§
    ËÐ)jµq  ã                  ó&  — U d Z ddlmZ ddlZddlZddlZddlZddlZddlZddl	Z	ddl
ZddlmZmZmZ ddlZddlmZmZmZmZmZmZ  ej        e¦  «        ZdZdZdZdZd	Zd
Z da!de"d<   d!d„Z#d"d„Z$ G d„ de¦  «        Z%d#d„Z&d$d„Z'd%d„Z(d&d „Z)dS )'u  SelfHostedOIDCProvider â€” generic self-hosted OpenID Connect dashboard auth.

A standards-compliant OpenID Connect Relying Party for the ``hermes dashboard``
OAuth gate. Unlike the bundled ``nous`` provider (which encodes Nous Portal's
bespoke contract â€” ``agent:{instance_id}`` client ids, a custom access-token
JWT, the ``x-nous-refresh-token`` header, an ``oauth_contract_version`` claim),
this provider speaks **plain OIDC** so it works against any conformant
self-hosted identity provider:

    Authentik Â· Keycloak Â· Zitadel Â· Authelia Â· Auth0 Â· Okta Â· Google Â· â€¦

It is a pure drop-in plugin: it implements the five
:class:`~hermes_cli.dashboard_auth.DashboardAuthProvider` methods and touches
nothing in core auth/runtime/login. The HTTP round trip, cookies, CSRF
``state`` check and ``redirect_uri`` reconstruction are all owned by
``hermes_cli/dashboard_auth/routes.py``; this provider only:

  1. discovers the IDP's endpoints from ``{issuer}/.well-known/openid-configuration``,
  2. builds the ``/authorize`` URL with PKCE (S256),
  3. exchanges the authorization code for tokens at the discovered
     ``token_endpoint``,
  4. verifies the **ID token** (RS256/ES256) against the discovered
     ``jwks_uri`` with ``iss`` / ``aud`` pinned to the configured issuer /
     client id, and maps standard OIDC claims (``sub``, ``email``, ``name``)
     onto a :class:`~hermes_cli.dashboard_auth.Session`.

Why the ID token (not the access token)? OIDC guarantees the ID token is a
signed JWT carrying identity claims â€” that is its entire purpose. The access
token's format is opaque to the client per the spec; many IDPs issue random
opaque strings the client cannot verify locally. Verifying the ID token is the
only choice that is universally correct across self-hosted IDPs. (The ``nous``
provider verifies its *access* token because Nous Portal mints a custom JWT
access token with the dashboard claims baked in â€” a non-OIDC shortcut.)

Public PKCE clients only. Confidential clients (with a ``client_secret``) are
not yet supported â€” see the ``# TODO(confidential-client)`` seam in
``complete_login`` / ``refresh_session``. Self-hosters configuring a CLI/SPA
client almost always register a public + PKCE client, which is the smaller,
simpler surface.

Configuration surfaces (env wins over config.yaml when set non-empty, so a
provisioned-but-not-populated secret can't shadow a valid config.yaml entry â€”
same precedence convention as the ``nous`` plugin)::

    # config.yaml â€” canonical surface
    dashboard:
      oauth:
        provider: self-hosted
        self_hosted:
          issuer: https://auth.example.com/application/o/hermes/   # required
          client_id: hermes-dashboard                              # required
          scopes: "openid profile email"                           # optional

    # Environment overrides (Docker/Fly secret injection)
    HERMES_DASHBOARD_OIDC_ISSUER
    HERMES_DASHBOARD_OIDC_CLIENT_ID
    HERMES_DASHBOARD_OIDC_SCOPES        # optional; defaults to "openid profile email"

Skip reasons: when the plugin loads but can't register (missing issuer /
client_id), it writes a human-readable reason to the module-level
:data:`LAST_SKIP_REASON` so the gate's fail-closed branch can surface a useful
operator error instead of the bare "no providers registered".
é    )ÚannotationsN)ÚAnyÚDictÚOptional)ÚDashboardAuthProviderÚInvalidCodeErrorÚ
LoginStartÚProviderErrorÚRefreshExpiredErrorÚSessionzopenid profile email)ÚRS256ÚES256ÚRS384ÚRS512ÚES384ÚES512g      $@i  i,  Ú ÚstrÚLAST_SKIP_REASONÚrawÚbytesÚreturnc                ót   — t          j        | ¦  «                             d¦  «                             ¦   «         S )u6   Base64url-encode without ``=`` padding (RFC 7636 Â§4).ó   =)Úbase64Úurlsafe_b64encodeÚrstripÚdecode)r   s    úR/home/wildlama/.hermes/hermes-agent/plugins/dashboard_auth/self_hosted/__init__.pyÚ_b64url_no_padr    ƒ   s-   € åÔ# CÑ(Ô(×/Ò/°Ñ5Ô5×<Ò<Ñ>Ô>Ð>ó    ÚurlÚfieldc               ó´   — t           j                             | ¦  «        }|j        dk    r| S |j        dk    r|j        pddv r| S t          d|› d| ›¦  «        ‚)a{  Reject an endpoint URL that isn't HTTPS (loopback http is allowed).

