b4fbd6fe9f
Deploy Site / deploy-vercel (push) Has been skipped
Deploy Site / deploy-docs (push) Has been skipped
Build Skills Index / build-index (push) Has been skipped
CI / Deny unrelated histories (push) Has been skipped
CI / Detect affected areas (push) Successful in 27m35s
CI / OSV scan (push) Failing after 4s
CI / Build&Test Docker image (push) Successful in 9s
CI / Supply-chain scan (push) Has been skipped
CI / Lint Docker scripts (push) Failing after 5m13s
CI / Check contributors (push) Failing after 12m8s
CI / Docs Site (push) Failing after 12m8s
CI / TypeScript (push) Failing after 12m8s
CI / Python lints (push) Failing after 12m9s
CI / Python tests (push) Failing after 12m9s
CI / Check uv.lock (push) Failing after 23m22s
CI / CI timing report (push) Has been cancelled
Build Skills Index / trigger-deploy (push) Has been cancelled
CI / All required checks pass (push) Has been cancelled
82 lines
2.7 KiB
Python
82 lines
2.7 KiB
Python
"""Module-level registry for DashboardAuthProvider instances.
|
|
|
|
Plugins call ``register_provider`` via the plugin context hook at startup.
|
|
The auth gate middleware iterates ``list_providers()`` and uses
|
|
``get_provider`` to dispatch on the session's ``provider`` field.
|
|
"""
|
|
from __future__ import annotations
|
|
|
|
import logging
|
|
import threading
|
|
from typing import List, Optional
|
|
|
|
from hermes_cli.dashboard_auth.base import (
|
|
DashboardAuthProvider,
|
|
assert_protocol_compliance,
|
|
)
|
|
|
|
_log = logging.getLogger(__name__)
|
|
_lock = threading.Lock()
|
|
_providers: dict[str, DashboardAuthProvider] = {}
|
|
|
|
|
|
def register_provider(provider: DashboardAuthProvider) -> None:
|
|
"""Register a provider.
|
|
|
|
Raises:
|
|
TypeError: on protocol violation.
|
|
ValueError: if a provider with the same name is already registered.
|
|
"""
|
|
assert_protocol_compliance(type(provider))
|
|
with _lock:
|
|
if provider.name in _providers:
|
|
raise ValueError(
|
|
f"dashboard-auth provider already registered: {provider.name!r}"
|
|
)
|
|
_providers[provider.name] = provider
|
|
_log.info(
|
|
"dashboard-auth: registered provider %r (%s)",
|
|
provider.name, provider.display_name,
|
|
)
|
|
|
|
|
|
def get_provider(name: str) -> Optional[DashboardAuthProvider]:
|
|
"""Return the registered provider for ``name``, or None if unknown."""
|
|
with _lock:
|
|
return _providers.get(name)
|
|
|
|
|
|
def list_providers() -> List[DashboardAuthProvider]:
|
|
"""All registered providers, in registration order."""
|
|
with _lock:
|
|
return list(_providers.values())
|
|
|
|
|
|
def list_token_providers() -> List[DashboardAuthProvider]:
|
|
"""Registered providers that support non-interactive token auth.
|
|
|
|
The subset of ``list_providers()`` whose ``supports_token`` flag is True,
|
|
in registration order. The ``token_auth`` middleware seam consults these
|
|
(and only these) when a token-authable route is hit, so OAuth/password-only
|
|
providers are never asked to ``verify_token``. Returns an empty list when
|
|
no token provider is registered — a token-authable route then fails
|
|
closed (401), never open.
|
|
"""
|
|
with _lock:
|
|
return [p for p in _providers.values() if getattr(p, "supports_token", False)]
|
|
|
|
|
|
def list_session_providers() -> List[DashboardAuthProvider]:
|
|
"""Registered providers with supports_session True (interactive cookie
|
|
sessions). The login page, /auth/login, and the gate's verify/refresh loops
|
|
consult only these. Mirror of list_token_providers.
|
|
"""
|
|
with _lock:
|
|
return [p for p in _providers.values() if getattr(p, "supports_session", True)]
|
|
|
|
|
|
def clear_providers() -> None:
|
|
"""Test-only: drop all registrations."""
|
|
with _lock:
|
|
_providers.clear()
|