b4fbd6fe9f
Deploy Site / deploy-vercel (push) Has been skipped
Deploy Site / deploy-docs (push) Has been skipped
Build Skills Index / build-index (push) Has been skipped
CI / Deny unrelated histories (push) Has been skipped
CI / Detect affected areas (push) Successful in 27m35s
CI / OSV scan (push) Failing after 4s
CI / Build&Test Docker image (push) Successful in 9s
CI / Supply-chain scan (push) Has been skipped
CI / Lint Docker scripts (push) Failing after 5m13s
CI / Check contributors (push) Failing after 12m8s
CI / Docs Site (push) Failing after 12m8s
CI / TypeScript (push) Failing after 12m8s
CI / Python lints (push) Failing after 12m9s
CI / Python tests (push) Failing after 12m9s
CI / Check uv.lock (push) Failing after 23m22s
CI / CI timing report (push) Has been cancelled
Build Skills Index / trigger-deploy (push) Has been cancelled
CI / All required checks pass (push) Has been cancelled
105 lines
4.3 KiB
Python
105 lines
4.3 KiB
Python
"""Redaction-safe forensic logging at the Nous OAuth quarantine path.
|
|
|
|
A NAS-hosted Fly agent's Nous bootstrap session can take a terminal
|
|
``invalid_grant`` and get quarantined (dead tokens cleared from auth.json).
|
|
Historically this was completely silent — no WARNING+ record at the terminal
|
|
rejection, only a downstream "No access token found" warning once the pool was
|
|
already empty. The Fly log drain is WARNING-only, so nothing about the terminal
|
|
death reached centralized logging. These tests lock in that
|
|
``_quarantine_nous_oauth_state`` now emits a WARNING+ forensic record, and — the
|
|
load-bearing assertion — that the raw refresh token never appears in that output.
|
|
"""
|
|
|
|
import hashlib
|
|
import logging
|
|
|
|
from hermes_cli.auth import AuthError, _quarantine_nous_oauth_state
|
|
|
|
|
|
# A distinctive, obviously-fake refresh token so the redaction assertion is
|
|
# unambiguous if it ever leaks.
|
|
_FAKE_RT = "nous_rt_LEAK_CANARY_do_not_log_raw_0123456789abcdef"
|
|
_EXPECTED_FP = hashlib.sha256(_FAKE_RT.encode("utf-8")).hexdigest()[:12]
|
|
|
|
|
|
def _make_state(**overrides):
|
|
state = {
|
|
"portal_base_url": "https://portal.example.com",
|
|
"client_id": "test-client-id",
|
|
"access_token": "nous_at_SECRET_access_token_material",
|
|
"refresh_token": _FAKE_RT,
|
|
"agent_key": "nous_agent_key_SECRET_material",
|
|
"agent_key_id": "ak-12345",
|
|
"expires_at": "2020-01-01T00:00:00+00:00", # in the past
|
|
"obtained_at": "2019-12-31T00:00:00+00:00",
|
|
}
|
|
state.update(overrides)
|
|
return state
|
|
|
|
|
|
def _error():
|
|
return AuthError(
|
|
"invalid_grant: token expired or revoked",
|
|
provider="nous",
|
|
code="invalid_grant",
|
|
relogin_required=True,
|
|
)
|
|
|
|
|
|
def test_quarantine_emits_warning(caplog):
|
|
state = _make_state()
|
|
with caplog.at_level(logging.WARNING, logger="hermes_cli.auth"):
|
|
_quarantine_nous_oauth_state(state, _error(), reason="unit_test_quarantine")
|
|
|
|
warnings = [r for r in caplog.records if r.levelno >= logging.WARNING]
|
|
assert warnings, "expected at least one WARNING+ record from quarantine"
|
|
assert any("quarantined" in r.getMessage() for r in warnings)
|
|
|
|
|
|
def test_warning_contains_hash_prefix_and_error_code(caplog):
|
|
state = _make_state()
|
|
with caplog.at_level(logging.WARNING, logger="hermes_cli.auth"):
|
|
_quarantine_nous_oauth_state(state, _error(), reason="unit_test_quarantine")
|
|
|
|
text = caplog.text
|
|
assert _EXPECTED_FP in text, (
|
|
f"expected refresh-token hash prefix {_EXPECTED_FP} in log output"
|
|
)
|
|
assert "invalid_grant" in text, "expected error.code in log output"
|
|
assert "unit_test_quarantine" in text, "expected reason in log output"
|
|
|
|
|
|
def test_raw_refresh_token_never_logged(caplog):
|
|
"""Load-bearing redaction-safety test: the raw secret must never appear."""
|
|
state = _make_state()
|
|
with caplog.at_level(logging.DEBUG, logger="hermes_cli.auth"):
|
|
_quarantine_nous_oauth_state(state, _error(), reason="unit_test_quarantine")
|
|
|
|
text = caplog.text
|
|
assert _FAKE_RT not in text, "RAW refresh token leaked into log output!"
|
|
# Belt-and-suspenders: the access token and agent key must not leak either.
|
|
assert "nous_at_SECRET_access_token_material" not in text
|
|
assert "nous_agent_key_SECRET_material" not in text
|
|
|
|
|
|
def test_quarantine_no_refresh_token_does_not_throw(caplog):
|
|
state = _make_state()
|
|
state.pop("refresh_token", None)
|
|
with caplog.at_level(logging.WARNING, logger="hermes_cli.auth"):
|
|
# Must not raise even when there is no refresh token to fingerprint.
|
|
_quarantine_nous_oauth_state(state, _error(), reason="unit_test_no_rt")
|
|
|
|
warnings = [r for r in caplog.records if r.levelno >= logging.WARNING]
|
|
assert warnings, "expected a WARNING even when refresh_token is absent"
|
|
# Fingerprint should be null/None, and definitely not the canary prefix.
|
|
assert _EXPECTED_FP not in caplog.text
|
|
|
|
|
|
def test_quarantine_clears_token_material():
|
|
"""Regression guard: the quarantine still clears dead token keys."""
|
|
state = _make_state()
|
|
_quarantine_nous_oauth_state(state, _error(), reason="unit_test_quarantine")
|
|
for key in ("access_token", "refresh_token", "agent_key", "agent_key_id", "expires_at"):
|
|
assert key not in state, f"{key} should have been cleared by quarantine"
|
|
assert state["last_auth_error"]["code"] == "invalid_grant"
|