    OAuth credentials (codes, tokens) flow over these URLs. We require HTTPS
    for everything except an explicit loopback host so a misconfigured issuer
    can't ship the authorization code / refresh token in cleartext. Returns
    the URL unchanged on success; raises :class:`ProviderError` otherwise.
    ÚhttpsÚhttpr   )Ú	localhostú	127.0.0.1z::1zOIDC z. must be https:// (or http on localhost), got )ÚurllibÚparseÚurlparseÚschemeÚhostnamer
   )r"   r#   Úparseds      r   Ú_require_https_or_loopbackr/   ˆ   s|   € õ Œ\×"Ò" 3Ñ'Ô'€FØ„}˜ÒÐØˆ
Ø„}˜ÒÐ F¤OÐ$9°rð ?ð $ð $ð
 ˆ
Ý
ØLÐLÐLÀSÐLÐLñô ð r!   c                  óž   — e Zd ZdZdZdZedœd2d„Zd3d„Zd4d„Z	d5d„Z
d6d„Zd7d„Zddœd8d"„Zd9d$„Zd:d%„Zd9d&„Zd;d(„Zd<d*„Zd=d,„Zd>d-„Zd?d0„Zd1S )@ÚSelfHostedOIDCProviderzHGeneric self-hosted OpenID Connect provider (authorization-code + PKCE).zself-hostedzSelf-Hosted OIDC)ÚscopesÚissuerr   Ú	client_idr2   r   ÚNonec               óR  — |st          d¦  «        ‚|st          d¦  «        ‚|                     d¦  «        | _        t          | j        d¬¦  «         || _        |                     ¦   «         pt          | _        d | _        d| _	        t          j        ¦   «         | _        d | _        d S )Nzissuer is requiredzclient_id is requiredú/r3   ©r#   g        )Ú
ValueErrorr   Ú_issuerr/   Ú
_client_idÚstripÚ_DEFAULT_SCOPESÚ_scopesÚ
_discoveryÚ_discovery_fetched_atÚ	threadingÚLockÚ_discovery_lockÚ_jwks_client)Úselfr3   r4   r2   s       r   Ú__init__zSelfHostedOIDCProvider.__init__©   s¦   € ð ð 	3ÝÐ1Ñ2Ô2Ð2Øð 	6ÝÐ4Ñ5Ô5Ð5ð —}’} SÑ)Ô)ˆŒÝ" 4¤<°xÐ@Ñ@Ô@Ð@Ø#ˆŒØ—|’|‘~”~Ð8­ˆŒð
 26ˆŒØ,/ˆÔ"Ý(œ~Ñ/Ô/ˆÔØ!%ˆÔÐÐr!   Úredirect_urir	   c               ó  — |                       |¦  «         |                      ¦   «         }t          t          j        d¦  «        ¦  «        }t          t          j        |                     d¦  «        ¦  «                             ¦   «         ¦  «        }t          t          j        d¦  «        ¦  «        }d| j	        || j
        ||ddœ}|d         › dt          j                             |¦  «        › }d	d
|› d|› i}t          ||¬¦  «        S )Né@   Úasciié    ÚcodeÚS256)Úresponse_typer4   rG   ÚscopeÚstateÚcode_challengeÚcode_challenge_methodÚauthorization_endpointú?Úhermes_session_pkcezstate=z
;verifier=)Úredirect_urlÚcookie_payload)Ú_validate_redirect_uriÚ_get_discoveryr    ÚsecretsÚtoken_bytesÚhashlibÚsha256ÚencodeÚdigestr;   r>   r)   r*   Ú	urlencoder	   )	rE   rG   ÚdiscoÚcode_verifierrQ   rP   ÚparamsrV   rW   s	            r   Ústart_loginz"SelfHostedOIDCProvider.start_loginÈ   s  € Ø×#Ò# LÑ1Ô1Ð1Ø×#Ò#Ñ%Ô%ˆå&¥wÔ':¸2Ñ'>Ô'>Ñ?Ô?ˆÝ'ÝŒN˜=×/Ò/°Ñ8Ô8Ñ9Ô9×@Ò@ÑBÔBñ
ô 
ˆõ wÔ2°2Ñ6Ô6Ñ7Ô7ˆð $ØœØ(Ø”\ØØ,Ø%+ð
ð 
ˆð Ð-Ô.ÐQÐQµ´×1GÒ1GÈÑ1OÔ1OÐQÐQð 	ð "Ð#L¨EÐ#LÐ#L¸]Ð#LÐ#Lð
ˆõ  |ÀNÐSÑSÔSÐSr!   rL   rP   rb   r   c               óŽ   — |}|                       ¦   «         }d||| j        |dœ}|                      |d         |t          ¬¦  «        S )NÚauthorization_code)Ú
grant_typerL   rG   r4   rb   Útoken_endpoint)Úbad_request_exc)rY   r;   Ú	_exchanger   )rE   rL   rP   rb   rG   Ú_ra   Údatas           r   Úcomplete_loginz%SelfHostedOIDCProvider.complete_loginå   sd   € ð ˆØ×#Ò#Ñ%Ô%ˆð /ØØ(ØœØ*ð
ð 
ˆð ~Š~ØÐ"Ô# TÕ;Kð ñ 
ô 
ð 	
r!   Úrefresh_tokenc               ó¶   — |st          d¦  «        ‚|                      ¦   «         }d| j        || j        dœ}|                      |d         |t           |¬¦  «        S )Nz#no refresh token present in sessionrn   )rg   r4   rn   rO   rh   )ri   Úprevious_refresh_token)r   rY   r;   r>   rj   )rE   rn   ra   rl   s       r   Úrefresh_sessionz&SelfHostedOIDCProvider.refresh_sessionÿ   sz   € Øð 	MÝ%Ð&KÑLÔLÐLØ×#Ò#Ñ%Ô%ˆð *ØœØ*ð ”\ð
ð 
ˆð ~Š~ØÐ"Ô#ØÝ/Ø#0ð	 ñ 
ô 
ð 	
r!   Úaccess_tokenúOptional[Session]c               ó–   — 	 |                       |¦  «        }n# t          $ r Y d S t          $ r ‚ w xY w|                      |d|¬¦  «        S )Nr   ©Úid_tokenrn   Úclaims)Ú_verify_id_tokenr   r
   Ú_session_from_tokens)rE   rr   rw   s      r   Úverify_sessionz%SelfHostedOIDCProvider.verify_session  sy   € ð	Ø×*Ò*¨<Ñ8Ô8ˆFˆFøÝð 	ð 	ð 	à44Ýð 	ð 	ð 	Øð	øøøð ×(Ò(Ø!°¸Fð )ñ 
ô 
ð 	
s   ‚ ˜
0¥0c               óˆ  — |sd S 	 |                       ¦   «         }n# t          $ r Y d S w xY wt          |                     d¦  «        pd¦  «                             ¦   «         }|sd S 	 t          j        ||d| j        dœddit          ¬¦  «         n2# t          $ r%}t                               d|¦  «         Y d }~nd }~ww xY wd S )	NÚrevocation_endpointr   rn   )ÚtokenÚtoken_type_hintr4   ÚAcceptúapplication/json©rl   ÚheadersÚtimeoutz-self-hosted OIDC: revoke failed (ignored): %s)rY   r
   r   Úgetr<   ÚhttpxÚpostr;   Ú_TOKEN_ENDPOINT_TIMEOUT_SECÚ	ExceptionÚloggerÚdebug)rE   rn   ra   ÚendpointÚexcs        r   Úrevoke_sessionz%SelfHostedOIDCProvider.revoke_session'  s  € ð ð 	Ø4ð	Ø×'Ò'Ñ)Ô)ˆEˆEøÝð 	ð 	ð 	Ø44ð	øøøåu—y’yÐ!6Ñ7Ô7Ð=¸2Ñ>Ô>×DÒDÑFÔFˆØð 	Ø4ð	OÝŒJØà*Ø'6Ø!%¤ðð ð
 "Ð#5Ð6Ý3ð	ñ 	ô 	ð 	ð 	øõ ð 	Oð 	Oð 	OÝLŠLÐHÈ#ÑNÔNÐNÐNÐNÐNÐNÐNøøøøð	Oøøøàˆts$   † ›
)¨)Á'(B Â
B?ÂB:Â:B?r   )rp   rh   rl   úDict[str, str]ri   útype[Exception]rp   c               ó|  — 	 t          j        ||ddit          ¬¦  «        }n*# t           j        $ r}t	          d|› ¦  «        |‚d}~ww xY w|j        dk    r9|                      |¦  «        }|                     dd¦  «        } |d	|› ¦  «        ‚|j        d
k    r't	          d|j        › d|j        dd
…         ›¦  «        ‚|                      |¦  «        }	|	                     d¦  «        }
|
rt          |
t          ¦  «        st	          d¦  «        ‚t          |	                     dd¦  «        ¦  «                             ¦   «         }|r|dk    rt	          d|›¦  «        ‚|                      |
¦  «        }|	                     d¦  «        }t          |t          ¦  «        r|s|pd}|                      |
||¬¦  «        S )uw  POST the token endpoint and turn the response into a Session.

