From f3026583d70a5c299477cb994fcd7d689baaba75 Mon Sep 17 00:00:00 2001 From: Tim O'Farrell Date: Tue, 3 Mar 2026 06:35:19 -0700 Subject: [PATCH 01/67] Refactor enterprise code to use async database sessions (Round 3) (#13148) Co-authored-by: openhands --- AGENTS.md | 2 +- .../openhands-enterprise-telemetry-design.md | 165 ++++++++------ enterprise/downgrade_migrated_users.py | 207 ------------------ enterprise/saas_server.py | 4 - .../server/clustered_conversation_manager.py | 12 +- enterprise/server/routes/debugging.py | 163 -------------- enterprise/server/routes/integration/slack.py | 13 +- .../saas_nested_conversation_manager.py | 81 +++---- .../test_clustered_conversation_manager.py | 28 ++- 9 files changed, 167 insertions(+), 508 deletions(-) delete mode 100644 enterprise/downgrade_migrated_users.py delete mode 100644 enterprise/server/routes/debugging.py diff --git a/AGENTS.md b/AGENTS.md index 425ca5a1a6..878a26e884 100644 --- a/AGENTS.md +++ b/AGENTS.md @@ -165,7 +165,7 @@ Each integration follows a consistent pattern with service classes, storage mode **Import Patterns:** - Use relative imports without `enterprise.` prefix in enterprise code -- Example: `from storage.database import session_maker` not `from enterprise.storage.database import session_maker` +- Example: `from storage.database import a_session_maker` not `from enterprise.storage.database import a_session_maker` - This ensures code works in both OpenHands and enterprise contexts **Test Structure:** diff --git a/enterprise/doc/design-doc/openhands-enterprise-telemetry-design.md b/enterprise/doc/design-doc/openhands-enterprise-telemetry-design.md index 4fc9f72c00..5ed22d782b 100644 --- a/enterprise/doc/design-doc/openhands-enterprise-telemetry-design.md +++ b/enterprise/doc/design-doc/openhands-enterprise-telemetry-design.md @@ -200,7 +200,7 @@ class MetricsCollector(ABC): """Base class for metrics collectors.""" @abstractmethod - def collect(self) -> List[MetricResult]: + async def collect(self) -> List[MetricResult]: """Collect metrics and return results.""" pass @@ -264,12 +264,13 @@ class SystemMetricsCollector(MetricsCollector): def collector_name(self) -> str: return "system_metrics" - def collect(self) -> List[MetricResult]: + async def collect(self) -> List[MetricResult]: results = [] # Collect user count - with session_maker() as session: - user_count = session.query(UserSettings).count() + async with a_session_maker() as session: + user_count_result = await session.execute(select(func.count()).select_from(UserSettings)) + user_count = user_count_result.scalar() results.append(MetricResult( key="total_users", value=user_count @@ -277,9 +278,11 @@ class SystemMetricsCollector(MetricsCollector): # Collect conversation count (last 30 days) thirty_days_ago = datetime.now(timezone.utc) - timedelta(days=30) - conversation_count = session.query(StoredConversationMetadata)\ - .filter(StoredConversationMetadata.created_at >= thirty_days_ago)\ - .count() + conversation_count_result = await session.execute( + select(func.count()).select_from(StoredConversationMetadata) + .where(StoredConversationMetadata.created_at >= thirty_days_ago) + ) + conversation_count = conversation_count_result.scalar() results.append(MetricResult( key="conversations_30d", @@ -303,7 +306,7 @@ class TelemetryCollectionProcessor(MaintenanceTaskProcessor): """Collect metrics from all registered collectors.""" # Check if collection is needed - if not self._should_collect(): + if not await self._should_collect(): return {"status": "skipped", "reason": "too_recent"} # Collect metrics from all registered collectors @@ -313,7 +316,7 @@ class TelemetryCollectionProcessor(MaintenanceTaskProcessor): for collector in collector_registry.get_all_collectors(): try: if collector.should_collect(): - results = collector.collect() + results = await collector.collect() for result in results: all_metrics[result.key] = result.value collector_results[collector.collector_name] = len(results) @@ -322,13 +325,13 @@ class TelemetryCollectionProcessor(MaintenanceTaskProcessor): collector_results[collector.collector_name] = f"error: {e}" # Store metrics in database - with session_maker() as session: + async with a_session_maker() as session: telemetry_record = TelemetryMetrics( metrics_data=all_metrics, collected_at=datetime.now(timezone.utc) ) session.add(telemetry_record) - session.commit() + await session.commit() # Note: No need to track last_collection_at separately # Can be derived from MAX(collected_at) in telemetry_metrics @@ -339,11 +342,12 @@ class TelemetryCollectionProcessor(MaintenanceTaskProcessor): "collectors_run": collector_results } - def _should_collect(self) -> bool: + async def _should_collect(self) -> bool: """Check if collection is needed based on interval.""" - with session_maker() as session: + async with a_session_maker() as session: # Get last collection time from metrics table - last_collected = session.query(func.max(TelemetryMetrics.collected_at)).scalar() + result = await session.execute(select(func.max(TelemetryMetrics.collected_at))) + last_collected = result.scalar() if not last_collected: return True @@ -366,17 +370,19 @@ class TelemetryUploadProcessor(MaintenanceTaskProcessor): """Upload pending metrics to Replicated.""" # Get pending metrics - with session_maker() as session: - pending_metrics = session.query(TelemetryMetrics)\ - .filter(TelemetryMetrics.uploaded_at.is_(None))\ - .order_by(TelemetryMetrics.collected_at)\ - .all() + async with a_session_maker() as session: + result = await session.execute( + select(TelemetryMetrics) + .where(TelemetryMetrics.uploaded_at.is_(None)) + .order_by(TelemetryMetrics.collected_at) + ) + pending_metrics = result.scalars().all() if not pending_metrics: return {"status": "no_pending_metrics"} # Get admin email - skip if not available - admin_email = self._get_admin_email() + admin_email = await self._get_admin_email() if not admin_email: logger.info("Skipping telemetry upload - no admin email available") return { @@ -413,13 +419,15 @@ class TelemetryUploadProcessor(MaintenanceTaskProcessor): await instance.set_status(InstanceStatus.RUNNING) # Mark as uploaded - with session_maker() as session: - record = session.query(TelemetryMetrics)\ - .filter(TelemetryMetrics.id == metric_record.id)\ - .first() + async with a_session_maker() as session: + result = await session.execute( + select(TelemetryMetrics) + .where(TelemetryMetrics.id == metric_record.id) + ) + record = result.scalar_one_or_none() if record: record.uploaded_at = datetime.now(timezone.utc) - session.commit() + await session.commit() uploaded_count += 1 @@ -427,14 +435,16 @@ class TelemetryUploadProcessor(MaintenanceTaskProcessor): logger.error(f"Failed to upload metrics {metric_record.id}: {e}") # Update error info - with session_maker() as session: - record = session.query(TelemetryMetrics)\ - .filter(TelemetryMetrics.id == metric_record.id)\ - .first() + async with a_session_maker() as session: + result = await session.execute( + select(TelemetryMetrics) + .where(TelemetryMetrics.id == metric_record.id) + ) + record = result.scalar_one_or_none() if record: record.upload_attempts += 1 record.last_upload_error = str(e) - session.commit() + await session.commit() failed_count += 1 @@ -448,7 +458,7 @@ class TelemetryUploadProcessor(MaintenanceTaskProcessor): "total_processed": len(pending_metrics) } - def _get_admin_email(self) -> str | None: + async def _get_admin_email(self) -> str | None: """Get administrator email for customer identification.""" # 1. Check environment variable first env_admin_email = os.getenv('OPENHANDS_ADMIN_EMAIL') @@ -457,12 +467,15 @@ class TelemetryUploadProcessor(MaintenanceTaskProcessor): return env_admin_email # 2. Use first active user's email (earliest accepted_tos) - with session_maker() as session: - first_user = session.query(UserSettings)\ - .filter(UserSettings.email.isnot(None))\ - .filter(UserSettings.accepted_tos.isnot(None))\ - .order_by(UserSettings.accepted_tos.asc())\ - .first() + async with a_session_maker() as session: + result = await session.execute( + select(UserSettings) + .where(UserSettings.email.isnot(None)) + .where(UserSettings.accepted_tos.isnot(None)) + .order_by(UserSettings.accepted_tos.asc()) + .limit(1) + ) + first_user = result.scalar_one_or_none() if first_user and first_user.email: logger.info(f"Using first active user email: {first_user.email}") @@ -474,15 +487,16 @@ class TelemetryUploadProcessor(MaintenanceTaskProcessor): async def _update_telemetry_identity(self, customer_id: str, instance_id: str) -> None: """Update or create telemetry identity record.""" - with session_maker() as session: - identity = session.query(TelemetryIdentity).first() + async with a_session_maker() as session: + result = await session.execute(select(TelemetryIdentity).limit(1)) + identity = result.scalar_one_or_none() if not identity: identity = TelemetryIdentity() session.add(identity) identity.customer_id = customer_id identity.instance_id = instance_id - session.commit() + await session.commit() ``` ### 4.4 License Warning System @@ -503,11 +517,13 @@ async def get_license_status(): if not _is_openhands_enterprise(): return {"warn": False, "message": ""} - with session_maker() as session: + async with a_session_maker() as session: # Get last successful upload time from metrics table - last_upload = session.query(func.max(TelemetryMetrics.uploaded_at))\ - .filter(TelemetryMetrics.uploaded_at.isnot(None))\ - .scalar() + result = await session.execute( + select(func.max(TelemetryMetrics.uploaded_at)) + .where(TelemetryMetrics.uploaded_at.isnot(None)) + ) + last_upload = result.scalar() if not last_upload: # No successful uploads yet - show warning after 4 days @@ -521,10 +537,13 @@ async def get_license_status(): if days_since_upload > 4: # Find oldest unsent batch - oldest_unsent = session.query(TelemetryMetrics)\ - .filter(TelemetryMetrics.uploaded_at.is_(None))\ - .order_by(TelemetryMetrics.collected_at)\ - .first() + result = await session.execute( + select(TelemetryMetrics) + .where(TelemetryMetrics.uploaded_at.is_(None)) + .order_by(TelemetryMetrics.collected_at) + .limit(1) + ) + oldest_unsent = result.scalar_one_or_none() if oldest_unsent: # Calculate expiration date (oldest unsent + 34 days) @@ -630,19 +649,23 @@ spec: - python - -c - | + import asyncio from enterprise.storage.maintenance_task import MaintenanceTask, MaintenanceTaskStatus - from enterprise.storage.database import session_maker + from enterprise.storage.database import a_session_maker from enterprise.server.telemetry.collection_processor import TelemetryCollectionProcessor - # Create collection task - processor = TelemetryCollectionProcessor() - task = MaintenanceTask() - task.set_processor(processor) - task.status = MaintenanceTaskStatus.PENDING + async def main(): + # Create collection task + processor = TelemetryCollectionProcessor() + task = MaintenanceTask() + task.set_processor(processor) + task.status = MaintenanceTaskStatus.PENDING - with session_maker() as session: - session.add(task) - session.commit() + async with a_session_maker() as session: + session.add(task) + await session.commit() + + asyncio.run(main()) restartPolicy: OnFailure ``` @@ -680,23 +703,27 @@ spec: - python - -c - | + import asyncio from enterprise.storage.maintenance_task import MaintenanceTask, MaintenanceTaskStatus - from enterprise.storage.database import session_maker + from enterprise.storage.database import a_session_maker from enterprise.server.telemetry.upload_processor import TelemetryUploadProcessor import os - # Create upload task - processor = TelemetryUploadProcessor( - replicated_publishable_key=os.getenv('REPLICATED_PUBLISHABLE_KEY'), - replicated_app_slug=os.getenv('REPLICATED_APP_SLUG', 'openhands-enterprise') - ) - task = MaintenanceTask() - task.set_processor(processor) - task.status = MaintenanceTaskStatus.PENDING + async def main(): + # Create upload task + processor = TelemetryUploadProcessor( + replicated_publishable_key=os.getenv('REPLICATED_PUBLISHABLE_KEY'), + replicated_app_slug=os.getenv('REPLICATED_APP_SLUG', 'openhands-enterprise') + ) + task = MaintenanceTask() + task.set_processor(processor) + task.status = MaintenanceTaskStatus.PENDING - with session_maker() as session: - session.add(task) - session.commit() + async with a_session_maker() as session: + session.add(task) + await session.commit() + + asyncio.run(main()) restartPolicy: OnFailure ``` diff --git a/enterprise/downgrade_migrated_users.py b/enterprise/downgrade_migrated_users.py deleted file mode 100644 index a9798476bc..0000000000 --- a/enterprise/downgrade_migrated_users.py +++ /dev/null @@ -1,207 +0,0 @@ -#!/usr/bin/env python -""" -This script can be removed once orgs is established - probably after Feb 15 2026 - -Downgrade script for migrated users. - -This script identifies users who have been migrated (already_migrated=True) -and reverts them back to the pre-migration state. - -Usage: - # Dry run - just list the users that would be downgraded - python downgrade_migrated_users.py --dry-run - - # Downgrade a specific user by their keycloak_user_id - python downgrade_migrated_users.py --user-id - - # Downgrade all migrated users (with confirmation) - python downgrade_migrated_users.py --all - - # Downgrade all migrated users without confirmation (dangerous!) - python downgrade_migrated_users.py --all --no-confirm -""" - -import argparse -import asyncio -import sys - -# Add the enterprise directory to the path -sys.path.insert(0, '/workspace/project/OpenHands/enterprise') - -from server.logger import logger -from sqlalchemy import select, text -from storage.database import session_maker -from storage.user_settings import UserSettings -from storage.user_store import UserStore - - -def get_migrated_users() -> list[str]: - """Get list of keycloak_user_ids for users who have been migrated. - - This includes: - 1. Users with already_migrated=True in user_settings (migrated users) - 2. Users in the 'user' table who don't have a user_settings entry (new sign-ups) - """ - with session_maker() as session: - # Get users from user_settings with already_migrated=True - migrated_result = session.execute( - select(UserSettings.keycloak_user_id).where( - UserSettings.already_migrated.is_(True) - ) - ) - migrated_users = {row[0] for row in migrated_result.fetchall() if row[0]} - - # Get users from the 'user' table (new sign-ups won't have user_settings) - # These are users who signed up after the migration was deployed - new_signup_result = session.execute( - text(""" - SELECT CAST(u.id AS VARCHAR) - FROM "user" u - WHERE NOT EXISTS ( - SELECT 1 FROM user_settings us - WHERE us.keycloak_user_id = CAST(u.id AS VARCHAR) - ) - """) - ) - new_signups = {row[0] for row in new_signup_result.fetchall() if row[0]} - - # Combine both sets - all_users = migrated_users | new_signups - return list(all_users) - - -async def downgrade_user(user_id: str) -> bool: - """Downgrade a single user. - - Args: - user_id: The keycloak_user_id to downgrade - - Returns: - True if successful, False otherwise - """ - try: - result = await UserStore.downgrade_user(user_id) - if result: - print(f'✓ Successfully downgraded user: {user_id}') - return True - else: - print(f'✗ Failed to downgrade user: {user_id}') - return False - except Exception as e: - print(f'✗ Error downgrading user {user_id}: {e}') - logger.exception( - 'downgrade_script:error', - extra={'user_id': user_id, 'error': str(e)}, - ) - return False - - -async def main(): - parser = argparse.ArgumentParser( - description='Downgrade migrated users back to pre-migration state' - ) - parser.add_argument( - '--dry-run', - action='store_true', - help='Just list users that would be downgraded, without making changes', - ) - parser.add_argument( - '--user-id', - type=str, - help='Downgrade a specific user by keycloak_user_id', - ) - parser.add_argument( - '--all', - action='store_true', - help='Downgrade all migrated users', - ) - parser.add_argument( - '--no-confirm', - action='store_true', - help='Skip confirmation prompt (use with caution!)', - ) - - args = parser.parse_args() - - # Get list of migrated users - migrated_users = get_migrated_users() - print(f'\nFound {len(migrated_users)} migrated user(s).') - - if args.dry_run: - print('\n--- DRY RUN MODE ---') - print('The following users would be downgraded:') - for user_id in migrated_users: - print(f' - {user_id}') - print('\nNo changes were made.') - return - - if args.user_id: - # Downgrade a specific user - if args.user_id not in migrated_users: - print(f'\nUser {args.user_id} is not in the migrated users list.') - print('Either the user was not migrated, or the user_id is incorrect.') - return - - print(f'\nDowngrading user: {args.user_id}') - if not args.no_confirm: - confirm = input('Are you sure? (yes/no): ') - if confirm.lower() != 'yes': - print('Cancelled.') - return - - success = await downgrade_user(args.user_id) - if success: - print('\nDowngrade completed successfully.') - else: - print('\nDowngrade failed. Check logs for details.') - sys.exit(1) - - elif args.all: - # Downgrade all migrated users - if not migrated_users: - print('\nNo migrated users to downgrade.') - return - - print(f'\n⚠️ About to downgrade {len(migrated_users)} user(s).') - if not args.no_confirm: - print('\nThis will:') - print(' - Revert LiteLLM team/user budget settings') - print(' - Delete organization entries') - print(' - Delete user entries in the new schema') - print(' - Reset the already_migrated flag') - print('\nUsers to downgrade:') - for user_id in migrated_users[:10]: # Show first 10 - print(f' - {user_id}') - if len(migrated_users) > 10: - print(f' ... and {len(migrated_users) - 10} more') - - confirm = input('\nType "yes" to proceed: ') - if confirm.lower() != 'yes': - print('Cancelled.') - return - - print('\nStarting downgrade...\n') - success_count = 0 - fail_count = 0 - - for user_id in migrated_users: - success = await downgrade_user(user_id) - if success: - success_count += 1 - else: - fail_count += 1 - - print('\n--- Summary ---') - print(f'Successful: {success_count}') - print(f'Failed: {fail_count}') - - if fail_count > 0: - sys.exit(1) - - else: - parser.print_help() - print('\nPlease specify --dry-run, --user-id, or --all') - - -if __name__ == '__main__': - asyncio.run(main()) diff --git a/enterprise/saas_server.py b/enterprise/saas_server.py index 4fd2a6b569..106ca93200 100644 --- a/enterprise/saas_server.py +++ b/enterprise/saas_server.py @@ -27,7 +27,6 @@ from server.rate_limit import setup_rate_limit_handler # noqa: E402 from server.routes.api_keys import api_router as api_keys_router # noqa: E402 from server.routes.auth import api_router, oauth_router # noqa: E402 from server.routes.billing import billing_router # noqa: E402 -from server.routes.debugging import add_debugging_routes # noqa: E402 from server.routes.email import api_router as email_router # noqa: E402 from server.routes.event_webhook import event_webhook_router # noqa: E402 from server.routes.feedback import router as feedback_router # noqa: E402 @@ -124,9 +123,6 @@ override_llm_models_dependency(base_app) base_app.include_router(invitation_router) # Add routes for org invitation management base_app.include_router(invitation_accept_router) # Add route for accepting invitations add_github_proxy_routes(base_app) -add_debugging_routes( - base_app -) # Add diagnostic routes for testing and debugging (disabled in production) base_app.include_router(slack_router) if ENABLE_JIRA: base_app.include_router(jira_integration_router) diff --git a/enterprise/server/clustered_conversation_manager.py b/enterprise/server/clustered_conversation_manager.py index 69ac2f3bd6..b8b6e04b63 100644 --- a/enterprise/server/clustered_conversation_manager.py +++ b/enterprise/server/clustered_conversation_manager.py @@ -7,7 +7,8 @@ from uuid import uuid4 import socketio from server.logger import logger from server.utils.conversation_callback_utils import invoke_conversation_callbacks -from storage.database import session_maker +from sqlalchemy import select +from storage.database import a_session_maker from storage.stored_conversation_metadata_saas import StoredConversationMetadataSaas from openhands.core.config import LLMConfig @@ -523,15 +524,14 @@ class ClusteredConversationManager(StandaloneConversationManager): f'local_connection_to_stopped_conversation:{connection_id}:{conversation_id}' ) # Look up the user_id from the database - with session_maker() as session: - conversation_metadata_saas = ( - session.query(StoredConversationMetadataSaas) - .filter( + async with a_session_maker() as session: + result = await session.execute( + select(StoredConversationMetadataSaas).where( StoredConversationMetadataSaas.conversation_id == conversation_id ) - .first() ) + conversation_metadata_saas = result.scalars().first() user_id = ( str(conversation_metadata_saas.user_id) if conversation_metadata_saas diff --git a/enterprise/server/routes/debugging.py b/enterprise/server/routes/debugging.py deleted file mode 100644 index cb49254976..0000000000 --- a/enterprise/server/routes/debugging.py +++ /dev/null @@ -1,163 +0,0 @@ -import asyncio -import os -import time -from threading import Thread - -from fastapi import APIRouter, FastAPI -from sqlalchemy import func, select -from storage.database import a_session_maker, get_engine, session_maker -from storage.user import User - -from openhands.core.logger import openhands_logger as logger -from openhands.utils.async_utils import wait_all - -# Safety flag to prevent chaos routes from being added in production environments -# Only enables these routes in non-production environments -ADD_DEBUGGING_ROUTES = os.environ.get('ADD_DEBUGGING_ROUTES') in ('1', 'true') - - -def add_debugging_routes(api: FastAPI): - """ - # HERE BE DRAGONS! - Chaos scripts for debugging and stress testing the system. - - This module contains endpoints that deliberately stress test and potentially break - the system to help identify weaknesses and bottlenecks. It includes a safety check - to ensure these routes are never deployed to production environments. - - The routes in this module are specifically designed for: - - Testing connection pool behavior under load - - Simulating database connection exhaustion - - Testing async vs sync database access patterns - - Simulating event loop blocking - """ - - if not ADD_DEBUGGING_ROUTES: - return - - chaos_router = APIRouter(prefix='/debugging') - - @chaos_router.get('/pool-stats') - def pool_stats() -> dict[str, int]: - """ - Returns current database connection pool statistics. - - This endpoint provides real-time metrics about the SQLAlchemy connection pool: - - checked_in: Number of connections currently available in the pool - - checked_out: Number of connections currently in use - - overflow: Number of overflow connections created beyond pool_size - """ - engine = get_engine() - return { - 'checked_in': engine.pool.checkedin(), - 'checked_out': engine.pool.checkedout(), - 'overflow': engine.pool.overflow(), - } - - @chaos_router.get('/test-db') - def test_db(num_tests: int = 10, delay: int = 1) -> str: - """ - Stress tests the database connection pool using multiple threads. - - Creates multiple threads that each open a database connection, perform a query, - hold the connection for the specified delay, and then release it. - - Parameters: - num_tests: Number of concurrent database connections to create - delay: Number of seconds each connection is held open - - This test helps identify connection pool exhaustion issues and connection - leaks under concurrent load. - """ - threads = [Thread(target=_db_check, args=(delay,)) for _ in range(num_tests)] - for thread in threads: - thread.start() - for thread in threads: - thread.join() - return 'success' - - @chaos_router.get('/a-test-db') - async def a_chaos_monkey(num_tests: int = 10, delay: int = 1) -> str: - """ - Stress tests the async database connection pool. - - Similar to /test-db but uses async connections and coroutines instead of threads. - This endpoint helps compare the behavior of async vs sync connection pools - under similar load conditions. - - Parameters: - num_tests: Number of concurrent async database connections to create - delay: Number of seconds each connection is held open - """ - await wait_all((_a_db_check(delay) for _ in range(num_tests))) - return 'success' - - @chaos_router.get('/lock-main-runloop') - async def lock_main_runloop(duration: int = 10) -> str: - """ - Deliberately blocks the main asyncio event loop. - - This endpoint uses a synchronous sleep operation in an async function, - which blocks the entire FastAPI server's event loop for the specified duration. - This simulates what happens when CPU-intensive operations or blocking I/O - operations are incorrectly used in async code. - - Parameters: - duration: Number of seconds to block the event loop - - WARNING: This will make the entire server unresponsive for the duration! - """ - time.sleep(duration) - return 'success' - - api.include_router(chaos_router) # Add routes for readiness checks - - -def _db_check(delay: int): - """ - Executes a single request against the database with an artificial delay. - - This helper function: - 1. Opens a database connection from the pool - 2. Executes a simple query to count users - 3. Holds the connection for the specified delay - 4. Logs connection pool statistics - 5. Implicitly returns the connection to the pool when the session closes - - Args: - delay: Number of seconds to hold the database connection - """ - with session_maker() as session: - num_users = session.query(User).count() - time.sleep(delay) - engine = get_engine() - logger.info( - 'check', - extra={ - 'num_users': num_users, - 'checked_in': engine.pool.checkedin(), - 'checked_out': engine.pool.checkedout(), - 'overflow': engine.pool.overflow(), - }, - ) - - -async def _a_db_check(delay: int): - """ - Executes a single async request against the database with an artificial delay. - - This is the async version of _db_check that: - 1. Opens an async database connection from the pool - 2. Executes a simple query to count users using SQLAlchemy's async API - 3. Holds the connection for the specified delay using asyncio.sleep - 4. Logs the results - 5. Implicitly returns the connection to the pool when the async session closes - - Args: - delay: Number of seconds to hold the database connection - """ - async with a_session_maker() as a_session: - stmt = select(func.count(User.id)) - num_users = await a_session.execute(stmt) - await asyncio.sleep(delay) - logger.info(f'a_num_users:{num_users.scalar_one()}') diff --git a/enterprise/server/routes/integration/slack.py b/enterprise/server/routes/integration/slack.py index 3cda0bcb9a..e0d7f53f46 100644 --- a/enterprise/server/routes/integration/slack.py +++ b/enterprise/server/routes/integration/slack.py @@ -31,7 +31,8 @@ from server.logger import logger from slack_sdk.oauth import AuthorizeUrlGenerator from slack_sdk.signature import SignatureVerifier from slack_sdk.web.async_client import AsyncWebClient -from storage.database import session_maker +from sqlalchemy import delete +from storage.database import a_session_maker from storage.slack_team_store import SlackTeamStore from storage.slack_user import SlackUser from storage.user_store import UserStore @@ -239,15 +240,15 @@ async def keycloak_callback( slack_display_name=slack_display_name, ) - with session_maker(expire_on_commit=False) as session: + async with a_session_maker(expire_on_commit=False) as session: # First delete any existing tokens - session.query(SlackUser).filter( - SlackUser.slack_user_id == slack_user_id - ).delete() + await session.execute( + delete(SlackUser).where(SlackUser.slack_user_id == slack_user_id) + ) # Store the token session.add(slack_user) - session.commit() + await session.commit() message = Message(source=SourceType.SLACK, message=payload) diff --git a/enterprise/server/saas_nested_conversation_manager.py b/enterprise/server/saas_nested_conversation_manager.py index d4479da0b2..be5f787b10 100644 --- a/enterprise/server/saas_nested_conversation_manager.py +++ b/enterprise/server/saas_nested_conversation_manager.py @@ -19,9 +19,9 @@ from server.utils.conversation_callback_utils import ( process_event, update_conversation_metadata, ) -from sqlalchemy import orm +from sqlalchemy import select from storage.api_key_store import ApiKeyStore -from storage.database import session_maker +from storage.database import a_session_maker from storage.stored_conversation_metadata import StoredConversationMetadata from storage.stored_conversation_metadata_saas import StoredConversationMetadataSaas @@ -59,7 +59,6 @@ from openhands.storage.locations import ( get_conversation_event_filename, get_conversation_events_dir, ) -from openhands.utils.async_utils import call_sync_from_async from openhands.utils.http_session import httpx_verify_option from openhands.utils.import_utils import get_impl from openhands.utils.shutdown_listener import should_continue @@ -166,8 +165,8 @@ class SaasNestedConversationManager(ConversationManager): } if user_id: - user_conversation_ids = await call_sync_from_async( - self._get_recent_conversation_ids_for_user, user_id + user_conversation_ids = await self._get_recent_conversation_ids_for_user( + user_id ) conversation_ids = conversation_ids.intersection(user_conversation_ids) @@ -643,19 +642,18 @@ class SaasNestedConversationManager(ConversationManager): }, ) - def _get_user_id_from_conversation(self, conversation_id: str) -> str: + async def _get_user_id_from_conversation(self, conversation_id: str) -> str: """ Get user_id from conversation_id. """ - with session_maker() as session: - conversation_metadata_saas = ( - session.query(StoredConversationMetadataSaas) - .filter( + async with a_session_maker() as session: + result = await session.execute( + select(StoredConversationMetadataSaas).where( StoredConversationMetadataSaas.conversation_id == conversation_id ) - .first() ) + conversation_metadata_saas = result.scalars().first() if not conversation_metadata_saas: raise ValueError(f'No conversation found {conversation_id}') @@ -753,8 +751,8 @@ class SaasNestedConversationManager(ConversationManager): user_id_for_convo = user_id if not user_id_for_convo: try: - user_id_for_convo = await call_sync_from_async( - self._get_user_id_from_conversation, conversation_id + user_id_for_convo = await self._get_user_id_from_conversation( + conversation_id ) except Exception: continue @@ -995,23 +993,23 @@ class SaasNestedConversationManager(ConversationManager): } return conversation_ids - def _get_recent_conversation_ids_for_user(self, user_id: str) -> set[str]: - with session_maker() as session: + async def _get_recent_conversation_ids_for_user(self, user_id: str) -> set[str]: + async with a_session_maker() as session: # Only include conversations updated in the past week one_week_ago = datetime.now(UTC) - timedelta(days=7) - query = ( - session.query(StoredConversationMetadata.conversation_id) + result = await session.execute( + select(StoredConversationMetadata.conversation_id) .join( StoredConversationMetadataSaas, StoredConversationMetadata.conversation_id == StoredConversationMetadataSaas.conversation_id, ) - .filter( + .where( StoredConversationMetadataSaas.user_id == user_id, StoredConversationMetadata.last_updated_at >= one_week_ago, ) ) - user_conversation_ids = set(query) + user_conversation_ids = set(result.scalars().all()) return user_conversation_ids async def _get_runtime(self, sid: str) -> dict | None: @@ -1055,14 +1053,13 @@ class SaasNestedConversationManager(ConversationManager): await asyncio.sleep(_POLLING_INTERVAL) agent_loop_infos = await self.get_agent_loop_info() - with session_maker() as session: - for agent_loop_info in agent_loop_infos: - if agent_loop_info.status != ConversationStatus.RUNNING: - continue - try: - await self._poll_agent_loop_events(agent_loop_info, session) - except Exception as e: - logger.exception(f'error_polling_events:{str(e)}') + for agent_loop_info in agent_loop_infos: + if agent_loop_info.status != ConversationStatus.RUNNING: + continue + try: + await self._poll_agent_loop_events(agent_loop_info) + except Exception as e: + logger.exception(f'error_polling_events:{str(e)}') except Exception as e: try: asyncio.get_running_loop() @@ -1071,23 +1068,27 @@ class SaasNestedConversationManager(ConversationManager): # Loop has been shut down, exit gracefully return - async def _poll_agent_loop_events( - self, agent_loop_info: AgentLoopInfo, session: orm.Session - ): + async def _poll_agent_loop_events(self, agent_loop_info: AgentLoopInfo): """This method is typically only run in localhost, where the webhook callbacks from the remote runtime are unavailable""" if agent_loop_info.status != ConversationStatus.RUNNING: return conversation_id = agent_loop_info.conversation_id - conversation_metadata = ( - session.query(StoredConversationMetadata) - .filter(StoredConversationMetadata.conversation_id == conversation_id) - .first() - ) - conversation_metadata_saas = ( - session.query(StoredConversationMetadataSaas) - .filter(StoredConversationMetadataSaas.conversation_id == conversation_id) - .first() - ) + + async with a_session_maker() as session: + result = await session.execute( + select(StoredConversationMetadata).where( + StoredConversationMetadata.conversation_id == conversation_id + ) + ) + conversation_metadata = result.scalars().first() + + result = await session.execute( + select(StoredConversationMetadataSaas).where( + StoredConversationMetadataSaas.conversation_id == conversation_id + ) + ) + conversation_metadata_saas = result.scalars().first() + if conversation_metadata is None or conversation_metadata_saas is None: # Conversation is running in different server return diff --git a/enterprise/tests/unit/test_clustered_conversation_manager.py b/enterprise/tests/unit/test_clustered_conversation_manager.py index fefa29732d..0503d360cf 100644 --- a/enterprise/tests/unit/test_clustered_conversation_manager.py +++ b/enterprise/tests/unit/test_clustered_conversation_manager.py @@ -1,4 +1,5 @@ import asyncio +import contextlib import json import time from dataclasses import dataclass @@ -444,11 +445,19 @@ async def test_disconnect_from_stopped_with_stopped_remote(): # Create a mock SIO with scan results for only remote_session1 sio = get_mock_sio(scan_keys=[b'ohcnv:user1:remote_session1']) - # Mock the database connection to avoid actual database connections - db_mock = MagicMock() - db_session_mock = MagicMock() - db_mock.