b4fbd6fe9f
Deploy Site / deploy-vercel (push) Has been skipped
Deploy Site / deploy-docs (push) Has been skipped
Build Skills Index / build-index (push) Has been skipped
CI / Deny unrelated histories (push) Has been skipped
CI / Detect affected areas (push) Successful in 27m35s
CI / OSV scan (push) Failing after 4s
CI / Build&Test Docker image (push) Successful in 9s
CI / Supply-chain scan (push) Has been skipped
CI / Lint Docker scripts (push) Failing after 5m13s
CI / Check contributors (push) Failing after 12m8s
CI / Docs Site (push) Failing after 12m8s
CI / TypeScript (push) Failing after 12m8s
CI / Python lints (push) Failing after 12m9s
CI / Python tests (push) Failing after 12m9s
CI / Check uv.lock (push) Failing after 23m22s
CI / CI timing report (push) Has been cancelled
Build Skills Index / trigger-deploy (push) Has been cancelled
CI / All required checks pass (push) Has been cancelled
143 lines
5.3 KiB
Python
143 lines
5.3 KiB
Python
"""Tests for the Chronos cron-fire webhook ON THE DASHBOARD APP (web_server).
|
|
|
|
Regression guard for the relocation bug: the fire webhook MUST live on the
|
|
dashboard FastAPI app (`hermes_cli.web_server.app`) — the agent's public HTTP
|
|
surface on hosted deployments — not only on the aiohttp APIServerAdapter (which
|
|
hosted agents don't expose). It must:
|
|
- be a registered route on the dashboard app,
|
|
- be in PUBLIC_API_PATHS so the dashboard cookie gate doesn't 401 it before
|
|
the JWT verifier runs,
|
|
- reject a bad/missing NAS-JWT with 401 (the JWT is the real gate),
|
|
- 400 on missing job_id,
|
|
- on a valid token, resolve the job's profile and run fire_due in the
|
|
background, returning 202.
|
|
"""
|
|
|
|
import pytest
|
|
from starlette.testclient import TestClient
|
|
|
|
from hermes_cli import web_server
|
|
from hermes_cli.dashboard_auth.public_paths import PUBLIC_API_PATHS
|
|
|
|
|
|
def _client(auth_required: bool):
|
|
prev_auth = getattr(web_server.app.state, "auth_required", None)
|
|
prev_host = getattr(web_server.app.state, "bound_host", None)
|
|
web_server.app.state.auth_required = auth_required
|
|
web_server.app.state.bound_host = None
|
|
client = TestClient(web_server.app)
|
|
return client, prev_auth, prev_host
|
|
|
|
|
|
def _restore(prev_auth, prev_host):
|
|
if prev_auth is None:
|
|
if hasattr(web_server.app.state, "auth_required"):
|
|
delattr(web_server.app.state, "auth_required")
|
|
else:
|
|
web_server.app.state.auth_required = prev_auth
|
|
if prev_host is None:
|
|
if hasattr(web_server.app.state, "bound_host"):
|
|
delattr(web_server.app.state, "bound_host")
|
|
else:
|
|
web_server.app.state.bound_host = prev_host
|
|
|
|
|
|
def test_route_registered_on_dashboard_app():
|
|
"""The fire webhook is served by the dashboard app (the hosted-agent public
|
|
surface), not only the aiohttp adapter."""
|
|
paths = {r.path for r in web_server.app.routes if hasattr(r, "path")}
|
|
assert "/api/cron/fire" in paths
|
|
|
|
|
|
def test_fire_path_is_public():
|
|
"""Must bypass the dashboard cookie gate so the NAS bearer-JWT callback
|
|
reaches the verifier (the JWT is the real auth)."""
|
|
assert "/api/cron/fire" in PUBLIC_API_PATHS
|
|
|
|
|
|
def test_bad_token_401(monkeypatch):
|
|
"""Invalid NAS-JWT -> 401, even with the dashboard auth gate ENGAGED
|
|
(proves the route is reachable past the cookie gate and the verifier is the
|
|
gate). fire_due must NOT run."""
|
|
fired = []
|
|
monkeypatch.setattr(
|
|
"plugins.cron_providers.chronos.verify.get_fire_verifier",
|
|
lambda: (lambda **kw: None), # verification fails
|
|
)
|
|
monkeypatch.setattr(web_server, "_find_cron_job_profile", lambda jid: "default")
|
|
monkeypatch.setattr(web_server, "_fire_cron_job_for_profile",
|
|
lambda p, j: fired.append((p, j)))
|
|
|
|
client, pa, ph = _client(auth_required=True)
|
|
try:
|
|
resp = client.post("/api/cron/fire",
|
|
headers={"Authorization": "Bearer forged"},
|
|
json={"job_id": "abc"})
|
|
assert resp.status_code == 401
|
|
assert fired == []
|
|
finally:
|
|
_restore(pa, ph)
|
|
client.close()
|
|
|
|
|
|
def test_missing_job_id_400(monkeypatch):
|
|
monkeypatch.setattr(
|
|
"plugins.cron_providers.chronos.verify.get_fire_verifier",
|
|
lambda: (lambda **kw: {"purpose": "cron_fire"}),
|
|
)
|
|
client, pa, ph = _client(auth_required=False)
|
|
try:
|
|
resp = client.post("/api/cron/fire",
|
|
headers={"Authorization": "Bearer good"},
|
|
json={})
|
|
assert resp.status_code == 400
|
|
finally:
|
|
_restore(pa, ph)
|
|
client.close()
|
|
|
|
|
|
def test_unknown_job_200_gone(monkeypatch):
|
|
"""Valid token but the job isn't found in any profile -> 200 'gone'
|
|
(NAS shouldn't retry a fire for a cancelled/completed job)."""
|
|
monkeypatch.setattr(
|
|
"plugins.cron_providers.chronos.verify.get_fire_verifier",
|
|
lambda: (lambda **kw: {"purpose": "cron_fire"}),
|
|
)
|
|
monkeypatch.setattr(web_server, "_find_cron_job_profile", lambda jid: None)
|
|
client, pa, ph = _client(auth_required=False)
|
|
try:
|
|
resp = client.post("/api/cron/fire",
|
|
headers={"Authorization": "Bearer good"},
|
|
json={"job_id": "ghost"})
|
|
assert resp.status_code == 200
|
|
assert resp.json().get("status") == "gone"
|
|
finally:
|
|
_restore(pa, ph)
|
|
client.close()
|
|
|
|
|
|
def test_valid_token_accepts_and_fires(monkeypatch):
|
|
"""Valid token + known job -> 202 and fire_due invoked for the resolved
|
|
profile."""
|
|
fired = []
|
|
monkeypatch.setattr(
|
|
"plugins.cron_providers.chronos.verify.get_fire_verifier",
|
|
lambda: (lambda **kw: {"purpose": "cron_fire", "aud": "agent:x"}),
|
|
)
|
|
monkeypatch.setattr(web_server, "_find_cron_job_profile", lambda jid: "default")
|
|
monkeypatch.setattr(web_server, "_fire_cron_job_for_profile",
|
|
lambda p, j: fired.append((p, j)) or True)
|
|
|
|
client, pa, ph = _client(auth_required=False)
|
|
try:
|
|
resp = client.post("/api/cron/fire",
|
|
headers={"Authorization": "Bearer good"},
|
|
json={"job_id": "j1"})
|
|
assert resp.status_code == 202
|
|
assert resp.json()["job_id"] == "j1"
|
|
finally:
|
|
_restore(pa, ph)
|
|
client.close()
|
|
# background task ran the fire for the resolved profile
|
|
assert fired == [("default", "j1")]
|