        Shared by ``complete_login`` (auth-code grant) and ``refresh_session``
        (refresh grant). ``bad_request_exc`` is raised on a 400 â€”
        ``InvalidCodeError`` for the auth-code path, ``RefreshExpiredError``
        for the refresh path â€” preserving the middleware's distinct handling.
        r   r€   r   z!OIDC token endpoint unreachable: Ni  ÚerrorÚinvalid_requestzIDP rejected token request: éÈ   zOIDC token endpoint returned z: rv   u‚   OIDC token response missing id_token â€” ensure the 'openid' scope is configured and the client is allowed to receive an ID token.Ú
token_typer   Úbearerzunexpected token_type=rn   ru   )r…   r†   r‡   ÚRequestErrorr
   Ústatus_codeÚ_parse_json_bodyr„   ÚtextÚ
isinstancer   Úlowerrx   ry   )rE   rh   rl   ri   rp   ÚresponserŒ   ÚbodyÚ
error_codeÚpayloadrv   r”   rw   rn   s                 r   rj   z SelfHostedOIDCProvider._exchangeD  s/  € ð
	Ý”zØØØ!Ð#5Ð6Ý3ð	ñ ô ˆHˆHøõ Ô!ð 	ð 	ð 	ÝØ9°CÐ9Ð9ñô àðøøøøð	øøøð
 Ô 3Ò&Ð&Ø×(Ò(¨Ñ2Ô2ˆDØŸš 'Ð+<Ñ=Ô=ˆJØ!/Ø;¨zÐ;Ð;ñô ð ð Ô 3Ò&Ð&Ýð+°Ô0Dð +ð +Ø”=  # Ô&ð+ð +ñô ð ð
 ×'Ò'¨Ñ1Ô1ˆà—;’;˜zÑ*Ô*ˆØð 	z¨(µCÑ8Ô8ð 	Ýðñô ð õ ˜Ÿš \°2Ñ6Ô6Ñ7Ô7×=Ò=Ñ?Ô?ˆ
Øð 	I˜*¨Ò0Ð0ÝÐ G¸Ð GÐ GÑHÔHÐHà×&Ò& xÑ0Ô0ˆð
  Ÿš OÑ4Ô4ˆÝ˜-­Ñ-Ô-ð 	9°]ð 	9Ø2Ð8°bˆMà×(Ò(Ø¨]À6ð )ñ 
ô 
ð 	
s   ‚" ¢A	±AÁA	úDict[str, Any]c                ó‚  — t          j         ¦   «         }| j        || j        z
  t          k     r| j        S | j        5  t          j         ¦   «         }| j        &|| j        z
  t          k     r| j        cddd¦  «         S |                      ¦   «         }|| _        || _        d| _        |cddd¦  «         S # 1 swxY w Y   dS )z=Return the cached OIDC discovery document, fetching if stale.N)Útimer?   r@   Ú_DISCOVERY_CACHE_TTL_SECrC   Ú_fetch_discoveryrD   )rE   Únowra   s      r   rY   z%SelfHostedOIDCProvider._get_discoveryˆ  s!  € åŒi‰kŒkˆàŒOÐ'ØtÔ1Ñ1Õ5MÒMÐMà”?Ð"ØÔ!ð 	ð 	Ý”)‘+”+ˆCà”Ð+Ø˜4Ô5Ñ5Õ9QÒQÐQà”ð	ð 	ð 	ð 	ñ 	ô 	ð 	ð 	ð ×)Ò)Ñ+Ô+ˆEØ#ˆDŒOØ),ˆDÔ&ð !%ˆDÔØð	ð 	ð 	ð 	ñ 	ô 	ð 	ð 	ð 	ð 	ð 	ð 	øøøð 	ð 	ð 	ð 	ð 	ð 	s   ¼4B4Á=*B4Â4B8Â;B8c                ó   — | j         › dS )Nz!/.well-known/openid-configuration)r:   )rE   s    r   Ú_discovery_urlz%SelfHostedOIDCProvider._discovery_urlŸ  s   € à”,ÐAÐAÐAÐAr!   c                óœ  — |                       ¦   «         }	 t          j        |ddit          ¬¦  «        }n*# t          j        $ r}t          d|› ¦  «        |‚d }~ww xY w|j        dk    rt          d|j        › d|›¦  «        ‚|                      |¦  «        }|st          d¦  «        ‚t          |                     d	d
¦  «        pd
¦  «         	                    ¦   «         }t          |                     dd
¦  «        pd
¦  «         	                    ¦   «         }t          |                     dd
¦  «        pd
¦  «         	                    ¦   «         }|r|r|st          d¦  «        ‚t          |                     dd
¦  «        pd
¦  «         	                    ¦   «         }|r8| 
                    d¦  «        | j        k    rt          d|›d| j        ›¦  «        ‚t          |d	¬¦  «         t          |d¬¦  «         t          |d¬¦  «         t          |                     dd