__enter__.return_value = db_session_mock - session_maker_mock = MagicMock(return_value=db_mock) + # Mock the async database session + mock_user = MagicMock() + mock_user.user_id = 'user1' + + mock_result = MagicMock() + mock_result.scalars.return_value.first.return_value = mock_user + + mock_session = AsyncMock() + mock_session.execute = AsyncMock(return_value=mock_result) + + @contextlib.asynccontextmanager + async def mock_a_session_maker(): + yield mock_session with ( patch( @@ -456,8 +465,8 @@ async def test_disconnect_from_stopped_with_stopped_remote(): AsyncMock(), ), patch( - 'server.clustered_conversation_manager.session_maker', - session_maker_mock, + 'server.clustered_conversation_manager.a_session_maker', + mock_a_session_maker, ), patch('asyncio.create_task', MagicMock()), ): @@ -484,11 +493,6 @@ async def test_disconnect_from_stopped_with_stopped_remote(): MagicMock() ) - # Create a mock for the database query result - mock_user = MagicMock() - mock_user.user_id = 'user1' - db_session_mock.query.return_value.filter.return_value.first.return_value = mock_user - # Mock the _handle_remote_conversation_stopped method with the correct signature conversation_manager._handle_remote_conversation_stopped = AsyncMock() From 6f1a7ddadd17c3a5ae0391ae58a9a3d68dc842db Mon Sep 17 00:00:00 2001 From: Hiep Le <69354317+hieptl@users.noreply.github.com> Date: Tue, 3 Mar 2026 20:54:10 +0700 Subject: [PATCH 02/67] fix(backend): resolve timezone mismatch in validate_api_key causing database error (#13158) --- enterprise/storage/api_key_store.py | 2 +- enterprise/tests/unit/test_api_key_store.py | 35 +++++++++++++++++++++ 2 files changed, 36 insertions(+), 1 deletion(-) diff --git a/enterprise/storage/api_key_store.py b/enterprise/storage/api_key_store.py index e22229a5ab..3af7424e65 100644 --- a/enterprise/storage/api_key_store.py +++ b/enterprise/storage/api_key_store.py @@ -79,7 +79,7 @@ class ApiKeyStore: await session.execute( update(ApiKey) .where(ApiKey.id == key_record.id) - .values(last_used_at=now) + .values(last_used_at=now.replace(tzinfo=None)) ) await session.commit() diff --git a/enterprise/tests/unit/test_api_key_store.py b/enterprise/tests/unit/test_api_key_store.py index 68b9dce26e..fb163f978a 100644 --- a/enterprise/tests/unit/test_api_key_store.py +++ b/enterprise/tests/unit/test_api_key_store.py @@ -211,6 +211,41 @@ async def test_validate_api_key_not_found(api_key_store, async_session_maker): assert result is None +@pytest.mark.asyncio +async def test_validate_api_key_stores_timezone_naive_last_used_at( + api_key_store, async_session_maker +): + """Test that validate_api_key stores a timezone-naive datetime for last_used_at.""" + # Arrange + user_id = str(uuid.uuid4()) + org_id = uuid.uuid4() + api_key_value = 'test-timezone-naive-key' + + async with async_session_maker() as session: + key_record = ApiKey( + key=api_key_value, + user_id=user_id, + org_id=org_id, + name='Test Key', + last_used_at=None, + ) + session.add(key_record) + await session.commit() + + # Act + with patch('storage.api_key_store.a_session_maker', async_session_maker): + await api_key_store.validate_api_key(api_key_value) + + # Assert + async with async_session_maker() as session: + result_db = await session.execute( + select(ApiKey).filter(ApiKey.key == api_key_value) + ) + api_key = result_db.scalars().first() + assert api_key.last_used_at is not None + assert api_key.last_used_at.tzinfo is None + + @pytest.mark.asyncio async def test_delete_api_key(api_key_store, async_session_maker): """Test deleting an API key.""" From 501bf643122e5d82f7dad7bb2fbfb26c49a73253 Mon Sep 17 00:00:00 2001 From: Tim O'Farrell Date: Tue, 3 Mar 2026 07:07:44 -0700 Subject: [PATCH 03/67] Make SlackTeamStore fully async (#13160) Co-authored-by: openhands --- .../integrations/slack/slack_manager.py | 2 +- .../slack/slack_v1_callback_processor.py | 6 ++-- enterprise/integrations/slack/slack_view.py | 15 ++++----- .../slack_callback_processor.py | 2 +- enterprise/server/routes/integration/slack.py | 4 +-- enterprise/storage/slack_team_store.py | 31 ++++++++++--------- .../slack/test_slack_v1_callback_processor.py | 20 ++++++------ .../unit/test_slack_callback_processor.py | 6 ++-- 8 files changed, 44 insertions(+), 42 deletions(-) diff --git a/enterprise/integrations/slack/slack_manager.py b/enterprise/integrations/slack/slack_manager.py index 9325637178..16a60d9e3a 100644 --- a/enterprise/integrations/slack/slack_manager.py +++ b/enterprise/integrations/slack/slack_manager.py @@ -181,7 +181,7 @@ class SlackManager(Manager): ) try: - slack_view = SlackFactory.create_slack_view_from_payload( + slack_view = await SlackFactory.create_slack_view_from_payload( message, slack_user, saas_user_auth ) except Exception as e: diff --git a/enterprise/integrations/slack/slack_v1_callback_processor.py b/enterprise/integrations/slack/slack_v1_callback_processor.py index a20ef5fd52..05562aa1a8 100644 --- a/enterprise/integrations/slack/slack_v1_callback_processor.py +++ b/enterprise/integrations/slack/slack_v1_callback_processor.py @@ -88,9 +88,9 @@ class SlackV1CallbackProcessor(EventCallbackProcessor): # Slack helpers # ------------------------------------------------------------------------- - def _get_bot_access_token(self): + async def _get_bot_access_token(self) -> str | None: slack_team_store = SlackTeamStore.get_instance() - bot_access_token = slack_team_store.get_team_bot_token( + bot_access_token = await slack_team_store.get_team_bot_token( self.slack_view_data['team_id'] ) @@ -98,7 +98,7 @@ class SlackV1CallbackProcessor(EventCallbackProcessor): async def _post_summary_to_slack(self, summary: str) -> None: """Post a summary message to the configured Slack channel.""" - bot_access_token = self._get_bot_access_token() + bot_access_token = await self._get_bot_access_token() if not bot_access_token: raise RuntimeError('Missing Slack bot access token') diff --git a/enterprise/integrations/slack/slack_view.py b/enterprise/integrations/slack/slack_view.py index 85c2465b79..6c94dfdae5 100644 --- a/enterprise/integrations/slack/slack_view.py +++ b/enterprise/integrations/slack/slack_view.py @@ -1,3 +1,4 @@ +import asyncio from dataclasses import dataclass from uuid import UUID, uuid4 @@ -42,7 +43,7 @@ from openhands.server.user_auth.user_auth import UserAuth from openhands.storage.data_models.conversation_metadata import ( ConversationTrigger, ) -from openhands.utils.async_utils import GENERAL_TIMEOUT, call_async_from_sync +from openhands.utils.async_utils import GENERAL_TIMEOUT # ================================================= # SECTION: Slack view types @@ -553,7 +554,8 @@ class SlackFactory: channel_id, thread_ts ) - def create_slack_view_from_payload( + @staticmethod + async def create_slack_view_from_payload( message: Message, slack_user: SlackUser | None, saas_user_auth: UserAuth | None ): payload = message.message @@ -564,7 +566,7 @@ class SlackFactory: team_id = payload['team_id'] user_msg = payload.get('user_msg') - bot_access_token = slack_team_store.get_team_bot_token(team_id) + bot_access_token = await slack_team_store.get_team_bot_token(team_id) if not bot_access_token: logger.error( 'Did not find slack team', @@ -594,10 +596,9 @@ class SlackFactory: v1_enabled=False, ) - conversation: SlackConversation | None = call_async_from_sync( - SlackFactory.determine_if_updating_existing_conversation, - GENERAL_TIMEOUT, - message, + conversation = await asyncio.wait_for( + SlackFactory.determine_if_updating_existing_conversation(message), + timeout=GENERAL_TIMEOUT, ) if conversation: logger.info( diff --git a/enterprise/server/conversation_callback_processor/slack_callback_processor.py b/enterprise/server/conversation_callback_processor/slack_callback_processor.py index d29a39e9a6..ce7f06245c 100644 --- a/enterprise/server/conversation_callback_processor/slack_callback_processor.py +++ b/enterprise/server/conversation_callback_processor/slack_callback_processor.py @@ -62,7 +62,7 @@ class SlackCallbackProcessor(ConversationCallbackProcessor): slack_user, saas_user_auth = await slack_manager.authenticate_user( self.slack_user_id ) - slack_view = SlackFactory.create_slack_view_from_payload( + slack_view = await SlackFactory.create_slack_view_from_payload( message_obj, slack_user, saas_user_auth ) # Send the message directly as a string diff --git a/enterprise/server/routes/integration/slack.py b/enterprise/server/routes/integration/slack.py index e0d7f53f46..c39d8ac838 100644 --- a/enterprise/server/routes/integration/slack.py +++ b/enterprise/server/routes/integration/slack.py @@ -219,9 +219,9 @@ async def keycloak_callback( # Retrieve bot token if team_id and bot_access_token: - slack_team_store.create_team(team_id, bot_access_token) + await slack_team_store.create_team(team_id, bot_access_token) else: - bot_access_token = slack_team_store.get_team_bot_token(team_id) + bot_access_token = await slack_team_store.get_team_bot_token(team_id) if not bot_access_token: logger.error( diff --git a/enterprise/storage/slack_team_store.py b/enterprise/storage/slack_team_store.py index 95924e769a..42ce75c4d4 100644 --- a/enterprise/storage/slack_team_store.py +++ b/enterprise/storage/slack_team_store.py @@ -1,23 +1,26 @@ +from __future__ import annotations + from dataclasses import dataclass -from sqlalchemy.orm import sessionmaker -from storage.database import session_maker +from sqlalchemy import delete, select +from storage.database import a_session_maker from storage.slack_team import SlackTeam @dataclass class SlackTeamStore: - session_maker: sessionmaker - - def get_team_bot_token(self, team_id: str) -> str | None: + async def get_team_bot_token(self, team_id: str) -> str | None: """ Get a team's bot access token by team_id """ - with session_maker() as session: - team = session.query(SlackTeam).filter(SlackTeam.team_id == team_id).first() + async with a_session_maker() as session: + result = await session.execute( + select(SlackTeam).where(SlackTeam.team_id == team_id) + ) + team = result.scalar_one_or_none() return team.bot_access_token if team else None - def create_team( + async def create_team( self, team_id: str, bot_access_token: str, @@ -26,14 +29,12 @@ class SlackTeamStore: Create a new SlackTeam """ slack_team = SlackTeam(team_id=team_id, bot_access_token=bot_access_token) - with session_maker() as session: - session.query(SlackTeam).filter(SlackTeam.team_id == team_id).delete() - - # Store the token + async with a_session_maker() as session: + await session.execute(delete(SlackTeam).where(SlackTeam.team_id == team_id)) session.add(slack_team) - session.commit() + await session.commit() return slack_team @classmethod - def get_instance(cls): - return SlackTeamStore(session_maker) + def get_instance(cls) -> SlackTeamStore: + return SlackTeamStore() diff --git a/enterprise/tests/unit/integrations/slack/test_slack_v1_callback_processor.py b/enterprise/tests/unit/integrations/slack/test_slack_v1_callback_processor.py index 6aa03c408d..e72e89233e 100644 --- a/enterprise/tests/unit/integrations/slack/test_slack_v1_callback_processor.py +++ b/enterprise/tests/unit/integrations/slack/test_slack_v1_callback_processor.py @@ -145,9 +145,9 @@ class TestSlackV1CallbackProcessor: """Test that processor handles double callback correctly and processes both times.""" conversation_id = uuid4() - # Mock SlackTeamStore + # Mock SlackTeamStore (async method) mock_store = MagicMock() - mock_store.get_team_bot_token.return_value = 'xoxb-test-token' + mock_store.get_team_bot_token = AsyncMock(return_value='xoxb-test-token') mock_slack_team_store.return_value = mock_store # Mock successful summary generation @@ -208,9 +208,9 @@ class TestSlackV1CallbackProcessor: """Test successful end-to-end callback execution.""" conversation_id = uuid4() - # Mock SlackTeamStore + # Mock SlackTeamStore (async method) mock_store = MagicMock() - mock_store.get_team_bot_token.return_value = 'xoxb-test-token' + mock_store.get_team_bot_token = AsyncMock(return_value='xoxb-test-token') mock_slack_team_store.return_value = mock_store # Mock summary instruction @@ -287,9 +287,9 @@ class TestSlackV1CallbackProcessor: expected_error, ): """Test error handling when bot access token is missing or empty.""" - # Mock SlackTeamStore to return the test token + # Mock SlackTeamStore to return the test token (async method) mock_store = MagicMock() - mock_store.get_team_bot_token.return_value = bot_token + mock_store.get_team_bot_token = AsyncMock(return_value=bot_token) mock_slack_team_store.return_value = mock_store # Mock successful summary generation @@ -327,9 +327,9 @@ class TestSlackV1CallbackProcessor: expected_error, ): """Test error handling for various Slack API errors.""" - # Mock SlackTeamStore + # Mock SlackTeamStore (async method) mock_store = MagicMock() - mock_store.get_team_bot_token.return_value = 'xoxb-test-token' + mock_store.get_team_bot_token = AsyncMock(return_value='xoxb-test-token') mock_slack_team_store.return_value = mock_store # Mock successful summary generation @@ -392,9 +392,9 @@ class TestSlackV1CallbackProcessor: """Test error handling for various agent server errors.""" conversation_id = uuid4() - # Mock SlackTeamStore + # Mock SlackTeamStore (async method) mock_store = MagicMock() - mock_store.get_team_bot_token.return_value = 'xoxb-test-token' + mock_store.get_team_bot_token = AsyncMock(return_value='xoxb-test-token') mock_slack_team_store.return_value = mock_store # Mock summary instruction diff --git a/enterprise/tests/unit/test_slack_callback_processor.py b/enterprise/tests/unit/test_slack_callback_processor.py index 79475d4f2a..5cfb81e0b9 100644 --- a/enterprise/tests/unit/test_slack_callback_processor.py +++ b/enterprise/tests/unit/test_slack_callback_processor.py @@ -240,12 +240,12 @@ class TestSlackCallbackProcessor: return_value=(mock_slack_user, mock_saas_user_auth) ) - # Mock the SlackFactory + # Mock the SlackFactory (async method) with patch( 'server.conversation_callback_processor.slack_callback_processor.SlackFactory' ) as mock_slack_factory: - mock_slack_factory.create_slack_view_from_payload.return_value = ( - mock_slack_view + mock_slack_factory.create_slack_view_from_payload = AsyncMock( + return_value=mock_slack_view ) mock_slack_manager.send_message = AsyncMock() From 0b9fd442bd8cac12e488244f1bdd6284cf19c78a Mon Sep 17 00:00:00 2001 From: aivong-openhands Date: Tue, 3 Mar 2026 09:19:30 -0600 Subject: [PATCH 04/67] chore: update uv lock and enterprise poetry lock to replace python-jose with jwcrypto (#13105) Co-authored-by: openhands --- enterprise/poetry.lock | 45 +-------------------------------------- uv.lock | 48 +++++++++++++----------------------------- 2 files changed, 16 insertions(+), 77 deletions(-) diff --git a/enterprise/poetry.lock b/enterprise/poetry.lock index 81cf9be3bd..f617080882 100644 --- a/enterprise/poetry.lock +++ b/enterprise/poetry.lock @@ -2079,25 +2079,6 @@ files = [ {file = "durationpy-0.10.tar.gz", hash = "sha256:1fa6893409a6e739c9c72334fc65cca1f355dbdd93405d30f726deb5bde42fba"}, ] -[[package]] -name = "ecdsa" -version = "0.19.1" -description = "ECDSA cryptographic signature library (pure python)" -optional = false -python-versions = "!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*,!=3.5.*,>=2.6" -groups = ["main"] -files = [ - {file = "ecdsa-0.19.1-py2.py3-none-any.whl", hash = "sha256:30638e27cf77b7e15c4c4cc1973720149e1033827cfd00661ca5c8cc0cdb24c3"}, - {file = "ecdsa-0.19.1.tar.gz", hash = "sha256:478cba7b62555866fcb3bb3fe985e06decbdb68ef55713c4e5ab98c57d508e61"}, -] - -[package.dependencies] -six = ">=1.9.0" - -[package.extras] -gmpy = ["gmpy"] -gmpy2 = ["gmpy2"] - [[package]] name = "email-validator" version = "2.3.0" @@ -6155,6 +6136,7 @@ jinja2 = ">=3.1.6" joblib = "*" json-repair = "*" jupyter-kernel-gateway = "*" +jwcrypto = ">=1.5.6" kubernetes = ">=33.1" libtmux = ">=0.46.2" litellm = ">=1.74.3" @@ -6185,7 +6167,6 @@ pypdf = ">=6.7.2" python-docx = "*" python-dotenv = "*" python-frontmatter = ">=1.1" -python-jose = {version = ">=3.3", extras = ["cryptography"]} python-json-logger = ">=3.2.1" python-multipart = ">=0.0.22" python-pptx = "*" @@ -11819,30 +11800,6 @@ PyYAML = "*" docs = ["sphinx"] test = ["mypy", "pyaml", "pytest", "toml", "types-PyYAML", "types-toml"] -[[package]] -name = "python-jose" -version = "3.5.0" -description = "JOSE implementation in Python" -optional = false -python-versions = ">=3.9" -groups = ["main"] -files = [ - {file = "python_jose-3.5.0-py2.py3-none-any.whl", hash = "sha256:abd1202f23d34dfad2c3d28cb8617b90acf34132c7afd60abd0b0b7d3cb55771"}, - {file = "python_jose-3.5.0.tar.gz", hash = "sha256:fb4eaa44dbeb1c26dcc69e4bd7ec54a1cb8dd64d3b4d81ef08d90ff453f2b01b"}, -] - -[package.dependencies] -cryptography = {version = ">=3.4.0", optional = true, markers = "extra == \"cryptography\""} -ecdsa = "!=0.15" -pyasn1 = ">=0.5.0" -rsa = ">=4.0,<4.1.1 || >4.1.1,<4.4 || >4.4,<5.0" - -[package.extras] -cryptography = ["cryptography (>=3.4.0)"] -pycrypto = ["pycrypto (>=2.6.0,<2.7.0)"] -pycryptodome = ["pycryptodome (>=3.3.1,<4.0.0)"] -test = ["pytest", "pytest-cov"] - [[package]] name = "python-json-logger" version = "3.3.0" diff --git a/uv.lock b/uv.lock index 5d571c142a..06d1579c34 100644 --- a/uv.lock +++ b/uv.lock @@ -1224,18 +1224,6 @@ wheels = [ { url = "https://files.pythonhosted.org/packages/1b/e7/09b9106ead227f7be14bd97c3181391ee498bb38933b1a9c566b72c8567a/e2b_code_interpreter-2.4.1-py3-none-any.whl", hash = "sha256:15d35f025b4a15033e119f2e12e7ac65657ad2b5a013fa9149e74581fbee778a", size = 13719, upload-time = "2025-11-26T18:12:36.7Z" }, ] -[[package]] -name = "ecdsa" -version = "0.19.1" -source = { registry = "https://pypi.org/simple" } -dependencies = [ - { name = "six" }, -] -sdist = { url = "https://files.pythonhosted.org/packages/c0/1f/924e3caae75f471eae4b26bd13b698f6af2c44279f67af317439c2f4c46a/ecdsa-0.19.1.tar.gz", hash = "sha256:478cba7b62555866fcb3bb3fe985e06decbdb68ef55713c4e5ab98c57d508e61", size = 201793, upload-time = "2025-03-13T11:52:43.25Z" } -wheels = [ - { url = "https://files.pythonhosted.org/packages/cb/a3/460c57f094a4a165c84a1341c373b0a4f5ec6ac244b998d5021aade89b77/ecdsa-0.19.1-py2.py3-none-any.whl", hash = "sha256:30638e27cf77b7e15c4c4cc1973720149e1033827cfd00661ca5c8cc0cdb24c3", size = 150607, upload-time = "2025-03-13T11:52:41.757Z" }, -] - [[package]] name = "email-validator" version = "2.3.0" @@ -2656,6 +2644,19 @@ wheels = [ { url = "https://files.pythonhosted.org/packages/ab/b5/36c712098e6191d1b4e349304ef73a8d06aed77e56ceaac8c0a306c7bda1/jupyterlab_widgets-3.0.16-py3-none-any.whl", hash = "sha256:45fa36d9c6422cf2559198e4db481aa243c7a32d9926b500781c830c80f7ecf8", size = 914926, upload-time = "2025-11-01T21:11:28.008Z" }, ] +[[package]] +name = "jwcrypto" +version = "1.5.6" +source = { registry = "https://pypi.org/simple" } +dependencies = [ + { name = "cryptography" }, + { name = "typing-extensions" }, +] +sdist = { url = "https://files.pythonhosted.org/packages/e1/db/870e5d5fb311b0bcf049630b5ba3abca2d339fd5e13ba175b4c13b456d08/jwcrypto-1.5.6.tar.gz", hash = "sha256:771a87762a0c081ae6166958a954f80848820b2ab066937dc8b8379d65b1b039", size = 87168, upload-time = "2024-03-06T19:58:31.831Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/cd/58/4a1880ea64032185e9ae9f63940c9327c6952d5584ea544a8f66972f2fda/jwcrypto-1.5.6-py3-none-any.whl", hash = "sha256:150d2b0ebbdb8f40b77f543fb44ffd2baeff48788be71f67f03566692fd55789", size = 92520, upload-time = "2024-03-06T19:58:29.765Z" }, +] + [[package]] name = "keyring" version = "25.7.0" @@ -3652,6 +3653,7 @@ dependencies = [ { name = "joblib" }, { name = "json-repair" }, { name = "jupyter-kernel-gateway" }, + { name = "jwcrypto" }, { name = "kubernetes" }, { name = "libtmux" }, { name = "litellm" }, @@ -3682,7 +3684,6 @@ dependencies = [ { name = "python-docx" }, { name = "python-dotenv" }, { name = "python-frontmatter" }, - { name = "python-jose", extra = ["cryptography"] }, { name = "python-json-logger" }, { name = "python-multipart" }, { name = "python-pptx" }, @@ -3774,6 +3775,7 @@ requires-dist = [ { name = "joblib" }, { name = "json-repair" }, { name = "jupyter-kernel-gateway" }, + { name = "jwcrypto", specifier = ">=1.5.6" }, { name = "kubernetes", specifier = ">=33.1" }, { name = "libtmux", specifier = ">=0.46.2" }, { name = "litellm", specifier = ">=1.74.3" }, @@ -3805,7 +3807,6 @@ requires-dist = [ { name = "python-docx" }, { name = "python-dotenv" }, { name = "python-frontmatter", specifier = ">=1.1" }, - { name = "python-jose", extras = ["cryptography"], specifier = ">=3.3" }, { name = "python-json-logger", specifier = ">=3.2.1" }, { name = "python-multipart", specifier = ">=0.0.22" }, { name = "python-pptx" }, @@ -7515,25 +7516,6 @@ wheels = [ { url = "https://files.pythonhosted.org/packages/49/87/3c8da047b3ec5f99511d1b4d7a5bc72d4b98751c7e78492d14dc736319c5/python_frontmatter-1.1.0-py3-none-any.whl", hash = "sha256:335465556358d9d0e6c98bbeb69b1c969f2a4a21360587b9873bfc3b213407c1", size = 9834, upload-time = "2024-01-16T18:50:00.911Z" }, ] -[[package]] -name = "python-jose" -version = "3.5.0" -source = { registry = "https://pypi.org/simple" } -dependencies = [ - { name = "ecdsa" }, - { name = "pyasn1" }, - { name = "rsa" }, -] -sdist = { url = "https://files.pythonhosted.org/packages/c6/77/3a1c9039db7124eb039772b935f2244fbb73fc8ee65b9acf2375da1c07bf/python_jose-3.5.0.tar.gz", hash = "sha256:fb4eaa44dbeb1c26dcc69e4bd7ec54a1cb8dd64d3b4d81ef08d90ff453f2b01b", size = 92726, upload-time = "2025-05-28T17:31:54.288Z" } -wheels = [ - { url = "https://files.pythonhosted.org/packages/d9/c3/0bd11992072e6a1c513b16500a5d07f91a24017c5909b02c72c62d7ad024/python_jose-3.5.0-py2.py3-none-any.whl", hash = "sha256:abd1202f23d34dfad2c3d28cb8617b90acf34132c7afd60abd0b0b7d3cb55771", size = 34624, upload-time = "2025-05-28T17:31:52.802Z" }, -] - -[package.optional-dependencies] -cryptography = [ - { name = "cryptography" }, -] - [[package]] name = "python-json-logger" version = "4.0.0" From a927b9dc732ef3f709277ab7b73627dd91cee6f7 Mon Sep 17 00:00:00 2001 From: aivong-openhands Date: Tue, 3 Mar 2026 09:19:50 -0600 Subject: [PATCH 05/67] Fix CVE-2023-36464 update to openhands-aci 0.3.3 to remove pypdf2 (#13142) --- poetry.lock | 28 ++++------------------------ pyproject.toml | 4 ++-- uv.lock | 18 ++++-------------- 3 files changed, 10 insertions(+), 40 deletions(-) diff --git a/poetry.lock b/poetry.lock index f52815963f..d8cb26a1fa 100644 --- a/poetry.lock +++ b/poetry.lock @@ -6181,14 +6181,14 @@ openapi-schema-validator = ">=0.6.0,<0.7.0" [[package]] name = "openhands-aci" -version = "0.3.2" +version = "0.3.3" description = "An Agent-Computer Interface (ACI) designed for software development agents OpenHands." optional = false python-versions = "<4.0,>=3.12" groups = ["main"] files = [ - {file = "openhands_aci-0.3.2-py3-none-any.whl", hash = "sha256:a3ff6fe3dd50124598b8bc3aff8d9742d6e75f933f7e7635a9d0b37d45eb826e"}, - {file = "openhands_aci-0.3.2.tar.gz", hash = "sha256:df7b64df6acb70b45b23e88c13508e7af8f27725bed30c3e88691a0f3d1f7a44"}, + {file = "openhands_aci-0.3.3-py3-none-any.whl", hash = "sha256:35795a4d6f5939290f74b26190d5b4cd7477b06ffb7c7f0b505166739461d651"}, + {file = "openhands_aci-0.3.3.tar.gz", hash = "sha256:567fc65bb881e3ea56c987f4251c8f703d3c88fae99402b46ea7dcc48d85adb2"}, ] [package.dependencies] @@ -6211,7 +6211,6 @@ puremagic = ">=1.28" pydantic = ">=2.11.3,<3.0.0" pydub = ">=0.25.1,<0.26.0" pypdf = ">=5.1.0" -pypdf2 = ">=3.0.1,<4.0.0" python-pptx = ">=1.0.2,<2.0.0" rapidfuzz = ">=3.13.0,<4.0.0" requests = ">=2.32.3" @@ -11409,25 +11408,6 @@ docs = ["myst_parser", "sphinx", "sphinx_rtd_theme"] full = ["Pillow (>=8.0.0)", "cryptography"] image = ["Pillow (>=8.0.0)"] -[[package]] -name = "pypdf2" -version = "3.0.1" -description = "A pure-python PDF library capable of splitting, merging, cropping, and transforming PDF files" -optional = false -python-versions = ">=3.6" -groups = ["main"] -files = [ - {file = "PyPDF2-3.0.1.tar.gz", hash = "sha256:a74408f69ba6271f71b9352ef4ed03dc53a31aa404d29b5d31f53bfecfee1440"}, - {file = "pypdf2-3.0.1-py3-none-any.whl", hash = "sha256:d16e4205cfee272fbdc0568b68d82be796540b1537508cef59388f839c191928"}, -] - -[package.extras] -crypto = ["PyCryptodome"] -dev = ["black", "flit", "pip-tools", "pre-commit (<2.18.0)", "pytest-cov", "wheel"] -docs = ["myst_parser", "sphinx", "sphinx_rtd_theme"] -full = ["Pillow", "PyCryptodome"] -image = ["Pillow"] - [[package]] name = "pyperclip" version = "1.11.0" @@ -14676,4 +14656,4 @@ third-party-runtimes = ["daytona", "e2b-code-interpreter", "modal", "runloop-api [metadata] lock-version = "2.1" python-versions = "^3.12,<3.14" -content-hash = "1353c2f30d46d205c369736ead67515e81041ec5e0af4534c52a57d4b2307da2" +content-hash = "3976934d4a0d1759399dc90318e580ce68b7beb8a8b494c465ee29893e1a1c1e" diff --git a/pyproject.toml b/pyproject.toml index f8d1a65f2d..54162a32c7 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -54,7 +54,7 @@ dependencies = [ "memory-profiler>=0.61", "numpy", "openai==2.8", - "openhands-aci==0.3.2", + "openhands-aci==0.3.3", "openhands-agent-server==1.11.5", "openhands-sdk==1.11.5", "openhands-tools==1.11.5", @@ -198,7 +198,7 @@ opentelemetry-exporter-otlp-proto-grpc = "^1.33.1" libtmux = ">=0.46.2" pygithub = "^2.5.0" joblib = "*" -openhands-aci = "0.3.2" +openhands-aci = "0.3.3" python-socketio = "5.14.0" sse-starlette = "^3.0.2" psutil = "*" diff --git a/uv.lock b/uv.lock index 06d1579c34..9faf603f89 100644 --- a/uv.lock +++ b/uv.lock @@ -3565,7 +3565,7 @@ wheels = [ [[package]] name = "openhands-aci" -version = "0.3.2" +version = "0.3.3" source = { registry = "https://pypi.org/simple" } dependencies = [ { name = "beautifulsoup4" }, @@ -3587,7 +3587,6 @@ dependencies = [ { name = "pydantic" }, { name = "pydub" }, { name = "pypdf" }, - { name = "pypdf2" }, { name = "python-pptx" }, { name = "rapidfuzz" }, { name = "requests" }, @@ -3598,9 +3597,9 @@ dependencies = [ { name = "xlrd" }, { name = "youtube-transcript-api" }, ] -sdist = { url = "https://files.pythonhosted.org/packages/74/d3/bc218623dcf3a6d72e2e47627ff2f30cf46eece83f77d81cab00bef23286/openhands_aci-0.3.2.tar.gz", hash = "sha256:df7b64df6acb70b45b23e88c13508e7af8f27725bed30c3e88691a0f3d1f7a44", size = 78318, upload-time = "2025-08-21T09:47:36.866Z" } +sdist = { url = "https://files.pythonhosted.org/packages/c2/02/f82be4fd3b079bd12d53cc3083811535ed01e1b528b02f9571b9e5e04f9e/openhands_aci-0.3.3.tar.gz", hash = "sha256:567fc65bb881e3ea56c987f4251c8f703d3c88fae99402b46ea7dcc48d85adb2", size = 78525, upload-time = "2026-02-27T20:38:26.3Z" } wheels = [ - { url = "https://files.pythonhosted.org/packages/2b/ae/4c3d5e334a79d64e2266785f12ddb88861b18ed0f03c103828981b445d46/openhands_aci-0.3.2-py3-none-any.whl", hash = "sha256:a3ff6fe3dd50124598b8bc3aff8d9742d6e75f933f7e7635a9d0b37d45eb826e", size = 95467, upload-time = "2025-08-21T09:47:35.962Z" }, + { url = "https://files.pythonhosted.org/packages/82/50/7821e227e3d613741f233d07526da7e3dc558bc8e4143c016c110e2222d7/openhands_aci-0.3.3-py3-none-any.whl", hash = "sha256:35795a4d6f5939290f74b26190d5b4cd7477b06ffb7c7f0b505166739461d651", size = 95623, upload-time = "2026-02-27T20:38:27.348Z" }, ] [[package]] @@ -3784,7 +3783,7 @@ requires-dist = [ { name = "modal", marker = "extra == 'third-party-runtimes'", specifier = ">=0.66.26,<1.2" }, { name = "numpy" }, { name = "openai", specifier = "==2.8" }, - { name = "openhands-aci", specifier = "==0.3.2" }, + { name = "openhands-aci", specifier = "==0.3.3" }, { name = "openhands-agent-server", specifier = "==1.11.5" }, { name = "openhands-sdk", specifier = "==1.11.5" }, { name = "openhands-tools", specifier = "==1.11.5" }, @@ -7322,15 +7321,6 @@ wheels = [ { url = "https://files.pythonhosted.org/packages/b0/90/3308a9b8b46c1424181fdf3f4580d2b423c5471425799e7fc62f92d183f4/pypdf-6.7.3-py3-none-any.whl", hash = "sha256:cd25ac508f20b554a9fafd825186e3ba29591a69b78c156783c5d8a2d63a1c0a", size = 331263, upload-time = "2026-02-24T17:23:09.932Z" }, ] -[[package]] -name = "pypdf2" -version = "3.0.1" -source = { registry = "https://pypi.org/simple" } -sdist = { url = "https://files.pythonhosted.org/packages/9f/bb/18dc3062d37db6c491392007dfd1a7f524bb95886eb956569ac38a23a784/PyPDF2-3.0.1.tar.gz", hash = "sha256:a74408f69ba6271f71b9352ef4ed03dc53a31aa404d29b5d31f53bfecfee1440", size = 227419, upload-time = "2022-12-31T10:36:13.13Z" } -wheels = [ - { url = "https://files.pythonhosted.org/packages/8e/5e/c86a5643653825d3c913719e788e41386bee415c2b87b4f955432f2de6b2/pypdf2-3.0.1-py3-none-any.whl", hash = "sha256:d16e4205cfee272fbdc0568b68d82be796540b1537508cef59388f839c191928", size = 232572, upload-time = "2022-12-31T10:36:10.327Z" }, -] - [[package]] name = "pyperclip" version = "1.11.0" From e7934ea6e57c9097d85bcc07ac7827e301225acd Mon Sep 17 00:00:00 2001 From: Pierrick Hymbert Date: Tue, 3 Mar 2026 16:51:43 +0100 Subject: [PATCH 06/67] feat(bitbucket): supports cloud and server APIs (#11052) Co-authored-by: Ray Myers Co-authored-by: Chris Bagwell Co-authored-by: CHANGE Co-authored-by: Joe Laverty --- .../features/auth/login-content.test.tsx | 20 + .../chat/git-control-bar-repo-button.test.tsx | 4 + .../__tests__/routes/git-settings.test.tsx | 4 + .../features/auth/login-content.tsx | 31 ++ .../chat/git-control-bar-branch-button.tsx | 13 +- .../chat/git-control-bar-repo-button.tsx | 9 +- .../conversation-repo-link.tsx | 1 + .../git-provider-dropdown.tsx | 2 + .../bitbucket-dc-token-help-anchor.tsx | 27 ++ .../bitbucket-dc-token-help-input.tsx | 67 ++++ .../components/shared/git-provider-icon.tsx | 3 + frontend/src/hooks/use-auto-login.ts | 8 + frontend/src/i18n/declaration.ts | 5 + frontend/src/i18n/translation.json | 80 ++++ frontend/src/routes.ts | 1 + frontend/src/routes/git-settings.tsx | 34 ++ frontend/src/types/settings.ts | 1 + frontend/src/utils/local-storage.ts | 1 + frontend/src/utils/utils.ts | 49 ++- .../bitbucket_dc_service.py | 107 ++++++ .../bitbucket_data_center/service/__init__.py | 15 + .../bitbucket_data_center/service/base.py | 333 ++++++++++++++++ .../bitbucket_data_center/service/branches.py | 136 +++++++ .../bitbucket_data_center/service/features.py | 96 +++++ .../bitbucket_data_center/service/prs.py | 134 +++++++ .../bitbucket_data_center/service/repos.py | 203 ++++++++++ .../bitbucket_data_center/service/resolver.py | 113 ++++++ openhands/integrations/provider.py | 41 +- openhands/integrations/service_types.py | 11 + openhands/integrations/utils.py | 19 +- .../interfaces/bitbucket_data_center.py | 357 ++++++++++++++++++ openhands/resolver/issue_handler_factory.py | 26 ++ openhands/resolver/issue_resolver.py | 2 + openhands/resolver/send_pull_request.py | 30 ++ openhands/server/routes/git.py | 2 + openhands/server/routes/mcp.py | 74 ++++ skills/bitbucket_data_center.md | 41 ++ .../test_bitbucket_dc.py | 258 +++++++++++++ .../test_bitbucket_dc_branches.py | 139 +++++++ .../test_bitbucket_dc_prs.py | 138 +++++++ .../test_bitbucket_dc_repos.py | 355 +++++++++++++++++ .../test_bitbucket_dc_resolver.py | 179 +++++++++ .../test_bitbucket_dc_issue_handler.py | 357 ++++++++++++++++++ 43 files changed, 3514 insertions(+), 12 deletions(-) create mode 100644 frontend/src/components/features/settings/git-settings/bitbucket-dc-token-help-anchor.tsx create mode 100644 frontend/src/components/features/settings/git-settings/bitbucket-dc-token-help-input.tsx create mode 100644 openhands/integrations/bitbucket_data_center/bitbucket_dc_service.py create mode 100644 openhands/integrations/bitbucket_data_center/service/__init__.py create mode 100644 openhands/integrations/bitbucket_data_center/service/base.py create mode 100644 openhands/integrations/bitbucket_data_center/service/branches.py create mode 100644 openhands/integrations/bitbucket_data_center/service/features.py create mode 100644 openhands/integrations/bitbucket_data_center/service/prs.py create mode 100644 openhands/integrations/bitbucket_data_center/service/repos.py create mode 100644 openhands/integrations/bitbucket_data_center/service/resolver.py create mode 100644 openhands/resolver/interfaces/bitbucket_data_center.py create mode 100644 skills/bitbucket_data_center.md create mode 100644 tests/unit/integrations/bitbucket_data_center/test_bitbucket_dc.py create mode 100644 tests/unit/integrations/bitbucket_data_center/test_bitbucket_dc_branches.py create mode 100644 tests/unit/integrations/bitbucket_data_center/test_bitbucket_dc_prs.py create mode 100644 tests/unit/integrations/bitbucket_data_center/test_bitbucket_dc_repos.py