6j"dZddlmZddlZddlZddlZddlZddlm Z ej e Z dZ dZde fde ffZhd Zhd Zd&d'dZd(dZd)dZed fd*dZd+d,d!Zd+d,d"Zd-d#Zd.d$Zd+d,d%ZdS)/a{Safe server-side probe for the official Hermes Agent dashboard. The official `hermes dashboard` binds to 127.0.0.1:9119 by default and exposes GET /api/status as a public, read-only identity/status endpoint. Keep all probing server-side to avoid browser CORS/mixed-content failures, and only allow loopback targets so a user-controlled setting cannot become an SSRF primitive. ) annotationsN)urlparsei#g? 127.0.0.1 localhost>autoneveralways>::1rrhttphoststrportintschemereturncXd|vr|dsd|dn|}|d|d|S)N:[]z://) startswith)r rr display_hosts )/root/hermes-webui/api/dashboard_probe.py _base_urlrsH"%++dooc6J6J+;t;;;;PTL . . . . . ..raw_url str | None tuple[str, int, str, str] | Nonect|pd}|sdSt|}|jdvrt d|js|jrt d|jpd}|}|tvrt d |j }n"#t$r}t d|d}~wwxYwt|trd|cxkrd ksnt d|j pd}|d vs|js|js|jrt d t#|||j}|||j|fS) a]Return (host, port, scheme, base_url) for a safe loopback dashboard URL. Overrides intentionally accept only scheme + loopback host + explicit port. Paths, query strings, fragments, and credentials are rejected: the probe appends the official `/api/status` fingerprint itself and must not become an arbitrary local URL fetcher. N>r httpszinvalid dashboard URL schemez!invalid dashboard URL credentialszinvalid dashboard URL hostzinvalid dashboard URL port)r/zinvalid dashboard URL path)r striprr ValueErrorusernamepasswordhostnamelower_LOOPBACK_HOSTSr isinstancerpathparamsqueryfragmentr) rrawparsedr normalized_hostrexcr,bases rnormalize_dashboard_urlr5s gm   " " $ $C t c]]F }---7888 >&/><=== ? bDjjll((**Oo--5666@{ @@@566C?@ dC 7d););););e););););5666 ; "D 9 5666 _dFM : :D D&- 55s4B<< CCCpayloadobjectboolcttsdSd}t|tr|sdSt fddDS)NFversionc3 K|]}|vV dSN).0keyr6s r z1_looks_like_official_dashboard..Js'kk#sg~kkkkkkr) release_date hermes_home config_pathgateway_running)r+dictgetr r$any)r6r:s` r_looks_like_official_dashboardrH@sw gt $ $ukk)$$G gs # #7==??u kkkk)jkkk k kkrtimeoutfloatrEc t|pd}|tvrt dt |}d|cxkrdksnt d|dvrt dt |||}tj |dd d d  }tj || 5}t|dddkrddicdddStj |d}dddn #1swxYwYt!|sddiSd|||d} |d} t%| tr+| r| | d<| S#t&$r#t(ddddicYSwxYw)zBBest-effort check that `hermes dashboard` is running on host:port.rz%dashboard probe host must be loopbackr!r"z!dashboard probe port out of range>r r z,dashboard probe scheme must be http or httpsz /api/statuszapplication/jsonzhermes-webui-dashboard-probe)Acceptz User-Agent)headers)rIstatusNrunningFzutf-8T)rPr rurlr:z&official Hermes dashboard probe failed)exc_info)r r$r)r*r%rrurllibrequestRequesturlopengetattrjsonloadsreaddecoderHrFr+ Exceptionloggerdebug) r rrIrr2r4rTresponser6resultr:s rprobe_official_dashboardraMs"djb////117799 / 1 1DEE E4yyT""""U""""@AA A * * *KLL L$77.