¦  «        pd
¦  «         	                    ¦   «         }	|p| j        ||||	dœS )Nr   r€   )r‚   rƒ   zOIDC discovery unreachable: r“   zOIDC discovery returned z for z'OIDC discovery returned a non-JSON bodyrS   r   rh   Újwks_urizPOIDC discovery missing one of authorization_endpoint / token_endpoint / jwks_urir3   r7   z4OIDC discovery issuer mismatch: document advertises z but configured issuer is r8   r|   )r3   rS   rh   r©   r|   )r§   r…   r„   Ú_DISCOVERY_TIMEOUT_SECr–   r
   r—   r˜   r   r<   r   r:   r/   )
rE   r"   rœ   rŒ   rŸ   rS   rh   r©   Úadvertised_issuerr|   s
             r   r¤   z'SelfHostedOIDCProvider._fetch_discovery£  sÄ  € Ø×!Ò!Ñ#Ô#ˆð	OÝ”yØØ!Ð#5Ð6Ý.ðñ ô ˆHˆHøõ
 Ô!ð 	Oð 	Oð 	OÝÐ D¸sÐ DÐ DÑEÔEÈ3ÐNøøøøð	OøøøàÔ 3Ò&Ð&ÝØM¨8Ô+?ÐMÐMÀcÐMÐMñô ð ð ×'Ò'¨Ñ1Ô1ˆØð 	KÝÐ IÑJÔJÐJå!$ØKŠKÐ0°"Ñ5Ô5Ð;¸ñ"
ô "
ç
Š%‰'Œ'ð 	õ ˜WŸ[š[Ð)9¸2Ñ>Ô>ÐDÀ"ÑEÔE×KÒKÑMÔMˆÝw—{’{ :¨rÑ2Ô2Ð8°bÑ9Ô9×?Ò?ÑAÔAˆØ%ð 	¨^ð 	À8ð 	Ýð,ñô ð õ   §¢¨H°bÑ 9Ô 9Ð ?¸RÑ@Ô@×FÒFÑHÔHÐØð 	Ð!2×!9Ò!9¸#Ñ!>Ô!>À$Ä,Ò!NÐ!NÝð$Ø$ð$ð $à”<ð$ð $ñô ð õ 	#Ø"Ð*Bð	
ñ 	
ô 	
ð 	
õ 	# >Ð9IÐJÑJÔJÐJÝ" 8°:Ð>Ñ>Ô>Ð>å!ØKŠKÐ-¨rÑ2Ô2Ð8°bñ
ô 
ç
Š%‰'Œ'ð 	ð
 (Ð7¨4¬<Ø&<Ø,Ø Ø#6ð
ð 
ð 	
s   –5 µAÁAÁAr   c                óŽ   — | j         €8ddlm} |                      ¦   «         } ||d         dt          ¬¦  «        | _         | j         S )Nr   )ÚPyJWKClientr©   T)Ú
cache_keysÚlifespan)rD   Újwtr­   rY   Ú_JWKS_CACHE_SECONDS)rE   r­   ra   s      r   Ú_get_jwks_clientz'SelfHostedOIDCProvider._get_jwks_clientà  s`   € ØÔÐ$Ø'Ð'Ð'Ð'Ð'Ð'à×'Ò'Ñ)Ô)ˆEØ + ØjÔ!ØÝ,ð!ñ !ô !ˆDÔð
 Ô Ð r!   rv   c           
     ó  — dd l }|                      ¦   «         }	 |                      ¦   «                              |¦  «        }nE# |j        $ r}t          d|› ¦  «        |‚d }~wt          $ r}t          d|›¦  «        |‚d }~ww xY w	 |                     ||j        t          t          ¦  «        | j        |d         dg d¢i¬¦  «        }nµ# |j        $ r}t          d|› ¦  «        |‚d }~w|j        $ rˆ}d}	 |                     |d	d	d
œ¬¦  «        }d|                     d¦  «        ›d|                     d¦  «        ›d|d         ›d| j        ›d	}n# t          $ r Y nw xY wt          d|› |› ¦  «        |‚d }~ww xY w|S )Nr   zJWKS lookup failed: r3   Úrequire)ÚexpÚiatÚaudÚissÚsub)Ú
algorithmsÚaudiencer3   ÚoptionszID token expired: r   F)Úverify_signatureÚ
verify_exp)r¼   z [token iss=r¸   z aud=r·   z; expected iss=ú]zID token verification failed: )r°   rY   r²   Úget_signing_key_from_jwtÚPyJWKClientErrorr
   rˆ   r   ÚkeyÚlistÚ_ALLOWED_ID_TOKEN_ALGSr;   ÚExpiredSignatureErrorr   ÚInvalidTokenErrorr„   )	rE   rv   r°   ra   Úsigning_keyrŒ   rw   ÚdetailsÚ
unverifieds	            r   rx   z'SelfHostedOIDCProvider._verify_id_tokenì  sF  € Øˆ
ˆ
ˆ
à×#Ò#Ñ%Ô%ˆð	IØ×/Ò/Ñ1Ô1×JÒJØñô ˆKˆKøð Ô#ð 	Gð 	Gð 	GÝÐ <°sÐ <Ð <Ñ=Ô=À3ÐFøøøøÝð 	Ið 	Ið 	IÝÐ >°sÐ >Ð >Ñ?Ô?ÀSÐHøøøøð	Iøøøð!	Ø—Z’ZØØ”ÝÕ 6Ñ7Ô7ØœØ˜X”Ø"Ð$GÐ$GÐ$GÐHð  ñ ô ˆFˆFøð Ô(ð 	Hð 	Hð 	Hå"Ð#=¸Ð#=Ð#=Ñ>Ô>ÀCÐGøøøøØÔ$ð 	ð 	ð 	ð
 ˆGðØ ŸZšZØØ16ÀeÐLÐLð (ñ ô 
ð
0 :§>¢>°%Ñ#8Ô#8ð 0ð 0Ø%Ÿ>š>¨%Ñ0Ô0ð0ð 0à$)¨(¤Oð0ð 0ð  œ?ð0ð 0ð 0ð øõ ð ð ð ØðøøøåØ?°Ð?°gÐ?Ð?ñô àðøøøøð'	øøøð. ˆsm   š'A Á
BÁAÁBÁ,A?Á?BÂAC
 Ã

