j2dZddlmZddlmZmZddlmZddlm Z edGdd Z edGd d Z Gd d e Z Gdde ZGdde ZGddeZddZdS)zFAbstract base + dataclasses + exceptions for dashboard auth providers.) annotations)ABCabstractmethod) dataclass)OptionalT)frozencdeZdZUdZded<ded<ded<ded<ded<ded <ded <ded <d S) Sessionu A verified identity. Returned by ``complete_login`` and ``verify_session``. All fields are mandatory. Providers that don't have a concept of orgs should set ``org_id`` to an empty string. ``access_token`` and ``refresh_token`` are opaque to Hermes — provider-specific. struser_idemail display_nameorg_idproviderint expires_at access_token refresh_tokenN__name__ __module__ __qualname____doc____annotations__=/usr/local/lib/hermes-agent/hermes_cli/dashboard_auth/base.pyr r soLLLJJJKKKMMMOOOrr c(eZdZUdZded<ded<dS) LoginStartuFirst leg of the OAuth round trip. ``redirect_url`` is the URL the browser must navigate to (e.g. the Portal's ``/oauth/authorize``). ``cookie_payload`` is a dict of cookie name → serialised value that the auth route will ``Set-Cookie`` on the response. Used for PKCE state, CSRF nonces, etc. Cookies set here MUST be HttpOnly + Secure (when over HTTPS) + SameSite=Lax with a TTL ≤ 10 minutes (the login lifetime). r redirect_urlzdict[str, str]cookie_payloadNrrrrrrs6""""""rrceZdZdZdS) ProviderErrorzmIDP unreachable, network error, or other transient failure. Middleware translates this to HTTP 503. Nrrrrrrrr#r#,rr#ceZdZdZdS)InvalidCodeErrorzlThe OAuth callback ``code`` / ``state`` failed validation. Middleware translates this to HTTP 400. Nr$rrrr'r'3r%rr'ceZdZdZdS)RefreshExpiredErroruhThe refresh token is dead. Middleware clears cookies and forces re-login (302 → ``/login``). Nr$rrrr)r):r%rr)ceZdZUdZdZded<dZded<edd ZeddZ eddZ eddZ eddZ dS)DashboardAuthProvideruProtocol every dashboard-auth provider plugin implements. Lifecycle: 1. ``start_login`` — user clicks "Log in with X" on the login page. Provider returns a redirect URL and any PKCE/CSRF state to stash in short-lived cookies. 2. Browser bounces through the OAuth IDP and lands at /auth/callback. 3. ``complete_login`` — exchange the code + verifier for a Session. 4. ``verify_session`` — called on every request to validate the access token in the cookie. Returns ``None`` if the token is expired or invalid (middleware then triggers refresh or logout). 5. ``refresh_session`` — called when the access token is near expiry. Returns a new Session with rotated tokens. 6. ``revoke_session`` — called on /auth/logout. Best-effort. Failure semantics: * ``start_login`` may raise ``ProviderError`` if the IDP is unreachable. * ``complete_login`` raises ``InvalidCodeError`` on bad code/state; ``ProviderError`` if the IDP is unreachable. * ``verify_session`` returns ``None`` on expiry / unknown token; raises ``ProviderError`` if the IDP is unreachable. Middleware treats expiry and unreachable differently (expiry → refresh; unreachable → 503). * ``refresh_session`` raises ``RefreshExpiredError`` when the refresh token is also invalid; middleware then forces re-login. Raises ``ProviderError`` on network failure. * ``revoke_session`` is best-effort and must not raise. Subclasses MUST set ``name`` (lowercase identifier, stable forever) and ``display_name`` (user-facing label on the login page). r namer redirect_urireturnrcdSNr)selfr.s r start_loginz!DashboardAuthProvider.start_loginfs?Bsrcodestate code_verifierr cdSr1r)r2r4r5r6r.s rcomplete_loginz$DashboardAuthProvider.complete_loginis #rrOptional[Session]cdSr1r)r2rs rverify_sessionz$DashboardAuthProvider.verify_sessionssILrrcdSr1rr2rs rrefresh_sessionz%DashboardAuthProvider.refresh_sessionvsADrNonecdSr1rr=s rrevoke_sessionz$DashboardAuthProvider.revoke_sessionys=@SrN)r.r r/r) r4r r5r r6r r.r r/r )rr r/r9)rr r/r )rr r/r?) rrrrr-rrrr3r8r;r>rArrrr+r+AsBDNNNNLBBB^B^LLL^LDDD^D@@@^@@@rr+clstyper/r?c`d}d}|D].}t||d}|st|jd|/|D]9}tt||dst|jd|:t|ddr+t|jdt |jdS) a+Raise ``TypeError`` if ``cls`` doesn't fully implement the provider protocol. Call this in every provider plugin's unit tests:: def test_protocol_compliance(): assert_protocol_compliance(MyProvider) Returns ``None`` on success so callers can assert it explicitly. )r3r8r;r>rA)r-rr,z missing or empty attribute: Nz missing method: __abstractmethods__z% has unimplemented abstract methods: )getattr TypeErrorrcallablesortedrE)rBrequired_methodsrequired_attrsattrvalmethods rassert_protocol_compliancerO}s.Nc4$$ <FFdFF  #HHVT2233 Hs|FFfFFGG G Hs)400 | 1 1c-.. 1 1     rN)rBrCr/r?)r __future__rabcrr dataclassesrtypingrr r Exceptionr#r'r)r+rOrrrrUsLL""""""########!!!!!! $$ $ # # # # # # # #Iy)9A9A9A9A9AC9A9A9Ax! ! ! ! ! ! r