agent/vertex_adapter.py resolved VERTEX_CREDENTIALS_PATH, GOOGLE_APPLICATION_CREDENTIALS, VERTEX_PROJECT_ID, and VERTEX_REGION via raw os.environ.get() instead of the profile-scoped get_secret() every other credential lookup in hermes_cli/runtime_provider.py uses. In a multiplex gateway serving several profiles from one process, os.environ still holds whichever profile's .env python-dotenv loaded at boot — so a raw read here let one profile's turn silently mint a Vertex OAuth2 token from, and get billed against, a different profile's GCP service account. No error, no fail-closed guard: the multiplex UnscopedSecretError protection was bypassed entirely because these reads never went through get_secret(). - _resolve_credentials_path/_resolve_project_override/_resolve_region now call agent.secret_scope.get_secret(), matching the _getenv() pattern already used for every other provider's credentials. - get_vertex_credentials()'s ADC fallback (google.auth.default()) reads GOOGLE_APPLICATION_CREDENTIALS from os.environ internally, bypassing get_secret() entirely — closed with a narrow guard: when multiplexing is active and this profile's scope has no Vertex credentials of its own, but os.environ still carries a value (left by a different profile's boot-time dotenv load), refuse ADC rather than silently authenticate as a stranger. - Zero behavior change for single-profile installs: get_secret() falls through to os.environ transparently whenever multiplexing is off. Same bug class as the already-fixed _HERMES_OAUTH_FILE/_AUTH_JSON_PATH/ HOOKS_DIR cross-profile leaks, now closed for Vertex's OAuth2 credential path.
232 lines
8.7 KiB
Python
232 lines
8.7 KiB
Python
"""Tests for the Vertex AI adapter (agent/vertex_adapter.py).
|
|
|
|
Vertex uses OAuth2 (short-lived access tokens from a service-account JSON or
|
|
ADC), NOT a static API key. These tests mock google-auth entirely — no network
|
|
calls — and cover token minting, the config.yaml→env precedence bridge, the
|
|
global vs regional base-URL shapes, and the ADC→service-account fallback.
|
|
"""
|
|
|
|
from __future__ import annotations
|
|
|
|
import importlib
|
|
import sys
|
|
import types
|
|
|
|
import pytest
|
|
|
|
|
|
def _install_fake_google_auth(monkeypatch, *, adc_ok=True, adc_project="adc-project",
|
|
sa_project="sa-project", token="ya29.FAKE"):
|
|
"""Register a fake google-auth tree in sys.modules and return the module set."""
|
|
ga = types.ModuleType("google.auth")
|
|
gt = types.ModuleType("google.auth.transport")
|
|
gtr = types.ModuleType("google.auth.transport.requests")
|
|
go = types.ModuleType("google.oauth2")
|
|
gsa = types.ModuleType("google.oauth2.service_account")
|
|
gp = types.ModuleType("google")
|
|
|
|
gtr.Request = type("Request", (), {})
|
|
|
|
class _Creds:
|
|
def __init__(self):
|
|
self.token = None
|
|
self.expiry = None
|
|
self.expired = False
|
|
|
|
def refresh(self, req):
|
|
self.token = token
|
|
|
|
def _default(scopes=None):
|
|
if not adc_ok:
|
|
raise RuntimeError("Could not automatically determine credentials")
|
|
return _Creds(), adc_project
|
|
|
|
ga.default = _default
|
|
ga.transport = gt
|
|
gt.requests = gtr
|
|
|
|
class _SA:
|
|
@staticmethod
|
|
def from_service_account_file(path, scopes=None):
|
|
c = _Creds()
|
|
c.project_id = sa_project
|
|
return c
|
|
|
|
gsa.Credentials = _SA
|
|
go.service_account = gsa
|
|
gp.auth = ga
|
|
gp.oauth2 = go
|
|
|
|
for name, mod in [
|
|
("google", gp), ("google.auth", ga), ("google.auth.transport", gt),
|
|
("google.auth.transport.requests", gtr), ("google.oauth2", go),
|
|
("google.oauth2.service_account", gsa),
|
|
]:
|
|
monkeypatch.setitem(sys.modules, name, mod)
|
|
return gp
|
|
|
|
|
|
@pytest.fixture
|
|
def vertex_adapter(monkeypatch):
|
|
"""Fresh vertex_adapter with a fake google-auth and clean caches/env."""