E<ÃC'Ã'E<Ã4E7Ã7AEÅE7Å
EÅE7ÅEÅE7Å7E<rw   c               óÆ  — t          |                     dd¦  «        ¦  «        }|st          d¦  «        ‚t          |                     dd¦  «        pd¦  «        }t          |                     d¦  «        p-|                     d¦  «        p|                     d¦  «        p|pd¦  «        }|                     d¦  «        p|                     d	¦  «        pd}|sK|                     d
¦  «        }t          |t          ¦  «        r!|rd                     d„ |D ¦   «         ¦  «        }t          |pd¦  «        }t          ||||| j        t          |d         ¦  «        ||¬¦  «        S )u\  Map verified OIDC claims onto a Session.

        The verified ID token is stored in ``Session.access_token`` so the
        per-request ``verify_session`` re-verifies a real JWT. The opaque
        OAuth access token is intentionally NOT stored â€” Hermes does not call
        any resource API with it; the dashboard only needs identity.
        r¹   r   z&ID token missing 'sub' (user_id) claimÚemailÚnameÚpreferred_usernameÚnicknameÚorg_idÚorganizationÚgroupsú,c              3  ó4   K  — | ]}t          |¦  «        V — Œd S )N)r   )Ú.0Úgs     r   ú	<genexpr>z>SelfHostedOIDCProvider._session_from_tokens.<locals>.<genexpr>C  s(   è è € Ð!9Ð!9¨Q¥# a¡&¤&Ð!9Ð!9Ð!9Ð!9Ð!9Ð!9r!   rµ   )Úuser_idrË   Údisplay_namerÏ   ÚproviderÚ
expires_atrr   rn   )	r   r„   r
   rš   rÃ   Újoinr   rÌ   Úint)	rE   rv   rn   rw   r×   rË   rØ   rÏ   rÑ   s	            r   ry   z+SelfHostedOIDCProvider._session_from_tokens!  s{  € õ f—j’j ¨Ñ+Ô+Ñ,Ô,ˆØð 	JÝÐ HÑIÔIÐIåF—J’J˜w¨Ñ+Ô+Ð1¨rÑ2Ô2ˆåØJŠJvÑÔð ØzŠzÐ.Ñ/Ô/ðàzŠz˜*Ñ%Ô%ðð ðð ñ
ô 
ˆð —’˜HÑ%Ô%ÐI¨¯ª°NÑ)CÔ)CÐIÀrˆØð 	:Ø—Z’Z Ñ)Ô)ˆFÝ˜&¥$Ñ'Ô'ð :¨Fð :ØŸšÐ!9Ð!9°&Ð!9Ñ!9Ô!9Ñ9Ô9ÝV\˜rÑ"Ô"ˆåØØØ%ØØ”YÝ˜6 %œ=Ñ)Ô)Ø!Ø'ð	
ñ 	
ô 	
ð 		
r!   c                ó,  — t           j                             |¦  «        }|j        dvrt	          d|›¦  «        ‚|j        dk    r|j        dvrt	          d|›¦  «        ‚|j        r|j                             d¦  «        st	          d|›¦  «        ‚dS )	zêFast-fail obviously-broken redirect_uris before bouncing to the IDP.