create mode 100644 tests/unit/integrations/bitbucket_data_center/test_bitbucket_dc_resolver.py create mode 100644 tests/unit/resolver/bitbucket_dc/test_bitbucket_dc_issue_handler.py diff --git a/frontend/__tests__/components/features/auth/login-content.test.tsx b/frontend/__tests__/components/features/auth/login-content.test.tsx index f45e89bbb7..efedb93164 100644 --- a/frontend/__tests__/components/features/auth/login-content.test.tsx +++ b/frontend/__tests__/components/features/auth/login-content.test.tsx @@ -13,6 +13,8 @@ vi.mock("#/hooks/use-auth-url", () => ({ const urls: Record = { gitlab: "https://gitlab.com/oauth/authorize", bitbucket: "https://bitbucket.org/site/oauth2/authorize", + bitbucket_data_center: + "https://bitbucket-dc.example.com/site/oauth2/authorize", }; if (config.appMode === "saas") { return urls[config.identityProvider] || null; @@ -297,6 +299,24 @@ describe("LoginContent", () => { }); }); + it("should display Bitbucket Data Center button when configured", () => { + render( + + + , + ); + + expect( + screen.getByRole("button", { + name: /BITBUCKET_DATA_CENTER\$CONNECT_TO_BITBUCKET_DATA_CENTER/i, + }), + ).toBeInTheDocument(); + }); + it("should encode state with invitation token when buildOAuthStateData provides token", async () => { const user = userEvent.setup(); const mockBuildOAuthStateData = vi.fn((baseState) => ({ diff --git a/frontend/__tests__/components/features/chat/git-control-bar-repo-button.test.tsx b/frontend/__tests__/components/features/chat/git-control-bar-repo-button.test.tsx index 01890d1b8b..5a6d15e84b 100644 --- a/frontend/__tests__/components/features/chat/git-control-bar-repo-button.test.tsx +++ b/frontend/__tests__/components/features/chat/git-control-bar-repo-button.test.tsx @@ -32,6 +32,10 @@ vi.mock("#/icons/repo-forked.svg?react", () => ({ default: () => forked, })); +vi.mock("#/hooks/query/use-settings", () => ({ + useSettings: () => ({ data: { provider_tokens_set: {} } }), +})); + // Mock constructRepositoryUrl vi.mock("#/utils/utils", async (importOriginal) => { const actual = await importOriginal(); diff --git a/frontend/__tests__/routes/git-settings.test.tsx b/frontend/__tests__/routes/git-settings.test.tsx index 4466436534..2f903aa3a2 100644 --- a/frontend/__tests__/routes/git-settings.test.tsx +++ b/frontend/__tests__/routes/git-settings.test.tsx @@ -321,6 +321,7 @@ describe("Form submission", () => { github: { token: "test-token", host: "" }, gitlab: { token: "", host: "" }, bitbucket: { token: "", host: "" }, + bitbucket_data_center: { token: "", host: "" }, azure_devops: { token: "", host: "" }, forgejo: { token: "", host: "" }, }); @@ -344,6 +345,7 @@ describe("Form submission", () => { github: { token: "", host: "" }, gitlab: { token: "test-token", host: "" }, bitbucket: { token: "", host: "" }, + bitbucket_data_center: { token: "", host: "" }, azure_devops: { token: "", host: "" }, forgejo: { token: "", host: "" }, }); @@ -367,6 +369,7 @@ describe("Form submission", () => { github: { token: "", host: "" }, gitlab: { token: "", host: "" }, bitbucket: { token: "test-token", host: "" }, + bitbucket_data_center: { token: "", host: "" }, azure_devops: { token: "", host: "" }, forgejo: { token: "", host: "" }, }); @@ -392,6 +395,7 @@ describe("Form submission", () => { github: { token: "", host: "" }, gitlab: { token: "", host: "" }, bitbucket: { token: "", host: "" }, + bitbucket_data_center: { token: "", host: "" }, azure_devops: { token: "test-token", host: "" }, forgejo: { token: "", host: "" }, }); diff --git a/frontend/src/components/features/auth/login-content.tsx b/frontend/src/components/features/auth/login-content.tsx index 47db28f245..30da67c301 100644 --- a/frontend/src/components/features/auth/login-content.tsx +++ b/frontend/src/components/features/auth/login-content.tsx @@ -59,6 +59,12 @@ export function LoginContent({ authUrl, }); + const bitbucketDataCenterAuthUrl = useAuthUrl({ + appMode: appMode || null, + identityProvider: "bitbucket_data_center", + authUrl, + }); + const handleAuthRedirect = async ( redirectUrl: string, provider: Provider, @@ -115,6 +121,12 @@ export function LoginContent({ } }; + const handleBitbucketDataCenterAuth = () => { + if (bitbucketDataCenterAuthUrl) { + handleAuthRedirect(bitbucketDataCenterAuthUrl, "bitbucket_data_center"); + } + }; + const showGithub = providersConfigured && providersConfigured.length > 0 && @@ -127,6 +139,10 @@ export function LoginContent({ providersConfigured && providersConfigured.length > 0 && providersConfigured.includes("bitbucket"); + const showBitbucketDataCenter = + providersConfigured && + providersConfigured.length > 0 && + providersConfigured.includes("bitbucket_data_center"); const noProvidersConfigured = !providersConfigured || providersConfigured.length === 0; @@ -230,6 +246,21 @@ export function LoginContent({ )} + + {showBitbucketDataCenter && ( + + )} )} diff --git a/frontend/src/components/features/chat/git-control-bar-branch-button.tsx b/frontend/src/components/features/chat/git-control-bar-branch-button.tsx index bd256fac0d..e873da3735 100644 --- a/frontend/src/components/features/chat/git-control-bar-branch-button.tsx +++ b/frontend/src/components/features/chat/git-control-bar-branch-button.tsx @@ -4,6 +4,7 @@ import { constructBranchUrl, cn } from "#/utils/utils"; import { Provider } from "#/types/settings"; import { I18nKey } from "#/i18n/declaration"; import { GitExternalLinkIcon } from "./git-external-link-icon"; +import { useSettings } from "#/hooks/query/use-settings"; interface GitControlBarBranchButtonProps { selectedBranch: string | null | undefined; @@ -17,10 +18,20 @@ export function GitControlBarBranchButton({ gitProvider, }: GitControlBarBranchButtonProps) { const { t } = useTranslation(); + const { data: settings } = useSettings(); + + const providerHost = gitProvider + ? settings?.provider_tokens_set[gitProvider] + : null; const hasBranch = selectedBranch && selectedRepository && gitProvider; const branchUrl = hasBranch - ? constructBranchUrl(gitProvider, selectedRepository, selectedBranch) + ? constructBranchUrl( + gitProvider, + selectedRepository, + selectedBranch, + providerHost, + ) : undefined; const buttonText = hasBranch ? selectedBranch : t(I18nKey.COMMON$NO_BRANCH); diff --git a/frontend/src/components/features/chat/git-control-bar-repo-button.tsx b/frontend/src/components/features/chat/git-control-bar-repo-button.tsx index bd6159c11b..fcc2f7fb5f 100644 --- a/frontend/src/components/features/chat/git-control-bar-repo-button.tsx +++ b/frontend/src/components/features/chat/git-control-bar-repo-button.tsx @@ -5,6 +5,7 @@ import { I18nKey } from "#/i18n/declaration"; import { GitProviderIcon } from "#/components/shared/git-provider-icon"; import { GitExternalLinkIcon } from "./git-external-link-icon"; import RepoForkedIcon from "#/icons/repo-forked.svg?react"; +import { useSettings } from "#/hooks/query/use-settings"; interface GitControlBarRepoButtonProps { selectedRepository: string | null | undefined; @@ -20,11 +21,17 @@ export function GitControlBarRepoButton({ disabled, }: GitControlBarRepoButtonProps) { const { t } = useTranslation(); + const { data: settings } = useSettings(); const hasRepository = selectedRepository && gitProvider; + // Get the host for the current provider from settings + const providerHost = gitProvider + ? settings?.provider_tokens_set[gitProvider] + : null; + const repositoryUrl = hasRepository - ? constructRepositoryUrl(gitProvider, selectedRepository) + ? constructRepositoryUrl(gitProvider, selectedRepository, providerHost) : undefined; const buttonText = hasRepository diff --git a/frontend/src/components/features/conversation-panel/conversation-card/conversation-repo-link.tsx b/frontend/src/components/features/conversation-panel/conversation-card/conversation-repo-link.tsx index 27c50bbcb4..5e1c15099a 100644 --- a/frontend/src/components/features/conversation-panel/conversation-card/conversation-repo-link.tsx +++ b/frontend/src/components/features/conversation-panel/conversation-card/conversation-repo-link.tsx @@ -11,6 +11,7 @@ interface ConversationRepoLinkProps { const providerIcon: Partial> = { bitbucket: FaBitbucket, + bitbucket_data_center: FaBitbucket, github: FaGithub, gitlab: FaGitlab, enterprise_sso: FaUserShield, diff --git a/frontend/src/components/features/home/git-provider-dropdown/git-provider-dropdown.tsx b/frontend/src/components/features/home/git-provider-dropdown/git-provider-dropdown.tsx index 53696b1ecb..c119a4a861 100644 --- a/frontend/src/components/features/home/git-provider-dropdown/git-provider-dropdown.tsx +++ b/frontend/src/components/features/home/git-provider-dropdown/git-provider-dropdown.tsx @@ -51,6 +51,8 @@ export function GitProviderDropdown({ return "GitLab"; case "bitbucket": return "Bitbucket"; + case "bitbucket_data_center": + return "Bitbucket Data Center"; case "azure_devops": return "Azure DevOps"; case "enterprise_sso": diff --git a/frontend/src/components/features/settings/git-settings/bitbucket-dc-token-help-anchor.tsx b/frontend/src/components/features/settings/git-settings/bitbucket-dc-token-help-anchor.tsx new file mode 100644 index 0000000000..1d74b94b58 --- /dev/null +++ b/frontend/src/components/features/settings/git-settings/bitbucket-dc-token-help-anchor.tsx @@ -0,0 +1,27 @@ +import { Trans, useTranslation } from "react-i18next"; +import { I18nKey } from "#/i18n/declaration"; + +export function BitbucketDCTokenHelpAnchor() { + const { t } = useTranslation(); + + return ( +

+ , + ]} + /> +

+ ); +} diff --git a/frontend/src/components/features/settings/git-settings/bitbucket-dc-token-help-input.tsx b/frontend/src/components/features/settings/git-settings/bitbucket-dc-token-help-input.tsx new file mode 100644 index 0000000000..3cb87c1b2f --- /dev/null +++ b/frontend/src/components/features/settings/git-settings/bitbucket-dc-token-help-input.tsx @@ -0,0 +1,67 @@ +import { useTranslation } from "react-i18next"; +import { I18nKey } from "#/i18n/declaration"; +import { SettingsInput } from "../settings-input"; +import { BitbucketDCTokenHelpAnchor } from "./bitbucket-dc-token-help-anchor"; +import { KeyStatusIcon } from "../key-status-icon"; +import { cn } from "#/utils/utils"; + +interface BitbucketDCTokenInputProps { + onChange: (value: string) => void; + onBitbucketDCHostChange: (value: string) => void; + isBitbucketDCTokenSet: boolean; + name: string; + bitbucketDCHostSet: string | null | undefined; + className?: string; +} + +export function BitbucketDCTokenInput({ + onChange, + onBitbucketDCHostChange, + isBitbucketDCTokenSet, + name, + bitbucketDCHostSet, + className, +}: BitbucketDCTokenInputProps) { + const { t } = useTranslation(); + + return ( +
+ " : "username:token"} + startContent={ + isBitbucketDCTokenSet && ( + + ) + } + /> + + {})} + name="bitbucket-dc-host-input" + testId="bitbucket-dc-host-input" + label={t(I18nKey.BITBUCKET_DATA_CENTER$HOST_LABEL)} + type="text" + className="w-full max-w-[680px]" + placeholder="bitbucket.your-company.com" + defaultValue={bitbucketDCHostSet || undefined} + startContent={ + bitbucketDCHostSet && + bitbucketDCHostSet.trim() !== "" && ( + + ) + } + /> + + +
+ ); +} diff --git a/frontend/src/components/shared/git-provider-icon.tsx b/frontend/src/components/shared/git-provider-icon.tsx index efa9481ad1..ee8c869595 100644 --- a/frontend/src/components/shared/git-provider-icon.tsx +++ b/frontend/src/components/shared/git-provider-icon.tsx @@ -18,6 +18,9 @@ export function GitProviderIcon({ {gitProvider === "bitbucket" && ( )} + {gitProvider === "bitbucket_data_center" && ( + + )} {gitProvider === "azure_devops" && ( )} diff --git a/frontend/src/hooks/use-auto-login.ts b/frontend/src/hooks/use-auto-login.ts index 1d9f766b0e..8d4cd2dee7 100644 --- a/frontend/src/hooks/use-auto-login.ts +++ b/frontend/src/hooks/use-auto-login.ts @@ -34,6 +34,12 @@ export const useAutoLogin = () => { authUrl: config?.auth_url, }); + const bitbucketDataCenterUrl = useAuthUrl({ + appMode: config?.app_mode || null, + identityProvider: "bitbucket_data_center", + authUrl: config?.auth_url, + }); + const enterpriseSsoUrl = useAuthUrl({ appMode: config?.app_mode || null, identityProvider: "enterprise_sso", @@ -69,6 +75,8 @@ export const useAutoLogin = () => { authUrl = gitlabAuthUrl; } else if (loginMethod === LoginMethod.BITBUCKET) { authUrl = bitbucketAuthUrl; + } else if (loginMethod === LoginMethod.BITBUCKET_DATA_CENTER) { + authUrl = bitbucketDataCenterUrl; } else if (loginMethod === LoginMethod.ENTERPRISE_SSO) { authUrl = enterpriseSsoUrl; } diff --git a/frontend/src/i18n/declaration.ts b/frontend/src/i18n/declaration.ts index 062112460b..a42047bb84 100644 --- a/frontend/src/i18n/declaration.ts +++ b/frontend/src/i18n/declaration.ts @@ -610,6 +610,7 @@ export enum I18nKey { GITHUB$CONNECT_TO_GITHUB = "GITHUB$CONNECT_TO_GITHUB", GITLAB$CONNECT_TO_GITLAB = "GITLAB$CONNECT_TO_GITLAB", BITBUCKET$CONNECT_TO_BITBUCKET = "BITBUCKET$CONNECT_TO_BITBUCKET", + BITBUCKET_DATA_CENTER$CONNECT_TO_BITBUCKET_DATA_CENTER = "BITBUCKET_DATA_CENTER$CONNECT_TO_BITBUCKET_DATA_CENTER", ENTERPRISE_SSO$CONNECT_TO_ENTERPRISE_SSO = "ENTERPRISE_SSO$CONNECT_TO_ENTERPRISE_SSO", AUTH$SIGN_IN_WITH_IDENTITY_PROVIDER = "AUTH$SIGN_IN_WITH_IDENTITY_PROVIDER", WAITLIST$JOIN_WAITLIST = "WAITLIST$JOIN_WAITLIST", @@ -648,6 +649,9 @@ export enum I18nKey { BITBUCKET$TOKEN_HELP_TEXT = "BITBUCKET$TOKEN_HELP_TEXT", BITBUCKET$TOKEN_LINK_TEXT = "BITBUCKET$TOKEN_LINK_TEXT", BITBUCKET$INSTRUCTIONS_LINK_TEXT = "BITBUCKET$INSTRUCTIONS_LINK_TEXT", + BITBUCKET_DATA_CENTER$TOKEN_LABEL = "BITBUCKET_DATA_CENTER$TOKEN_LABEL", + BITBUCKET_DATA_CENTER$HOST_LABEL = "BITBUCKET_DATA_CENTER$HOST_LABEL", + BITBUCKET_DATA_CENTER$TOKEN_HELP_TEXT = "BITBUCKET_DATA_CENTER$TOKEN_HELP_TEXT", GITLAB$OR_SEE = "GITLAB$OR_SEE", AGENT_ERROR$ERROR_ACTION_NOT_EXECUTED_STOPPED = "AGENT_ERROR$ERROR_ACTION_NOT_EXECUTED_STOPPED", AGENT_ERROR$ERROR_ACTION_NOT_EXECUTED_ERROR = "AGENT_ERROR$ERROR_ACTION_NOT_EXECUTED_ERROR", @@ -732,6 +736,7 @@ export enum I18nKey { PAYMENT$SPECIFY_AMOUNT_USD = "PAYMENT$SPECIFY_AMOUNT_USD", GIT$BITBUCKET_TOKEN_HELP_LINK = "GIT$BITBUCKET_TOKEN_HELP_LINK", GIT$BITBUCKET_TOKEN_SEE_MORE_LINK = "GIT$BITBUCKET_TOKEN_SEE_MORE_LINK", + GIT$BITBUCKET_DC_TOKEN_HELP_LINK = "GIT$BITBUCKET_DC_TOKEN_HELP_LINK", GIT$GITHUB_TOKEN_HELP_LINK = "GIT$GITHUB_TOKEN_HELP_LINK", GIT$GITHUB_TOKEN_SEE_MORE_LINK = "GIT$GITHUB_TOKEN_SEE_MORE_LINK", GIT$GITLAB_TOKEN_HELP_LINK = "GIT$GITLAB_TOKEN_HELP_LINK", diff --git a/frontend/src/i18n/translation.json b/frontend/src/i18n/translation.json index b0c4a0f5ae..868eee4a94 100644 --- a/frontend/src/i18n/translation.json +++ b/frontend/src/i18n/translation.json @@ -9761,6 +9761,22 @@ "tr": "Bitbucket'a bağlan", "uk": "Увійти за допомогою Bitbucket" }, + "BITBUCKET_DATA_CENTER$CONNECT_TO_BITBUCKET_DATA_CENTER": { + "en": "Log in with Bitbucket Data Center", + "ja": "Bitbucket Data Centerに接続", + "zh-CN": "连接到Bitbucket Data Center", + "zh-TW": "連接到Bitbucket Data Center", + "ko-KR": "Bitbucket Data Center에 연결", + "de": "Mit Bitbucket Data Center verbinden", + "no": "Koble til Bitbucket Data Center", + "it": "Connetti a Bitbucket Data Center", + "pt": "Conectar ao Bitbucket Data Center", + "es": "Conectar a Bitbucket Data Center", + "ar": "الاتصال بـ Bitbucket Data Center", + "fr": "Se connecter à Bitbucket Data Center", + "tr": "Bitbucket Data Center'a bağlan", + "uk": "Увійти за допомогою Bitbucket Data Center" + }, "ENTERPRISE_SSO$CONNECT_TO_ENTERPRISE_SSO": { "en": "Login with Enterprise SSO", "ja": "エンタープライズSSOでログイン", @@ -10368,6 +10384,54 @@ "tr": "talimatlar için buraya tıklayın", "de": "klicken Sie hier für Anweisungen", "uk": "натисніть тут, щоб отримати інструкції" + }, + "BITBUCKET_DATA_CENTER$TOKEN_LABEL": { + "en": "Bitbucket Data Center Token", + "ja": "Bitbucket Data Centerトークン", + "zh-CN": "Bitbucket Data Center令牌", + "zh-TW": "Bitbucket Data Center權杖", + "ko-KR": "Bitbucket Data Center 토큰", + "no": "Bitbucket Data Center-token", + "ar": "رمز Bitbucket Data Center", + "de": "Bitbucket Data Center-Token", + "fr": "Jeton Bitbucket Data Center", + "it": "Token Bitbucket Data Center", + "pt": "Token do Bitbucket Data Center", + "es": "Token de Bitbucket Data Center", + "tr": "Bitbucket Data Center Token", + "uk": "Токен Bitbucket Data Center" + }, + "BITBUCKET_DATA_CENTER$HOST_LABEL": { + "en": "Bitbucket Data Center Host", + "ja": "Bitbucket Data Centerホスト", + "zh-CN": "Bitbucket Data Center主机", + "zh-TW": "Bitbucket Data Center主機", + "ko-KR": "Bitbucket Data Center 호스트", + "no": "Bitbucket Data Center-vert", + "ar": "مضيف Bitbucket Data Center", + "de": "Bitbucket Data Center-Host", + "fr": "Hôte Bitbucket Data Center", + "it": "Host Bitbucket Data Center", + "pt": "Host do Bitbucket Data Center", + "es": "Host de Bitbucket Data Center", + "tr": "Bitbucket Data Center Sunucu", + "uk": "Хост Bitbucket Data Center" + }, + "BITBUCKET_DATA_CENTER$TOKEN_HELP_TEXT": { + "en": "Create an <0>HTTP access token in your Bitbucket Data Center instance with repository read/write and pull request read/write permissions. For personal access tokens, use the format 'username:token'. For project tokens, use the format 'x-token-auth:your-token'.", + "ja": "リポジトリの読み取り/書き込みおよびプルリクエストの読み取り/書き込み権限を持つBitbucket Data Centerインスタンスで<0>HTTPアクセストークンを作成してください。個人アクセストークンの場合は、'username:token'の形式を使用してください。プロジェクトトークンの場合は、'x-token-auth:your-token'の形式を使用してください。", + "zh-CN": "在您的Bitbucket Data Center实例中创建一个具有仓库读写和拉取请求读写权限的<0>HTTP访问令牌。对于个人访问令牌,请使用格式'username:token'。对于项目令牌,请使用格式'x-token-auth:your-token'。", + "zh-TW": "在您的Bitbucket Data Center實例中建立一個具有儲存庫讀寫和拉取請求讀寫權限的<0>HTTP存取權杖。對於個人存取權杖,請使用格式'username:token'。對於專案權杖,請使用格式'x-token-auth:your-token'。", + "ko-KR": "Bitbucket Data Center 인스턴스에서 저장소 읽기/쓰기 및 풀 리퀘스트 읽기/쓰기 권한이 있는 <0>HTTP 액세스 토큰을 생성하세요. 개인 액세스 토큰의 경우 'username:token' 형식을 사용하세요. 프로젝트 토큰의 경우 'x-token-auth:your-token' 형식을 사용하세요.", + "no": "Opprett et <0>HTTP-tilgangstoken i din Bitbucket Data Center-instans med lese-/skrivetilgang til repositorier og pull-forespørsler. For personlige tilgangstokener, bruk formatet 'username:token'. For prosjekttokener, bruk formatet 'x-token-auth:your-token'.", + "ar": "أنشئ <0>رمز وصول HTTP في مثيل Bitbucket Data Center الخاص بك مع أذونات قراءة/كتابة للمستودع وقراءة/كتابة لطلبات السحب. لرموز الوصول الشخصية، استخدم التنسيق 'username:token'. لرموز المشروع، استخدم التنسيق 'x-token-auth:your-token'.", + "de": "Erstellen Sie ein <0>HTTP-Zugriffstoken in Ihrer Bitbucket Data Center-Instanz mit Lese-/Schreibberechtigungen für Repositories und Pull Requests. Geben Sie für persönliche Zugriffstoken das Format 'username:token' ein. Geben Sie für Projekt-Token das Format 'x-token-auth:your-token' ein.", + "fr": "Créez un <0>jeton d'accès HTTP dans votre instance Bitbucket Data Center avec des permissions de lecture/écriture sur les dépôts et les pull requests. Pour les jetons d'accès personnels, utilisez le format 'username:token'. Pour les jetons de projet, utilisez le format 'x-token-auth:your-token'.", + "it": "Crea un <0>token di accesso HTTP nella tua istanza Bitbucket Data Center con permessi di lettura/scrittura per repository e pull request. Per i token di accesso personali, usa il formato 'username:token'. Per i token di progetto, usa il formato 'x-token-auth:your-token'.", + "pt": "Crie um <0>token de acesso HTTP na sua instância do Bitbucket Data Center com permissões de leitura/gravação de repositório e pull request. Para tokens de acesso pessoal, use o formato 'username:token'. Para tokens de projeto, use o formato 'x-token-auth:your-token'.", + "es": "Cree un <0>token de acceso HTTP en su instancia de Bitbucket Data Center con permisos de lectura/escritura de repositorio y pull request. Para los tokens de acceso personal, use el formato 'username:token'. Para los tokens de proyecto, use el formato 'x-token-auth:your-token'.", + "tr": "Bitbucket Data Center örneğinizde depo okuma/yazma ve pull request okuma/yazma izinlerine sahip bir <0>HTTP erişim jetonu oluşturun. Kişisel erişim jetonları için 'username:token' biçimini kullanın. Proje jetonları için 'x-token-auth:your-token' biçimini kullanın.", + "uk": "Створіть <0>HTTP-токен доступу у вашому екземплярі Bitbucket Data Center з правами читання/запису репозиторію та pull request. Для особистих токенів доступу використовуйте формат 'username:token'. Для токенів проекту використовуйте формат 'x-token-auth:your-token'." }, "GITLAB$OR_SEE": { "en": "or see the", @@ -11715,6 +11779,22 @@ "de": "Bitbucket-Token mehr sehen Link", "uk": "Посилання для перегляду більше про токен Bitbucket" }, + "GIT$BITBUCKET_DC_TOKEN_HELP_LINK": { + "en": "Bitbucket Data Center HTTP access token docs", + "ja": "Bitbucket Data Center HTTPアクセストークンドキュメント", + "zh-CN": "Bitbucket Data Center HTTP访问令牌文档", + "zh-TW": "Bitbucket Data Center HTTP存取權杖文件", + "ko-KR": "Bitbucket Data Center HTTP 액세스 토큰 문서", + "no": "Bitbucket Data Center HTTP-tilgangstoken-dokumentasjon", + "ar": "وثائق رمز وصول HTTP لـ Bitbucket Data Center", + "de": "Bitbucket Data Center HTTP-Zugriffstoken-Dokumentation", + "fr": "Documentation du jeton d'accès HTTP Bitbucket Data Center", + "it": "Documentazione token di accesso HTTP Bitbucket Data Center", + "pt": "Documentação do token de acesso HTTP do Bitbucket Data Center", + "es": "Documentación del token de acceso HTTP de Bitbucket Data Center", + "tr": "Bitbucket Data Center HTTP erişim jetonu belgeleri", + "uk": "Документація HTTP-токена доступу Bitbucket Data Center" + }, "GIT$GITHUB_TOKEN_HELP_LINK": { "en": "GitHub token help link", "ja": "GitHubトークンヘルプリンク", diff --git a/frontend/src/routes.ts b/frontend/src/routes.ts index 3c884347d3..b50091dc3c 100644 --- a/frontend/src/routes.ts +++ b/frontend/src/routes.ts @@ -22,6 +22,7 @@ export default [ route("api-keys", "routes/api-keys.tsx"), ]), route("conversations/:conversationId", "routes/conversation.tsx"), + route("microagent-management", "routes/microagent-management.tsx"), route("oauth/device/verify", "routes/device-verify.tsx"), ]), // Shared routes that don't require authentication diff --git a/frontend/src/routes/git-settings.tsx b/frontend/src/routes/git-settings.tsx index ad692f301a..1b07e081dc 100644 --- a/frontend/src/routes/git-settings.tsx +++ b/frontend/src/routes/git-settings.tsx @@ -8,6 +8,7 @@ import { GitHubTokenInput } from "#/components/features/settings/git-settings/gi import { GitLabTokenInput } from "#/components/features/settings/git-settings/gitlab-token-input"; import { GitLabWebhookManager } from "#/components/features/settings/git-settings/gitlab-webhook-manager"; import { BitbucketTokenInput } from "#/components/features/settings/git-settings/bitbucket-token-input"; +import { BitbucketDCTokenInput } from "#/components/features/settings/git-settings/bitbucket-dc-token-help-input"; import { AzureDevOpsTokenInput } from "#/components/features/settings/git-settings/azure-devops-token-input"; import { ForgejoTokenInput } from "#/components/features/settings/git-settings/forgejo-token-input"; import { ConfigureGitHubRepositoriesAnchor } from "#/components/features/settings/git-settings/configure-github-repositories-anchor"; @@ -42,6 +43,8 @@ function GitSettingsScreen() { React.useState(false); const [bitbucketTokenInputHasValue, setBitbucketTokenInputHasValue] = React.useState(false); + const [bitbucketDCTokenInputHasValue, setBitbucketDCTokenInputHasValue] = + React.useState(false); const [azureDevOpsTokenInputHasValue, setAzureDevOpsTokenInputHasValue] = React.useState(false); const [forgejoTokenInputHasValue, setForgejoTokenInputHasValue] = @@ -53,6 +56,8 @@ function GitSettingsScreen() { React.useState(false); const [bitbucketHostInputHasValue, setBitbucketHostInputHasValue] = React.useState(false); + const [bitbucketDCHostInputHasValue, setBitbucketDCHostInputHasValue] = + React.useState(false); const [azureDevOpsHostInputHasValue, setAzureDevOpsHostInputHasValue] = React.useState(false); const [forgejoHostInputHasValue, setForgejoHostInputHasValue] = @@ -61,6 +66,8 @@ function GitSettingsScreen() { const existingGithubHost = settings?.provider_tokens_set.github; const existingGitlabHost = settings?.provider_tokens_set.gitlab; const existingBitbucketHost = settings?.provider_tokens_set.bitbucket; + const existingBitbucketDCHost = + settings?.provider_tokens_set.bitbucket_data_center; const existingAzureDevOpsHost = settings?.provider_tokens_set.azure_devops; const existingForgejoHost = settings?.provider_tokens_set.forgejo; @@ -68,6 +75,7 @@ function GitSettingsScreen() { const isGitHubTokenSet = providers.includes("github"); const isGitLabTokenSet = providers.includes("gitlab"); const isBitbucketTokenSet = providers.includes("bitbucket"); + const isBitbucketDCTokenSet = providers.includes("bitbucket_data_center"); const isAzureDevOpsTokenSet = providers.includes("azure_devops"); const isForgejoTokenSet = providers.includes("forgejo"); @@ -89,6 +97,9 @@ function GitSettingsScreen() { const bitbucketToken = ( formData.get("bitbucket-token-input")?.toString() || "" ).trim(); + const bitbucketDCToken = ( + formData.get("bitbucket-dc-token-input")?.toString() || "" + ).trim(); const azureDevOpsToken = ( formData.get("azure-devops-token-input")?.toString() || "" ).trim(); @@ -104,6 +115,9 @@ function GitSettingsScreen() { const bitbucketHost = ( formData.get("bitbucket-host-input")?.toString() || "" ).trim(); + const bitbucketDCHost = ( + formData.get("bitbucket-dc-host-input")?.toString() || "" + ).trim(); const azureDevOpsHost = ( formData.get("azure-devops-host-input")?.toString() || "" ).trim(); @@ -116,6 +130,7 @@ function GitSettingsScreen() { github: { token: githubToken, host: githubHost }, gitlab: { token: gitlabToken, host: gitlabHost }, bitbucket: { token: bitbucketToken, host: bitbucketHost }, + bitbucket_data_center: { token: bitbucketDCToken, host: bitbucketDCHost }, azure_devops: { token: azureDevOpsToken, host: azureDevOpsHost }, forgejo: { token: forgejoToken, host: forgejoHost }, }; @@ -136,11 +151,13 @@ function GitSettingsScreen() { setGithubTokenInputHasValue(false); setGitlabTokenInputHasValue(false); setBitbucketTokenInputHasValue(false); + setBitbucketDCTokenInputHasValue(false); setAzureDevOpsTokenInputHasValue(false); setForgejoTokenInputHasValue(false); setGithubHostInputHasValue(false); setGitlabHostInputHasValue(false); setBitbucketHostInputHasValue(false); + setBitbucketDCHostInputHasValue(false); setAzureDevOpsHostInputHasValue(false); setForgejoHostInputHasValue(false); }, @@ -152,11 +169,13 @@ function GitSettingsScreen() { !githubTokenInputHasValue && !gitlabTokenInputHasValue && !bitbucketTokenInputHasValue && + !bitbucketDCTokenInputHasValue && !azureDevOpsTokenInputHasValue && !forgejoTokenInputHasValue && !githubHostInputHasValue && !gitlabHostInputHasValue && !bitbucketHostInputHasValue && + !bitbucketDCHostInputHasValue && !azureDevOpsHostInputHasValue && !forgejoHostInputHasValue; const shouldRenderExternalConfigureButtons = @@ -276,6 +295,20 @@ function GitSettingsScreen() { /> )} + {!isSaas && ( + { + setBitbucketDCTokenInputHasValue(!!value); + }} + onBitbucketDCHostChange={(value) => { + setBitbucketDCHostInputHasValue(!!value); + }} + bitbucketDCHostSet={existingBitbucketDCHost} + /> + )} + {!isSaas && ( { +export const getGitProviderBaseUrl = ( + gitProvider: Provider, + host?: string | null, +): string => { + // If custom host provided, use it (with https:// prefix if needed) + if (host && host.trim() !== "") { + return host.startsWith("http") ? host : `https://${host}`; + } + + // Fall back to defaults switch (gitProvider) { case "github": return "https://github.com"; @@ -249,6 +259,7 @@ export const getGitProviderBaseUrl = (gitProvider: Provider): string => { export const getProviderName = (gitProvider: Provider) => { if (gitProvider === "gitlab") return "GitLab"; if (gitProvider === "bitbucket") return "Bitbucket"; + if (gitProvider === "bitbucket_data_center") return "Bitbucket Data Center"; if (gitProvider === "azure_devops") return "Azure DevOps"; if (gitProvider === "forgejo") return "Forgejo"; return "GitHub"; @@ -280,13 +291,15 @@ export const getPRShort = (isGitLab: boolean) => (isGitLab ? "MR" : "PR"); * constructPullRequestUrl(123, "github", "owner/repo") // "https://github.com/owner/repo/pull/123" * constructPullRequestUrl(456, "gitlab", "owner/repo") // "https://gitlab.com/owner/repo/-/merge_requests/456" * constructPullRequestUrl(789, "bitbucket", "owner/repo") // "https://bitbucket.org/owner/repo/pull-requests/789" + * constructPullRequestUrl(789, "bitbucket", "PROJECT/repo", "server.com") // "https://server.com/projects/PROJECT/repos/repo/pull-requests/789" */ export const constructPullRequestUrl = ( prNumber: number, provider: Provider, repositoryName: string, + host?: string | null, ): string => { - const baseUrl = getGitProviderBaseUrl(provider); + const baseUrl = getGitProviderBaseUrl(provider, host); switch (provider) { case "github": @@ -297,6 +310,10 @@ export const constructPullRequestUrl = ( return `${baseUrl}/${repositoryName}/-/merge_requests/${prNumber}`; case "bitbucket": return `${baseUrl}/${repositoryName}/pull-requests/${prNumber}`; + case "bitbucket_data_center": { + const [project, repo] = repositoryName.split("/"); + return `${baseUrl}/projects/${project}/repos/${repo}/pull-requests/${prNumber}`; + } case "azure_devops": { // Azure DevOps format: org/project/repo const parts = repositoryName.split("/"); @@ -330,8 +347,9 @@ export const constructMicroagentUrl = ( gitProvider: Provider, repositoryName: string, microagentPath: string, + host?: string | null, ): string => { - const baseUrl = getGitProviderBaseUrl(gitProvider); + const baseUrl = getGitProviderBaseUrl(gitProvider, host); switch (gitProvider) { case "github": @@ -342,6 +360,10 @@ export const constructMicroagentUrl = ( return `${baseUrl}/${repositoryName}/-/blob/main/${microagentPath}`; case "bitbucket": return `${baseUrl}/${repositoryName}/src/main/${microagentPath}`; + case "bitbucket_data_center": { + const [project, repo] = repositoryName.split("/"); + return `${baseUrl}/projects/${project}/repos/${repo}/browse/${microagentPath}?at=refs/heads/main`; + } case "azure_devops": { // Azure DevOps format: org/project/repo const parts = repositoryName.split("/"); @@ -389,8 +411,13 @@ export const extractRepositoryInfo = ( export const constructRepositoryUrl = ( provider: Provider, repositoryName: string, + host?: string | null, ): string => { - const baseUrl = getGitProviderBaseUrl(provider); + const baseUrl = getGitProviderBaseUrl(provider, host); + if (provider === "bitbucket_data_center") { + const [project, repo] = repositoryName.split("/"); + return `${baseUrl}/projects/${project}/repos/${repo}`; + } return `${baseUrl}/${repositoryName}`; }; @@ -399,19 +426,22 @@ export const constructRepositoryUrl = ( * @param provider The git provider * @param repositoryName The repository name in format "owner/repo" * @param branchName The branch name + * @param host Optional custom host for self-hosted instances * @returns The branch URL * * @example * constructBranchUrl("github", "owner/repo", "main") // "https://github.com/owner/repo/tree/main" * constructBranchUrl("gitlab", "owner/repo", "develop") // "https://gitlab.com/owner/repo/-/tree/develop" * constructBranchUrl("bitbucket", "owner/repo", "feature") // "https://bitbucket.org/owner/repo/src/feature" + * constructBranchUrl("bitbucket", "PROJECT/repo", "feature", "server.com") // "https://server.com/projects/PROJECT/repos/repo/browse?at=refs/heads/feature" */ export const constructBranchUrl = ( provider: Provider, repositoryName: string, branchName: string, + host?: string | null, ): string => { - const baseUrl = getGitProviderBaseUrl(provider); + const baseUrl = getGitProviderBaseUrl(provider, host); switch (provider) { case "github": @@ -422,6 +452,15 @@ export const constructBranchUrl = ( return `${baseUrl}/${repositoryName}/-/tree/${branchName}`; case "bitbucket": return `${baseUrl}/${repositoryName}/src/${branchName}`; + case "bitbucket_data_center": { + // Bitbucket Server format: /projects/{PROJECT}/repos/{repo}/browse?at=refs/heads/{branch} + const parts = repositoryName.split("/"); + if (parts.length >= 2) { + const [project, repo] = parts; + return `${baseUrl}/projects/${project}/repos/${repo}/browse?at=refs/heads/${branchName}`; + } + return ""; + } case "azure_devops": { // Azure DevOps format: org/project/repo const parts = repositoryName.split("/"); diff --git a/openhands/integrations/bitbucket_data_center/bitbucket_dc_service.py b/openhands/integrations/bitbucket_data_center/bitbucket_dc_service.py new file mode 100644 index 0000000000..890540777d --- /dev/null +++ b/openhands/integrations/bitbucket_data_center/bitbucket_dc_service.py @@ -0,0 +1,107 @@ +import os + +from pydantic import SecretStr + +from openhands.integrations.bitbucket_data_center.service import ( + BitbucketDCBranchesMixin, + BitbucketDCFeaturesMixin, + BitbucketDCPRsMixin, + BitbucketDCReposMixin, + BitbucketDCResolverMixin, +) +from openhands.integrations.service_types import ( + GitService, + InstallationsService, + ProviderType, +) +from openhands.utils.import_utils import get_impl + + +class BitbucketDCService( + BitbucketDCResolverMixin, + BitbucketDCBranchesMixin, + BitbucketDCFeaturesMixin, + BitbucketDCPRsMixin, + BitbucketDCReposMixin, + GitService, + InstallationsService, +): + """Default implementation of GitService for Bitbucket data center integration. + + This is an extension point in OpenHands that allows applications to customize Bitbucket data center + integration behavior. Applications can substitute their own implementation by: + 1. Creating a class that inherits from GitService + 2. Implementing all required methods + 3. Setting server_config.bitbucket_service_class to the fully qualified name of the class + + The class is instantiated via get_impl() in openhands.server.shared.py. + """ + + def __init__( + self, + user_id: str | None = None, + external_auth_id: str | None = None, + external_auth_token: SecretStr | None = None, + token: SecretStr | None = None, + external_token_manager: bool = False, + base_domain: str | None = None, + ) -> None: + self.user_id = user_id + self.external_token_manager = external_token_manager + self.external_auth_id = external_auth_id + self.external_auth_token = external_auth_token + self.base_domain = base_domain + self.BASE_URL = f'https://{base_domain}/rest/api/1.0' if base_domain else '' + + if token: + token_val = token.get_secret_value() + if ':' not in token_val: + token = SecretStr(f'x-token-auth:{token_val}') + self.token = token + + # Derive user_id from token when not explicitly provided. + if not user_id and token: + token_val = token.get_secret_value() + if not token_val.startswith('x-token-auth:'): + user_id = token_val.split(':', 1)[0] + + self.user_id = user_id + + @property + def provider(self) -> str: + return ProviderType.BITBUCKET_DATA_CENTER.value + + +bitbucket_dc_service_cls = os.environ.get( + 'OPENHANDS_BITBUCKET_DATA_CENTER_SERVICE_CLS', + 'openhands.integrations.bitbucket_data_center.bitbucket_dc_service.BitbucketDCService', +) + +# Lazy loading to avoid circular imports +_bitbucket_dc_service_impl = None + + +def get_bitbucket_dc_service_impl(): + """Get the BitBucket data center service implementation with lazy loading.""" + global _bitbucket_dc_service_impl + if _bitbucket_dc_service_impl is None: + _bitbucket_dc_service_impl = get_impl( + BitbucketDCService, bitbucket_dc_service_cls + ) + return _bitbucket_dc_service_impl + + +# For backward compatibility, provide the implementation as a property +class _BitbucketDCServiceImplProxy: + """Proxy class to provide lazy loading for BitbucketDCServiceImpl.""" + + def __getattr__(self, name): + impl = get_bitbucket_dc_service_impl() + return getattr(impl, name) + + def __call__(self, *args, **kwargs): + impl = get_bitbucket_dc_service_impl() + return impl(*args, **kwargs) + + +BitbucketDCServiceImpl: type[BitbucketDCService] = _BitbucketDCServiceImplProxy() # type: ignore[assignment] diff --git a/openhands/integrations/bitbucket_data_center/service/__init__.py b/openhands/integrations/bitbucket_data_center/service/__init__.py new file mode 100644 index 0000000000..63c4e54ae9 --- /dev/null +++ b/openhands/integrations/bitbucket_data_center/service/__init__.py @@ -0,0 +1,15 @@ +from .base import BitbucketDCMixinBase +from .branches import BitbucketDCBranchesMixin +from .features import BitbucketDCFeaturesMixin +from .prs import BitbucketDCPRsMixin +from .repos import BitbucketDCReposMixin +from .resolver import BitbucketDCResolverMixin + +__all__ = [ + 'BitbucketDCMixinBase', + 'BitbucketDCBranchesMixin', + 'BitbucketDCFeaturesMixin', + 'BitbucketDCPRsMixin', + 'BitbucketDCReposMixin', + 'BitbucketDCResolverMixin', +] diff --git a/openhands/integrations/bitbucket_data_center/service/base.py b/openhands/integrations/bitbucket_data_center/service/base.py new file mode 100644 index 0000000000..bb53d9102f --- /dev/null +++ b/openhands/integrations/bitbucket_data_center/service/base.py @@ -0,0 +1,333 @@ +import base64 +from typing import Any + +import httpx +from pydantic import SecretStr + +from openhands.core.logger import openhands_logger as logger +from openhands.integrations.protocols.http_client import HTTPClient +from openhands.integrations.service_types import ( + AuthenticationError, + BaseGitService, + OwnerType, + ProviderType, + Repository, + RequestMethod, + ResourceNotFoundError, + User, +) +from openhands.utils.http_session import httpx_verify_option + + +class BitbucketDCMixinBase(BaseGitService, HTTPClient): + """ + Base mixin for BitBucket data center service containing common functionality + """ + + BASE_URL: str = '' # Set dynamically from domain in __init__ + user_id: str | None + + def _repo_api_base(self, owner: str, repo: str) -> str: + return f'{self.BASE_URL}/projects/{owner}/repos/{repo}' + + @staticmethod + def _resolve_primary_email(emails: list[dict]) -> str | None: + """Find the primary confirmed email from a list of Bitbucket data center email objects. + + Bitbucket data center's /user/emails endpoint returns objects with + 'email', 'is_primary', and 'is_confirmed' keys. + """ + for entry in emails: + if entry.get('is_primary') and entry.get('is_confirmed'): + return entry.get('email') + return None + + def _extract_owner_and_repo(self, repository: str) -> tuple[str, str]: + """Extract owner and repo from repository string. + + Args: + repository: Repository name in format 'project/repo_slug' + + Returns: + Tuple of (owner, repo) + + Raises: + ValueError: If repository format is invalid + """ + parts = repository.split('/') + if len(parts) < 2: + raise ValueError(f'Invalid repository name: {repository}') + + return parts[-2], parts[-1] + + async def get_latest_token(self) -> SecretStr | None: + """Get latest working token of the user.""" + return self.token + + def _has_token_expired(self, status_code: int) -> bool: + return False # DC tokens cannot be refreshed programmatically + + async def _get_headers(self) -> dict[str, str]: + """Get headers for Bitbucket data center API requests.""" + token_value = self.token.get_secret_value() + + auth_str = base64.b64encode(token_value.encode()).decode() + return { + 'Authorization': f'Basic {auth_str}', + 'Accept': 'application/json', + } + + async def _make_request( + self, + url: str, + params: dict | None = None, + method: RequestMethod = RequestMethod.GET, + ) -> tuple[Any, dict]: + """Make a request to the Bitbucket data center API. + + Args: + url: The URL to request + params: Optional parameters for the request + method: The HTTP method to use + + Returns: + A tuple of (response_data, response_headers) + + """ + try: + async with httpx.AsyncClient(verify=httpx_verify_option()) as client: + bitbucket_headers = await self._get_headers() + response = await self.execute_request( + client, url, bitbucket_headers, params, method + ) + if self.refresh and self._has_token_expired(response.status_code): + await self.get_latest_token() + bitbucket_headers = await self._get_headers() + response = await self.execute_request( + client=client, + url=url, + headers=bitbucket_headers, + params=params, + method=method, + ) + response.raise_for_status() + try: + data = response.json() + except ValueError: + data = response.text + return data, dict(response.headers) + except httpx.HTTPStatusError as e: + raise self.handle_http_status_error(e) + except httpx.HTTPError as e: + raise self.handle_http_error(e) + + async def verify_access(self) -> None: + """Verify that the token and host are valid by making a lightweight API call. + Raises an exception if the token is invalid or the host is unreachable. + """ + url = f'{self.BASE_URL}/repos' + await self._make_request(url, {'limit': '1'}) + + async def _fetch_paginated_data( + self, url: str, params: dict, max_items: int + ) -> list[dict]: + """Fetch data with pagination support for Bitbucket data center API. + + Args: + url: The API endpoint URL + params: Query parameters for the request + max_items: Maximum number of items to fetch + + Returns: + List of data items from all pages + """ + all_items: list[dict] = [] + current_url = url + base_endpoint = url + + while current_url and len(all_items) < max_items: + response, _ = await self._make_request(current_url, params) + + # Extract items from response + page_items = response.get('values', []) + all_items.extend(page_items) + + if response.get('isLastPage', True): + break + next_start = response.get('nextPageStart') + if next_start is None: + break + params = params or {} + params = dict(params) + params['start'] = next_start + current_url = base_endpoint + + return all_items[:max_items] + + async def get_user_emails(self) -> list[dict]: + """Fetch the authenticated user's email addresses from Bitbucket data center. + + Calls GET /user/emails which returns a paginated response with a + 'values' list of email objects containing 'email', 'is_primary', + and 'is_confirmed' fields. + """ + url = f'{self.BASE_URL}/user/emails' + response, _ = await self._make_request(url) + return response.get('values', []) + + async def get_user(self) -> User: + """Get the authenticated user's information.""" + + if not self.user_id: + # HTTP Access tokens (x-token-auth) don't have user info. + # For OAuth, the user_id should be set. + return User( + id='', + login='', + avatar_url='', + name=None, + email=None, + ) + + # Basic auth - extract username and query users API to get slug + users_url = f'{self.BASE_URL}/users' + data, _ = await self._make_request( + users_url, {'filter': self.user_id, 'avatarSize': 64} + ) + users = data.get('values', []) + if not users: + raise AuthenticationError(f'User not found: {self.user_id}') + + user_data = users[0] + avatar = user_data.get('avatarUrl', '') + # Handle relative avatar URLs (Server returns /users/... paths) + if avatar.startswith('/users'): + # Strip /rest/api/1.0 from BASE_URL to get the base server URL + base_server_url = self.BASE_URL.rsplit('/rest/api/1.0', 1)[0] + avatar = f'{base_server_url}{avatar}' + display_name = user_data.get('displayName') + email = user_data.get('emailAddress') + return User( + id=str(user_data.get('id') or user_data.get('slug') or self.user_id), + login=user_data.get('name') or self.user_id, + avatar_url=avatar, + name=display_name, + email=email, + ) + + async def _parse_repository( + self, repo: dict, link_header: str | None = None + ) -> Repository: + """Parse a Bitbucket data center API repository response into a Repository object. + + Args: + repo: Repository data from Bitbucket data center API + link_header: Optional link header for pagination + + Returns: + Repository object + """ + project_key = repo.get('project', {}).get('key', '') + repo_slug = repo.get('slug', '') + + if not project_key or not repo_slug: + raise ValueError( + f'Cannot parse repository: missing project key or slug. ' + f'Got project_key={project_key!r}, repo_slug={repo_slug!r}' + ) + + full_name = f'{project_key}/{repo_slug}' + is_public = repo.get('public', False) + + main_branch: str | None = None + try: + default_branch_url = ( + f'{self._repo_api_base(project_key, repo_slug)}/default-branch' + ) + default_branch_data, _ = await self._make_request(default_branch_url) + main_branch = default_branch_data.get('displayId') or None + except Exception as e: + logger.debug(f'Could not fetch default branch for {full_name}: {e}') + + return Repository( + id=str(repo.get('id', '')), + full_name=full_name, + git_provider=ProviderType.BITBUCKET_DATA_CENTER, + is_public=is_public, + stargazers_count=None, + pushed_at=None, + owner_type=OwnerType.ORGANIZATION, + link_header=link_header, + main_branch=main_branch, + ) + + async def get_repository_details_from_repo_name( + self, repository: str + ) -> Repository: + """Get repository details from repository name. + + Args: + repository: Repository name in format 'project/repo_slug' + + Returns: + Repository object with details + """ + owner, repo = self._extract_owner_and_repo(repository) + url = self._repo_api_base(owner, repo) + data, _ = await self._make_request(url) + return await self._parse_repository(data) + + async def _get_cursorrules_url(self, repository: str) -> str: + """Get the URL for checking .cursorrules file.""" + # Get repository details to get the main branch + repo_details = await self.get_repository_details_from_repo_name(repository) + if not repo_details.main_branch: + raise ResourceNotFoundError( + f'Main branch not found for repository {repository}. ' + f'This repository may be empty or have no default branch configured.' + ) + owner, repo = self._extract_owner_and_repo(repository) + return ( + f'{self.BASE_URL}/projects/{owner}/repos/{repo}/browse/.cursorrules' + f'?at=refs/heads/{repo_details.main_branch}' + ) + + async def _get_microagents_directory_url( + self, repository: str, microagents_path: str + ) -> str: + """Get the URL for checking microagents directory.""" + # Get repository details to get the main branch + repo_details = await self.get_repository_details_from_repo_name(repository) + if not repo_details.main_branch: + raise ResourceNotFoundError( + f'Main branch not found for repository {repository}. ' + f'This repository may be empty or have no default branch configured.' + ) + + owner, repo = self._extract_owner_and_repo(repository) + return ( + f'{self.BASE_URL}/projects/{owner}/repos/{repo}/browse/{microagents_path}' + f'?at=refs/heads/{repo_details.main_branch}' + ) + + def _get_microagents_directory_params(self, microagents_path: str) -> dict | None: + """Get parameters for the microagents directory request. Return None if no parameters needed.""" + return None + + def _is_valid_microagent_file(self, item: dict) -> bool: + """Check if an item represents a valid microagent file.""" + file_name = item.get('path', {}).get('name', '') + return ( + item.get('type') == 'FILE' + and file_name.endswith('.md') + and file_name != 'README.md' + ) + + def _get_file_name_from_item(self, item: dict) -> str: + """Extract file name from directory item.""" + return item.get('path', {}).get('name', '') + + def _get_file_path_from_item(self, item: dict, microagents_path: str) -> str: + """Extract file path from directory item.""" + file_name = self._get_file_name_from_item(item) + return f'{microagents_path}/{file_name}' diff --git a/openhands/integrations/bitbucket_data_center/service/branches.py b/openhands/integrations/bitbucket_data_center/service/branches.py new file mode 100644 index 0000000000..bbf4be1996 --- /dev/null +++ b/openhands/integrations/bitbucket_data_center/service/branches.py @@ -0,0 +1,136 @@ +from datetime import datetime, timezone + +from openhands.integrations.bitbucket_data_center.service.base import ( + BitbucketDCMixinBase, +) +from openhands.integrations.service_types import Branch, PaginatedBranchesResponse + + +class BitbucketDCBranchesMixin(BitbucketDCMixinBase): + """ + Mixin for BitBucket data center branch-related operations + """ + + async def get_branches(self, repository: str) -> list[Branch]: + """Get branches for a repository.""" + owner, repo = self._extract_owner_and_repo(repository) + + url = f'{self._repo_api_base(owner, repo)}/branches' + + # Set maximum branches to fetch (similar to GitHub/GitLab implementations) + MAX_BRANCHES = 1000 + PER_PAGE = 100 + + params = { + 'limit': PER_PAGE, + 'orderBy': 'MODIFICATION', + } + + # Fetch all branches with pagination + branch_data = await self._fetch_paginated_data(url, params, MAX_BRANCHES) + + return [self._parse_branch(branch) for branch in branch_data] + + async def get_paginated_branches( + self, repository: str, page: int = 1, per_page: int = 30 + ) -> PaginatedBranchesResponse: + """Get branches for a repository with pagination.""" + # Extract owner and repo from the repository string (e.g., "owner/repo") + owner, repo = self._extract_owner_and_repo(repository) + parts = repository.split('/') + if len(parts) < 2: + raise ValueError(f'Invalid repository name: {repository}') + + owner = parts[-2] + repo = parts[-1] + + url = f'{self._repo_api_base(owner, repo)}/branches' + + start = max((page - 1) * per_page, 0) + params = { + 'limit': per_page, + 'start': start, + 'orderBy': 'MODIFICATION', + } + + response, _ = await self._make_request(url, params) + + branches = [self._parse_branch(branch) for branch in response.get('values', [])] + + has_next_page = not response.get('isLastPage', True) + total_count = response.get('size') + + return PaginatedBranchesResponse( + branches=branches, + has_next_page=has_next_page, + current_page=page, + per_page=per_page, + total_count=total_count, + ) + + async def search_branches( + self, repository: str, query: str, per_page: int = 30 + ) -> list[Branch]: + """Search branches by name using Bitbucket data center API with `q` param.""" + owner, repo = self._extract_owner_and_repo(repository) + + url = f'{self._repo_api_base(owner, repo)}/branches' + params = { + 'limit': per_page, + 'filterText': query, + 'orderBy': 'MODIFICATION', + } + + response, _ = await self._make_request(url, params) + + return [self._parse_branch(branch) for branch in response.get('values', [])] + + def _parse_branch(self, branch: dict) -> Branch: + """Normalize Bitbucket branch representations across Cloud and Server.""" + + name = branch.get('displayId') or '' + if not name: + branch_id = branch.get('id', '') + if isinstance(branch_id, str) and branch_id.startswith('refs/heads/'): + name = branch_id.split('refs/heads/', 1)[-1] + elif isinstance(branch_id, str): + name = branch_id + + commit_sha = branch.get('latestCommit', '') + last_push_date = self._extract_server_branch_last_modified(branch) + + return Branch( + name=name, + commit_sha=commit_sha, + protected=False, # Bitbucket doesn't expose branch protection via these endpoints + last_push_date=last_push_date, + ) + + def _extract_server_branch_last_modified(self, branch: dict) -> str | None: + """Extract the last modified timestamp from a Bitbucket Server branch payload.""" + + metadata = branch.get('metadata') + if not isinstance(metadata, dict): + return None + + for value in metadata.values(): + if not isinstance(value, list): + continue + for entry in value: + if not isinstance(entry, dict): + continue + timestamp = ( + entry.get('authorTimestamp') + or entry.get('committerTimestamp') + or entry.get('timestamp') + or entry.get('lastModified') + ) + if isinstance(timestamp, (int, float)): + return datetime.fromtimestamp( + timestamp / 1000, tz=timezone.utc + ).isoformat() + if isinstance(timestamp, str): + # Some Bitbucket instances might already return ISO 8601 strings + return timestamp + + return None diff --git a/openhands/integrations/bitbucket_data_center/service/features.py b/openhands/integrations/bitbucket_data_center/service/features.py new file mode 100644 index 0000000000..daa48f8b2f --- /dev/null +++ b/openhands/integrations/bitbucket_data_center/service/features.py @@ -0,0 +1,96 @@ +from openhands.core.logger import openhands_logger as logger +from openhands.integrations.bitbucket_data_center.service.base import ( + BitbucketDCMixinBase, +) +from openhands.integrations.service_types import ResourceNotFoundError +from openhands.microagent.types import MicroagentContentResponse, MicroagentResponse + + +class BitbucketDCFeaturesMixin(BitbucketDCMixinBase): + """ + Mixin for BitBucket data center feature operations (microagents, cursor rules, etc.) + """ + + async def get_microagent_content( + self, repository: str, file_path: str + ) -> MicroagentContentResponse: + """Fetch individual file content from Bitbucket data center repository. + + Args: + repository: Repository name in format 'project/repo_slug' + file_path: Path to the file within the repository + + Returns: + MicroagentContentResponse with parsed content and triggers + + Raises: + RuntimeError: If file cannot be fetched or doesn't exist + """ + # Step 1: Get repository details using existing method + repo_details = await self.get_repository_details_from_repo_name(repository) + + if not repo_details.main_branch: + logger.warning( + f'No main branch found in repository info for {repository}. ' + f'Repository response: mainbranch field missing' + ) + raise ResourceNotFoundError( + f'Main branch not found for repository {repository}. ' + f'This repository may be empty or have no default branch configured.' + ) + + # Step 2: Get file content using the main branch + owner, repo = self._extract_owner_and_repo(repository) + repo_base = self._repo_api_base(owner, repo) + + file_url = f'{repo_base}/browse/{file_path}' + params = {'at': f'refs/heads/{repo_details.main_branch}'} + response, _ = await self._make_request(file_url, params=params) + if isinstance(response, dict): + lines = response.get('lines') + if isinstance(lines, list): + content = '\n'.join( + line.get('text', '') for line in lines if isinstance(line, dict) + ) + else: + content = response.get('content', '') + else: + content = str(response) + + # Parse the content to extract triggers from frontmatter + return self._parse_microagent_content(content, file_path) + + async def _process_microagents_directory( + self, repository: str, microagents_path: str + ) -> list[MicroagentResponse]: + microagents = [] + try: + directory_url = await self._get_microagents_directory_url( + repository, microagents_path + ) + directory_params = self._get_microagents_directory_params(microagents_path) + response, _ = await self._make_request(directory_url, directory_params) + + # Bitbucket DC browse endpoint nests items under response['children']['values'] + items = response.get('children', {}).get('values', []) + + for item in items: + if self._is_valid_microagent_file(item): + try: + file_name = self._get_file_name_from_item(item) + file_path = self._get_file_path_from_item( + item, microagents_path + ) + microagents.append( + self._create_microagent_response(file_name, file_path) + ) + except Exception as e: + logger.warning(f'Error processing microagent {item}: {str(e)}') + except ResourceNotFoundError: + logger.info( + f'No microagents directory found in {repository} at {microagents_path}' + ) + except Exception as e: + logger.warning(f'Error fetching microagents directory: {str(e)}') + + return microagents diff --git a/openhands/integrations/bitbucket_data_center/service/prs.py b/openhands/integrations/bitbucket_data_center/service/prs.py new file mode 100644 index 0000000000..14844eb4f2 --- /dev/null +++ b/openhands/integrations/bitbucket_data_center/service/prs.py @@ -0,0 +1,134 @@ +from typing import Any + +from openhands.core.logger import openhands_logger as logger +from openhands.integrations.bitbucket_data_center.service.base import ( + BitbucketDCMixinBase, +) +from openhands.integrations.service_types import RequestMethod + + +class BitbucketDCPRsMixin(BitbucketDCMixinBase): + """ + Mixin for BitBucket data center pull request operations + """ + + async def create_pr( + self, + repo_name: str, + source_branch: str, + target_branch: str, + title: str, + body: str | None = None, + draft: bool = False, + ) -> str: + """Creates a pull request in Bitbucket data center. + + Args: + repo_name: The repository name in the format "project/repo" + source_branch: The source branch name + target_branch: The target branch name + title: The title of the pull request + body: The description of the pull request + draft: Whether to create a draft pull request + + Returns: + The URL of the created pull request + """ + owner, repo = self._extract_owner_and_repo(repo_name) + repo_base = self._repo_api_base(owner, repo) + + payload: dict[str, Any] + + url = f'{repo_base}/pull-requests' + payload = { + 'title': title, + 'description': body or '', + 'fromRef': { + 'id': f'refs/heads/{source_branch}', + 'repository': {'slug': repo, 'project': {'key': owner}}, + }, + 'toRef': { + 'id': f'refs/heads/{target_branch}', + 'repository': {'slug': repo, 'project': {'key': owner}}, + }, + } + + data, _ = await self._make_request( + url=url, params=payload, method=RequestMethod.POST + ) + + # Return the URL to the pull request + links = data.get('links', {}) if isinstance(data, dict) else {} + + if isinstance(links, dict): + html_link = links.get('html') + if isinstance(html_link, dict): + href = html_link.get('href') + if href: + return href + if isinstance(html_link, list) and html_link: + href = html_link[0].get('href') + if href: + return href + self_link = links.get('self') + if isinstance(self_link, dict): + href = self_link.get('href') + if href: + return href + if isinstance(self_link, list) and self_link: + href = self_link[0].get('href') + if href: + return href + + return '' + + async def get_pr_details(self, repository: str, pr_number: int) -> dict: + """Get detailed information about a specific pull request + + Args: + repository: Repository name in format 'owner/repo' + pr_number: The pull request number + + Returns: + Raw Bitbucket data center API response for the pull request + """ + owner, repo = self._extract_owner_and_repo(repository) + repo_base = self._repo_api_base(owner, repo) + url = f'{repo_base}/pull-requests/{pr_number}' + + pr_data, _ = await self._make_request(url) + + return pr_data + + async def is_pr_open(self, repository: str, pr_number: int) -> bool: + """Check if a Bitbucket data center pull request is still active (not closed/merged). + + Args: + repository: Repository name in format 'owner/repo' + pr_number: The PR number to check + + Returns: + True if PR is active (OPEN), False if closed/merged + """ + try: + pr_details = await self.get_pr_details(repository, pr_number) + + # Bitbucket data center API response structure + if 'state' in pr_details: + # Bitbucket data center state values: OPEN, MERGED, DECLINED, SUPERSEDED + return pr_details['state'] == 'OPEN' + + # If we can't determine the state, assume it's active (safer default) + logger.warning( + f'Could not determine Bitbucket PR status for {repository}#{pr_number}. ' + f'Response keys: {list(pr_details.keys())}. Assuming PR is active.' + ) + return True + + except Exception as e: + logger.warning( + f'Could not determine Bitbucket PR status for {repository}#{pr_number}: {e}. ' + f'Including conversation to be safe.' + ) + # If we can't determine the PR status, include the conversation to be safe + return True diff --git a/openhands/integrations/bitbucket_data_center/service/repos.py b/openhands/integrations/bitbucket_data_center/service/repos.py new file mode 100644 index 0000000000..5a587cd81e --- /dev/null +++ b/openhands/integrations/bitbucket_data_center/service/repos.py @@ -0,0 +1,203 @@ +from typing import Any +from urllib.parse import urlparse + +from openhands.integrations.bitbucket_data_center.service.base import ( + BitbucketDCMixinBase, +) +from openhands.integrations.service_types import Repository, SuggestedTask +from openhands.server.types import AppMode + + +class BitbucketDCReposMixin(BitbucketDCMixinBase): + """ + Mixin for BitBucket data center repository-related operations + """ + + async def search_repositories( + self, + query: str, + per_page: int, + sort: str, + order: str, + public: bool, + app_mode: AppMode, + ) -> list[Repository]: + """Search for repositories.""" + repositories = [] + + if public: + try: + parsed_url = urlparse(query) + path_segments = [ + segment for segment in parsed_url.path.split('/') if segment + ] + + if 'projects' in path_segments: + idx = path_segments.index('projects') + if ( + len(path_segments) > idx + 2 + and path_segments[idx + 1] + and path_segments[idx + 2] == 'repos' + ): + project_key = path_segments[idx + 1] + repo_name = ( + path_segments[idx + 3] + if len(path_segments) > idx + 3 + else '' + ) + elif len(path_segments) > idx + 2: + project_key = path_segments[idx + 1] + repo_name = path_segments[idx + 2] + else: + project_key = '' + repo_name = '' + else: + project_key = path_segments[0] if len(path_segments) >= 1 else '' + repo_name = path_segments[1] if len(path_segments) >= 2 else '' + + if project_key and repo_name: + repo = await self.get_repository_details_from_repo_name( + f'{project_key}/{repo_name}' + ) + repositories.append(repo) + except (ValueError, IndexError): + pass + + return repositories + + MAX_REPOS = 1000 + # Search for repos once project prefix exists + if '/' in query: + project_slug, repo_query = query.split('/', 1) + project_repos_url = f'{self.BASE_URL}/projects/{project_slug}/repos' + raw_repos = await self._fetch_paginated_data( + project_repos_url, {'limit': per_page}, MAX_REPOS + ) + if repo_query: + raw_repos = [ + r + for r in raw_repos + if repo_query.lower() in r.get('slug', '').lower() + or repo_query.lower() in r.get('name', '').lower() + ] + return [await self._parse_repository(repo) for repo in raw_repos] + + # No '/' in query, search across all projects + all_projects = await self.get_installations() + for project_key in all_projects: + try: + repos = await self.get_paginated_repos( + 1, per_page, sort, project_key, query + ) + repositories.extend(repos) + except Exception: + continue + return repositories + + async def _get_user_projects(self) -> list[dict[str, Any]]: + """Get all projects the user has access to""" + projects_url = f'{self.BASE_URL}/projects' + projects = await self._fetch_paginated_data(projects_url, {}, 100) + return projects + + async def get_installations( + self, query: str | None = None, limit: int = 100 + ) -> list[str]: + projects_url = f'{self.BASE_URL}/projects' + params: dict[str, Any] = {'limit': limit} + projects = await self._fetch_paginated_data(projects_url, params, limit) + project_keys: list[str] = [] + for project in projects: + key = project.get('key') + name = project.get('name', '') + if not key: + continue + if query and query.lower() not in f'{key}{name}'.lower(): + continue + project_keys.append(key) + return project_keys + + async def get_paginated_repos( + self, + page: int, + per_page: int, + sort: str, + installation_id: str | None, + query: str | None = None, + ) -> list[Repository]: + """Get paginated repositories for a specific project. + + Args: + page: The page number to fetch + per_page: The number of repositories per page + sort: The sort field ('pushed', 'updated', 'created', 'full_name') + installation_id: The project slug to fetch repositories from (as int, will be converted to string) + + Returns: + A list of Repository objects + """ + if not installation_id: + return [] + + # Convert installation_id to string for use as project_slug + project_slug = installation_id + + project_repos_url = f'{self.BASE_URL}/projects/{project_slug}/repos' + # Calculate start offset from page number (Bitbucket Server uses 0-based start index) + start = (page - 1) * per_page + params: dict[str, Any] = {'limit': per_page, 'start': start} + response, _ = await self._make_request(project_repos_url, params) + repos = response.get('values', []) + if query: + repos = [ + repo + for repo in repos + if query.lower() in repo.get('slug', '').lower() + or query.lower() in repo.get('name', '').lower() + ] + formatted_link_header = '' + if not response.get('isLastPage', True): + next_page = page + 1 + # Use 'page=' format for frontend compatibility with extractNextPageFromLink + formatted_link_header = ( + f'<{project_repos_url}?page={next_page}>; rel="next"' + ) + return [ + await self._parse_repository(repo, link_header=formatted_link_header) + for repo in repos + ] + + async def get_all_repositories( + self, sort: str, app_mode: AppMode + ) -> list[Repository]: + """Get repositories for the authenticated user using workspaces endpoint. + + This method gets all repositories (both public and private) that the user has access to + by iterating through their workspaces and fetching repositories from each workspace. + This approach is more comprehensive and efficient than the previous implementation + that made separate calls for public and private repositories. + """ + MAX_REPOS = 1000 + PER_PAGE = 100 # Maximum allowed by Bitbucket data center API + repositories: list[Repository] = [] + + projects = await self.get_installations(limit=MAX_REPOS) + for project_key in projects: + project_repos_url = f'{self.BASE_URL}/projects/{project_key}/repos' + project_repos = await self._fetch_paginated_data( + project_repos_url, + {'limit': PER_PAGE}, + MAX_REPOS - len(repositories), + ) + for repo in project_repos: + repositories.append(await self._parse_repository(repo)) + if len(repositories) >= MAX_REPOS: + break + if len(repositories) >= MAX_REPOS: + break + return repositories + + async def get_suggested_tasks(self) -> list[SuggestedTask]: + """Get suggested tasks for the authenticated user across all repositories.""" + # TODO: implemented suggested tasks + return [] diff --git a/openhands/integrations/bitbucket_data_center/service/resolver.py b/openhands/integrations/bitbucket_data_center/service/resolver.py new file mode 100644 index 0000000000..1559eba191 --- /dev/null +++ b/openhands/integrations/bitbucket_data_center/service/resolver.py @@ -0,0 +1,113 @@ +from datetime import datetime, timezone + +from openhands.integrations.bitbucket_data_center.service.base import ( + BitbucketDCMixinBase, +) +from openhands.integrations.service_types import Comment + + +class BitbucketDCResolverMixin(BitbucketDCMixinBase): + """ + Helper methods used for the Bitbucket Data Center Resolver + """ + + async def get_pr_title_and_body( + self, owner: str, repo_slug: str, pr_id: int + ) -> tuple[str, str]: + """Get the title and body of a pull request. + + Args: + owner: Project key (e.g. 'PROJ') + repo_slug: Repository slug + pr_id: Pull request ID + + Returns: + A tuple of (title, body) + """ + url = ( + f'{self.BASE_URL}/projects/{owner}/repos/{repo_slug}/pull-requests/{pr_id}' + ) + response, _ = await self._make_request(url) + title = response.get('title') or '' + body = response.get('description') or '' + return title, body + + async def get_pr_comments( + self, owner: str, repo_slug: str, pr_id: int, max_comments: int = 10 + ) -> list[Comment]: + """Get comments for a pull request. + + Uses the pull-requests/{id}/activities endpoint, filtering for + COMMENTED actions — the same approach used by the resolver interface. + + Args: + owner: Project key (e.g. 