|
|
for var in ("VERTEX_CREDENTIALS_PATH", "GOOGLE_APPLICATION_CREDENTIALS",
|
|
"VERTEX_PROJECT_ID", "VERTEX_REGION", "GOOGLE_CLOUD_PROJECT"):
|
|
monkeypatch.delenv(var, raising=False)
|
|
_install_fake_google_auth(monkeypatch)
|
|
import agent.vertex_adapter as va
|
|
va = importlib.reload(va)
|
|
va._creds_cache.clear()
|
|
# Neutralize config.yaml by default; individual tests re-patch _vertex_config.
|
|
monkeypatch.setattr(va, "_vertex_config", lambda: {})
|
|
return va
|
|
|
|
|
|
def test_build_base_url_global(vertex_adapter):
|
|
url = vertex_adapter.build_vertex_base_url("proj", "global")
|
|
assert url == (
|
|
"https://aiplatform.googleapis.com/v1beta1/projects/proj/"
|
|
"locations/global/endpoints/openapi"
|
|
)
|
|
|
|
|
|
def test_build_base_url_regional(vertex_adapter):
|
|
url = vertex_adapter.build_vertex_base_url("proj", "us-central1")
|
|
assert url == (
|
|
"https://us-central1-aiplatform.googleapis.com/v1beta1/projects/proj/"
|
|
"locations/us-central1/endpoints/openapi"
|
|
)
|
|
|
|
|
|
def test_get_vertex_config_uses_adc_and_default_region(vertex_adapter):
|
|
token, base = vertex_adapter.get_vertex_config()
|
|
assert token == "ya29.FAKE"
|
|
assert base == (
|
|
"https://aiplatform.googleapis.com/v1beta1/projects/adc-project/"
|
|
"locations/global/endpoints/openapi"
|
|
)
|
|
|
|
|
|
def test_config_yaml_supplies_project_and_region(vertex_adapter, monkeypatch):
|
|
monkeypatch.setattr(
|
|
vertex_adapter, "_vertex_config",
|
|
lambda: {"project_id": "cfg-project", "region": "europe-west4"},
|
|
)
|
|
token, base = vertex_adapter.get_vertex_config()
|
|
assert token == "ya29.FAKE"
|
|
assert "projects/cfg-project" in base
|
|
assert "europe-west4-aiplatform.googleapis.com" in base
|
|
assert "locations/europe-west4" in base
|
|
|
|
|
|
def test_env_overrides_config_yaml(vertex_adapter, monkeypatch):
|
|
monkeypatch.setattr(
|
|
vertex_adapter, "_vertex_config",
|
|
lambda: {"project_id": "cfg-project", "region": "cfg-region"},
|
|
)
|
|
monkeypatch.setenv("VERTEX_PROJECT_ID", "env-project")
|
|
monkeypatch.setenv("VERTEX_REGION", "us-east4")
|
|
assert vertex_adapter._resolve_project_override() == "env-project"
|
|
assert vertex_adapter._resolve_region() == "us-east4"
|
|
|
|
|
|
def test_has_vertex_credentials_via_config_project(vertex_adapter, monkeypatch):
|
|
monkeypatch.setattr(vertex_adapter, "_vertex_config", lambda: {"project_id": "p"})
|
|
assert vertex_adapter.has_vertex_credentials() is True
|
|
|
|
|
|
def test_has_vertex_credentials_false_when_nothing_set(vertex_adapter):
|
|
assert vertex_adapter.has_vertex_credentials() is False
|
|
|
|
|
|
def test_missing_google_auth_returns_none(monkeypatch):
|
|
for var in ("VERTEX_CREDENTIALS_PATH", "GOOGLE_APPLICATION_CREDENTIALS",
|
|
"VERTEX_PROJECT_ID", "VERTEX_REGION"):
|
|
monkeypatch.delenv(var, raising=False)
|
|
import agent.vertex_adapter as va
|
|
va = importlib.reload(va)
|
|
monkeypatch.setattr(va, "google", None)
|
|
va._creds_cache.clear()
|
|
assert va.get_vertex_credentials() == (None, None)
|
|
|
|
|
|
def test_multiplex_scope_takes_precedence_over_raw_environ(vertex_adapter, monkeypatch):
|
|
"""In a multiplex gateway, a profile's own secret scope must win over a
|
|
stale value in process os.environ left behind by another profile's
|
|
dotenv load at boot — otherwise Profile B's turn could resolve Profile
|
|
A's Vertex project (or worse, its credentials file path)."""