        The IDP's own allowlist is authoritative; this just catches the common
        operator-error case with a clear message. Mirrors the nous provider.
        )r%   r&   z"redirect_uri must be http(s), got r&   )r'   r(   z?redirect_uri may only use http:// for localhost/127.0.0.1, got z/auth/callbackz6redirect_uri path must end with '/auth/callback', got N)r)   r*   r+   r,   r
   r-   ÚpathÚendswith)rE   rG   r.   s      r   rX   z-SelfHostedOIDCProvider._validate_redirect_uriQ  sÞ   € õ ”×&Ò& |Ñ4Ô4ˆØŒ=Ð 1Ð1Ð1ÝØE°\ÐEÐEñô ð ð Œ=˜FÒ"Ð" v¤ð ?
ð (
ð (
õ  ð(Ø#ð(ð (ñô ð ð Œ{ð 	 &¤+×"6Ò"6Ð7GÑ"HÔ"Hð 	Ýð(Ø#ð(ð (ñô ð ð	ð 	r!   rœ   úhttpx.Responsec                óè   — |j                              dd¦  «        }|                     d¦  «        si S 	 |                     ¦   «         }n# t          $ r i cY S w xY wt          |t          ¦  «        r|ni S )Nzcontent-typer   r€   )r‚   r„   Ú
startswithÚjsonr9   rš   Údict)rE   rœ   Úctyper   s       r   r˜   z'SelfHostedOIDCProvider._parse_json_bodyj  s‡   € ØÔ ×$Ò$ ^°RÑ8Ô8ˆØ×ÒÐ 2Ñ3Ô3ð 	ØˆIð	Ø—=’=‘?”?ˆDˆDøÝð 	ð 	ð 	ØˆIˆIˆIð	øøøå! $­Ñ-Ô-Ð5ˆtˆt°2Ð5s   ´A	 Á	AÁAN)r3   r   r4   r   r2   r   r   r5   )rG   r   r   r	   )
rL   r   rP   r   rb   r   rG   r   r   r   )rn   r   r   r   )rr   r   r   rs   )rn   r   r   r5   )
rh   r   rl   rŽ   ri   r   rp   r   r   r   )r   r    )r   r   )r   r   )rv   r   r   r    )rv   r   rn   r   rw   r    r   r   )rG   r   r   r5   )rœ   rà   r   r    )Ú__name__Ú
__module__Ú__qualname__Ú__doc__rÌ   rØ   r=   rF   rd   rm   rq   rz   r   rj   rY   r§   r¤   r²   rx   ry   rX   r˜   © r!   r   r1   r1   £   s  € € € € € ØRÐRà€DØ%€Lð &ð&ð &ð &ð &ð &ð &ð>Tð Tð Tð Tð:
ð 
ð 
ð 
ð4
ð 
ð 
ð 
ð*
ð 
ð 
ð 
ð&ð ð ð ðF ')ð@
ð @
ð @
ð @
ð @
ð @
ðHð ð ð ð.Bð Bð Bð Bð9
ð 9
ð 9
ð 9
ðz
!ð 
!ð 
!ð 
!ð1ð 1ð 1ð 1ðj.
ð .
ð .
ð .
ð`ð ð ð ð26ð 6ð 6ð 6ð 6ð 6r!   r1   rä   c                 óâ   — 	 ddl m} m}  |¦   «         }n4# t          $ r'}t                               d|¦  «         i cY d}~S d}~ww xY w | |ddd¬¦  «        }t          |t          ¦  «        r|ni S )u  Return the ``dashboard.oauth`` block from config.yaml, or ``{}``.

