`` padding (RFC 7636 §4).=)base64urlsafe_b64encoderstripdecode)rs I/home/ubuntu/.hermes/hermes-agent/plugins/dashboard_auth/nous/__init__.py_b64url_no_padrs-  #C ( ( / / 5 5 < < > >>ceZdZdZdZdZd(d Zd)d Zd*dZd+dZ d,dZ d-dZ d.dZ d/dZ d0dZd1d!Zd2d"Zd3d$Zd3d%Zd4d&Zd'S)5NousDashboardAuthProviderz7Nous Portal OAuth via authorization-code + PKCE (S256).nousz Nous Research client_idr portal_urlrNonec6|dstd|||_|tdd|_|d|_|jd|_|jd|_|jd|_ d|_ dS)Nagent:z?client_id must match contract shape 'agent:{instance_id}', got /z/.well-known/jwks.jsonz/oauth/authorizez/api/oauth/token) startswith ValueError _client_idlen_agent_instance_idr _portal_url _jwks_url_authorize_url _token_url _jwks_client)selfr r!s r__init__z"NousDashboardAuthProvider.__init__s##H-- % %% $"+CMMOO"<%,,S11 ,DDD!%!1CCC!-???"&r redirect_urir c||ttjd}tt j|d}ttjd}d|j|t||dd}|j dtj |}dd |d |i}t|| S) N@ascii codeS256) response_typer r2scopestatecode_challengecode_challenge_method?hermes_session_pkcezstate=z ;verifier=) redirect_urlcookie_payload)_validate_redirect_urirsecrets token_byteshashlibsha256encodedigestr(_SCOPEr-urllibparse urlencoder )r0r2 code_verifierr<r;paramsr@rAs r start_loginz%NousDashboardAuthProvider.start_logins ##L111&w':2'>'>?? ' N=//88 9 9 @ @ B B  w226677$(,%+  -PP 0F0Fv0N0NPP "#LE#L#L]#L#L |NSSSSrr7r;rMr c |} tj|jd|||j|dddit}n*#tj$r}t d||d}~wwxYw||tS)Nauthorization_code) grant_typer7r2r rMAcceptapplication/jsondataheaderstimeout#Portal token endpoint unreachable: bad_request_exc) httpxpostr.r(_TOKEN_ENDPOINT_TIMEOUT_SEC RequestErrorr _token_response_to_sessionr)r0r7r;rMr2_responseexcs rcomplete_loginz(NousDashboardAuthProvider.complete_logins  Vz"6 $0!%%2 "#563   HH! V V V Kc K KLLRU U V .. &6/   s/4AAA refresh_tokenc|std tj|jd|j|dd|dt }n*#tj$r}td||d}~wwxYw||t S) uRotate the access token using the refresh token. Posts ``grant_type=refresh_token`` to Portal's token endpoint. The refresh token is sent in the ``X-Refresh-Token`` header (not the body) so it never lands in Portal's request-body access logs — mirroring the device-flow CLI convention; Portal reconciles header vs. body and rejects conflicts. Portal rotates the refresh token on every successful refresh, so the returned ``Session.refresh_token`` is a NEW value the caller MUST persist (replacing the old cookie). Failing to persist it means the next refresh replays a rotated token and — outside Portal's 60s grace — trips reuse-detection and revokes the whole session. Raises ``RefreshExpiredError`` on a 400 (expired / revoked / reuse- detected), so the middleware clears cookies and forces re-login. Raises ``ProviderError`` if Portal is unreachable. z#no refresh token present in sessionre)rRr rerT)rSzx-nous-refresh-tokenrUrYNrZ) r r\r]r.r(r^r_r r`)r0rerbrcs rrefresh_sessionz)NousDashboardAuthProvider.refresh_sessions& M&&KLL L z#2!%%2 1,94-HH0!   ;c;;  .. &9/   s.AA)A$$A)rbhttpx.Responser[type[Exception]c|jdkr9||}|dd}|d||jdkr'td|jd|jdd||}|d }|rt |t std t |d d }|r|d krtd|||}|dpd } t | t sd } | || |S)uTranslate a Portal ``/api/oauth/token`` response into a Session. Shared by ``complete_login`` (auth-code grant) and ``refresh_session`` (refresh grant). ``bad_request_exc`` is the exception type raised on a 400 — ``InvalidCodeError`` for the auth-code path, ``RefreshExpiredError`` for the refresh path — so the middleware's distinct handling (400-on-callback vs. force-relogin) is preserved. ierrorinvalid_requestzPortal rejected token request: zPortal token endpoint returned z: N access_tokenz*Portal token response missing access_token token_typer bearerzunexpected token_type=re) status_code_parse_json_bodygetr text isinstancerlower _verify_jwt_session_from_claims) r0rbr[body error_codepayloadrnroclaimsres rr`z4NousDashboardAuthProvider._token_response_to_session0s  3 & &((22D'+<==J!