|
|
from agent import secret_scope
|
|
|
|
monkeypatch.setenv("VERTEX_PROJECT_ID", "other-profile-project")
|
|
|
|
secret_scope.set_multiplex_active(True)
|
|
token = secret_scope.set_secret_scope({"VERTEX_PROJECT_ID": "this-profile-project"})
|
|
try:
|
|
assert vertex_adapter._resolve_project_override() == "this-profile-project"
|
|
finally:
|
|
secret_scope.reset_secret_scope(token)
|
|
secret_scope.set_multiplex_active(False)
|
|
|
|
|
|
def test_multiplex_unscoped_read_fails_closed(vertex_adapter, monkeypatch):
|
|
"""A credential read with no profile scope installed while multiplexing
|
|
is active must raise rather than silently fall back to (possibly another
|
|
profile's) raw os.environ value."""
|
|
from agent import secret_scope
|
|
|
|
monkeypatch.setenv("VERTEX_PROJECT_ID", "leaked-project")
|
|
secret_scope.set_multiplex_active(True)
|
|
try:
|
|
with pytest.raises(secret_scope.UnscopedSecretError):
|
|
vertex_adapter._resolve_project_override()
|
|
finally:
|
|
secret_scope.set_multiplex_active(False)
|
|
|
|
|
|
def test_adc_refuses_foreign_profile_google_application_credentials(
|
|
vertex_adapter, monkeypatch, tmp_path
|
|
):
|
|
"""When this profile's scope defines no Vertex credentials, but os.environ
|
|
still carries a *different* profile's GOOGLE_APPLICATION_CREDENTIALS (left
|
|
there by python-dotenv at gateway boot), ADC must not silently mint a
|
|
token under that foreign service account."""
|
|
from agent import secret_scope
|
|
|
|
sa_file = tmp_path / "other_profile_sa.json"
|
|
sa_file.write_text('{"project_id": "other-profile"}')
|
|
monkeypatch.setenv("GOOGLE_APPLICATION_CREDENTIALS", str(sa_file))
|
|
|
|
secret_scope.set_multiplex_active(True)
|
|
token = secret_scope.set_secret_scope({}) # this profile defines nothing
|
|
try:
|
|
assert vertex_adapter.get_vertex_credentials() == (None, None)
|
|
finally:
|
|
secret_scope.reset_secret_scope(token)
|
|
secret_scope.set_multiplex_active(False)
|
|
|
|
|
|
def test_adc_still_works_when_not_multiplexed(vertex_adapter):
|
|
"""Single-profile (non-gateway) installs must see zero behavior change:
|
|
ADC still resolves normally when multiplexing is off, scope or not."""
|
|
token, base = vertex_adapter.get_vertex_config()
|
|
assert token == "ya29.FAKE"
|
|
assert "adc-project" in base
|
|
|
|
|
|
def test_adc_failure_falls_back_to_service_account(monkeypatch, tmp_path):
|
|
"""When ADC refresh fails but a service-account JSON exists, use the SA."""
|
|
for var in ("VERTEX_PROJECT_ID", "VERTEX_REGION", "GOOGLE_CLOUD_PROJECT"):
|
|
monkeypatch.delenv(var, raising=False)
|
|
sa_file = tmp_path / "sa.json"
|
|
sa_file.write_text('{"project_id": "sa-project"}')
|
|
monkeypatch.setenv("GOOGLE_APPLICATION_CREDENTIALS", str(sa_file))
|
|
monkeypatch.delenv("VERTEX_CREDENTIALS_PATH", raising=False)
|
|
_install_fake_google_auth(monkeypatch, adc_ok=False)
|
|
import agent.vertex_adapter as va
|
|
va = importlib.reload(va)
|
|
va._creds_cache.clear()
|
|
monkeypatch.setattr(va, "_vertex_config", lambda: {})
|
|
# A resolvable SA path means the primary cache key is the file (not __adc__),
|
|
# so this exercises the direct-SA path.
|
|
token, project = va.get_vertex_credentials()
|
|
assert token == "ya29.FAKE"
|
|
assert project == "sa-project"
|