    Robust to load_config() raising, the ``dashboard`` key being absent or
    non-dict, and ``oauth`` being present but not a dict â€” each falls through
    to ``{}`` so callers can rely on ``.get(...)``.
    r   )Úcfg_getÚload_configz[dashboard-auth-self-hosted: load_config() raised %s; falling back to env-only configurationNÚ	dashboardÚoauth)Údefault)Úhermes_cli.configrì   rí   rˆ   r‰   rŠ   rš   rä   )rì   rí   ÚcfgrŒ   Úsections        r   Ú_load_config_oauth_sectionrô   z  s­   € ð
Ø:Ð:Ð:Ð:Ð:Ð:Ð:Ð:àˆk‰mŒmˆˆøÝð ð ð ÝŠð5àñ	
ô 	
ð 	
ð
 ˆ	ˆ	ˆ	ˆ	ˆ	ˆ	øøøøðøøøð ˆgc˜;¨¸Ð>Ñ>Ô>€GÝ  ­$Ñ/Ô/Ð7ˆ7ˆ7°RÐ7s   ‚ •
AŸA»AÁAÚoauth_sectionc                ó^   — |                       d¦  «        }t          |t          ¦  «        r|ni S )z@Return the ``dashboard.oauth.self_hosted`` sub-block, or ``{}``.Úself_hosted)r„   rš   rä   )rõ   r¹   s     r   Ú_oidc_subsectionrø     s.   € à
×
Ò
˜MÑ
*Ô
*€CÝ˜S¥$Ñ'Ô'Ð/ˆ3ˆ3¨RÐ/r!   Úenv_varÚ	cfg_valuer   c                ó´   — t           j                             | d¦  «                             ¦   «         }|r|S t	          |pd¦  «                             ¦   «         S )zïenv-wins-config with empty-is-unset precedence.