/"PJ"P"PQQ Q  3 & &+(2F++=#&++  ''11{{>22  N:lC#@#@ N LMM M\26677==??  I*00 G G GHH H!!,// O44: --- M((}fMMMrrnOptional[Session]c ||}n#t$rYdSt$rwxYw||d|S)Nr )rwrr rx)r0rnr|s rverify_sessionz(NousDashboardAuthProvider.verify_session^sm  %%l33FF   44      ((r6BBBs  0 0c |}dS)N)r0reras rrevoke_sessionz(NousDashboardAuthProvider.revoke_sessionps trctj|}|jdvrt d||jr|jdst d|dS)uSurface obviously-broken redirect_uris before bouncing to Portal. The Portal-side check (``agent-redirect-uri.ts``) is authoritative; this is a fast-fail for the common operator-error case. We allow any ``http://`` host (not just localhost) so self-hosted dashboards reached over plain HTTP — LAN IPs, internal hostnames, reverse proxies that terminate TLS upstream — are not rejected here; Portal makes the final call on which redirect_uris are permitted. )httpshttpz"redirect_uri must be http(s), got z/auth/callbackz6redirect_uri path must end with '/auth/callback', got N)rJrKurlparseschemer pathendswith)r0r2parseds rrBz0NousDashboardAuthProvider._validate_redirect_uris&&|44 = 1 1 1E\EE { &+"6"67G"H"H (#((   rDict[str, Any]c|jdd}|dsiS |}n#t$ricYSwxYwt |t r|niS)Nz content-typer rT)rWrsr&jsonr'rudict)r0rbctyperys rrrz*NousDashboardAuthProvider._parse_json_bodys $$^R88 233 I ==??DD   III !$--5tt25sA AArcd|j#ddlm}||jdt|_|jS)Nr) PyJWKClientT) cache_keyslifespan)r/jwtrr,_JWKS_CACHE_SECONDS)r0rs r_get_jwks_clientz*NousDashboardAuthProvider._get_jwks_clientsL   $ ' ' ' ' ' ' + ,!!!D    rc ddl} ||}nE#|j$r}t d||d}~wt $r}t d||d}~wwxYw |||jdg|j|j dgdi}n#|j $r}td||d}~w|j $r}d} ||d d d  }d | d d| dd|j d|jd }n#t $rYnwxYwt d|||d}~wwxYw|||||S)NrzJWKS lookup failed: RS256require)expiataudisssub) algorithmsaudienceissueroptionszaccess token expired: r F)verify_signature verify_exp)rz [token iss=rz aud=rz; expected iss=]z"access token verification failed: )rrget_signing_key_from_jwtPyJWKClientErrorr Exceptionrkeyr(r+ExpiredSignatureErrorrInvalidTokenErrorrs_check_agent_instance_id_check_contract_version)r0rnr signing_keyrcr|details unverifieds rrwz%NousDashboardAuthProvider._verify_jwtsV   I//11JJKK# G G G s > >??S H I% ZZ#9'"$G$G$GH  FF( L L L"#AC#A#ABB K$   G  ZZ 16eLL( 0:>>%#8#800%>>%0000$($400 ?000     CSC'CC + 2 %%f--- $$V,,, si'. A0A  A0A++A04/B$$ E.C EEAD+*E+ D85E7D88EEr|c|d}|dS||jkrtd|d|jdS)z>Contract C9: cross-check agent_instance_id against our config.agent_instance_idNz"agent_instance_id mismatch: token=z vs configured=)rsr*r )r0r|token_instance_ids rrz2NousDashboardAuthProvider._check_agent_instance_idsl"JJ':;;  $ F  7 7 7=5F==!%!8==  8 7rc|d}|"tdtdS|tkrt d|dtdS)u.Contract C11 — tolerant treatment per OQ-C2.oauth_contract_versionNzjNous Portal token missing oauth_contract_version claim (contract says it should be %d); proceeding anyway.z#unsupported oauth_contract_version=z , expected )rsloggerwarning_EXPECTED_CONTRACT_VERSIONr )r0r|contract_versions rrz1NousDashboardAuthProvider._check_contract_versions!::&>??  # NNF*    F 9 9 996F99699  : 9rc  t|dd}|stdt|ddt|dpd|jt |d||S)Nrr z#token missing 'sub' (user_id) claimorg_idr)user_idemail display_namerprovider expires_atrnre)rrsr r nameint)r0rnrer|rs rrxz.NousDashboardAuthProvider._session_from_claimssfjj++,, G EFF Fvzz(++1r22Y6%=))%'    rN)r rr!rrr")r2rrr ) r7rr;rrMrr2rrr )rerrr )rbrhr[rirr )rnrrr})rerrr")r2rrr")rbrhrr)rr)rnrrr)r|rrr")rnrrerr|rrr )__name__ __module__ __qualname____doc__rrr1rOrdrgr`rrrBrrrrwrrrxrrrrrsLAA D"L&&&&(TTTT8# # # # J: : : : x+N+N+N+N\CCCC$     *6666 ! ! ! !7777r           rrrc ddlm}m}|}n4#t$r'}td|icYd}~Sd}~wwxYw||ddd}t |tr|niS)uReturn the ``dashboard.oauth`` block from ``config.yaml`` if it exists and is a dict; otherwise an empty dict. Robust to (a) load_config() raising (malformed YAML, IO error, config.yaml absent — common in fresh installs), (b) the ``dashboard`` key being absent or non-dict, and (c) the ``oauth`` sub-key being present but not a dict (user typo). Each shape falls through to ``{}`` so register() can rely on `.get(...)