'PROJ') + repo_slug: Repository slug + pr_id: Pull request ID + max_comments: Maximum number of comments to retrieve + + Returns: + List of Comment objects ordered by creation date + """ + url = f'{self.BASE_URL}/projects/{owner}/repos/{repo_slug}/pull-requests/{pr_id}/activities' + all_raw: list[dict] = [] + + params: dict = {'limit': 100, 'start': 0} + while len(all_raw) < max_comments: + response, _ = await self._make_request(url, params) + for activity in response.get('values', []): + if activity.get('action') == 'COMMENTED': + comment = activity.get('comment', {}) + if comment: + all_raw.append(comment) + + if response.get('isLastPage', True): + break + + next_start = response.get('nextPageStart') + if next_start is None: + break + params = {'limit': 100, 'start': next_start} + + return self._process_raw_comments(all_raw, max_comments) + + def _process_raw_comments( + self, comments: list, max_comments: int = 10 + ) -> list[Comment]: + """Convert raw Bitbucket DC comment dicts to Comment objects.""" + all_comments: list[Comment] = [] + for comment_data in comments: + # Bitbucket DC activities use epoch milliseconds for createdDate/updatedDate + created_ms = comment_data.get('createdDate') + updated_ms = comment_data.get('updatedDate') + + created_at = ( + datetime.fromtimestamp(created_ms / 1000, tz=timezone.utc) + if created_ms is not None + else datetime.fromtimestamp(0, tz=timezone.utc) + ) + updated_at = ( + datetime.fromtimestamp(updated_ms / 1000, tz=timezone.utc) + if updated_ms is not None + else datetime.fromtimestamp(0, tz=timezone.utc) + ) + + author = ( + comment_data.get('author', {}).get('slug') + or comment_data.get('author', {}).get('name') + or 'unknown' + ) + + all_comments.append( + Comment( + id=str(comment_data.get('id', 'unknown')), + body=self._truncate_comment(comment_data.get('text', '')), + author=author, + created_at=created_at, + updated_at=updated_at, + system=False, + ) + ) + + all_comments.sort(key=lambda c: c.created_at) + return all_comments[-max_comments:] diff --git a/openhands/integrations/provider.py b/openhands/integrations/provider.py index d162298811..ad94305b3c 100644 --- a/openhands/integrations/provider.py +++ b/openhands/integrations/provider.py @@ -22,6 +22,9 @@ from openhands.integrations.azure_devops.azure_devops_service import ( AzureDevOpsServiceImpl, ) from openhands.integrations.bitbucket.bitbucket_service import BitBucketServiceImpl +from openhands.integrations.bitbucket_data_center.bitbucket_dc_service import ( + BitbucketDCServiceImpl, +) from openhands.integrations.forgejo.forgejo_service import ForgejoServiceImpl from openhands.integrations.github.github_service import GithubServiceImpl from openhands.integrations.gitlab.gitlab_service import GitLabServiceImpl @@ -128,6 +131,7 @@ class ProviderHandler: ProviderType.GITHUB: GithubServiceImpl, ProviderType.GITLAB: GitLabServiceImpl, ProviderType.BITBUCKET: BitBucketServiceImpl, + ProviderType.BITBUCKET_DATA_CENTER: BitbucketDCServiceImpl, ProviderType.FORGEJO: ForgejoServiceImpl, ProviderType.AZURE_DEVOPS: AzureDevOpsServiceImpl, } @@ -222,6 +226,18 @@ class ProviderHandler: return [] + async def get_bitbucket_dc_projects(self) -> list[str]: + service = cast( + InstallationsService, + self.get_service(ProviderType.BITBUCKET_DATA_CENTER), + ) + try: + return await service.get_installations() + except Exception as e: + logger.warning(f'Failed to get bitbucket data center projects {e}') + + return [] + async def get_azure_devops_organizations(self) -> list[str]: service = cast( InstallationsService, self.get_service(ProviderType.AZURE_DEVOPS) @@ -341,8 +357,9 @@ class ProviderHandler: def _is_repository_url(self, query: str, provider: ProviderType) -> bool: """Check if the query is a repository URL.""" custom_host = self.provider_tokens[provider].host - custom_host_exists = custom_host and custom_host in query - default_host_exists = self.PROVIDER_DOMAINS[provider] in query + custom_host_exists = bool(custom_host and custom_host in query) + default_domain = self.PROVIDER_DOMAINS.get(provider) + default_host_exists = default_domain is not None and default_domain in query return query.startswith(('http://', 'https://')) and ( custom_host_exists or default_host_exists @@ -673,7 +690,7 @@ class ProviderHandler: provider = repository.git_provider repo_name = repository.full_name - domain = self.PROVIDER_DOMAINS[provider] + domain = self.PROVIDER_DOMAINS.get(provider, '') # If provider tokens are provided, use the host from the token if available # Note: For Azure DevOps, don't use the host field as it may contain org/project path @@ -724,6 +741,24 @@ class ProviderHandler: else: # Access token format: use x-token-auth remote_url = f'{protocol}://x-token-auth:{token_value}@{domain}/{repo_name}.git' + elif provider == ProviderType.BITBUCKET_DATA_CENTER: + # DC uses HTTP Basic auth — token must be in username:token format + project, repo_slug = ( + repo_name.split('/', 1) + if '/' in repo_name + else (repo_name, repo_name) + ) + scm_path = f'scm/{project.lower()}/{repo_slug}.git' + # Percent-encode each credential part so special characters + # (e.g. @, #, /) don't break the URL. + if ':' in token_value: + dc_user, dc_pass = token_value.split(':', 1) + url_creds = ( + f'{quote(dc_user, safe="")}:{quote(dc_pass, safe="")}' + ) + else: + url_creds = f'x-token-auth:{quote(token_value, safe="")}' + remote_url = f'{protocol}://{url_creds}@{domain}/{scm_path}' elif provider == ProviderType.AZURE_DEVOPS: # Azure DevOps uses PAT with Basic auth # Format: https://{anything}:{PAT}@dev.azure.com/{org}/{project}/_git/{repo} diff --git a/openhands/integrations/service_types.py b/openhands/integrations/service_types.py index 9ee250085d..27ae0e5edb 100644 --- a/openhands/integrations/service_types.py +++ b/openhands/integrations/service_types.py @@ -21,6 +21,7 @@ class ProviderType(Enum): GITHUB = 'github' GITLAB = 'gitlab' BITBUCKET = 'bitbucket' + BITBUCKET_DATA_CENTER = 'bitbucket_data_center' FORGEJO = 'forgejo' AZURE_DEVOPS = 'azure_devops' ENTERPRISE_SSO = 'enterprise_sso' @@ -78,6 +79,16 @@ class SuggestedTask(BaseModel): 'ciProvider': 'Bitbucket', 'requestVerb': 'pull request', } + elif self.git_provider == ProviderType.BITBUCKET_DATA_CENTER: + return { + 'requestType': 'Pull Request', + 'requestTypeShort': 'PR', + 'apiName': 'Bitbucket Data Center API', + 'tokenEnvVar': 'BITBUCKET_DATA_CENTER_TOKEN', + 'ciSystem': 'Bitbucket Pipelines', + 'ciProvider': 'Bitbucket Data Center', + 'requestVerb': 'pull request', + } raise ValueError(f'Provider {self.git_provider} for suggested task prompts') diff --git a/openhands/integrations/utils.py b/openhands/integrations/utils.py index cbda2b06e7..d7446597c1 100644 --- a/openhands/integrations/utils.py +++ b/openhands/integrations/utils.py @@ -5,6 +5,9 @@ from openhands.integrations.azure_devops.azure_devops_service import ( AzureDevOpsServiceImpl as AzureDevOpsService, ) from openhands.integrations.bitbucket.bitbucket_service import BitBucketService +from openhands.integrations.bitbucket_data_center.bitbucket_dc_service import ( + BitbucketDCService, +) from openhands.integrations.forgejo.forgejo_service import ForgejoService from openhands.integrations.github.github_service import GitHubService from openhands.integrations.gitlab.gitlab_service import GitLabService @@ -14,7 +17,7 @@ from openhands.integrations.provider import ProviderType async def validate_provider_token( token: SecretStr, base_domain: str | None = None ) -> ProviderType | None: - """Determine whether a token is for GitHub, GitLab, Bitbucket, or Azure DevOps by attempting to get user info from the services. + """Determine whether a token is for GitHub, GitLab, Bitbucket, Bitbucket Data Center, or Azure DevOps by attempting to get user info from the services. Args: token: The token to check @@ -69,6 +72,18 @@ async def validate_provider_token( except Exception as e: bitbucket_error = e + # Try Bitbucket Data Center if a base_domain was provided (always self-hosted) + bitbucket_dc_error = None + if base_domain: + try: + bitbucket_dc_service = BitbucketDCService( + token=token, base_domain=base_domain + ) + await bitbucket_dc_service.verify_access() + return ProviderType.BITBUCKET_DATA_CENTER + except Exception as e: + bitbucket_dc_error = e + # Try Azure DevOps last azure_devops_error = None try: @@ -79,7 +94,7 @@ async def validate_provider_token( azure_devops_error = e logger.debug( - f'Failed to validate token: {github_error} \n {gitlab_error} \n {forgejo_error} \n {bitbucket_error} \n {azure_devops_error}' + f'Failed to validate token: {github_error} \n {gitlab_error} \n {forgejo_error} \n {bitbucket_error} \n {bitbucket_dc_error} \n {azure_devops_error}' ) return None diff --git a/openhands/resolver/interfaces/bitbucket_data_center.py b/openhands/resolver/interfaces/bitbucket_data_center.py new file mode 100644 index 0000000000..c5bf4f9552 --- /dev/null +++ b/openhands/resolver/interfaces/bitbucket_data_center.py @@ -0,0 +1,357 @@ +import base64 +from typing import Any +from urllib.parse import quote + +import httpx + +from openhands.core.logger import openhands_logger as logger +from openhands.resolver.interfaces.issue import ( + Issue, + IssueHandlerInterface, + ReviewThread, +) +from openhands.resolver.utils import extract_issue_references +from openhands.utils.async_utils import GENERAL_TIMEOUT, call_async_from_sync +from openhands.utils.http_session import httpx_verify_option + + +class BitbucketDCIssueHandler(IssueHandlerInterface): + def __init__( + self, + owner: str, + repo: str, + token: str, + username: str | None = None, + base_domain: str = 'bitbucket.example.com', + ): + """Initialize a Bitbucket Data Center issue handler. + + Args: + owner: The project key of the repository + repo: The slug of the repository + token: The Bitbucket DC API token (user:password or user:token format) + username: Optional username (used when token is a bare API token) + base_domain: The hostname of the Bitbucket DC instance + """ + self.owner = owner + self.repo = repo + self.token = token + self.username = username + self.base_domain = base_domain + self.base_url = self.get_base_url() + self.download_url = self.get_download_url() + self.clone_url = self.get_clone_url() + self.headers = self.get_headers() + + def set_owner(self, owner: str) -> None: + self.owner = owner + + def get_headers(self) -> dict[str, str]: + # DC always uses HTTP Basic auth + if ':' in self.token: + auth_str = base64.b64encode(self.token.encode()).decode() + elif self.username: + creds = f'{self.username}:{self.token}' + auth_str = base64.b64encode(creds.encode()).decode() + else: + auth_str = base64.b64encode(self.token.encode()).decode() + return { + 'Authorization': f'Basic {auth_str}', + 'Accept': 'application/json', + } + + def get_base_url(self) -> str: + return f'https://{self.base_domain}/rest/api/1.0' + + def _get_repo_api_base(self) -> str: + return f'{self.base_url}/projects/{self.owner}/repos/{self.repo}' + + def get_download_url(self) -> str: + return ( + f'https://{self.base_domain}/rest/api/latest' + f'/projects/{self.owner}/repos/{self.repo}/archive?format=zip' + ) + + def get_clone_url(self) -> str: + return f'https://{self.base_domain}/scm/{self.owner.lower()}/{self.repo}.git' + + def get_repo_url(self) -> str: + return f'https://{self.base_domain}/projects/{self.owner}/repos/{self.repo}' + + def get_issue_url(self, issue_number: int) -> str: + # DC has no issue tracker; use pull-requests URL + return f'{self.get_repo_url()}/pull-requests/{issue_number}' + + def get_pr_url(self, pr_number: int) -> str: + return f'{self.get_repo_url()}/pull-requests/{pr_number}' + + def get_pull_url(self, pr_number: int) -> str: + return f'{self.get_repo_url()}/pull-requests/{pr_number}' + + def get_branch_url(self, branch_name: str) -> str: + return f'{self.get_repo_url()}/browse?at=refs/heads/{branch_name}' + + def get_compare_url(self, branch_name: str) -> str: + default_branch = self.get_default_branch_name() + return ( + f'{self.get_repo_url()}/compare/commits' + f'?sourceBranch=refs/heads/{branch_name}' + f'&targetBranch=refs/heads/{default_branch}' + ) + + def get_authorize_url(self) -> str: + if ':' in self.token: + user, _, token = self.token.partition(':') + creds = f'{quote(user, safe="")}:{quote(token, safe="")}' + elif self.username: + creds = f'{quote(self.username, safe="")}:{quote(self.token, safe="")}' + else: + creds = quote(self.token, safe='') + return f'https://{creds}@{self.base_domain}/' + + def get_graphql_url(self) -> str: + # DC has no GraphQL API; return a placeholder + return f'https://{self.base_domain}/rest/api/1.0' + + def get_branch_name(self, base_branch_name: str) -> str: + return f'{base_branch_name}-{self.owner}' + + async def get_issue(self, issue_number: int) -> Issue: + """Fetch a Bitbucket DC pull request as an Issue. + + Args: + issue_number: The pull request ID + + Returns: + An Issue object populated from the DC pull request response + """ + url = f'{self._get_repo_api_base()}/pull-requests/{issue_number}' + async with httpx.AsyncClient(verify=httpx_verify_option()) as client: + response = await client.get(url, headers=self.headers) + response.raise_for_status() + data = response.json() + + head_branch = data.get('fromRef', {}).get('displayId', '') + base_branch = data.get('toRef', {}).get('displayId', '') + + return Issue( + owner=self.owner, + repo=self.repo, + number=data.get('id'), + title=data.get('title', ''), + body=data.get('description', ''), + head_branch=head_branch, + base_branch=base_branch, + ) + + def create_pr( + self, + title: str, + body: str, + head: str, + base: str, + ) -> str: + """Create a pull request on Bitbucket DC. + + Args: + title: PR title + body: PR description + head: Source branch name + base: Target branch name + + Returns: + The URL of the created pull request + """ + result = self.create_pull_request( + { + 'title': title, + 'description': body, + 'source_branch': head, + 'target_branch': base, + } + ) + return result.get('html_url', '') + + def create_pull_request(self, data: dict[str, Any] | None = None) -> dict[str, Any]: + """Create a pull request and return html_url and number. + + Args: + data: Dict with keys title, description, source_branch, target_branch + + Returns: + Dict with 'html_url' and 'number' keys + """ + if data is None: + data = {} + + title = data.get('title', '') + description = data.get('description', '') + source_branch = data.get('source_branch', '') + target_branch = data.get('target_branch', '') + + url = f'{self._get_repo_api_base()}/pull-requests' + payload = { + 'title': title, + 'description': description, + 'fromRef': { + 'id': f'refs/heads/{source_branch}', + 'repository': { + 'slug': self.repo, + 'project': {'key': self.owner}, + }, + }, + 'toRef': { + 'id': f'refs/heads/{target_branch}', + 'repository': { + 'slug': self.repo, + 'project': {'key': self.owner}, + }, + }, + } + response = httpx.post( + url, headers=self.headers, json=payload, verify=httpx_verify_option() + ) + response.raise_for_status() + resp_data = response.json() + + links = resp_data.get('links', {}).get('self', []) + html_url = links[0].get('href', '') if links else '' + + return { + 'html_url': html_url, + 'number': resp_data.get('id', 0), + } + + def send_comment_msg(self, issue_number: int, msg: str) -> None: + url = f'{self._get_repo_api_base()}/pull-requests/{issue_number}/comments' + payload = {'text': msg} + response = httpx.post( + url, headers=self.headers, json=payload, verify=httpx_verify_option() + ) + response.raise_for_status() + + def reply_to_comment(self, pr_number: int, comment_id: str, reply: str) -> None: + url = f'{self._get_repo_api_base()}/pull-requests/{pr_number}/comments' + payload = { + 'text': reply, + 'parent': {'id': int(comment_id)}, + } + response = httpx.post( + url, headers=self.headers, json=payload, verify=httpx_verify_option() + ) + response.raise_for_status() + + def branch_exists(self, branch_name: str) -> bool: + url = f'{self._get_repo_api_base()}/branches' + params = {'filterText': branch_name, 'limit': 1} + try: + response = httpx.get( + url, headers=self.headers, params=params, verify=httpx_verify_option() + ) + response.raise_for_status() + data = response.json() + values = data.get('values', []) + return any(v.get('displayId') == branch_name for v in values) + except httpx.HTTPError as e: + logger.warning(f'Failed to check branch existence: {e}') + return False + + def get_default_branch_name(self) -> str: + url = self._get_repo_api_base() + try: + response = httpx.get( + url, headers=self.headers, verify=httpx_verify_option() + ) + response.raise_for_status() + data = response.json() + default_branch = data.get('defaultBranch', {}) + if default_branch: + display_id = default_branch.get('displayId', '') + if display_id: + if display_id.startswith('refs/heads/'): + return display_id[len('refs/heads/') :] + return display_id + except httpx.HTTPError as e: + logger.warning(f'Failed to get default branch name: {e}') + return 'master' + + def download_issues(self) -> list[Any]: + logger.warning( + 'BitbucketDCIssueHandler.download_issues not implemented; ' + 'use get_issue() to fetch individual pull requests' + ) + return [] + + def get_issue_comments( + self, issue_number: int, comment_id: int | None = None + ) -> list[str] | None: + logger.warning('BitbucketDCIssueHandler.get_issue_comments not implemented') + return [] + + def get_issue_thread_comments(self, issue_number: int) -> list[str]: + logger.warning( + 'BitbucketDCIssueHandler.get_issue_thread_comments not implemented' + ) + return [] + + def get_issue_review_comments(self, issue_number: int) -> list[str]: + logger.warning( + 'BitbucketDCIssueHandler.get_issue_review_comments not implemented' + ) + return [] + + def get_issue_review_threads(self, issue_number: int) -> list[ReviewThread]: + logger.warning( + 'BitbucketDCIssueHandler.get_issue_review_threads not implemented' + ) + return [] + + def get_context_from_external_issues_references( + self, + closing_issues: list[str], + closing_issue_numbers: list[int], + issue_body: str, + review_comments: list[str] | None, + review_threads: list[ReviewThread], + thread_comments: list[str] | None, + ) -> list[str]: + # DC has no issue tracker; return closing_issues immediately without API calls + return closing_issues + + def request_reviewers(self, reviewer: str, pr_number: int) -> None: + logger.warning('BitbucketDCIssueHandler.request_reviewers not implemented') + + def get_issue_references(self, body: str) -> list[int]: + return extract_issue_references(body) + + def get_converted_issues( + self, issue_numbers: list[int] | None = None, comment_id: int | None = None + ) -> list[Issue]: + if not issue_numbers: + raise ValueError('Unspecified issue numbers') + + converted_issues = [] + for issue_number in issue_numbers: + try: + issue = call_async_from_sync( + self.get_issue, GENERAL_TIMEOUT, issue_number + ) + converted_issues.append(issue) + except Exception as e: + logger.warning(f'Failed to fetch pull request {issue_number}: {e}') + + return converted_issues + + +class BitbucketDCPRHandler(BitbucketDCIssueHandler): + """Handler for Bitbucket Data Center pull requests, extending the issue handler.""" + + def __init__( + self, + owner: str, + repo: str, + token: str, + username: str | None = None, + base_domain: str = 'bitbucket.example.com', + ): + super().__init__(owner, repo, token, username, base_domain) diff --git a/openhands/resolver/issue_handler_factory.py b/openhands/resolver/issue_handler_factory.py index f1e38e35b0..ddab05432c 100644 --- a/openhands/resolver/issue_handler_factory.py +++ b/openhands/resolver/issue_handler_factory.py @@ -12,6 +12,10 @@ from openhands.resolver.interfaces.bitbucket import ( BitbucketIssueHandler, BitbucketPRHandler, ) +from openhands.resolver.interfaces.bitbucket_data_center import ( + BitbucketDCIssueHandler, + BitbucketDCPRHandler, +) from openhands.resolver.interfaces.forgejo import ( ForgejoIssueHandler, ForgejoPRHandler, @@ -80,6 +84,17 @@ class IssueHandlerFactory: ), self.llm_config, ) + elif self.platform == ProviderType.BITBUCKET_DATA_CENTER: + return ServiceContextIssue( + BitbucketDCIssueHandler( + self.owner, + self.repo, + self.token, + self.username, + self.base_domain, + ), + self.llm_config, + ) elif self.platform == ProviderType.FORGEJO: return ServiceContextIssue( ForgejoIssueHandler( @@ -147,6 +162,17 @@ class IssueHandlerFactory: ), self.llm_config, ) + elif self.platform == ProviderType.BITBUCKET_DATA_CENTER: + return ServiceContextPR( + BitbucketDCPRHandler( + self.owner, + self.repo, + self.token, + self.username, + self.base_domain, + ), + self.llm_config, + ) elif self.platform == ProviderType.FORGEJO: return ServiceContextPR( ForgejoPRHandler( diff --git a/openhands/resolver/issue_resolver.py b/openhands/resolver/issue_resolver.py index 68abc4bc1b..1d1821b66b 100644 --- a/openhands/resolver/issue_resolver.py +++ b/openhands/resolver/issue_resolver.py @@ -141,6 +141,8 @@ class IssueResolver: if platform == ProviderType.GITLAB else 'bitbucket.org' if platform == ProviderType.BITBUCKET + else 'bitbucket.example.com' + if platform == ProviderType.BITBUCKET_DATA_CENTER else 'dev.azure.com' ) diff --git a/openhands/resolver/send_pull_request.py b/openhands/resolver/send_pull_request.py index c59b95c998..d2ffc7f8a8 100644 --- a/openhands/resolver/send_pull_request.py +++ b/openhands/resolver/send_pull_request.py @@ -20,6 +20,7 @@ from openhands.integrations.service_types import ProviderType from openhands.llm.llm import LLM from openhands.resolver.interfaces.azure_devops import AzureDevOpsIssueHandler from openhands.resolver.interfaces.bitbucket import BitbucketIssueHandler +from openhands.resolver.interfaces.bitbucket_data_center import BitbucketDCIssueHandler from openhands.resolver.interfaces.forgejo import ForgejoIssueHandler from openhands.resolver.interfaces.github import GithubIssueHandler from openhands.resolver.interfaces.gitlab import GitlabIssueHandler @@ -310,6 +311,13 @@ def send_pull_request( ), None, ) + elif platform == ProviderType.BITBUCKET_DATA_CENTER: + handler = ServiceContextIssue( + BitbucketDCIssueHandler( + issue.owner, issue.repo, token, username, base_domain + ), + None, + ) elif platform == ProviderType.FORGEJO: handler = ServiceContextIssue( ForgejoIssueHandler(issue.owner, issue.repo, token, username, base_domain), @@ -416,6 +424,14 @@ def send_pull_request( 'target_branch': base_branch, 'draft': pr_type == 'draft', } + elif platform == ProviderType.BITBUCKET_DATA_CENTER: + data = { + 'title': final_pr_title, + 'description': pr_body, + 'source_branch': head_branch, + 'target_branch': base_branch, + 'draft': pr_type == 'draft', + } elif platform == ProviderType.FORGEJO: data = { 'title': final_pr_title, @@ -476,6 +492,7 @@ def update_existing_pull_request( ProviderType.AZURE_DEVOPS: 'dev.azure.com', ProviderType.BITBUCKET: 'bitbucket.org', ProviderType.FORGEJO: 'codeberg.org', + ProviderType.BITBUCKET_DATA_CENTER: 'bitbucket.example.com', }.get(platform, 'github.com') handler = None @@ -503,6 +520,13 @@ def update_existing_pull_request( ), llm_config, ) + elif platform == ProviderType.BITBUCKET_DATA_CENTER: + handler = ServiceContextIssue( + BitbucketDCIssueHandler( + issue.owner, issue.repo, token, username, base_domain + ), + llm_config, + ) elif platform == ProviderType.FORGEJO: handler = ServiceContextIssue( ForgejoIssueHandler(issue.owner, issue.repo, token, username, base_domain), @@ -606,6 +630,12 @@ def process_single_issue( else 'gitlab.com' if platform == ProviderType.GITLAB else 'dev.azure.com' + if platform == ProviderType.AZURE_DEVOPS + else 'bitbucket.org' + if platform == ProviderType.BITBUCKET + else 'bitbucket.example.com' + if platform == ProviderType.BITBUCKET_DATA_CENTER + else 'github.com' ) if not resolver_output.success and not send_on_failure: logger.info( diff --git a/openhands/server/routes/git.py b/openhands/server/routes/git.py index 76ce6906ef..411d90ba79 100644 --- a/openhands/server/routes/git.py +++ b/openhands/server/routes/git.py @@ -61,6 +61,8 @@ async def get_user_installations( return await client.get_github_installations() elif provider == ProviderType.BITBUCKET: return await client.get_bitbucket_workspaces() + elif provider == ProviderType.BITBUCKET_DATA_CENTER: + return await client.get_bitbucket_dc_projects() elif provider == ProviderType.AZURE_DEVOPS: return await client.get_azure_devops_organizations() else: diff --git a/openhands/server/routes/mcp.py b/openhands/server/routes/mcp.py index df7c978de6..6cd62b2712 100644 --- a/openhands/server/routes/mcp.py +++ b/openhands/server/routes/mcp.py @@ -12,6 +12,9 @@ from openhands.integrations.azure_devops.azure_devops_service import ( AzureDevOpsServiceImpl, ) from openhands.integrations.bitbucket.bitbucket_service import BitBucketServiceImpl +from openhands.integrations.bitbucket_data_center.bitbucket_dc_service import ( + BitbucketDCServiceImpl, +) from openhands.integrations.github.github_service import GithubServiceImpl from openhands.integrations.gitlab.gitlab_service import GitLabServiceImpl from openhands.integrations.provider import ProviderToken @@ -61,16 +64,20 @@ async def save_pr_metadata( pull_pattern = r'pull/(\d+)' merge_request_pattern = r'merge_requests/(\d+)' + pull_requests_pattern = r'pull-requests/(\d+)' # Check if the tool_result contains the PR number pr_number = None match_pull = re.search(pull_pattern, tool_result) match_merge_request = re.search(merge_request_pattern, tool_result) + match_pull_requests = re.search(pull_requests_pattern, tool_result) if match_pull: pr_number = int(match_pull.group(1)) elif match_merge_request: pr_number = int(match_merge_request.group(1)) + elif match_pull_requests: + pr_number = int(match_pull_requests.group(1)) if pr_number: logger.info(f'Saving PR number: {pr_number} for conversation {conversation_id}') @@ -292,6 +299,73 @@ async def create_bitbucket_pr( return response +@mcp_server.tool() +async def create_bitbucket_data_center_pr( + repo_name: Annotated[ + str, Field(description='Bitbucket Data Center repository (PROJECT/repo_slug)') + ], + source_branch: Annotated[str, Field(description='Source branch on repo')], + target_branch: Annotated[str, Field(description='Target branch on repo')], + title: Annotated[ + str, + Field( + description='PR Title. Start title with `DRAFT:` or `WIP:` if applicable.' + ), + ], + description: Annotated[str | None, Field(description='PR description')], +) -> str: + """Open a PR in Bitbucket Data Center""" + logger.info('Calling OpenHands MCP create_bitbucket_data_center_pr') + + request = get_http_request() + headers = request.headers + conversation_id = headers.get('X-OpenHands-ServerConversation-ID', None) + + provider_tokens = await get_provider_tokens(request) + access_token = await get_access_token(request) + user_id = await get_user_id(request) + + bitbucket_dc_token = ( + provider_tokens.get(ProviderType.BITBUCKET_DATA_CENTER, ProviderToken()) + if provider_tokens + else ProviderToken() + ) + + bitbucket_dc_service = BitbucketDCServiceImpl( + user_id=bitbucket_dc_token.user_id, + external_auth_id=user_id, + external_auth_token=access_token, + token=bitbucket_dc_token.token, + base_domain=bitbucket_dc_token.host, + ) + + try: + description = await get_conversation_link( + bitbucket_dc_service, conversation_id, description or '' + ) + except Exception as e: + logger.warning(f'Failed to append conversation link: {e}') + + try: + response = await bitbucket_dc_service.create_pr( + repo_name=repo_name, + source_branch=source_branch, + target_branch=target_branch, + title=title, + body=description, + ) + + if conversation_id: + await save_pr_metadata(user_id, conversation_id, response) + + except Exception as e: + error = f'Error creating pull request: {e}' + logger.error(error) + raise ToolError(str(error)) + + return response + + @mcp_server.tool() async def create_azure_devops_pr( repo_name: Annotated[ diff --git a/skills/bitbucket_data_center.md b/skills/bitbucket_data_center.md new file mode 100644 index 0000000000..147ce18624 --- /dev/null +++ b/skills/bitbucket_data_center.md @@ -0,0 +1,41 @@ +--- +name: bitbucket_data_center +type: knowledge +version: 1.0.0 +agent: CodeActAgent +triggers: +- bitbucket_data_center +- bitbucket data center +--- + +You have access to an environment variable, `BITBUCKET_DATA_CENTER_TOKEN`, which contains +a basic auth token in the format `username:your-token` that allows you to interact with the git repository. + +You can also use this token to interact with Bitbucket Data Center's REST API: +```bash +curl -u "${BITBUCKET_DATA_CENTER_TOKEN}" https://{domain}/rest/api/1.0/... +``` + + +ALWAYS use the Bitbucket Data Center API for operations instead of a web browser. +ALWAYS use the `create_bitbucket_data_center_pr` tool to open a pull request + + +If you encounter authentication issues when pushing to Bitbucket Data Center (such as password prompts or permission errors), the old token may have expired. In such case, update the remote URL to include the current token: `git remote set-url origin https://${BITBUCKET_DATA_CENTER_TOKEN}@{domain}/scm/{project_lower}/{repo}.git` + +The repository format for Bitbucket Data Center is `PROJECT/repo_slug` (project key, slash, repo slug). + +Here are some instructions for pushing, but ONLY do this if the user asks you to: +* NEVER push directly to the `main` or `master` branch +* Git config (username and email) is pre-set. Do not modify. +* You may already be on a branch starting with `openhands-workspace`. Create a new branch with a better name before pushing. +* Use the `create_bitbucket_data_center_pr` tool to create a pull request, if you haven't already +* Once you've created your own branch or a pull request, continue to update it. Do NOT create a new one unless you are explicitly asked to. Update the PR title and description as necessary, but don't change the branch name. +* Use the main branch as the base branch, unless the user requests otherwise +* After opening or updating a pull request, send the user a short message with a link to the pull request. +* Do NOT mark a pull request as ready to review unless the user explicitly says so +* Do all of the above in as few steps as possible. E.g. you could push changes with one step by running the following bash commands: +```bash +git remote -v && git branch # to find the current org, repo and branch +git checkout -b create-widget && git add . && git commit -m "Create widget" && git push -u origin create-widget +``` diff --git a/tests/unit/integrations/bitbucket_data_center/test_bitbucket_dc.py b/tests/unit/integrations/bitbucket_data_center/test_bitbucket_dc.py new file mode 100644 index 0000000000..8df2783cf9 --- /dev/null +++ b/tests/unit/integrations/bitbucket_data_center/test_bitbucket_dc.py @@ -0,0 +1,258 @@ +"""Tests for BitbucketDCService core: init, headers, get_user, pagination, email.""" + +import base64 +from unittest.mock import patch + +import pytest +from pydantic import SecretStr + +from openhands.integrations.bitbucket_data_center.bitbucket_dc_service import ( + BitbucketDCService, +) +from openhands.integrations.service_types import AuthenticationError, User +from openhands.server.types import AppMode + +# ── init / BASE_URL ─────────────────────────────────────────────────────────── + + +def test_init_plain_domain(): + svc = BitbucketDCService(token=SecretStr('tok'), base_domain='host.example.com') + assert svc.BASE_URL == 'https://host.example.com/rest/api/1.0' + + +def test_init_no_domain(): + svc = BitbucketDCService(token=SecretStr('tok'), base_domain=None) + assert svc.BASE_URL == '' + + +# ── token wrapping ──────────────────────────────────────────────────────────── + + +def test_token_wraps_simple_token(): + svc = BitbucketDCService(token=SecretStr('mytoken')) + assert svc.token.get_secret_value() == 'x-token-auth:mytoken' + + +def test_token_preserves_colon_token(): + svc = BitbucketDCService(token=SecretStr('alice:secret')) + assert svc.token.get_secret_value() == 'alice:secret' + + +# ── user_id derivation ──────────────────────────────────────────────────────── + + +def test_user_id_derived_from_username_password_token(): + svc = BitbucketDCService(token=SecretStr('alice:secret')) + assert svc.user_id == 'alice' + + +def test_user_id_not_derived_from_xtoken_auth_token(): + svc = BitbucketDCService(token=SecretStr('x-token-auth:mytoken')) + assert svc.user_id is None + + +def test_explicit_user_id_not_overridden(): + svc = BitbucketDCService(token=SecretStr('alice:secret'), user_id='bob') + assert svc.user_id == 'bob' + + +# ── _get_headers ────────────────────────────────────────────────────────────── + + +@pytest.mark.asyncio +async def test_get_headers_basic_auth(): + svc = BitbucketDCService( + token=SecretStr('user:pass'), base_domain='host.example.com' + ) + headers = await svc._get_headers() + expected = 'Basic ' + base64.b64encode(b'user:pass').decode() + assert headers['Authorization'] == expected + + +@pytest.mark.asyncio +async def test_get_headers_xtoken_auth(): + svc = BitbucketDCService( + token=SecretStr('plaintoken'), base_domain='host.example.com' + ) + # plaintoken has no ':' so it gets wrapped as x-token-auth:plaintoken + headers = await svc._get_headers() + expected = 'Basic ' + base64.b64encode(b'x-token-auth:plaintoken').decode() + assert