    1. ``env_var`` when non-empty after strip (an empty provisioned secret
       must not shadow a valid config.yaml entry).
    2. ``cfg_value`` from config.yaml.
    3. Empty string.
    r   )ÚosÚenvironr„   r<   r   )rù   rú   Úenvs      r   Ú_resolve_settingrÿ   –  sP   € õ Œ*.Š.˜ "Ñ
%Ô
%×
+Ò
+Ñ
-Ô
-€CØ
ð Øˆ
Ýˆyˆ˜BÑÔ×%Ò%Ñ'Ô'Ð'r!   r5   c                óÊ  — da t          ¦   «         }t          |¦  «        }t          d|                     d¦  «        ¦  «        }t          d|                     d¦  «        ¦  «        }t          d|                     d¦  «        ¦  «        pt
          }|r|sEdt          |¦  «        ›d	t          |¦  «        ›d
a t                               dt           ¦  «         dS 	 t          |||¬¦  «        }nD# t          t          f$ r0}d|› a t                               dt           ¦  «         Y d}~dS d}~ww xY w|                      |¦  «         t                               d|||¦  «         dS )u  Plugin entry â€” called by the plugin loader at startup.

    Registers :class:`SelfHostedOIDCProvider` only when both an issuer and a
    client_id are configured (via ``HERMES_DASHBOARD_OIDC_*`` env vars or the
    ``dashboard.oauth.self_hosted`` block in config.yaml). Operator-owned
    loopback / ``--insecure`` dashboards leave these unset, so the plugin is a
    no-op for them.

    On skip, writes a reason to :data:`LAST_SKIP_REASON` that names BOTH
    configuration surfaces so operators don't guess wrong about which to set.
    r   ÚHERMES_DASHBOARD_OIDC_ISSUERr3   ÚHERMES_DASHBOARD_OIDC_CLIENT_IDr4   ÚHERMES_DASHBOARD_OIDC_SCOPESr2   u:  Self-hosted OIDC dashboard auth is not configured. Set both an issuer and a client_id â€” either as env vars (HERMES_DASHBOARD_OIDC_ISSUER + HERMES_DASHBOARD_OIDC_CLIENT_ID) or under dashboard.oauth.self_hosted.{issuer,client_id} in config.yaml â€” or pass --insecure to skip the OAuth gate entirely. (issuer set: z; client_id set: ú)zdashboard-auth-self-hosted: %sN)r3   r4   r2   z,SelfHostedOIDCProvider construction failed: zTdashboard-auth-self-hosted: registered provider (issuer=%s, client_id=%s, scopes=%r))r   rô   rø   rÿ   r„   r=   Úboolr‰   rŠ   r1   r9   r
   ÚwarningÚ register_dashboard_auth_providerÚinfo)Úctxrõ   Úoidc_cfgr3   r4   r2   rÙ   rŒ   s           r   Úregisterr  ¤  s¢  € ð Ðå.Ñ0Ô0€MÝ Ñ.Ô.€HåØ&¨¯ª°XÑ(>Ô(>ñô €Fõ !Ø)¨8¯<ª<¸Ñ+DÔ+Dñô €Iõ 	Ð7¸¿ºÀhÑ9OÔ9OÑPÔPð 	Ýð ð
 ð ˜ð øõ F‰|Œ|ˆ|ˆ|T )™_œ_˜_˜_ð.ð 	õ 	ŠÐ5Õ7GÑHÔHÐHØˆð	Ý)Ø Y°vð
ñ 
ô 
ˆˆøõ Ð&ð ð ð à@¸3Ð@Ð@ð 	õ 	ŠÐ7Õ9IÑJÔJÐJØˆˆˆˆˆøøøøðøøøð ×(Ò(¨Ñ2Ô2Ð2Ý
‡K‚Kð	/àØØñô ð ð ð s   ÃC- Ã-D.Ã>%D)Ä)D.)r   r   r   r   )r"   r   r#   r   r   r   )r   rä   )rõ   rä   r   rä   )rù   r   rú   r   r   r   )r   r5   )*ré   Ú
__future__r   r   r\   Úloggingrü   rZ   rA   r¢   Úurllib.parser)   Útypingr   r   r   r…   Úhermes_cli.dashboard_authr   r   r	   r
   r   r   Ú	getLoggerræ   r‰   r=   rÄ   rª   r‡   r£   r±   r   Ú__annotations__r    r/   r1   rô   rø   rÿ   r  rê   r!   r   ú<module>r     sú  ðð>ð >ð >ð@ #Ð "Ð "Ð "Ð "Ð "à €€€Ø €€€Ø €€€Ø 	€	€	€	Ø €€€Ø Ð Ð Ð Ø €€€Ø Ð Ð Ð Ø &Ð &Ð &Ð &Ð &Ð &Ð &Ð &Ð &Ð &à €€€ðð ð ð ð ð ð ð ð ð ð ð ð ð ð ð ð 
ˆÔ	˜8Ñ	$Ô	$€ð )€ð PÐ ð Ð Ø"Ð ð
  Ð ð Ð ð Ð Ð Ð Ð Ñ ð?ð ?ð ?ð ?ð
ð ð ð ð6O6ð O6ð O6ð O6ð O6Ð2ñ O6ô O6ð O6ðn8ð 8ð 8ð 8ð,0ð 0ð 0ð 0ð(ð (ð (ð (ð<ð <ð <ð <ð <ð <r!   