` access. r)cfg_get load_configzTdashboard-auth-nous: load_config() raised %s; falling back to env-only configurationN dashboardoauth)default)hermes_cli.configrrrrdebugrur)rrcfgrcsections r_load_config_oauth_sectionrs ::::::::kmm   5     gc;>>>G $// 777R7s AAAActjdd}|r|St dd}t |S)uResolve the OAuth client_id with env-overrides-config precedence. Order: 1. ``HERMES_DASHBOARD_OAUTH_CLIENT_ID`` env var (when non-empty after strip — empty values are treated as unset so a provisioned-but-not-populated Fly secret can't shadow a valid config.yaml entry). 2. ``dashboard.oauth.client_id`` in ``config.yaml``. 3. Empty string — signals "no client_id configured" to the caller. HERMES_DASHBOARD_OAUTH_CLIENT_IDr r )osenvironrsstriprrenv cfg_values r_resolve_client_idr6sf *..;R @ @ F F H HC  *,,00bAAI y>>   ! !!rctjdd}|r|St t dd}|pt S)a Resolve the Portal URL with env-overrides-config precedence. Order: 1. ``HERMES_DASHBOARD_PORTAL_URL`` env var (non-empty after strip). 2. ``dashboard.oauth.portal_url`` in ``config.yaml``. 3. :data:`_DEFAULT_PORTAL_URL` (production Portal). HERMES_DASHBOARD_PORTAL_URLr r!)rrrsrrr_DEFAULT_PORTAL_URLrs r_resolve_portal_urlrHsu *..6 ; ; A A C CC  "$$((r:: egg  +++rr"c dat}t}|s$datdtdS|ds(d|datdtdS t||}n=#t$r0}d |atdtYd}~dSd}~wwxYw| |t d ||dS) u_Plugin entry — called by the plugin loader at startup. Registers ``NousDashboardAuthProvider`` only when a client_id is configured (either via ``HERMES_DASHBOARD_OAUTH_CLIENT_ID`` env var or via ``dashboard.oauth.client_id`` in ``config.yaml``). The env var wins when set non-empty — Fly.io's platform-secret injection pushes the per-deploy value through this path. When skipping, writes a short human-readable reason to the module- level :data:`LAST_SKIP_REASON` so the dashboard's fail-closed branch can surface "Set HERMES_DASHBOARD_OAUTH_CLIENT_ID …" instead of the bare "no providers registered" the gate would otherwise emit. The reason mentions BOTH configuration surfaces so operators don't guess wrong about which one to populate. Operator-owned dashboards (loopback / ``--insecure``) leave both surfaces unset, so this plugin is a no-op for them. The gate- engagement layer (``hermes_cli.web_server.should_require_auth`` + the fail-closed check in ``start_server``) handles the "public bind with zero providers" case independently. r uyHERMES_DASHBOARD_OAUTH_CLIENT_ID is not set (and dashboard.oauth.client_id in config.yaml is empty). The Nous Portal provisions this env var (shape 'agent:{instance_id}') when it deploys a Hermes Agent instance — set it to your provisioned client id (either as an env var or under dashboard.oauth.client_id in config.yaml), or pass --insecure to skip the OAuth gate entirely.zdashboard-auth-nous: %sNr$z!HERMES_DASHBOARD_OAUTH_CLIENT_ID=z doesn't match the contract shape 'agent:{instance_id}'. The Nous Portal provisions this value at deploy time; check your Fly app's secrets or override with the value from the Portal admin UI.)r r!z/NousDashboardAuthProvider construction failed: zBdashboard-auth-nous: registered provider (client_id=%s, portal=%s)) rrrrrr&rrr' register_dashboard_auth_providerinfo)ctxr r!rrcs rregisterrYsR."$$I$&&J      .0@AAA    ) ) L  L L L  02BCCC,J    RSRR02BCCC ((222 KKLsB C%C  C)rrrr)rr)rr)rr")&r __future__rrrEloggingrrC urllib.parserJtypingrrrr\hermes_cli.dashboard_authrrr r r r getLoggerrrrr__annotations__rIrrr^rrrrrrrrrrsCCCJ#"""""  &&&&&&&&&&   8 $ $8" "#????| | | | | 5| | | H 88882""""$,,,,"BBBBBBr