|+jRUdZddlmZddlZddlZddlZddlmZej e Z e dZ eZded<dd ZddZddZddZddZddZdS)uzHelpers for X-Forwarded-Prefix support. Mission-control style deploys reverse-proxy the dashboard at a path prefix (e.g. ``mission-control.tilos.com/hermes/*`` -> dashboard on :9119), injecting ``X-Forwarded-Prefix: /hermes`` so the backend can reconstruct prefixed URLs (Location: headers, OAuth redirect_uri, cookie Path attributes, SPA asset URLs). This module is also the home of the ``HERMES_DASHBOARD_PUBLIC_URL`` / ``dashboard.public_url`` resolution — when the operator declares a complete public URL (scheme + host + optional path prefix), we use that directly for the OAuth ``redirect_uri`` and skip the X-Forwarded-Prefix reconstruction. Relief valve for deploys where the proxy header chain isn't reliable. The single source of truth for both helpers lives here so the gate middleware, the OAuth routes, the cookie helpers, and the SPA mount all agree on validation rules. ) annotationsN)Optional)"'<>    set_warned_malformed_public_urlssourcestrrawreturnNonec|r|nd}|sdS||f}|tvrdSt|td|||ddpddS)uWarn (once per distinct value) when a non-empty public-url value was rejected by :func:`_normalise_public_url`. A non-empty value that normalises to ``""`` is almost always a missing scheme (``hermes.example.com`` instead of ``https://hermes.example.com``) — the single most common cause of "I set HERMES_DASHBOARD_PUBLIC_URL but the OAuth callback is still http://". Without this warning the value is silently discarded and the dashboard falls back to reconstructing the redirect URI from request headers, which behind a reverse proxy can yield the wrong scheme. Surfacing it turns a silent footgun into a self-diagnosing one. Nu%s is set to %r but was ignored because it is not a valid absolute URL — it must include an http:// or https:// scheme (e.g. https://%s). Falling back to reconstructing the OAuth redirect URI from request headers, which may produce the wrong scheme behind a reverse proxy.z://zhermes.example.com)stripradd_logwarningsplit)rrcleanedkeys ?/usr/local/lib/hermes-agent/hermes_cli/dashboard_auth/prefix.py_warn_if_malformedr*s!(ciikkkbG  7 C +++!%%c***LL )  eR 8$8      Optional[str]c|sdS|sdSdsdzddvs$dvs tfdtDrdSt dkrdSS)aTNormalise an X-Forwarded-Prefix header value. Returns a string like ``"/hermes"`` (no trailing slash) or ``""`` when no prefix is set / the header is malformed. We deliberately reject anything containing ``..`` or non-printable bytes so a hostile proxy can't inject HTML or path-traversal sequences via the prefix. r/z//z..c3 K|]}|vV dSN).0cps r z#normalise_prefix.._s'--!qAv------r @)r startswithrstripany _REJECT_CHARSlen)rr)s @rnormalise_prefixr1Ks r A r <<   !G  A  199 ----}--- - - r 1vv{{r Hr cPt|jdS)zConvenience wrapper that reads the header off a Starlette/FastAPI Request and normalises it. Returns ``""`` when no prefix. zx-forwarded-prefix)r1headersget)requests rprefix_from_requestr6gs# GO//0DEE F FFr c6|sdS|sdStfdtDrdS tj}n#t $rYdSwxYw|jdvrdS|jsdS dS)uNormalise a ``dashboard.public_url`` value. Returns the cleaned URL (scheme://netloc[/path], trailing slash removed) on success, or ``""`` when the value is empty, malformed, or contains characters that suggest header injection. The caller must treat ``""`` as "fall back to request reconstruction" — never as "the user explicitly chose no public URL", because the two are indistinguishable from an empty env var. rc3 K|]}|vV dSr%r&)r'r(urls rr*z(_normalise_public_url..s' + +18 + + + + + +r >httphttpsr#) rr.r/urllibparseurlparse ValueErrorschemenetlocr-)rparsedr9s @r_normalise_public_urlrCss r ))++C r  + + + +] + + +++r&&s++ rr }---r =r ::c??sA!! A/.A/dictc@ ddlm}n#t$ricYSwxYw |}n4#t$r'}td|icYd}~Sd}~wwxYwt |t r|dnd}t |t r|niS)aYReturn the ``dashboard`` block from ``config.yaml`` if it exists and is a dict; otherwise an empty dict. Robust to (a) load_config() raising (malformed YAML, IO error, config.yaml absent), and (b) ``dashboard`` being absent or non-dict. Both shapes fall through to ``{}`` so the caller can rely on ``.get(...)`` access. r) load_configzVdashboard-auth.prefix: load_config() raised %s; falling back to env-only configurationN dashboard)hermes_cli.configrF Exceptionrdebug isinstancerDr4)rFcfgexcsections r_load_dashboard_sectionrOs1111111  kmm   5     '1d&;&;Ecggk"""G $// 777R7s&  ' AA AAc,tjdd}t|}|r|St d|t t dd}t|}|st d||S)uResolve the operator-declared dashboard public URL. Precedence (mirrors ``dashboard.oauth.client_id``): 1. ``HERMES_DASHBOARD_PUBLIC_URL`` env var (when non-empty after strip — empty values are treated as unset so a provisioned-but- not-populated Fly secret can't shadow a valid config.yaml entry). 2. ``dashboard.public_url`` in ``config.yaml``. 3. Empty string — signals "no override, reconstruct from request" to the caller. Each candidate value is run through :func:`_normalise_public_url`. A malformed env var falls through to the config.yaml entry; a malformed config entry falls through to ``""``. This means a typo in one surface doesn't prevent the other from working. HERMES_DASHBOARD_PUBLIC_URLrz#HERMES_DASHBOARD_PUBLIC_URL env var public_urlz#dashboard.public_url in config.yaml)osenvironr4rCrrrO)env_raw env_cleancfg_raw cfg_cleans rresolve_public_urlrYs"jnn:B??G%g..Ircs&#""""" w""  EFF &)SUU****B    8GGGGD88884r