(( 1A_``)  ^ # #GW # = = Bx400C77!5) B B B B B B B Bj!7!7!@!@AAG B B B B B B B B B B B B B B B.g66 &u% %!?DQUVV++i(( gs # # 0  0 ' F9  """ = MMM5!!!!"sIC&G(E G9E GEGEG1AG*G<;G< config_data dict | Nonec4|$ ddlm}|}n#t$ri}YnwxYwt|tr|dini}t|tr|dini}t|tr|niS)Nr) get_configwebui dashboard) api.configrer\r+rErF)rbre webui_cfg dashboard_cfgs r_dashboard_configrkrs  - - - - - -$*,,KK   KKK 0:;0M0MU ,,,SUI6@D6Q6QYIMM+r222WYM&}d;; C==Cs  $$cjt|}t|ddpd}|t vrd}t|dpd}|rt |\}}}}||dS)uFReturn normalized profile config for the Settings → System controls.enabledrrQrrmrQ)rkr rFr$r)_DASHBOARD_ENABLED_VALUESr5)rbrjrmr_host_port_schemes rget_dashboard_configrss%k22M-##Iv66@&AAGGIIOOQQG///-##E**0b117799GJ)@)I)I&ugww / //rc0t|piddpd}|tvrt dt|piddpd}d}|rt |\}}}}ddlm}| }| |} | d} t| tsi} | | d<| d } t| tsi} | | d <|| d<|r|| d<n| dd ||| |||d S) zEPersist dashboard link settings under webui.dashboard in config.yaml.rmrzinvalid dashboard enabled moderQrr)configrfrgNrn)r rFr$r)ror%r5apiru_get_config_path_load_yaml_config_filer+rEpop_save_yaml_config_file reload_config) r6rmrnormalized_urlrprqrr webui_configrCrb webui_sectiondashboard_sections rsave_dashboard_configrs7=b%%i88BFCCIIKKQQSSG///9:::7=b%%eR006B77==??GNQ0G0P0P-ug~******//11K55kBBKOOG,,M mT * *- , G%))+66 ' . .7%6 k"#*i +#1%  eT***'' [AAA   ~ 6 66rc ttjdpd}|dddd}|tvS)NHERMES_WEBUI_HOSTrrrr)r osenvironrFr$r)replacer*)raw_hostr s r"_webui_bind_host_allows_auto_probersk2:>>"566E+FFLLNNTTVVH   C $ $ , ,S" 5 5D ? ""rct|}t|ddpd}|t vrd}|dkrdddS|dp|dpd} t |}n#t$r d|d d cYSwxYw|r|g}nd tD}|d kr|d \}}}} d|||| dStsd|dS|D]=\}}}} t||t|} | dr || d<| cS>d|dS)zEReturn the safe status payload consumed by GET /api/dashboard/status.rmrrF)rPrmrQtargetrzinvalid dashboard url)rPrmerrorc <g|]\}}||dt||fSr )r)r>r rs r z(get_dashboard_status..s/kkk:4D$ $(=(=>kkkrr rT)rPrmr rrQ)rIrrP) rkr rFr$r)ror5r%DEFAULT_DASHBOARD_TARGETSrraDEFAULT_DASHBOARD_TIMEOUT) rbrjrmroverridetargetsr rrr4_baser`s rget_dashboard_statusrs%k22M-##Iv66@&AAGGIIOOQQG///' W555&&K-*;*;H*E*EKGX*733 XXX W?VWWWWWXl*kkQjkkk(#*1: dFDGT4X\]]] - / /6 W555%,!dFE)$>W`fggg ::i   'F9 MMM  1 11sB,,B?>B?r)r r rrrr rr )rrrr)r6r7rr8) r r rrrIrJrr rrEr<)rbrcrrE)r6rErrE)rr8)__doc__ __future__rrXloggingrurllib.requestrS urllib.parser getLogger__name__r]DEFAULT_DASHBOARD_PORTrrror*rr5rHrarkrsrrrr=rrrs#"""""  !!!!!!  8 $ $)+AB[RhDij777333///// 6666B l l l l / """"""""""J D D D D D 0 0 0 0 07777@#### !2!2!2!2!2!2!2r