Files
nousresearch--hermes-agent/tests/hermes_cli/test_cron_fire_dashboard.py
T
wehub-resource-sync b4fbd6fe9f
Deploy Site / deploy-vercel (push) Has been skipped
Deploy Site / deploy-docs (push) Has been skipped
Build Skills Index / build-index (push) Has been skipped
CI / Deny unrelated histories (push) Has been skipped
CI / Detect affected areas (push) Successful in 27m35s
CI / OSV scan (push) Failing after 4s
CI / Build&Test Docker image (push) Successful in 9s
CI / Supply-chain scan (push) Has been skipped
CI / Lint Docker scripts (push) Failing after 5m13s
CI / Check contributors (push) Failing after 12m8s
CI / Docs Site (push) Failing after 12m8s
CI / TypeScript (push) Failing after 12m8s
CI / Python lints (push) Failing after 12m9s
CI / Python tests (push) Failing after 12m9s
CI / Check uv.lock (push) Failing after 23m22s
CI / CI timing report (push) Has been cancelled
Build Skills Index / trigger-deploy (push) Has been cancelled
CI / All required checks pass (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 11:56:03 +08:00

143 lines
5.3 KiB
Python

"""Tests for the Chronos cron-fire webhook ON THE DASHBOARD APP (web_server).
Regression guard for the relocation bug: the fire webhook MUST live on the
dashboard FastAPI app (`hermes_cli.web_server.app`) — the agent's public HTTP
surface on hosted deployments — not only on the aiohttp APIServerAdapter (which
hosted agents don't expose). It must:
- be a registered route on the dashboard app,
- be in PUBLIC_API_PATHS so the dashboard cookie gate doesn't 401 it before
the JWT verifier runs,
- reject a bad/missing NAS-JWT with 401 (the JWT is the real gate),
- 400 on missing job_id,
- on a valid token, resolve the job's profile and run fire_due in the
background, returning 202.
"""
import pytest
from starlette.testclient import TestClient
from hermes_cli import web_server
from hermes_cli.dashboard_auth.public_paths import PUBLIC_API_PATHS
def _client(auth_required: bool):
prev_auth = getattr(web_server.app.state, "auth_required", None)
prev_host = getattr(web_server.app.state, "bound_host", None)
web_server.app.state.auth_required = auth_required
web_server.app.state.bound_host = None
client = TestClient(web_server.app)
return client, prev_auth, prev_host
def _restore(prev_auth, prev_host):
if prev_auth is None:
if hasattr(web_server.app.state, "auth_required"):
delattr(web_server.app.state, "auth_required")
else:
web_server.app.state.auth_required = prev_auth
if prev_host is None:
if hasattr(web_server.app.state, "bound_host"):
delattr(web_server.app.state, "bound_host")
else:
web_server.app.state.bound_host = prev_host
def test_route_registered_on_dashboard_app():
"""The fire webhook is served by the dashboard app (the hosted-agent public
surface), not only the aiohttp adapter."""
paths = {r.path for r in web_server.app.routes if hasattr(r, "path")}
assert "/api/cron/fire" in paths
def test_fire_path_is_public():
"""Must bypass the dashboard cookie gate so the NAS bearer-JWT callback
reaches the verifier (the JWT is the real auth)."""
assert "/api/cron/fire" in PUBLIC_API_PATHS
def test_bad_token_401(monkeypatch):
"""Invalid NAS-JWT -> 401, even with the dashboard auth gate ENGAGED
(proves the route is reachable past the cookie gate and the verifier is the
gate). fire_due must NOT run."""
fired = []
monkeypatch.setattr(
"plugins.cron_providers.chronos.verify.get_fire_verifier",
lambda: (lambda **kw: None), # verification fails
)
monkeypatch.setattr(web_server, "_find_cron_job_profile", lambda jid: "default")
monkeypatch.setattr(web_server, "_fire_cron_job_for_profile",
lambda p, j: fired.append((p, j)))
client, pa, ph = _client(auth_required=True)
try:
resp = client.post("/api/cron/fire",
headers={"Authorization": "Bearer forged"},
json={"job_id": "abc"})
assert resp.status_code == 401
assert fired == []
finally:
_restore(pa, ph)
client.close()
def test_missing_job_id_400(monkeypatch):
monkeypatch.setattr(
"plugins.cron_providers.chronos.verify.get_fire_verifier",
lambda: (lambda **kw: {"purpose": "cron_fire"}),
)
client, pa, ph = _client(auth_required=False)
try:
resp = client.post("/api/cron/fire",
headers={"Authorization": "Bearer good"},
json={})
assert resp.status_code == 400
finally:
_restore(pa, ph)
client.close()
def test_unknown_job_200_gone(monkeypatch):
"""Valid token but the job isn't found in any profile -> 200 'gone'
(NAS shouldn't retry a fire for a cancelled/completed job)."""
monkeypatch.setattr(
"plugins.cron_providers.chronos.verify.get_fire_verifier",
lambda: (lambda **kw: {"purpose": "cron_fire"}),
)
monkeypatch.setattr(web_server, "_find_cron_job_profile", lambda jid: None)
client, pa, ph = _client(auth_required=False)
try:
resp = client.post("/api/cron/fire",
headers={"Authorization": "Bearer good"},
json={"job_id": "ghost"})
assert resp.status_code == 200
assert resp.json().get("status") == "gone"
finally:
_restore(pa, ph)
client.close()
def test_valid_token_accepts_and_fires(monkeypatch):
"""Valid token + known job -> 202 and fire_due invoked for the resolved
profile."""
fired = []
monkeypatch.setattr(
"plugins.cron_providers.chronos.verify.get_fire_verifier",
lambda: (lambda **kw: {"purpose": "cron_fire", "aud": "agent:x"}),
)
monkeypatch.setattr(web_server, "_find_cron_job_profile", lambda jid: "default")
monkeypatch.setattr(web_server, "_fire_cron_job_for_profile",
lambda p, j: fired.append((p, j)) or True)
client, pa, ph = _client(auth_required=False)
try:
resp = client.post("/api/cron/fire",
headers={"Authorization": "Bearer good"},
json={"job_id": "j1"})
assert resp.status_code == 202
assert resp.json()["job_id"] == "j1"
finally:
_restore(pa, ph)
client.close()
# background task ran the fire for the resolved profile
assert fired == [("default", "j1")]