headers['Authorization'] == expected + + +# ── get_user ────────────────────────────────────────────────────────────────── + + +@pytest.mark.asyncio +async def test_get_user_with_user_id(): + svc = BitbucketDCService( + token=SecretStr('tok'), + base_domain='host.example.com', + user_id='jdoe', + ) + mock_response = { + 'values': [ + { + 'id': 5, + 'slug': 'jdoe', + 'name': 'jdoe', + 'displayName': 'J Doe', + 'emailAddress': 'j@example.com', + 'avatarUrl': '', + } + ] + } + with patch.object(svc, '_make_request', return_value=(mock_response, {})): + user = await svc.get_user() + + assert user.id == '5' + assert user.login == 'jdoe' + assert user.name == 'J Doe' + assert user.email == 'j@example.com' + + +@pytest.mark.asyncio +async def test_get_user_without_user_id(): + # x-token-auth tokens don't have a derivable username, so user_id stays None + svc = BitbucketDCService( + token=SecretStr('x-token-auth:mytoken'), base_domain='host.example.com' + ) + with patch.object(svc, '_make_request') as mock_req: + user = await svc.get_user() + mock_req.assert_not_called() + + assert isinstance(user, User) + assert user.id == '' + assert user.login == '' + + +@pytest.mark.asyncio +async def test_get_user_raises_when_not_found(): + svc = BitbucketDCService( + token=SecretStr('tok'), + base_domain='host.example.com', + user_id='jdoe', + ) + mock_response = {'values': []} + with patch.object(svc, '_make_request', return_value=(mock_response, {})): + with pytest.raises(AuthenticationError): + await svc.get_user() + + +# ── _resolve_primary_email ──────────────────────────────────────────────────── + + +def test_resolve_primary_email_selects_primary_confirmed(): + from openhands.integrations.bitbucket_data_center.service.base import ( + BitbucketDCMixinBase, + ) + + emails = [ + {'email': 'secondary@example.com', 'is_primary': False, 'is_confirmed': True}, + {'email': 'primary@example.com', 'is_primary': True, 'is_confirmed': True}, + { + 'email': 'unconfirmed@example.com', + 'is_primary': False, + 'is_confirmed': False, + }, + ] + result = BitbucketDCMixinBase._resolve_primary_email(emails) + assert result == 'primary@example.com' + + +def test_resolve_primary_email_returns_none_when_no_primary(): + from openhands.integrations.bitbucket_data_center.service.base import ( + BitbucketDCMixinBase, + ) + + emails = [ + {'email': 'a@example.com', 'is_primary': False, 'is_confirmed': True}, + {'email': 'b@example.com', 'is_primary': False, 'is_confirmed': True}, + ] + result = BitbucketDCMixinBase._resolve_primary_email(emails) + assert result is None + + +def test_resolve_primary_email_returns_none_when_primary_not_confirmed(): + from openhands.integrations.bitbucket_data_center.service.base import ( + BitbucketDCMixinBase, + ) + + emails = [ + {'email': 'primary@example.com', 'is_primary': True, 'is_confirmed': False}, + {'email': 'other@example.com', 'is_primary': False, 'is_confirmed': True}, + ] + result = BitbucketDCMixinBase._resolve_primary_email(emails) + assert result is None + + +def test_resolve_primary_email_returns_none_for_empty_list(): + from openhands.integrations.bitbucket_data_center.service.base import ( + BitbucketDCMixinBase, + ) + + result = BitbucketDCMixinBase._resolve_primary_email([]) + assert result is None + + +# ── get_user_emails ─────────────────────────────────────────────────────────── + + +@pytest.mark.asyncio +async def test_get_user_emails(): + svc = BitbucketDCService(token=SecretStr('tok'), base_domain='host.example.com') + mock_response = { + 'values': [ + {'email': 'primary@example.com', 'is_primary': True, 'is_confirmed': True}, + { + 'email': 'secondary@example.com', + 'is_primary': False, + 'is_confirmed': True, + }, + ] + } + with patch.object(svc, '_make_request', return_value=(mock_response, {})): + emails = await svc.get_user_emails() + + assert emails == mock_response['values'] + + +# ── pagination (get_all_repositories iterates projects) ────────────────────── + + +@pytest.mark.asyncio +async def test_pagination_iterates_projects(): + svc = BitbucketDCService(token=SecretStr('tok'), base_domain='host.example.com') + + def _repo_dict(key='PROJ', slug='myrepo'): + return {'id': 1, 'slug': slug, 'project': {'key': key}, 'public': False} + + async def fake_fetch(url, params, max_items): + if '/projects' in url and '/repos' not in url: + return [{'key': 'PROJ1'}, {'key': 'PROJ2'}] + if 'PROJ1' in url: + return [_repo_dict('PROJ1', 'repo1')] + if 'PROJ2' in url: + return [_repo_dict('PROJ2', 'repo2')] + return [] + + with patch.object(svc, '_fetch_paginated_data', side_effect=fake_fetch): + repos = await svc.get_all_repositories('name', AppMode.SAAS) + + full_names = {r.full_name for r in repos} + assert 'PROJ1/repo1' in full_names + assert 'PROJ2/repo2' in full_names + + +# ── verify_access ───────────────────────────────────────────────────────────── + + +@pytest.mark.asyncio +async def test_verify_access_makes_request(): + svc = BitbucketDCService(token=SecretStr('tok'), base_domain='host.example.com') + with patch.object(svc, '_make_request', return_value=({}, {})) as mock_req: + await svc.verify_access() + + mock_req.assert_called_once() + call_url = mock_req.call_args[0][0] + assert call_url.endswith('/repos') diff --git a/tests/unit/integrations/bitbucket_data_center/test_bitbucket_dc_branches.py b/tests/unit/integrations/bitbucket_data_center/test_bitbucket_dc_branches.py new file mode 100644 index 0000000000..2e829110a9 --- /dev/null +++ b/tests/unit/integrations/bitbucket_data_center/test_bitbucket_dc_branches.py @@ -0,0 +1,139 @@ +"""Tests for BitbucketDCBranchesMixin: get_paginated_branches, search_branches, get_branches.""" + +from unittest.mock import patch + +import pytest +from pydantic import SecretStr + +from openhands.integrations.bitbucket_data_center.bitbucket_dc_service import ( + BitbucketDCService, +) +from openhands.integrations.service_types import Branch, PaginatedBranchesResponse + + +def make_service(): + return BitbucketDCService(token=SecretStr('tok'), base_domain='host.example.com') + + +def _dc_branch(display_id='main', commit='abc123'): + return {'displayId': display_id, 'latestCommit': commit} + + +# ── get_paginated_branches ──────────────────────────────────────────────────── + + +@pytest.mark.asyncio +async def test_get_paginated_branches_parses_display_id_and_commit(): + svc = make_service() + mock_response = { + 'values': [ + _dc_branch('main', 'abc'), + _dc_branch('feature/x', 'def'), + ], + 'isLastPage': True, + 'size': 2, + } + + with patch.object( + svc, '_make_request', return_value=(mock_response, {}) + ) as mock_req: + res = await svc.get_paginated_branches('PROJ/myrepo', page=1, per_page=30) + + # Verify the URL uses the DC format + call_url = mock_req.call_args[0][0] + assert '/projects/PROJ/repos/myrepo/branches' in call_url + + assert isinstance(res, PaginatedBranchesResponse) + assert res.branches == [ + Branch(name='main', commit_sha='abc', protected=False, last_push_date=None), + Branch( + name='feature/x', commit_sha='def', protected=False, last_push_date=None + ), + ] + + +@pytest.mark.asyncio +async def test_get_paginated_branches_has_next_page(): + svc = make_service() + mock_response = { + 'values': [_dc_branch()], + 'isLastPage': False, + 'nextPageStart': 30, + 'size': 100, + } + + with patch.object(svc, '_make_request', return_value=(mock_response, {})): + res = await svc.get_paginated_branches('PROJ/myrepo', page=1, per_page=30) + + assert res.has_next_page is True + + +@pytest.mark.asyncio +async def test_get_paginated_branches_last_page(): + svc = make_service() + mock_response = { + 'values': [_dc_branch()], + 'isLastPage': True, + 'size': 1, + } + + with patch.object(svc, '_make_request', return_value=(mock_response, {})): + res = await svc.get_paginated_branches('PROJ/myrepo', page=1, per_page=30) + + assert res.has_next_page is False + + +@pytest.mark.asyncio +async def test_get_paginated_branches_total_count(): + svc = make_service() + mock_response = { + 'values': [_dc_branch()], + 'isLastPage': True, + 'size': 42, + } + + with patch.object(svc, '_make_request', return_value=(mock_response, {})): + res = await svc.get_paginated_branches('PROJ/myrepo', page=1, per_page=30) + + assert res.total_count == 42 + + +# ── search_branches ─────────────────────────────────────────────────────────── + + +@pytest.mark.asyncio +async def test_search_branches_uses_filter_text(): + svc = make_service() + mock_response = {'values': [_dc_branch('feature/my-thing', 'sha1')]} + + with patch.object( + svc, '_make_request', return_value=(mock_response, {}) + ) as mock_req: + branches = await svc.search_branches( + 'PROJ/myrepo', query='my-thing', per_page=15 + ) + + call_url, call_params = mock_req.call_args[0] + assert 'filterText' in call_params + assert call_params['filterText'] == 'my-thing' + assert 'q' not in call_params + assert len(branches) == 1 + assert branches[0].name == 'feature/my-thing' + + +# ── get_branches (all pages via _fetch_paginated_data) ─────────────────────── + + +@pytest.mark.asyncio +async def test_get_branches_returns_all_pages(): + svc = make_service() + + async def fake_fetch(url, params, max_items): + return [_dc_branch('main', 'a'), _dc_branch('dev', 'b')] + + with patch.object(svc, '_fetch_paginated_data', side_effect=fake_fetch): + branches = await svc.get_branches('PROJ/myrepo') + + assert len(branches) == 2 + assert branches[0].name == 'main' + assert branches[1].name == 'dev' diff --git a/tests/unit/integrations/bitbucket_data_center/test_bitbucket_dc_prs.py b/tests/unit/integrations/bitbucket_data_center/test_bitbucket_dc_prs.py new file mode 100644 index 0000000000..ad217821d6 --- /dev/null +++ b/tests/unit/integrations/bitbucket_data_center/test_bitbucket_dc_prs.py @@ -0,0 +1,138 @@ +"""Tests for BitbucketDCPRsMixin: create_pr, get_pr_details, is_pr_open.""" + +from unittest.mock import AsyncMock, patch + +import pytest +from pydantic import SecretStr + +from openhands.integrations.bitbucket_data_center.bitbucket_dc_service import ( + BitbucketDCService, +) + + +def make_service(): + return BitbucketDCService(token=SecretStr('tok'), base_domain='host.example.com') + + +# ── create_pr ───────────────────────────────────────────────────────────────── + + +@pytest.mark.asyncio +async def test_create_pr_payload_structure(): + svc = make_service() + mock_response = { + 'id': 1, + 'links': {'self': [{'href': 'https://host.example.com/pr/1'}]}, + } + + with patch.object( + svc, '_make_request', return_value=(mock_response, {}) + ) as mock_req: + await svc.create_pr('PROJ/myrepo', 'feature', 'main', 'My PR') + + # The payload is passed as the 'params' positional arg + payload = mock_req.call_args[1].get('params') or mock_req.call_args[0][1] + assert payload['fromRef']['id'] == 'refs/heads/feature' + assert payload['toRef']['id'] == 'refs/heads/main' + assert payload['fromRef']['repository']['slug'] == 'myrepo' + assert payload['fromRef']['repository']['project']['key'] == 'PROJ' + + +@pytest.mark.asyncio +async def test_create_pr_returns_href(): + svc = make_service() + mock_response = { + 'id': 5, + 'links': {'self': [{'href': 'https://host.example.com/pr/5'}]}, + } + + with patch.object(svc, '_make_request', return_value=(mock_response, {})): + url = await svc.create_pr('PROJ/myrepo', 'feature', 'main', 'My PR') + + assert url == 'https://host.example.com/pr/5' + + +@pytest.mark.asyncio +async def test_create_pr_html_link_dict(): + svc = make_service() + mock_response = { + 'id': 5, + 'links': {'html': {'href': 'https://host.example.com/pr/5/html'}}, + } + + with patch.object(svc, '_make_request', return_value=(mock_response, {})): + url = await svc.create_pr('PROJ/myrepo', 'feature', 'main', 'My PR') + + assert url == 'https://host.example.com/pr/5/html' + + +@pytest.mark.asyncio +async def test_create_pr_no_link_returns_empty_string(): + svc = make_service() + mock_response = {'id': 5, 'links': {}} + + with patch.object(svc, '_make_request', return_value=(mock_response, {})): + url = await svc.create_pr('PROJ/myrepo', 'feature', 'main', 'My PR') + + assert url == '' + + +# ── get_pr_details ──────────────────────────────────────────────────────────── + + +@pytest.mark.asyncio +async def test_get_pr_details_returns_raw_data(): + svc = make_service() + mock_data = {'id': 3, 'state': 'OPEN', 'title': 'A PR'} + + with patch.object(svc, '_make_request', return_value=(mock_data, {})): + result = await svc.get_pr_details('PROJ/myrepo', 3) + + assert result == mock_data + + +# ── is_pr_open ──────────────────────────────────────────────────────────────── + + +@pytest.mark.asyncio +async def test_is_pr_open_returns_true(): + svc = make_service() + + with patch.object( + svc, 'get_pr_details', new=AsyncMock(return_value={'state': 'OPEN'}) + ): + assert await svc.is_pr_open('PROJ/myrepo', 1) is True + + +@pytest.mark.asyncio +async def test_is_pr_open_returns_false_for_merged(): + svc = make_service() + + with patch.object( + svc, 'get_pr_details', new=AsyncMock(return_value={'state': 'MERGED'}) + ): + assert await svc.is_pr_open('PROJ/myrepo', 1) is False + + +@pytest.mark.asyncio +async def test_is_pr_open_returns_false_for_declined(): + svc = make_service() + + with patch.object( + svc, 'get_pr_details', new=AsyncMock(return_value={'state': 'DECLINED'}) + ): + assert await svc.is_pr_open('PROJ/myrepo', 1) is False + + +@pytest.mark.asyncio +async def test_is_pr_open_returns_true_on_exception(): + """Current implementation catches all exceptions and returns True.""" + svc = make_service() + + with patch.object( + svc, + 'get_pr_details', + new=AsyncMock(side_effect=Exception('Some error')), + ): + result = await svc.is_pr_open('PROJ/myrepo', 999) + assert result is True diff --git a/tests/unit/integrations/bitbucket_data_center/test_bitbucket_dc_repos.py b/tests/unit/integrations/bitbucket_data_center/test_bitbucket_dc_repos.py new file mode 100644 index 0000000000..521dd61455 --- /dev/null +++ b/tests/unit/integrations/bitbucket_data_center/test_bitbucket_dc_repos.py @@ -0,0 +1,355 @@ +"""Tests for BitbucketDCReposMixin: URL parsing, get_paginated_repos, get_all_repositories.""" + +from unittest.mock import AsyncMock, patch + +import pytest +from pydantic import SecretStr + +from openhands.integrations.bitbucket_data_center.bitbucket_dc_service import ( + BitbucketDCService, +) +from openhands.server.types import AppMode + + +def make_service(): + return BitbucketDCService(token=SecretStr('tok'), base_domain='host.example.com') + + +def _repo_dict(key='PROJ', slug='myrepo', name='My Repository'): + return { + 'id': 1, + 'slug': slug, + 'name': name, + 'project': {'key': key}, + 'public': False, + } + + +# ── search_repositories URL parsing ────────────────────────────────────────── + + +@pytest.mark.asyncio +async def test_search_repositories_projects_url(): + svc = make_service() + query = 'https://host.example.com/projects/PROJ/repos/myrepo' + + mock_repo_data = _repo_dict('PROJ', 'myrepo') + mock_response = {'id': 1, **mock_repo_data} + mock_default_branch = {'displayId': 'main'} + + with patch.object( + svc, + '_make_request', + side_effect=[ + (mock_response, {}), + (mock_default_branch, {}), + ], + ): + repos = await svc.search_repositories( + query, 25, 'name', 'asc', True, AppMode.SAAS + ) + + assert len(repos) == 1 + assert repos[0].full_name == 'PROJ/myrepo' + + +@pytest.mark.asyncio +async def test_search_repositories_projects_url_with_extra_segments(): + svc = make_service() + # URL with extra segments after repo name + query = 'https://host.example.com/projects/PROJ/repos/myrepo/browse/src/main.py' + + mock_repo_data = _repo_dict('PROJ', 'myrepo') + mock_default_branch = {'displayId': 'main'} + + with patch.object( + svc, + '_make_request', + side_effect=[ + (mock_repo_data, {}), + (mock_default_branch, {}), + ], + ): + repos = await svc.search_repositories( + query, 25, 'name', 'asc', True, AppMode.SAAS + ) + + assert len(repos) == 1 + assert repos[0].full_name == 'PROJ/myrepo' + + +@pytest.mark.asyncio +async def test_search_repositories_invalid_url(): + svc = make_service() + with patch.object(svc, '_make_request') as mock_req: + repos = await svc.search_repositories( + 'not-a-valid-url', 25, 'name', 'asc', True, AppMode.SAAS + ) + assert repos == [] + mock_req.assert_not_called() + + +@pytest.mark.asyncio +async def test_search_repositories_insufficient_path_segments(): + svc = make_service() + # URL with only one path segment (just a project, no repo) + with patch.object(svc, '_make_request') as mock_req: + repos = await svc.search_repositories( + 'https://host.example.com/projects/PROJ', + 25, + 'name', + 'asc', + True, + AppMode.SAAS, + ) + assert repos == [] + mock_req.assert_not_called() + + +@pytest.mark.asyncio +async def test_search_repositories_slash_query(): + svc = make_service() + query = 'PROJ/myrepo' + + mock_repo = _repo_dict('PROJ', slug='myrepo', name='My Repository') + mock_default_branch = {'displayId': 'main'} + + with patch.object( + svc, + '_fetch_paginated_data', + new=AsyncMock(return_value=[mock_repo]), + ) as mock_fetch: + with patch.object( + svc, + '_make_request', + new=AsyncMock(return_value=(mock_default_branch, {})), + ): + repos = await svc.search_repositories( + query, 25, 'name', 'asc', False, AppMode.SAAS + ) + + mock_fetch.assert_called_once_with( + 'https://host.example.com/rest/api/1.0/projects/PROJ/repos', + {'limit': 25}, + 1000, + ) + assert len(repos) == 1 + assert repos[0].full_name == 'PROJ/myrepo' + + +@pytest.mark.asyncio +async def test_search_repositories_slash_query_filters_by_name(): + """Filter matches the human-readable name when slug doesn't match.""" + svc = make_service() + matching = _repo_dict('PROJ', slug='proj-alpha', name='My Repository') + non_matching = _repo_dict('PROJ', slug='proj-beta', name='Other Repo') + mock_default_branch = {'displayId': 'main'} + + with patch.object( + svc, + '_fetch_paginated_data', + new=AsyncMock(return_value=[matching, non_matching]), + ): + with patch.object( + svc, + '_make_request', + new=AsyncMock(return_value=(mock_default_branch, {})), + ): + repos = await svc.search_repositories( + 'PROJ/my repository', 25, 'name', 'asc', False, AppMode.SAAS + ) + + assert len(repos) == 1 + assert repos[0].full_name == 'PROJ/proj-alpha' + + +@pytest.mark.asyncio +async def test_search_repositories_slash_query_filters_by_slug(): + """Filter matches the slug when the human-readable name doesn't match.""" + svc = make_service() + matching = _repo_dict('PROJ', slug='my-repo', name='My Repository') + non_matching = _repo_dict('PROJ', slug='other-repo', name='Other Repository') + mock_default_branch = {'displayId': 'main'} + + with patch.object( + svc, + '_fetch_paginated_data', + new=AsyncMock(return_value=[matching, non_matching]), + ): + with patch.object( + svc, + '_make_request', + new=AsyncMock(return_value=(mock_default_branch, {})), + ): + repos = await svc.search_repositories( + 'PROJ/my-repo', 25, 'name', 'asc', False, AppMode.SAAS + ) + + assert len(repos) == 1 + assert repos[0].full_name == 'PROJ/my-repo' + + +# ── get_paginated_repos ─────────────────────────────────────────────────────── + + +@pytest.mark.asyncio +async def test_get_paginated_repos_parses_values(): + svc = make_service() + mock_response = { + 'values': [_repo_dict()], + 'isLastPage': True, + } + mock_default_branch = {'displayId': 'main'} + + with patch.object( + svc, + '_make_request', + side_effect=[(mock_response, {}), (mock_default_branch, {})], + ): + repos = await svc.get_paginated_repos(1, 25, 'name', 'PROJ') + + assert len(repos) == 1 + assert repos[0].full_name == 'PROJ/myrepo' + assert repos[0].link_header == '' + + +@pytest.mark.asyncio +async def test_get_paginated_repos_has_next_page(): + svc = make_service() + mock_response = { + 'values': [_repo_dict()], + 'isLastPage': False, + 'nextPageStart': 25, + } + mock_default_branch = {'displayId': 'main'} + + with patch.object( + svc, + '_make_request', + side_effect=[(mock_response, {}), (mock_default_branch, {})], + ): + repos = await svc.get_paginated_repos(1, 25, 'name', 'PROJ') + + assert len(repos) == 1 + assert 'rel="next"' in repos[0].link_header + + +@pytest.mark.asyncio +async def test_get_paginated_repos_last_page(): + svc = make_service() + mock_response = { + 'values': [_repo_dict()], + 'isLastPage': True, + } + mock_default_branch = {'displayId': 'main'} + + with patch.object( + svc, + '_make_request', + side_effect=[(mock_response, {}), (mock_default_branch, {})], + ): + repos = await svc.get_paginated_repos(1, 25, 'name', 'PROJ') + + assert len(repos) == 1 + assert repos[0].link_header == '' + + +@pytest.mark.asyncio +async def test_get_paginated_repos_filters_by_slug(): + """Query matches slug when name doesn't contain the search term.""" + svc = make_service() + mock_response = { + 'values': [ + _repo_dict('PROJ', slug='my-repo', name='My Repository'), + _repo_dict('PROJ', slug='other-repo', name='Other Repository'), + ], + 'isLastPage': True, + } + mock_default_branch = {'displayId': 'main'} + + with patch.object( + svc, + '_make_request', + side_effect=[(mock_response, {}), (mock_default_branch, {})], + ): + repos = await svc.get_paginated_repos(1, 25, 'name', 'PROJ', query='my-repo') + + assert len(repos) == 1 + assert repos[0].full_name == 'PROJ/my-repo' + + +@pytest.mark.asyncio +async def test_get_paginated_repos_filters_by_name(): + """Query matches human-readable name when slug doesn't contain the search term.""" + svc = make_service() + mock_response = { + 'values': [ + _repo_dict('PROJ', slug='proj-alpha', name='My Repository'), + _repo_dict('PROJ', slug='proj-beta', name='Other Repository'), + ], + 'isLastPage': True, + } + mock_default_branch = {'displayId': 'main'} + + with patch.object( + svc, + '_make_request', + side_effect=[(mock_response, {}), (mock_default_branch, {})], + ): + repos = await svc.get_paginated_repos( + 1, 25, 'name', 'PROJ', query='my repository' + ) + + assert len(repos) == 1 + assert repos[0].full_name == 'PROJ/proj-alpha' + + +# ── get_all_repositories ────────────────────────────────────────────────────── + + +@pytest.mark.asyncio +async def test_get_all_repositories_iterates_projects(): + svc = make_service() + + async def fake_fetch(url, params, max_items): + if '/projects' in url and '/repos' not in url: + return [{'key': 'PROJ1'}, {'key': 'PROJ2'}] + if 'PROJ1' in url: + return [_repo_dict('PROJ1', 'repo1')] + if 'PROJ2' in url: + return [_repo_dict('PROJ2', 'repo2')] + return [] + + mock_default_branch = {'displayId': 'main'} + with patch.object(svc, '_fetch_paginated_data', side_effect=fake_fetch): + with patch.object(svc, '_make_request', return_value=(mock_default_branch, {})): + repos = await svc.get_all_repositories('name', AppMode.SAAS) + + full_names = {r.full_name for r in repos} + assert 'PROJ1/repo1' in full_names + assert 'PROJ2/repo2' in full_names + + +# ── get_installations ───────────────────────────────────────────────────────── + + +@pytest.mark.asyncio +async def test_get_installations_returns_project_keys(): + svc = make_service() + + async def fake_fetch(url, params, max_items): + return [{'key': 'PROJ1'}, {'key': 'PROJ2'}, {'name': 'no-key'}] + + with patch.object(svc, '_fetch_paginated_data', side_effect=fake_fetch): + keys = await svc.get_installations() + + assert keys == ['PROJ1', 'PROJ2'] + + +# ── helper ──────────────────────────────────────────────────────────────────── + + +async def _make_parsed_repo(svc, repo_dict): + """Helper to create a parsed Repository from a repo dict (with mocked default branch).""" + with patch.object(svc, '_make_request', return_value=({'displayId': 'main'}, {})): + return await svc._parse_repository(repo_dict) diff --git a/tests/unit/integrations/bitbucket_data_center/test_bitbucket_dc_resolver.py b/tests/unit/integrations/bitbucket_data_center/test_bitbucket_dc_resolver.py new file mode 100644 index 0000000000..fbc7078976 --- /dev/null +++ b/tests/unit/integrations/bitbucket_data_center/test_bitbucket_dc_resolver.py @@ -0,0 +1,179 @@ +"""Tests for BitbucketDCResolverMixin: get_pr_title_and_body, get_pr_comments, _process_raw_comments.""" + +from unittest.mock import patch + +import pytest +from pydantic import SecretStr + +from openhands.integrations.bitbucket_data_center.bitbucket_dc_service import ( + BitbucketDCService, +) +from openhands.integrations.service_types import Comment + + +@pytest.fixture +def svc(): + return BitbucketDCService( + token=SecretStr('user:pass'), base_domain='host.example.com' + ) + + +# ── get_pr_title_and_body ───────────────────────────────────────────────────── + + +@pytest.mark.asyncio +async def test_get_pr_title_and_body(svc): + mock_response = {'title': 'Fix the bug', 'description': 'Detailed description'} + with patch.object( + svc, '_make_request', return_value=(mock_response, {}) + ) as mock_req: + title, body = await svc.get_pr_title_and_body('PROJ', 'myrepo', 42) + + assert title == 'Fix the bug' + assert body == 'Detailed description' + called_url = mock_req.call_args[0][0] + assert '/projects/PROJ/repos/myrepo/pull-requests/42' in called_url + + +@pytest.mark.asyncio +async def test_get_pr_title_and_body_missing_fields(svc): + with patch.object(svc, '_make_request', return_value=({}, {})): + title, body = await svc.get_pr_title_and_body('PROJ', 'myrepo', 1) + + assert title == '' + assert body == '' + + +# ── get_pr_comments ─────────────────────────────────────────────────────────── + + +@pytest.mark.asyncio +async def test_get_pr_comments_returns_comments(svc): + activities = { + 'values': [ + { + 'action': 'COMMENTED', + 'comment': { + 'id': 10, + 'text': 'Looks good!', + 'author': {'slug': 'alice', 'name': 'Alice'}, + 'createdDate': 1_700_000_000_000, + 'updatedDate': 1_700_000_000_000, + }, + }, + { + 'action': 'APPROVED', # should be ignored + 'comment': {}, + }, + { + 'action': 'COMMENTED', + 'comment': { + 'id': 11, + 'text': 'Please fix tests', + 'author': {'slug': 'bob', 'name': 'Bob'}, + 'createdDate': 1_700_000_001_000, + 'updatedDate': 1_700_000_001_000, + }, + }, + ], + 'isLastPage': True, + } + + with patch.object(svc, '_make_request', return_value=(activities, {})): + comments = await svc.get_pr_comments('PROJ', 'myrepo', 42, max_comments=10) + + assert len(comments) == 2 + assert all(isinstance(c, Comment) for c in comments) + assert comments[0].author == 'alice' + assert comments[0].body == 'Looks good!' + assert comments[1].author == 'bob' + + +@pytest.mark.asyncio +async def test_get_pr_comments_respects_max(svc): + activities = { + 'values': [ + { + 'action': 'COMMENTED', + 'comment': { + 'id': i, + 'text': f'comment {i}', + 'author': {'slug': f'user{i}'}, + 'createdDate': 1_700_000_000_000 + i * 1000, + 'updatedDate': 1_700_000_000_000 + i * 1000, + }, + } + for i in range(10) + ], + 'isLastPage': True, + } + + with patch.object(svc, '_make_request', return_value=(activities, {})): + comments = await svc.get_pr_comments('PROJ', 'myrepo', 1, max_comments=3) + + assert len(comments) == 3 + + +@pytest.mark.asyncio +async def test_get_pr_comments_empty(svc): + with patch.object( + svc, '_make_request', return_value=({'values': [], 'isLastPage': True}, {}) + ): + comments = await svc.get_pr_comments('PROJ', 'myrepo', 1) + + assert comments == [] + + +# ── _process_raw_comments ───────────────────────────────────────────────────── + + +def test_process_raw_comments_sorts_by_date(svc): + raw = [ + { + 'id': 2, + 'text': 'second', + 'author': {'slug': 'bob'}, + 'createdDate': 1_700_000_002_000, + 'updatedDate': 1_700_000_002_000, + }, + { + 'id': 1, + 'text': 'first', + 'author': {'slug': 'alice'}, + 'createdDate': 1_700_000_001_000, + 'updatedDate': 1_700_000_001_000, + }, + ] + comments = svc._process_raw_comments(raw, max_comments=10) + assert comments[0].id == '1' + assert comments[1].id == '2' + + +def test_process_raw_comments_missing_timestamps(svc): + raw = [{'id': 5, 'text': 'no dates', 'author': {'slug': 'eve'}}] + comments = svc._process_raw_comments(raw) + assert len(comments) == 1 + assert comments[0].id == '5' + + +# ── MRO check ───────────────────────────────────────────────────────────────── + + +def test_mro_includes_resolver_mixin_and_base_git_service(): + from openhands.integrations.bitbucket_data_center.service.resolver import ( + BitbucketDCResolverMixin, + ) + from openhands.integrations.service_types import BaseGitService + + mro_names = [cls.__name__ for cls in BitbucketDCService.__mro__] + assert 'BitbucketDCResolverMixin' in mro_names + assert 'BaseGitService' in mro_names + + # Resolver mixin should appear before BaseGitService + assert mro_names.index('BitbucketDCResolverMixin') < mro_names.index( + 'BaseGitService' + ) + + # Verify instances + assert issubclass(BitbucketDCService, BitbucketDCResolverMixin) + assert issubclass(BitbucketDCService, BaseGitService) diff --git a/tests/unit/resolver/bitbucket_dc/test_bitbucket_dc_issue_handler.py b/tests/unit/resolver/bitbucket_dc/test_bitbucket_dc_issue_handler.py new file mode 100644 index 0000000000..617a0db8f7 --- /dev/null +++ b/tests/unit/resolver/bitbucket_dc/test_bitbucket_dc_issue_handler.py @@ -0,0 +1,357 @@ +import base64 +from unittest.mock import AsyncMock, MagicMock, patch + +import pytest +from pydantic import SecretStr + +from openhands.core.config import LLMConfig +from openhands.integrations.service_types import ProviderType +from openhands.resolver.interfaces.bitbucket_data_center import ( + BitbucketDCIssueHandler, + BitbucketDCPRHandler, +) +from openhands.resolver.interfaces.issue_definitions import ( + ServiceContextIssue, + ServiceContextPR, +) +from openhands.resolver.issue_handler_factory import IssueHandlerFactory + + +@pytest.fixture +def handler(): + return BitbucketDCIssueHandler( + owner='PROJ', + repo='my-repo', + token='user:secret', + base_domain='bitbucket.example.com', + ) + + +@pytest.fixture +def llm_config(): + return LLMConfig(model='test-model', api_key=SecretStr('test-key')) + + +# --------------------------------------------------------------------------- +# URL / attribute tests +# --------------------------------------------------------------------------- + + +def test_init_sets_correct_urls(handler): + assert handler.base_url == 'https://bitbucket.example.com/rest/api/1.0' + assert ( + handler.download_url + == 'https://bitbucket.example.com/rest/api/latest/projects/PROJ/repos/my-repo/archive?format=zip' + ) + assert handler.clone_url == 'https://bitbucket.example.com/scm/proj/my-repo.git' + + +def test_get_headers_returns_basic_auth(handler): + expected = base64.b64encode(b'user:secret').decode() + headers = handler.get_headers() + assert headers['Authorization'] == f'Basic {expected}' + assert headers['Accept'] == 'application/json' + + +def test_get_headers_bare_token_with_username(): + h = BitbucketDCIssueHandler( + owner='PROJ', + repo='my-repo', + token='mytoken', + username='myuser', + base_domain='dc.example.com', + ) + expected = base64.b64encode(b'myuser:mytoken').decode() + assert h.headers['Authorization'] == f'Basic {expected}' + + +def test_get_repo_url(handler): + assert ( + handler.get_repo_url() + == 'https://bitbucket.example.com/projects/PROJ/repos/my-repo' + ) + + +def test_get_issue_url_returns_pr_url(handler): + assert ( + handler.get_issue_url(42) + == 'https://bitbucket.example.com/projects/PROJ/repos/my-repo/pull-requests/42' + ) + + +def test_get_branch_url(handler): + assert ( + handler.get_branch_url('feature/x') + == 'https://bitbucket.example.com/projects/PROJ/repos/my-repo/browse?at=refs/heads/feature/x' + ) + + +def test_get_authorize_url_with_colon_token(handler): + url = handler.get_authorize_url() + assert url == 'https://user:secret@bitbucket.example.com/' + + +def test_get_authorize_url_with_username_and_bare_token(): + h = BitbucketDCIssueHandler( + owner='PROJ', + repo='my-repo', + token='baretoken', + username='john', + base_domain='dc.example.com', + ) + assert h.get_authorize_url() == 'https://john:baretoken@dc.example.com/' + + +# --------------------------------------------------------------------------- +# get_compare_url (requires get_default_branch_name) +# --------------------------------------------------------------------------- + + +def test_get_compare_url(handler): + with patch.object(handler, 'get_default_branch_name', return_value='main'): + url = handler.get_compare_url('feature/fix') + assert url == ( + 'https://bitbucket.example.com/projects/PROJ/repos/my-repo/compare/commits' + '?sourceBranch=refs/heads/feature/fix&targetBranch=refs/heads/main' + ) + + +# --------------------------------------------------------------------------- +# API methods (mock httpx) +# --------------------------------------------------------------------------- + + +@pytest.mark.asyncio +async def test_get_issue_fetches_pr_endpoint(handler): + mock_response = MagicMock() + mock_response.json.return_value = { + 'id': 7, + 'title': 'Fix the thing', + 'description': 'Some body', + 'fromRef': {'displayId': 'feature/fix'}, + 'toRef': {'displayId': 'main'}, + } + mock_response.raise_for_status = MagicMock() + + mock_client = AsyncMock() + mock_client.get = AsyncMock(return_value=mock_response) + mock_client.__aenter__ = AsyncMock(return_value=mock_client) + mock_client.__aexit__ = AsyncMock(return_value=None) + + with patch('httpx.AsyncClient', return_value=mock_client): + issue = await handler.get_issue(7) + + expected_url = ( + 'https://bitbucket.example.com/rest/api/1.0' + '/projects/PROJ/repos/my-repo/pull-requests/7' + ) + mock_client.get.assert_called_once_with(expected_url, headers=handler.headers) + assert issue.number == 7 + assert issue.title == 'Fix the thing' + assert issue.body == 'Some body' + assert issue.head_branch == 'feature/fix' + assert issue.base_branch == 'main' + + +def test_create_pr_uses_from_to_ref(handler): + mock_response = MagicMock() + mock_response.json.return_value = { + 'id': 3, + 'links': { + 'self': [ + { + 'href': 'https://bitbucket.example.com/projects/PROJ/repos/my-repo/pull-requests/3' + } + ] + }, + } + mock_response.raise_for_status = MagicMock() + + with patch('httpx.post', return_value=mock_response) as mock_post: + url = handler.create_pr('Title', 'Body', 'feature/src', 'main') + + _, kwargs = mock_post.call_args + payload = kwargs['json'] + assert payload['fromRef']['id'] == 'refs/heads/feature/src' + assert payload['toRef']['id'] == 'refs/heads/main' + assert payload['fromRef']['repository']['slug'] == 'my-repo' + assert payload['fromRef']['repository']['project']['key'] == 'PROJ' + assert ( + url + == 'https://bitbucket.example.com/projects/PROJ/repos/my-repo/pull-requests/3' + ) + + +def test_create_pull_request_returns_html_url_and_number(handler): + mock_response = MagicMock() + mock_response.json.return_value = { + 'id': 5, + 'links': { + 'self': [ + { + 'href': 'https://bitbucket.example.com/projects/PROJ/repos/my-repo/pull-requests/5' + } + ] + }, + } + mock_response.raise_for_status = MagicMock() + + with patch('httpx.post', return_value=mock_response): + result = handler.create_pull_request( + { + 'title': 'My PR', + 'description': 'desc', + 'source_branch': 'feature/x', + 'target_branch': 'main', + } + ) + + assert result['number'] == 5 + assert result['html_url'] == ( + 'https://bitbucket.example.com/projects/PROJ/repos/my-repo/pull-requests/5' + ) + + +def test_send_comment_msg_uses_text_field(handler): + mock_response = MagicMock() + mock_response.raise_for_status = MagicMock() + + with patch('httpx.post', return_value=mock_response) as mock_post: + handler.send_comment_msg(7, 'Hello from OpenHands') + + _, kwargs = mock_post.call_args + assert kwargs['json'] == {'text': 'Hello from OpenHands'} + + +def test_reply_to_comment_posts_with_parent_id(handler): + mock_response = MagicMock() + mock_response.raise_for_status = MagicMock() + + with patch('httpx.post', return_value=mock_response) as mock_post: + handler.reply_to_comment(7, '42', 'My reply') + + _, kwargs = mock_post.call_args + assert kwargs['json']['text'] == 'My reply' + assert kwargs['json']['parent'] == {'id': 42} + + +def test_branch_exists_true(handler): + mock_response = MagicMock() + mock_response.json.return_value = { + 'values': [{'displayId': 'feature/fix', 'id': 'refs/heads/feature/fix'}] + } + mock_response.raise_for_status = MagicMock() + + with patch('httpx.get', return_value=mock_response): + assert handler.branch_exists('feature/fix') is True + + +def test_branch_exists_false(handler): + mock_response = MagicMock() + mock_response.json.return_value = {'values': []} + mock_response.raise_for_status = MagicMock() + + with patch('httpx.get', return_value=mock_response): + assert handler.branch_exists('nonexistent') is False + + +def test_branch_exists_no_match(handler): + mock_response = MagicMock() + # filterText returns similar but not exact match + mock_response.json.return_value = { + 'values': [{'displayId': 'feature/fix-extended'}] + } + mock_response.raise_for_status = MagicMock() + + with patch('httpx.get', return_value=mock_response): + assert handler.branch_exists('feature/fix') is False + + +def test_get_default_branch_name_reads_display_id(handler): + mock_response = MagicMock() + mock_response.json.return_value = { + 'defaultBranch': {'displayId': 'main', 'id': 'refs/heads/main'} + } + mock_response.raise_for_status = MagicMock() + + with patch('httpx.get', return_value=mock_response): + assert handler.get_default_branch_name() == 'main' + + +def test_get_default_branch_name_strips_refs_heads_prefix(handler): + mock_response = MagicMock() + mock_response.json.return_value = { + 'defaultBranch': {'displayId': 'refs/heads/develop'} + } + mock_response.raise_for_status = MagicMock() + + with patch('httpx.get', return_value=mock_response): + assert handler.get_default_branch_name() == 'develop' + + +def test_get_default_branch_name_fallback_to_master(handler): + import httpx as httpx_module + + with patch('httpx.get', side_effect=httpx_module.HTTPError('connection refused')): + assert handler.get_default_branch_name() == 'master' + + +def test_get_context_returns_early(handler): + """get_context_from_external_issues_references should return closing_issues without API calls.""" + closing_issues = ['issue body 1'] + with patch('httpx.get') as mock_get: + result = handler.get_context_from_external_issues_references( + closing_issues=closing_issues, + closing_issue_numbers=[1], + issue_body='some body', + review_comments=None, + review_threads=[], + thread_comments=None, + ) + mock_get.assert_not_called() + assert result == ['issue body 1'] + + +def test_download_issues_returns_empty(handler): + result = handler.download_issues() + assert result == [] + + +# --------------------------------------------------------------------------- +# Factory integration tests +# --------------------------------------------------------------------------- + + +def test_factory_creates_dc_issue_handler(llm_config): + factory = IssueHandlerFactory( + owner='PROJ', + repo='my-repo', + token='user:secret', + username='user', + platform=ProviderType.BITBUCKET_DATA_CENTER, + base_domain='bitbucket.example.com', + issue_type='issue', + llm_config=llm_config, + ) + ctx = factory.create() + assert isinstance(ctx, ServiceContextIssue) + assert isinstance(ctx._strategy, BitbucketDCIssueHandler) + assert ctx._strategy.owner == 'PROJ' + assert ctx._strategy.repo == 'my-repo' + assert ctx._strategy.base_domain == 'bitbucket.example.com' + + +def test_factory_creates_dc_pr_handler(llm_config): + factory = IssueHandlerFactory( + owner='PROJ', + repo='my-repo', + token='user:secret', + username='user', + platform=ProviderType.BITBUCKET_DATA_CENTER, + base_domain='bitbucket.example.com', + issue_type='pr', + llm_config=llm_config, + ) + ctx = factory.create() + assert isinstance(ctx, ServiceContextPR) + assert isinstance(ctx._strategy, BitbucketDCPRHandler) From 8aa730105a5d2a5279a6c2498ad74a6f273df5e9 Mon Sep 17 00:00:00 2001 From: aivong-openhands Date: Tue, 3 Mar 2026 10:01:43 -0600 Subject: [PATCH 07/67] Fix CVE-2023-36464 update openhands-aci in enterprise poetry lock to remove pypdf2 (#13170) --- enterprise/poetry.lock | 28 ++++------------------------ 1 file changed, 4 insertions(+), 24 deletions(-) diff --git a/enterprise/poetry.lock b/enterprise/poetry.lock index f617080882..d4a06c9980 100644 --- a/enterprise/poetry.lock +++ b/enterprise/poetry.lock @@ -6032,14 +6032,14 @@ numpy = {version = ">=2,<2.3.0", markers = "python_version >= \"3.9\""} [[package]] name = "openhands-aci" -version = "0.3.2" +version = "0.3.3" description = "An Agent-Computer Interface (ACI) designed for software development agents OpenHands." optional = false python-versions = "<4.0,>=3.12" groups = ["main"] files = [ - {file = "openhands_aci-0.3.2-py3-none-any.whl", hash = "sha256:a3ff6fe3dd50124598b8bc3aff8d9742d6e75f933f7e7635a9d0b37d45eb826e"}, - {file = "openhands_aci-0.3.2.tar.gz", hash = "sha256:df7b64df6acb70b45b23e88c13508e7af8f27725bed30c3e88691a0f3d1f7a44"}, + {file = "openhands_aci-0.3.3-py3-none-any.whl", hash = "sha256:35795a4d6f5939290f74b26190d5b4cd7477b06ffb7c7f0b505166739461d651"}, + {file = "openhands_aci-0.3.3.tar.gz", hash = "sha256:567fc65bb881e3ea56c987f4251c8f703d3c88fae99402b46ea7dcc48d85adb2"}, ] [package.dependencies] @@ -6062,7 +6062,6 @@ puremagic = ">=1.28" pydantic = ">=2.11.3,<3.0.0" pydub = ">=0.25.1,<0.26.0" pypdf = ">=5.1.0" -pypdf2 = ">=3.0.1,<4.0.0" python-pptx = ">=1.0.2,<2.0.0" rapidfuzz = ">=3.13.0,<4.0.0" requests = ">=2.32.3" @@ -6144,7 +6143,7 @@ lmnr = ">=0.7.20" memory-profiler = ">=0.61" numpy = "*" openai = "2.8" -openhands-aci = "0.3.2" +openhands-aci = "0.3.3" openhands-agent-server = "1.11.5" openhands-sdk = "1.11.5" openhands-tools = "1.11.5" @@ -11572,25 +11571,6 @@ docs = ["myst_parser", "sphinx", "sphinx_rtd_theme"] full = ["Pillow (>=8.0.0)", "cryptography"] image = ["Pillow (>=8.0.0)"] -[[package]] -name = "pypdf2" -version = "3.0.1" -description = "A pure-python PDF library capable of splitting, merging, cropping, and transforming PDF files" -optional = false -python-versions = ">=3.6" -groups = ["main"] -files = [ - {file = "PyPDF2-3.0.1.tar.gz", hash = "sha256:a74408f69ba6271f71b9352ef4ed03dc53a31aa404d29b5d31f53bfecfee1440"}, - {file = "pypdf2-3.0.1-py3-none-any.whl", hash = "sha256:d16e4205cfee272fbdc0568b68d82be796540b1537508cef59388f839c191928"}, -] - -[package.extras] -crypto = ["PyCryptodome"] -dev = ["black", "flit", "pip-tools", "pre-commit (<2.18.0)", "pytest-cov", "wheel"] -docs = ["myst_parser", "sphinx", "sphinx_rtd_theme"] -full = ["Pillow", "PyCryptodome"] -image = ["Pillow"] - [[package]] name = "pyperclip" version = "1.11.0" From b890e53a6e8a0e58568d3c9d468e89b12afd564e Mon Sep 17 00:00:00 2001 From: Rohit Malhotra Date: Tue, 3 Mar 2026 11:14:10 -0500 Subject: [PATCH 08/67] Fix UserAuth vs SaasUserAuth type annotations (#13149) Co-authored-by: openhands --- enterprise/server/middleware.py | 11 +++++++---- enterprise/server/routes/auth.py | 6 +++--- enterprise/server/routes/email.py | 5 +++-- enterprise/server/routes/integration/jira.py | 11 ++++++----- enterprise/server/routes/integration/jira_dc.py | 9 +++++---- enterprise/server/routes/integration/linear.py | 11 ++++++----- 6 files changed, 30 insertions(+), 23 deletions(-) diff --git a/enterprise/server/middleware.py b/enterprise/server/middleware.py index a312d501e6..c1c11d6f49 100644 --- a/enterprise/server/middleware.py +++ b/enterprise/server/middleware.py @@ -1,4 +1,4 @@ -from typing import Callable +from typing import Callable, cast import jwt from fastapi import Request, Response, status @@ -19,7 +19,7 @@ from server.routes.auth import ( ) from openhands.core.logger import openhands_logger as logger -from openhands.server.user_auth.user_auth import AuthType, get_user_auth +from openhands.server.user_auth.user_auth import AuthType, UserAuth, get_user_auth from openhands.server.utils import config @@ -97,7 +97,10 @@ class SetAuthCookieMiddleware: return response def _get_user_auth(self, request: Request) -> SaasUserAuth | None: - return getattr(request.state, 'user_auth', None) + user_auth: UserAuth | None = getattr(request.state, 'user_auth', None) + if user_auth is None: + return None + return cast(SaasUserAuth, user_auth) def _check_tos(self, request: Request): keycloak_auth_cookie = request.cookies.get('keycloak_auth') @@ -187,7 +190,7 @@ class SetAuthCookieMiddleware: async def _logout(self, request: Request): # Log out of keycloak - this prevents issues where you did not log in with the idp you believe you used try: - user_auth: SaasUserAuth = await get_user_auth(request) + user_auth = cast(SaasUserAuth, await get_user_auth(request)) if user_auth and user_auth.refresh_token: await token_manager.logout(user_auth.refresh_token.get_secret_value()) except Exception: diff --git a/enterprise/server/routes/auth.py b/enterprise/server/routes/auth.py index a04a563f34..df9b85cfa2 100644 --- a/enterprise/server/routes/auth.py +++ b/enterprise/server/routes/auth.py @@ -3,7 +3,7 @@ import json import uuid import warnings from datetime import datetime, timezone -from typing import Annotated, Literal, Optional +from typing import Annotated, Literal, Optional, cast from urllib.parse import quote from uuid import UUID as parse_uuid @@ -591,7 +591,7 @@ async def authenticate(request: Request): @api_router.post('/accept_tos') async def accept_tos(request: Request): - user_auth: SaasUserAuth = await get_user_auth(request) + user_auth = cast(SaasUserAuth, await get_user_auth(request)) access_token = await user_auth.get_access_token() refresh_token = user_auth.refresh_token user_id = await user_auth.get_user_id() @@ -660,7 +660,7 @@ async def logout(request: Request): # Try to properly logout from Keycloak, but don't fail if it doesn't work try: - user_auth: SaasUserAuth = await get_user_auth(request) + user_auth = cast(SaasUserAuth, await get_user_auth(request)) if user_auth and user_auth.refresh_token: refresh_token = user_auth.refresh_token.get_secret_value() await token_manager.logout(refresh_token) diff --git a/enterprise/server/routes/email.py b/enterprise/server/routes/email.py index a2fe613a5f..273712751f 100644 --- a/enterprise/server/routes/email.py +++ b/enterprise/server/routes/email.py @@ -1,4 +1,5 @@ import re +from typing import cast from fastapi import APIRouter, Depends, HTTPException, Request, status from fastapi.responses import JSONResponse, RedirectResponse @@ -67,7 +68,7 @@ async def update_email( user_id=user_id, email=email, email_verified=False ) - user_auth: SaasUserAuth = await get_user_auth(request) + user_auth = cast(SaasUserAuth, await get_user_auth(request)) await user_auth.refresh() # refresh so access token has updated email user_auth.email = email user_auth.email_verified = False @@ -146,7 +147,7 @@ async def resend_email_verification( @api_router.get('/verified') async def verified_email(request: Request): - user_auth: SaasUserAuth = await get_user_auth(request) + user_auth = cast(SaasUserAuth, await get_user_auth(request)) await user_auth.refresh() # refresh so access token has updated email user_auth.email_verified = True await UserStore.update_user_email(user_id=user_auth.user_id, email_verified=True) diff --git a/enterprise/server/routes/integration/jira.py b/enterprise/server/routes/integration/jira.py index 3096734f5d..56ae395e18 100644 --- a/enterprise/server/routes/integration/jira.py +++ b/enterprise/server/routes/integration/jira.py @@ -4,6 +4,7 @@ import json import os import re import uuid +from typing import cast from urllib.parse import urlencode, urlparse import requests @@ -332,7 +333,7 @@ async def jira_events( async def create_jira_workspace(request: Request, workspace_data: JiraWorkspaceCreate): """Create a new Jira workspace registration.""" try: - user_auth: SaasUserAuth = await get_user_auth(request) + user_auth = cast(SaasUserAuth, await get_user_auth(request)) user_id = await user_auth.get_user_id() user_email = await user_auth.get_user_email() @@ -396,7 +397,7 @@ async def create_jira_workspace(request: Request, workspace_data: JiraWorkspaceC async def create_workspace_link(request: Request, link_data: JiraLinkCreate): """Register a user mapping to a Jira workspace.""" try: - user_auth: SaasUserAuth = await get_user_auth(request) + user_auth = cast(SaasUserAuth, await get_user_auth(request)) user_id = await user_auth.get_user_id() user_email = await user_auth.get_user_email() @@ -597,7 +598,7 @@ async def jira_callback(request: Request, code: str, state: str): async def get_current_workspace_link(request: Request): """Get current user's Jira integration details.""" try: - user_auth: SaasUserAuth = await get_user_auth(request) + user_auth = cast(SaasUserAuth, await get_user_auth(request)) user_id = await user_auth.get_user_id() user = await jira_manager.integration_store.get_user_by_active_workspace( @@ -650,7 +651,7 @@ async def get_current_workspace_link(request: Request): async def unlink_workspace(request: Request): """Unlink user from Jira integration by setting status to inactive.""" try: - user_auth: SaasUserAuth = await get_user_auth(request) + user_auth = cast(SaasUserAuth, await get_user_auth(request)) user_id = await user_auth.get_user_id() user = await jira_manager.integration_store.get_user_by_active_workspace( @@ -706,7 +707,7 @@ async def validate_workspace_integration(request: Request, workspace_name: str): detail='workspace_name can only contain alphanumeric characters, hyphens, underscores, and periods', ) - user_auth: SaasUserAuth = await get_user_auth(request) + user_auth = cast(SaasUserAuth, await get_user_auth(request)) user_email = await user_auth.get_user_email() if not user_email: raise HTTPException( diff --git a/enterprise/server/routes/integration/jira_dc.py b/enterprise/server/routes/integration/jira_dc.py index c842da5465..88c8196071 100644 --- a/enterprise/server/routes/integration/jira_dc.py +++ b/enterprise/server/routes/integration/jira_dc.py @@ -2,6 +2,7 @@ import json import os import re import uuid +from typing import cast from urllib.parse import urlencode, urlparse import requests @@ -276,7 +277,7 @@ async def create_jira_dc_workspace( ): """Create a new Jira DC workspace registration.""" try: - user_auth: SaasUserAuth = await get_user_auth(request) + user_auth = cast(SaasUserAuth, await get_user_auth(request)) user_id = await user_auth.get_user_id() user_email = await user_auth.get_user_email() @@ -399,7 +400,7 @@ async def create_jira_dc_workspace( async def create_workspace_link(request: Request, link_data: JiraDcLinkCreate): """Register a user mapping to a Jira DC workspace.""" try: - user_auth: SaasUserAuth = await get_user_auth(request) + user_auth = cast(SaasUserAuth, await get_user_auth(request)) user_id = await user_auth.get_user_id() user_email = await user_auth.get_user_email() @@ -589,7 +590,7 @@ async def jira_dc_callback(request: Request, code: str, state: str): async def get_current_workspace_link(request: Request): """Get current user's Jira DC integration details.""" try: - user_auth: SaasUserAuth = await get_user_auth(request) + user_auth = cast(SaasUserAuth, await get_user_auth(request)) user_id = await user_auth.get_user_id() user = await jira_dc_manager.integration_store.get_user_by_active_workspace( @@ -641,7 +642,7 @@ async def get_current_workspace_link(request: Request): async def unlink_workspace(request: Request): """Unlink user from Jira DC integration by setting status to inactive.""" try: - user_auth: SaasUserAuth = await get_user_auth(request) + user_auth = cast(SaasUserAuth, await get_user_auth(request)) user_id = await user_auth.get_user_id() user = await jira_dc_manager.integration_store.get_user_by_active_workspace( diff --git a/enterprise/server/routes/integration/linear.py b/enterprise/server/routes/integration/linear.py index 1d8363be02..9d47c04b0c 100644 --- a/enterprise/server/routes/integration/linear.py +++ b/enterprise/server/routes/integration/linear.py @@ -2,6 +2,7 @@ import json import os import re import uuid +from typing import cast import requests from fastapi import APIRouter, BackgroundTasks, HTTPException, Request, status @@ -269,7 +270,7 @@ async def create_linear_workspace( ): """Create a new Linear workspace registration.""" try: - user_auth: SaasUserAuth = await get_user_auth(request) + user_auth = cast(SaasUserAuth, await get_user_auth(request)) user_id = await user_auth.get_user_id() user_email = await user_auth.get_user_email() @@ -331,7 +332,7 @@ async def create_linear_workspace( async def create_workspace_link(request: Request, link_data: LinearLinkCreate): """Register a user mapping to a Linear workspace.""" try: - user_auth: SaasUserAuth = await get_user_auth(request) + user_auth = cast(SaasUserAuth, await get_user_auth(request)) user_id = await user_auth.get_user_id() user_email = await user_auth.get_user_email() @@ -520,7 +521,7 @@ async def linear_callback(request: Request, code: str, state: str): async def get_current_workspace_link(request: Request): """Get current user's Linear integration details.""" try: - user_auth: SaasUserAuth = await get_user_auth(request) + user_auth = cast(SaasUserAuth, await get_user_auth(request)) user_id = await user_auth.get_user_id() user = await linear_manager.integration_store.get_user_by_active_workspace( @@ -573,7 +574,7 @@ async def get_current_workspace_link(request: Request): async def unlink_workspace(request: Request): """Unlink user from Linear integration by setting status to inactive.""" try: - user_auth: SaasUserAuth = await get_user_auth(request) + user_auth = cast(SaasUserAuth, await get_user_auth(request)) user_id = await user_auth.get_user_id() user = await linear_manager.integration_store.get_user_by_active_workspace( @@ -629,7 +630,7 @@ async def validate_workspace_integration(request: Request, workspace_name: str): detail='workspace_name can only contain alphanumeric characters, hyphens, underscores, and periods', ) - user_auth: SaasUserAuth = await get_user_auth(request) + user_auth = cast(SaasUserAuth, await get_user_auth(request)) user_email = await user_auth.get_user_email() if not user_email: raise HTTPException( From 4fe3da498ad51308550509a461cb1b1249978ba0 Mon Sep 17 00:00:00 2001 From: Rohit Malhotra Date: Tue, 3 Mar 2026 12:19:05 -0500 Subject: [PATCH 09/67] Fix GitLab integration type errors for mypy compliance (#13172) Co-authored-by: openhands --- .../integrations/gitlab/gitlab_manager.py | 39 ++++++++++--------- .../integrations/gitlab/gitlab_service.py | 25 ++++++++++++ enterprise/integrations/gitlab/gitlab_view.py | 2 +- .../gitlab/webhook_installation.py | 24 ++++++------ enterprise/server/middleware.py | 6 +-- .../server/routes/integration/gitlab.py | 6 +++ enterprise/sync/install_gitlab_webhooks.py | 31 ++++++++------- .../unit/sync/test_install_gitlab_webhooks.py | 4 +- 8 files changed, 87 insertions(+), 50 deletions(-) diff --git a/enterprise/integrations/gitlab/gitlab_manager.py b/enterprise/integrations/gitlab/gitlab_manager.py index 9574e7ff44..914823f8f5 100644 --- a/enterprise/integrations/gitlab/gitlab_manager.py +++ b/enterprise/integrations/gitlab/gitlab_manager.py @@ -1,4 +1,7 @@ +from __future__ import annotations + from types import MappingProxyType +from typing import cast from integrations.gitlab.gitlab_view import ( GitlabFactory, @@ -67,11 +70,11 @@ class GitlabManager(Manager): logger.warning(f'Got invalid keyloak user id for GitLab User {user_id}') return False - # Importing here prevents circular import + # GitLabServiceImpl returns SaaSGitLabService in enterprise context from integrations.gitlab.gitlab_service import SaaSGitLabService - gitlab_service: SaaSGitLabService = GitLabServiceImpl( - external_auth_id=keycloak_user_id + gitlab_service = cast( + SaaSGitLabService, GitLabServiceImpl(external_auth_id=keycloak_user_id) ) return await gitlab_service.user_has_write_access(project_id) @@ -130,36 +133,36 @@ class GitlabManager(Manager): """ keycloak_user_id = gitlab_view.user_info.keycloak_user_id - # Importing here prevents circular import + # GitLabServiceImpl returns SaaSGitLabService in enterprise context from integrations.gitlab.gitlab_service import SaaSGitLabService - gitlab_service: SaaSGitLabService = GitLabServiceImpl( - external_auth_id=keycloak_user_id + gitlab_service = cast( + SaaSGitLabService, GitLabServiceImpl(external_auth_id=keycloak_user_id) ) if isinstance(gitlab_view, GitlabInlineMRComment) or isinstance( gitlab_view, GitlabMRComment ): await gitlab_service.reply_to_mr( - gitlab_view.project_id, - gitlab_view.issue_number, - gitlab_view.discussion_id, - message, + project_id=str(gitlab_view.project_id), + merge_request_iid=str(gitlab_view.issue_number), + discussion_id=gitlab_view.discussion_id, + body=message, ) elif isinstance(gitlab_view, GitlabIssueComment): await gitlab_service.reply_to_issue( - gitlab_view.project_id, - gitlab_view.issue_number, - gitlab_view.discussion_id, - message, + project_id=str(gitlab_view.project_id), + issue_number=str(gitlab_view.issue_number), + discussion_id=gitlab_view.discussion_id, + body=message, ) elif isinstance(gitlab_view, GitlabIssue): await gitlab_service.reply_to_issue( - gitlab_view.project_id, - gitlab_view.issue_number, - None, # no discussion id, issue is tagged - message, + project_id=str(gitlab_view.project_id), + issue_number=str(gitlab_view.issue_number), + discussion_id=None, # no discussion id, issue is tagged + body=message, ) else: logger.warning( diff --git a/enterprise/integrations/gitlab/gitlab_service.py b/enterprise/integrations/gitlab/gitlab_service.py index e5c6ce5272..558cc15058 100644 --- a/enterprise/integrations/gitlab/gitlab_service.py +++ b/enterprise/integrations/gitlab/gitlab_service.py @@ -185,6 +185,31 @@ class SaaSGitLabService(GitLabService): users_personal_projects: List of personal projects owned by the user repositories: List of Repository objects to store """ + # If external_auth_id is not set, try to determine it from the Keycloak token + if not self.external_auth_id and self.external_auth_token: + try: + user_info = await self.token_manager.get_user_info( + self.external_auth_token.get_secret_value() + ) + keycloak_user_id = user_info.get('sub') + if keycloak_user_id: + self.external_auth_id = keycloak_user_id + logger.info( + f'Determined external_auth_id from Keycloak token: {self.external_auth_id}' + ) + except Exception: + logger.warning( + 'Cannot store repository data: external_auth_id is not set and could not be determined from token', + exc_info=True, + ) + return + + if not self.external_auth_id: + logger.warning( + 'Cannot store repository data: external_auth_id could not be determined' + ) + return + try: # First, add owned projects and groups to the database await self.add_owned_projects_and_groups_to_db(users_personal_projects) diff --git a/enterprise/integrations/gitlab/gitlab_view.py b/enterprise/integrations/gitlab/gitlab_view.py index bad7e7b451..924d18dcd6 100644 --- a/enterprise/integrations/gitlab/gitlab_view.py +++ b/enterprise/integrations/gitlab/gitlab_view.py @@ -303,7 +303,7 @@ class GitlabFactory: @staticmethod async def create_gitlab_view_from_payload( message: Message, token_manager: TokenManager - ) -> ResolverViewInterface: + ) -> GitlabViewType: payload = message.message['payload'] installation_id = message.message['installation_id'] user = payload['user'] diff --git a/enterprise/integrations/gitlab/webhook_installation.py b/enterprise/integrations/gitlab/webhook_installation.py index 123ec21079..71cb427ae7 100644 --- a/enterprise/integrations/gitlab/webhook_installation.py +++ b/enterprise/integrations/gitlab/webhook_installation.py @@ -4,7 +4,9 @@ This module contains reusable functions and classes for installing GitLab webhoo that can be used by both the cron job and API routes. """ -from typing import cast +from __future__ import annotations + +from typing import TYPE_CHECKING from uuid import uuid4 from integrations.types import GitLabResourceType @@ -13,7 +15,9 @@ from storage.gitlab_webhook import GitlabWebhook, WebhookStatus from storage.gitlab_webhook_store import GitlabWebhookStore from openhands.core.logger import openhands_logger as logger -from openhands.integrations.service_types import GitService + +if TYPE_CHECKING: + from integrations.gitlab.gitlab_service import SaaSGitLabService # Webhook configuration constants WEBHOOK_NAME = 'OpenHands Resolver' @@ -35,7 +39,7 @@ class BreakLoopException(Exception): async def verify_webhook_conditions( - gitlab_service: type[GitService], + gitlab_service: SaaSGitLabService, resource_type: GitLabResourceType, resource_id: str, webhook_store: GitlabWebhookStore, @@ -52,10 +56,6 @@ async def verify_webhook_conditions( webhook_store: Webhook store instance webhook: Webhook object to verify """ - from integrations.gitlab.gitlab_service import SaaSGitLabService - - gitlab_service = cast(type[SaaSGitLabService], gitlab_service) - # Check if resource exists does_resource_exist, status = await gitlab_service.check_resource_exists( resource_type, resource_id @@ -106,7 +106,9 @@ async def verify_webhook_conditions( does_webhook_exist_on_resource, status, ) = await gitlab_service.check_webhook_exists_on_resource( - resource_type, resource_id, GITLAB_WEBHOOK_URL + resource_type=resource_type, + resource_id=resource_id, + webhook_url=GITLAB_WEBHOOK_URL, ) logger.info( @@ -131,7 +133,7 @@ async def verify_webhook_conditions( async def install_webhook_on_resource( - gitlab_service: type[GitService], + gitlab_service: SaaSGitLabService, resource_type: GitLabResourceType, resource_id: str, webhook_store: GitlabWebhookStore, @@ -150,10 +152,6 @@ async def install_webhook_on_resource( Returns: Tuple of (webhook_id, status) """ - from integrations.gitlab.gitlab_service import SaaSGitLabService - - gitlab_service = cast(type[SaaSGitLabService], gitlab_service) - webhook_secret = f'{webhook.user_id}-{str(uuid4())}' webhook_uuid = f'{str(uuid4())}' diff --git a/enterprise/server/middleware.py b/enterprise/server/middleware.py index c1c11d6f49..726c552d3b 100644 --- a/enterprise/server/middleware.py +++ b/enterprise/server/middleware.py @@ -53,9 +53,9 @@ class SetAuthCookieMiddleware: ) # On re-authentication (token refresh), kick off background sync for GitLab repos - schedule_gitlab_repo_sync( - await user_auth.get_user_id(), - ) + user_id = await user_auth.get_user_id() + if user_id: + schedule_gitlab_repo_sync(user_id) if ( self._should_attach(request) diff --git a/enterprise/server/routes/integration/gitlab.py b/enterprise/server/routes/integration/gitlab.py index a67c0c9742..acdb93c6fa 100644 --- a/enterprise/server/routes/integration/gitlab.py +++ b/enterprise/server/routes/integration/gitlab.py @@ -329,6 +329,12 @@ async def reinstall_gitlab_webhook( resource_type, resource_id ) + if not webhook: + raise HTTPException( + status_code=status.HTTP_500_INTERNAL_SERVER_ERROR, + detail='Failed to create or fetch webhook record', + ) + # Verify conditions and install webhook try: await verify_webhook_conditions( diff --git a/enterprise/sync/install_gitlab_webhooks.py b/enterprise/sync/install_gitlab_webhooks.py index e11085e300..bf1f9f7f42 100644 --- a/enterprise/sync/install_gitlab_webhooks.py +++ b/enterprise/sync/install_gitlab_webhooks.py @@ -1,5 +1,7 @@ +from __future__ import annotations + import asyncio -from typing import cast +from typing import TYPE_CHECKING, cast from integrations.gitlab.webhook_installation import ( BreakLoopException, @@ -15,7 +17,9 @@ from storage.gitlab_webhook_store import GitlabWebhookStore from openhands.core.logger import openhands_logger as logger from openhands.integrations.gitlab.gitlab_service import GitLabServiceImpl -from openhands.integrations.service_types import GitService + +if TYPE_CHECKING: + from integrations.gitlab.gitlab_service import SaaSGitLabService CHUNK_SIZE = 100 @@ -35,7 +39,7 @@ class VerifyWebhookStatus: async def check_if_webhook_already_exists_on_resource( self, - gitlab_service: type[GitService], + gitlab_service: SaaSGitLabService, resource_type: GitLabResourceType, resource_id: str, webhook_store: GitlabWebhookStore, @@ -44,14 +48,13 @@ class VerifyWebhookStatus: """ Check whether webhook already exists on resource """ - from integrations.gitlab.gitlab_service import SaaSGitLabService - - gitlab_service = cast(type[SaaSGitLabService], gitlab_service) ( does_webhook_exist_on_resource, status, ) = await gitlab_service.check_webhook_exists_on_resource( - resource_type, resource_id, GITLAB_WEBHOOK_URL + resource_type=resource_type, + resource_id=resource_id, + webhook_url=GITLAB_WEBHOOK_URL, ) logger.info( @@ -75,7 +78,7 @@ class VerifyWebhookStatus: async def verify_conditions_are_met( self, - gitlab_service: type[GitService], + gitlab_service: SaaSGitLabService, resource_type: GitLabResourceType, resource_id: str, webhook_store: GitlabWebhookStore, @@ -92,7 +95,7 @@ class VerifyWebhookStatus: async def create_new_webhook( self, - gitlab_service: type[GitService], + gitlab_service: SaaSGitLabService, resource_type: GitLabResourceType, resource_id: str, webhook_store: GitlabWebhookStore, @@ -165,12 +168,12 @@ class VerifyWebhookStatus: webhook ) - gitlab_service_impl = GitLabServiceImpl(external_auth_id=user_id) + # GitLabServiceImpl returns SaaSGitLabService in enterprise context + from integrations.gitlab.gitlab_service import SaaSGitLabService - if not isinstance(gitlab_service_impl, SaaSGitLabService): - raise Exception('Only SaaSGitLabService is supported') - # Cast needed when mypy can see OpenHands - gitlab_service = cast(type[SaaSGitLabService], gitlab_service_impl) + gitlab_service = cast( + SaaSGitLabService, GitLabServiceImpl(external_auth_id=user_id) + ) await self.verify_conditions_are_met( gitlab_service=gitlab_service, diff --git a/enterprise/tests/unit/sync/test_install_gitlab_webhooks.py b/enterprise/tests/unit/sync/test_install_gitlab_webhooks.py index 3d8d91a965..b1027c842b 100644 --- a/enterprise/tests/unit/sync/test_install_gitlab_webhooks.py +++ b/enterprise/tests/unit/sync/test_install_gitlab_webhooks.py @@ -75,7 +75,9 @@ class TestVerifyWebhookConditions: resource_type, resource_id ) mock_gitlab_service.check_webhook_exists_on_resource.assert_called_once_with( - resource_type, resource_id, GITLAB_WEBHOOK_URL + resource_type=resource_type, + resource_id=resource_id, + webhook_url=GITLAB_WEBHOOK_URL, ) mock_webhook_store.delete_webhook.assert_not_called() From a051f7d6f603e1dd44cce1e2a70f59941b5f0b19 Mon Sep 17 00:00:00 2001 From: Rohit Malhotra Date: Tue, 3 Mar 2026 12:19:12 -0500 Subject: [PATCH 10/67] Add generic type hints to manager class declarations (#13174) Co-authored-by: openhands --- .../integrations/github/github_manager.py | 5 +++-- .../integrations/gitlab/gitlab_manager.py | 2 +- enterprise/integrations/jira/jira_manager.py | 2 +- .../integrations/jira_dc/jira_dc_manager.py | 2 +- .../integrations/linear/linear_manager.py | 2 +- enterprise/integrations/manager.py | 17 +++++++++++++---- enterprise/integrations/slack/slack_manager.py | 2 +- 7 files changed, 21 insertions(+), 11 deletions(-) diff --git a/enterprise/integrations/github/github_manager.py b/enterprise/integrations/github/github_manager.py index 88d31b8850..7d0501dc46 100644 --- a/enterprise/integrations/github/github_manager.py +++ b/enterprise/integrations/github/github_manager.py @@ -10,6 +10,7 @@ from integrations.github.github_view import ( GithubIssue, GithubIssueComment, GithubPRComment, + GithubViewType, ) from integrations.manager import Manager from integrations.models import ( @@ -43,7 +44,7 @@ from openhands.storage.data_models.secrets import Secrets from openhands.utils.async_utils import call_sync_from_async -class GithubManager(Manager): +class GithubManager(Manager[GithubViewType]): def __init__( self, token_manager: TokenManager, data_collector: GitHubDataCollector ): @@ -236,7 +237,7 @@ class GithubManager(Manager): logger.warning('Unsupported location') return - async def start_job(self, github_view: ResolverViewInterface): + async def start_job(self, github_view: GithubViewType): """Kick off a job with openhands agent. 1. Get user credential diff --git a/enterprise/integrations/gitlab/gitlab_manager.py b/enterprise/integrations/gitlab/gitlab_manager.py index 914823f8f5..be6cb49a6f 100644 --- a/enterprise/integrations/gitlab/gitlab_manager.py +++ b/enterprise/integrations/gitlab/gitlab_manager.py @@ -36,7 +36,7 @@ from openhands.server.types import ( from openhands.storage.data_models.secrets import Secrets -class GitlabManager(Manager): +class GitlabManager(Manager[GitlabViewType]): def __init__(self, token_manager: TokenManager, data_collector: None = None): self.token_manager = token_manager diff --git a/enterprise/integrations/jira/jira_manager.py b/enterprise/integrations/jira/jira_manager.py index 05e255651c..9223bcfa36 100644 --- a/enterprise/integrations/jira/jira_manager.py +++ b/enterprise/integrations/jira/jira_manager.py @@ -57,7 +57,7 @@ JIRA_CLOUD_API_URL = 'https://api.atlassian.com/ex/jira' OH_LABEL, INLINE_OH_LABEL = get_oh_labels(HOST) -class JiraManager(Manager): +class JiraManager(Manager[JiraViewInterface]): """Manager for processing Jira webhook events. This class orchestrates the flow from webhook receipt to conversation creation, diff --git a/enterprise/integrations/jira_dc/jira_dc_manager.py b/enterprise/integrations/jira_dc/jira_dc_manager.py index acbd1dfead..5adc1fbc75 100644 --- a/enterprise/integrations/jira_dc/jira_dc_manager.py +++ b/enterprise/integrations/jira_dc/jira_dc_manager.py @@ -42,7 +42,7 @@ from openhands.server.user_auth.user_auth import UserAuth from openhands.utils.http_session import httpx_verify_option -class JiraDcManager(Manager): +class JiraDcManager(Manager[JiraDcViewInterface]): def __init__(self, token_manager: TokenManager): self.token_manager = token_manager self.integration_store = JiraDcIntegrationStore.get_instance() diff --git a/enterprise/integrations/linear/linear_manager.py b/enterprise/integrations/linear/linear_manager.py index 1e78c2bc97..10f1b63c52 100644 --- a/enterprise/integrations/linear/linear_manager.py +++ b/enterprise/integrations/linear/linear_manager.py @@ -39,7 +39,7 @@ from openhands.server.user_auth.user_auth import UserAuth from openhands.utils.http_session import httpx_verify_option -class LinearManager(Manager): +class LinearManager(Manager[LinearViewInterface]): def __init__(self, token_manager: TokenManager): self.token_manager = token_manager self.integration_store = LinearIntegrationStore.get_instance() diff --git a/enterprise/integrations/manager.py b/enterprise/integrations/manager.py index f27804b1e8..550b4ca5c1 100644 --- a/enterprise/integrations/manager.py +++ b/enterprise/integrations/manager.py @@ -1,10 +1,13 @@ from abc import ABC, abstractmethod -from typing import Any +from typing import Any, Generic, TypeVar from integrations.models import Message, SourceType +# TypeVar for view types - each manager subclass specifies its own view type +ViewT = TypeVar('ViewT') -class Manager(ABC): + +class Manager(ABC, Generic[ViewT]): manager_type: SourceType @abstractmethod @@ -22,6 +25,12 @@ class Manager(ABC): raise NotImplementedError @abstractmethod - def start_job(self): - "Kick off a job with openhands agent" + def start_job(self, view: ViewT) -> None: + """Kick off a job with openhands agent. + + Args: + view: Integration-specific view object containing job context. + Each manager subclass accepts its own view type + (e.g., SlackViewInterface, JiraViewInterface, etc.) + """ raise NotImplementedError diff --git a/enterprise/integrations/slack/slack_manager.py b/enterprise/integrations/slack/slack_manager.py index 16a60d9e3a..34ee33b535 100644 --- a/enterprise/integrations/slack/slack_manager.py +++ b/enterprise/integrations/slack/slack_manager.py @@ -45,7 +45,7 @@ authorize_url_generator = AuthorizeUrlGenerator( ) -class SlackManager(Manager): +class SlackManager(Manager[SlackViewInterface]): def __init__(self, token_manager): self.token_manager = token_manager self.login_link = ( From 35024aeffe138e0c9548820e748e90a45a2fe0fe Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 3 Mar 2026 12:45:43 -0600 Subject: [PATCH 11/67] chore(deps): bump pypdf from 6.7.3 to 6.7.5 (#13157) Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: openhands Co-authored-by: aivong-openhands --- enterprise/poetry.lock | 6 +++--- poetry.lock | 6 +++--- uv.lock | 6 +++--- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/enterprise/poetry.lock b/enterprise/poetry.lock index d4a06c9980..4fadd7372f 100644 --- a/enterprise/poetry.lock +++ b/enterprise/poetry.lock @@ -11553,14 +11553,14 @@ diagrams = ["jinja2", "railroad-diagrams"] [[package]] name = "pypdf" -version = "6.7.3" +version = "6.7.5" description = "A pure-python PDF library capable of splitting, merging, cropping, and transforming PDF files" optional = false python-versions = ">=3.9" groups = ["main"] files = [ - {file = "pypdf-6.7.3-py3-none-any.whl", hash = "sha256:cd25ac508f20b554a9fafd825186e3ba29591a69b78c156783c5d8a2d63a1c0a"}, - {file = "pypdf-6.7.3.tar.gz", hash = "sha256:eca55c78d0ec7baa06f9288e2be5c4e8242d5cbb62c7a4b94f2716f8e50076d2"}, + {file = "pypdf-6.7.5-py3-none-any.whl", hash = "sha256:07ba7f1d6e6d9aa2a17f5452e320a84718d4ce863367f7ede2fd72280349ab13"}, + {file = "pypdf-6.7.5.tar.gz", hash = "sha256:40bb2e2e872078655f12b9b89e2f900888bb505e88a82150b64f9f34fa25651d"}, ] [package.extras] diff --git a/poetry.lock b/poetry.lock index d8cb26a1fa..206b3bbc13 100644 --- a/poetry.lock +++ b/poetry.lock @@ -11390,14 +11390,14 @@ diagrams = ["jinja2", "railroad-diagrams"] [[package]] name = "pypdf" -version = "6.7.3" +version = "6.7.5" description = "A pure-python PDF library capable of splitting, merging, cropping, and transforming PDF files" optional = false python-versions = ">=3.9" groups = ["main"] files = [ - {file = "pypdf-6.7.3-py3-none-any.whl", hash = "sha256:cd25ac508f20b554a9fafd825186e3ba29591a69b78c156783c5d8a2d63a1c0a"}, - {file = "pypdf-6.7.3.tar.gz", hash = "sha256:eca55c78d0ec7baa06f9288e2be5c4e8242d5cbb62c7a4b94f2716f8e50076d2"}, + {file = "pypdf-6.7.5-py3-none-any.whl", hash = "sha256:07ba7f1d6e6d9aa2a17f5452e320a84718d4ce863367f7ede2fd72280349ab13"}, + {file = "pypdf-6.7.5.tar.gz", hash = "sha256:40bb2e2e872078655f12b9b89e2f900888bb505e88a82150b64f9f34fa25651d"}, ] [package.extras] diff --git a/uv.lock b/uv.lock index 9faf603f89..7b0dc7b4c6 100644 --- a/uv.lock +++ b/uv.lock @@ -7314,11 +7314,11 @@ wheels = [ [[package]] name = "pypdf" -version = "6.7.3" +version = "6.7.5" source = { registry = "https://pypi.org/simple" } -sdist = { url = "https://files.pythonhosted.org/packages/53/9b/63e767042fc852384dc71e5ff6f990ee4e1b165b1526cf3f9c23a4eebb47/pypdf-6.7.3.tar.gz", hash = "sha256:eca55c78d0ec7baa06f9288e2be5c4e8242d5cbb62c7a4b94f2716f8e50076d2", size = 5303304, upload-time = "2026-02-24T17:23:11.42Z" } +sdist = { url = "https://files.pythonhosted.org/packages/f6/52/37cc0aa9e9d1bf7729a737a0d83f8b3f851c8eb137373d9f71eafb0a3405/pypdf-6.7.5.tar.gz", hash = "sha256:40bb2e2e872078655f12b9b89e2f900888bb505e88a82150b64f9f34fa25651d", size = 5304278, upload-time = "2026-03-02T09:05:21.464Z" } wheels = [ - { url = "https://files.pythonhosted.org/packages/b0/90/3308a9b8b46c1424181fdf3f4580d2b423c5471425799e7fc62f92d183f4/pypdf-6.7.3-py3-none-any.whl", hash = "sha256:cd25ac508f20b554a9fafd825186e3ba29591a69b78c156783c5d8a2d63a1c0a", size = 331263, upload-time = "2026-02-24T17:23:09.932Z" }, + { url = "https://files.pythonhosted.org/packages/05/89/336673efd0a88956562658aba4f0bbef7cb92a6fbcbcaf94926dbc82b408/pypdf-6.7.5-py3-none-any.whl", hash = "sha256:07ba7f1d6e6d9aa2a17f5452e320a84718d4ce863367f7ede2fd72280349ab13", size = 331421, upload-time = "2026-03-02T09:05:19.722Z" }, ] [[package]] From 6822169594b7710d30d64a6ce80190f2f51ed627 Mon Sep 17 00:00:00 2001 From: Rohit Malhotra Date: Tue, 3 Mar 2026 15:03:45 -0500 Subject: [PATCH 12/67] Fix type signatures for mypy compliance + V1 GitLab Support (#13171) Co-authored-by: openhands --- .../integrations/gitlab/gitlab_manager.py | 34 +- .../gitlab/gitlab_v1_callback_processor.py | 277 +++++++++++++ enterprise/integrations/gitlab/gitlab_view.py | 216 ++++++++-- enterprise/integrations/types.py | 42 +- enterprise/integrations/utils.py | 8 +- .../server/routes/integration/gitlab.py | 11 +- .../gitlab/test_gitlab_manager.py | 286 +++++++++++++ .../test_gitlab_v1_callback_processor.py | 376 ++++++++++++++++++ .../unit/test_gitlab_callback_processor.py | 1 + 9 files changed, 1196 insertions(+), 55 deletions(-) create mode 100644 enterprise/integrations/gitlab/gitlab_v1_callback_processor.py create mode 100644 enterprise/tests/unit/integrations/gitlab/test_gitlab_manager.py create mode 100644 enterprise/tests/unit/integrations/gitlab/test_gitlab_v1_callback_processor.py diff --git a/enterprise/integrations/gitlab/gitlab_manager.py b/enterprise/integrations/gitlab/gitlab_manager.py index be6cb49a6f..9fbe5d46eb 100644 --- a/enterprise/integrations/gitlab/gitlab_manager.py +++ b/enterprise/integrations/gitlab/gitlab_manager.py @@ -20,6 +20,7 @@ from integrations.utils import ( OPENHANDS_RESOLVER_TEMPLATES_DIR, get_session_expired_message, ) +from integrations.v1_utils import get_saas_user_auth from jinja2 import Environment, FileSystemLoader from pydantic import SecretStr from server.auth.token_manager import TokenManager @@ -214,8 +215,18 @@ class GitlabManager(Manager[GitlabViewType]): ) ) + # Initialize conversation and get metadata (following GitHub pattern) + convo_metadata = await gitlab_view.initialize_new_conversation() + + saas_user_auth = await get_saas_user_auth( + gitlab_view.user_info.keycloak_user_id, self.token_manager + ) + await gitlab_view.create_new_conversation( - self.jinja_env, secret_store.provider_tokens + self.jinja_env, + secret_store.provider_tokens, + convo_metadata, + saas_user_auth, ) conversation_id = gitlab_view.conversation_id @@ -224,18 +235,19 @@ class GitlabManager(Manager[GitlabViewType]): f'[GitLab] Created conversation {conversation_id} for user {user_info.username}' ) - # Create a GitlabCallbackProcessor for this conversation - processor = GitlabCallbackProcessor( - gitlab_view=gitlab_view, - send_summary_instruction=True, - ) + if not gitlab_view.v1_enabled: + # Create a GitlabCallbackProcessor for this conversation + processor = GitlabCallbackProcessor( + gitlab_view=gitlab_view, + send_summary_instruction=True, + ) - # Register the callback processor - register_callback_processor(conversation_id, processor) + # Register the callback processor + register_callback_processor(conversation_id, processor) - logger.info( - f'[GitLab] Created callback processor for conversation {conversation_id}' - ) + logger.info( + f'[GitLab] Created callback processor for conversation {conversation_id}' + ) conversation_link = CONVERSATION_URL.format(conversation_id) msg_info = f"I'm on it! {user_info.username} can [track my progress at all-hands.dev]({conversation_link})" diff --git a/enterprise/integrations/gitlab/gitlab_v1_callback_processor.py b/enterprise/integrations/gitlab/gitlab_v1_callback_processor.py new file mode 100644 index 0000000000..fcb3c24cb2 --- /dev/null +++ b/enterprise/integrations/gitlab/gitlab_v1_callback_processor.py @@ -0,0 +1,277 @@ +import logging +from typing import Any +from uuid import UUID + +import httpx +from integrations.utils import CONVERSATION_URL, get_summary_instruction +from pydantic import Field + +from openhands.agent_server.models import AskAgentRequest, AskAgentResponse +from openhands.app_server.event_callback.event_callback_models import ( + EventCallback, + EventCallbackProcessor, +) +from openhands.app_server.event_callback.event_callback_result_models import ( + EventCallbackResult, + EventCallbackResultStatus, +) +from openhands.app_server.event_callback.util import ( + ensure_conversation_found, + ensure_running_sandbox, + get_agent_server_url_from_sandbox, +) +from openhands.sdk import Event +from openhands.sdk.event import ConversationStateUpdateEvent + +_logger = logging.getLogger(__name__) + + +class GitlabV1CallbackProcessor(EventCallbackProcessor): + """Callback processor for GitLab V1 integrations.""" + + gitlab_view_data: dict[str, Any] = Field(default_factory=dict) + should_request_summary: bool = Field(default=True) + inline_mr_comment: bool = Field(default=False) + + async def __call__( + self, + conversation_id: UUID, + callback: EventCallback, + event: Event, + ) -> EventCallbackResult | None: + """Process events for GitLab V1 integration.""" + # Only handle ConversationStateUpdateEvent + if not isinstance(event, ConversationStateUpdateEvent): + return None + + # Only act when execution has finished + if not (event.key == 'execution_status' and event.value == 'finished'): + return None + + _logger.info('[GitLab V1] Callback agent state was %s', event) + _logger.info( + '[GitLab V1] Should request summary: %s', self.should_request_summary + ) + + if not self.should_request_summary: + return None + + self.should_request_summary = False + + try: + _logger.info(f'[GitLab V1] Requesting summary {conversation_id}') + summary = await self._request_summary(conversation_id) + _logger.info( + f'[GitLab V1] Posting summary {conversation_id}', + extra={'summary': summary}, + ) + await self._post_summary_to_gitlab(summary) + + return EventCallbackResult( + status=EventCallbackResultStatus.SUCCESS, + event_callback_id=callback.id, + event_id=event.id, + conversation_id=conversation_id, + detail=summary, + ) + except Exception as e: + _logger.exception('[GitLab V1] Error processing callback: %s', e) + + # Only try to post error to GitLab if we have basic requirements + try: + if self.gitlab_view_data.get('keycloak_user_id'): + await self._post_summary_to_gitlab( + f'OpenHands encountered an error: **{str(e)}**.\n\n' + f'[See the conversation]({CONVERSATION_URL.format(conversation_id)}) ' + 'for more information.' + ) + except Exception as post_error: + _logger.warning( + '[GitLab V1] Failed to post error message to GitLab: %s', post_error + ) + + return EventCallbackResult( + status=EventCallbackResultStatus.ERROR, + event_callback_id=callback.id, + event_id=event.id, + conversation_id=conversation_id, + detail=str(e), + ) + + # ------------------------------------------------------------------------- + # GitLab helpers + # ------------------------------------------------------------------------- + + async def _post_summary_to_gitlab(self, summary: str) -> None: + """Post a summary comment to the configured GitLab issue or MR.""" + # Import here to avoid circular imports + from integrations.gitlab.gitlab_service import SaaSGitLabService + + from openhands.integrations.gitlab.gitlab_service import GitLabServiceImpl + + keycloak_user_id = self.gitlab_view_data.get('keycloak_user_id') + if not keycloak_user_id: + raise RuntimeError('Missing keycloak user ID for GitLab') + + gitlab_service: SaaSGitLabService = GitLabServiceImpl( + external_auth_id=keycloak_user_id + ) + + project_id = self.gitlab_view_data['project_id'] + issue_number = self.gitlab_view_data['issue_number'] + discussion_id = self.gitlab_view_data.get('discussion_id') + is_mr = self.gitlab_view_data.get('is_mr', False) + + if is_mr: + await gitlab_service.reply_to_mr( + project_id, + issue_number, + discussion_id, + summary, + ) + else: + await gitlab_service.reply_to_issue( + project_id, + issue_number, + discussion_id, + summary, + ) + + # ------------------------------------------------------------------------- + # Agent / sandbox helpers + # ------------------------------------------------------------------------- + + async def _ask_question( + self, + httpx_client: httpx.AsyncClient, + agent_server_url: str, + conversation_id: UUID, + session_api_key: str, + message_content: str, + ) -> str: + """Send a message to the agent server via the V1 API and return response text.""" + send_message_request = AskAgentRequest(question=message_content) + + url = ( + f'{agent_server_url.rstrip("/")}' + f'/api/conversations/{conversation_id}/ask_agent' + ) + headers = {'X-Session-API-Key': session_api_key} + payload = send_message_request.model_dump() + + try: + response = await httpx_client.post( + url, + json=payload, + headers=headers, + timeout=30.0, + ) + response.raise_for_status() + + agent_response = AskAgentResponse.model_validate(response.json()) + return agent_response.response + + except httpx.HTTPStatusError as e: + error_detail = f'HTTP {e.response.status_code} error' + try: + error_body = e.response.text + if error_body: + error_detail += f': {error_body}' + except Exception: # noqa: BLE001 + pass + + _logger.error( + '[GitLab V1] HTTP error sending message to %s: %s. ' + 'Request payload: %s. Response headers: %s', + url, + error_detail, + payload, + dict(e.response.headers), + exc_info=True, + ) + raise Exception(f'Failed to send message to agent server: {error_detail}') + + except httpx.TimeoutException: + error_detail = f'Request timeout after 30 seconds to {url}' + _logger.error( + '[GitLab V1] %s. Request payload: %s', + error_detail, + payload, + exc_info=True, + ) + raise Exception(error_detail) + + except httpx.RequestError as e: + error_detail = f'Request error to {url}: {str(e)}' + _logger.error( + '[GitLab V1] %s. Request payload: %s', + error_detail, + payload, + exc_info=True, + ) + raise Exception(error_detail) + + # ------------------------------------------------------------------------- + # Summary orchestration + # ------------------------------------------------------------------------- + + async def _request_summary(self, conversation_id: UUID) -> str: + """Ask the agent to produce a summary of its work and return the agent response. + + NOTE: This method now returns a string (the agent server's response text) + and raises exceptions on errors. The wrapping into EventCallbackResult + is handled by __call__. + """ + # Import services within the method to avoid circular imports + from openhands.app_server.config import ( + get_app_conversation_info_service, + get_httpx_client, + get_sandbox_service, + ) + from openhands.app_server.services.injector import InjectorState + from openhands.app_server.user.specifiy_user_context import ( + ADMIN, + USER_CONTEXT_ATTR, + ) + + # Create injector state for dependency injection + state = InjectorState() + setattr(state, USER_CONTEXT_ATTR, ADMIN) + + async with ( + get_app_conversation_info_service(state) as app_conversation_info_service, + get_sandbox_service(state) as sandbox_service, + get_httpx_client(state) as httpx_client, + ): + # 1. Conversation lookup + app_conversation_info = ensure_conversation_found( + await app_conversation_info_service.get_app_conversation_info( + conversation_id + ), + conversation_id, + ) + + # 2. Sandbox lookup + validation + sandbox = ensure_running_sandbox( + await sandbox_service.get_sandbox(app_conversation_info.sandbox_id), + app_conversation_info.sandbox_id, + ) + + assert ( + sandbox.session_api_key is not None + ), f'No session API key for sandbox: {sandbox.id}' + + # 3. URL + instruction + agent_server_url = get_agent_server_url_from_sandbox(sandbox) + + # Prepare message based on agent state + message_content = get_summary_instruction() + + # Ask the agent and return the response text + return await self._ask_question( + httpx_client=httpx_client, + agent_server_url=agent_server_url, + conversation_id=conversation_id, + session_api_key=sandbox.session_api_key, + message_content=message_content, + ) diff --git a/enterprise/integrations/gitlab/gitlab_view.py b/enterprise/integrations/gitlab/gitlab_view.py index 924d18dcd6..8bb0f22868 100644 --- a/enterprise/integrations/gitlab/gitlab_view.py +++ b/enterprise/integrations/gitlab/gitlab_view.py @@ -1,24 +1,53 @@ from dataclasses import dataclass +from uuid import UUID, uuid4 from integrations.models import Message +from integrations.resolver_context import ResolverUserContext from integrations.types import ResolverViewInterface, UserData -from integrations.utils import HOST, get_oh_labels, has_exact_mention +from integrations.utils import ( + ENABLE_V1_GITLAB_RESOLVER, + HOST, + get_oh_labels, + get_user_v1_enabled_setting, + has_exact_mention, +) from jinja2 import Environment from server.auth.token_manager import TokenManager from server.config import get_config from storage.saas_secrets_store import SaasSecretsStore +from openhands.agent_server.models import SendMessageRequest +from openhands.app_server.app_conversation.app_conversation_models import ( + AppConversationStartRequest, + AppConversationStartTaskStatus, +) +from openhands.app_server.config import get_app_conversation_service +from openhands.app_server.services.injector import InjectorState +from openhands.app_server.user.specifiy_user_context import USER_CONTEXT_ATTR from openhands.core.logger import openhands_logger as logger from openhands.integrations.gitlab.gitlab_service import GitLabServiceImpl from openhands.integrations.provider import PROVIDER_TOKEN_TYPE, ProviderType from openhands.integrations.service_types import Comment -from openhands.server.services.conversation_service import create_new_conversation -from openhands.storage.data_models.conversation_metadata import ConversationTrigger +from openhands.sdk import TextContent +from openhands.server.services.conversation_service import ( + initialize_conversation, + start_conversation, +) +from openhands.server.user_auth.user_auth import UserAuth +from openhands.storage.data_models.conversation_metadata import ( + ConversationMetadata, + ConversationTrigger, +) OH_LABEL, INLINE_OH_LABEL = get_oh_labels(HOST) CONFIDENTIAL_NOTE = 'confidential_note' NOTE_TYPES = ['note', CONFIDENTIAL_NOTE] + +async def is_v1_enabled_for_gitlab_resolver(user_id: str) -> bool: + return await get_user_v1_enabled_setting(user_id) and ENABLE_V1_GITLAB_RESOLVER + + # ================================================= # SECTION: Factory to create appriorate Gitlab view # ================================================= @@ -40,6 +69,10 @@ class GitlabIssue(ResolverViewInterface): description: str previous_comments: list[Comment] is_mr: bool + v1_enabled: bool + + def _get_branch_name(self) -> str | None: + return getattr(self, 'branch_name', None) async def _load_resolver_context(self): gitlab_service = GitLabServiceImpl( @@ -82,28 +115,153 @@ class GitlabIssue(ResolverViewInterface): return user_secrets.custom_secrets if user_secrets else None + async def initialize_new_conversation(self) -> ConversationMetadata: + # v1_enabled is already set at construction time in the factory method + # This is the source of truth for the conversation type + if self.v1_enabled: + # Create dummy conversation metadata + # Don't save to conversation store + # V1 conversations are stored in a separate table + self.conversation_id = uuid4().hex + return ConversationMetadata( + conversation_id=self.conversation_id, + selected_repository=self.full_repo_name, + ) + + conversation_metadata: ConversationMetadata = await initialize_conversation( # type: ignore[assignment] + user_id=self.user_info.keycloak_user_id, + conversation_id=None, + selected_repository=self.full_repo_name, + selected_branch=self._get_branch_name(), + conversation_trigger=ConversationTrigger.RESOLVER, + git_provider=ProviderType.GITLAB, + ) + + self.conversation_id = conversation_metadata.conversation_id + return conversation_metadata + async def create_new_conversation( - self, jinja_env: Environment, git_provider_tokens: PROVIDER_TOKEN_TYPE + self, + jinja_env: Environment, + git_provider_tokens: PROVIDER_TOKEN_TYPE, + conversation_metadata: ConversationMetadata, + saas_user_auth: UserAuth, ): + # v1_enabled is already set at construction time in the factory method + if self.v1_enabled: + # Use V1 app conversation service + await self._create_v1_conversation( + jinja_env, saas_user_auth, conversation_metadata + ) + else: + await self._create_v0_conversation( + jinja_env, git_provider_tokens, conversation_metadata + ) + + async def _create_v0_conversation( + self, + jinja_env: Environment, + git_provider_tokens: PROVIDER_TOKEN_TYPE, + conversation_metadata: ConversationMetadata, + ): + """Create conversation using the legacy V0 system.""" + logger.info('[GitLab]: Creating V0 conversation') custom_secrets = await self._get_user_secrets() user_instructions, conversation_instructions = await self._get_instructions( jinja_env ) - agent_loop_info = await create_new_conversation( + + await start_conversation( user_id=self.user_info.keycloak_user_id, git_provider_tokens=git_provider_tokens, custom_secrets=custom_secrets, - selected_repository=self.full_repo_name, - selected_branch=None, initial_user_msg=user_instructions, - conversation_instructions=conversation_instructions, image_urls=None, - conversation_trigger=ConversationTrigger.RESOLVER, replay_json=None, + conversation_id=conversation_metadata.conversation_id, + conversation_metadata=conversation_metadata, + conversation_instructions=conversation_instructions, + ) + + async def _create_v1_conversation( + self, + jinja_env: Environment, + saas_user_auth: UserAuth, + conversation_metadata: ConversationMetadata, + ): + """Create conversation using the new V1 app conversation system.""" + logger.info('[GitLab V1]: Creating V1 conversation') + + user_instructions, conversation_instructions = await self._get_instructions( + jinja_env + ) + + # Create the initial message request + initial_message = SendMessageRequest( + role='user', content=[TextContent(text=user_instructions)] + ) + + # Create the GitLab V1 callback processor + gitlab_callback_processor = self._create_gitlab_v1_callback_processor() + + # Get the app conversation service and start the conversation + injector_state = InjectorState() + + # Determine the title based on whether it's an MR or issue + title_prefix = 'GitLab MR' if self.is_mr else 'GitLab Issue' + title = f'{title_prefix} #{self.issue_number}: {self.title}' + + # Create the V1 conversation start request with the callback processor + start_request = AppConversationStartRequest( + conversation_id=UUID(conversation_metadata.conversation_id), + system_message_suffix=conversation_instructions, + initial_message=initial_message, + selected_repository=self.full_repo_name, + selected_branch=self._get_branch_name(), + git_provider=ProviderType.GITLAB, + title=title, + trigger=ConversationTrigger.RESOLVER, + processors=[ + gitlab_callback_processor + ], # Pass the callback processor directly + ) + + # Set up the GitLab user context for the V1 system + gitlab_user_context = ResolverUserContext(saas_user_auth=saas_user_auth) + setattr(injector_state, USER_CONTEXT_ATTR, gitlab_user_context) + + async with get_app_conversation_service( + injector_state + ) as app_conversation_service: + async for task in app_conversation_service.start_app_conversation( + start_request + ): + if task.status == AppConversationStartTaskStatus.ERROR: + logger.error(f'Failed to start V1 conversation: {task.detail}') + raise RuntimeError( + f'Failed to start V1 conversation: {task.detail}' + ) + + def _create_gitlab_v1_callback_processor(self): + """Create a V1 callback processor for GitLab integration.""" + from integrations.gitlab.gitlab_v1_callback_processor import ( + GitlabV1CallbackProcessor, + ) + + # Create and return the GitLab V1 callback processor + return GitlabV1CallbackProcessor( + gitlab_view_data={ + 'issue_number': self.issue_number, + 'project_id': self.project_id, + 'full_repo_name': self.full_repo_name, + 'installation_id': self.installation_id, + 'keycloak_user_id': self.user_info.keycloak_user_id, + 'is_mr': self.is_mr, + 'discussion_id': getattr(self, 'discussion_id', None), + }, + send_summary_instruction=self.send_summary_instruction, ) - self.conversation_id = agent_loop_info.conversation_id - return self.conversation_id @dataclass @@ -138,6 +296,9 @@ class GitlabIssueComment(GitlabIssue): class GitlabMRComment(GitlabIssueComment): branch_name: str + def _get_branch_name(self) -> str | None: + return self.branch_name + async def _get_instructions(self, jinja_env: Environment) -> tuple[str, str]: user_instructions_template = jinja_env.get_template('mr_update_prompt.j2') await self._load_resolver_context() @@ -159,29 +320,6 @@ class GitlabMRComment(GitlabIssueComment): return user_instructions, conversation_instructions - async def create_new_conversation( - self, jinja_env: Environment, git_provider_tokens: PROVIDER_TOKEN_TYPE - ): - custom_secrets = await self._get_user_secrets() - - user_instructions, conversation_instructions = await self._get_instructions( - jinja_env - ) - agent_loop_info = await create_new_conversation( - user_id=self.user_info.keycloak_user_id, - git_provider_tokens=git_provider_tokens, - custom_secrets=custom_secrets, - selected_repository=self.full_repo_name, - selected_branch=self.branch_name, - initial_user_msg=user_instructions, - conversation_instructions=conversation_instructions, - image_urls=None, - conversation_trigger=ConversationTrigger.RESOLVER, - replay_json=None, - ) - self.conversation_id = agent_loop_info.conversation_id - return self.conversation_id - @dataclass class GitlabInlineMRComment(GitlabMRComment): @@ -322,6 +460,12 @@ class GitlabFactory: user_id=user_id, username=username, keycloak_user_id=keycloak_user_id ) + # Check v1_enabled at construction time - this is the source of truth + v1_enabled = await is_v1_enabled_for_gitlab_resolver(keycloak_user_id) + logger.info( + f'[GitLab V1]: User flag found for {keycloak_user_id} is {v1_enabled}' + ) + if GitlabFactory.is_labeled_issue(message): issue_iid = payload['object_attributes']['iid'] @@ -343,6 +487,7 @@ class GitlabFactory: description='', previous_comments=[], is_mr=False, + v1_enabled=v1_enabled, ) elif GitlabFactory.is_issue_comment(message): @@ -373,6 +518,7 @@ class GitlabFactory: description='', previous_comments=[], is_mr=False, + v1_enabled=v1_enabled, ) elif GitlabFactory.is_mr_comment(message): @@ -405,6 +551,7 @@ class GitlabFactory: description='', previous_comments=[], is_mr=True, + v1_enabled=v1_enabled, ) elif GitlabFactory.is_mr_comment(message, inline=True): @@ -445,6 +592,7 @@ class GitlabFactory: description='', previous_comments=[], is_mr=True, + v1_enabled=v1_enabled, ) raise ValueError(f'Unhandled GitLab webhook event: {message}') diff --git a/enterprise/integrations/types.py b/enterprise/integrations/types.py index 7b7446fe82..6ecd83a93e 100644 --- a/enterprise/integrations/types.py +++ b/enterprise/integrations/types.py @@ -1,9 +1,17 @@ from dataclasses import dataclass from enum import Enum +from typing import TYPE_CHECKING from jinja2 import Environment from pydantic import BaseModel +if TYPE_CHECKING: + from integrations.models import Message + + from openhands.integrations.provider import PROVIDER_TOKEN_TYPE + from openhands.server.user_auth.user_auth import UserAuth + from openhands.storage.data_models.conversation_metadata import ConversationMetadata + class GitLabResourceType(Enum): GROUP = 'group' @@ -31,17 +39,41 @@ class SummaryExtractionTracker: @dataclass class ResolverViewInterface(SummaryExtractionTracker): - installation_id: int + # installation_id type varies by provider: + # - GitHub: int (GitHub App installation ID) + # - GitLab: str (webhook installation ID from our DB) + installation_id: int | str user_info: UserData issue_number: int full_repo_name: str is_public_repo: bool - raw_payload: dict + raw_payload: 'Message' async def _get_instructions(self, jinja_env: Environment) -> tuple[str, str]: - "Instructions passed when conversation is first initialized" + """Instructions passed when conversation is first initialized.""" raise NotImplementedError() - async def create_new_conversation(self, jinja_env: Environment, token: str): - "Create a new conversation" + async def initialize_new_conversation(self) -> 'ConversationMetadata': + """Initialize a new conversation and return metadata. + + For V1 conversations, creates a dummy ConversationMetadata. + For V0 conversations, initializes through the conversation store. + """ + raise NotImplementedError() + + async def create_new_conversation( + self, + jinja_env: Environment, + git_provider_tokens: 'PROVIDER_TOKEN_TYPE', + conversation_metadata: 'ConversationMetadata', + saas_user_auth: 'UserAuth', + ) -> None: + """Create a new conversation. + + Args: + jinja_env: Jinja2 environment for template rendering + git_provider_tokens: Token mapping for git providers + conversation_metadata: Metadata for the conversation + saas_user_auth: User authentication for SaaS + """ raise NotImplementedError() diff --git a/enterprise/integrations/utils.py b/enterprise/integrations/utils.py index 6b2cbcd042..b038c0c542 100644 --- a/enterprise/integrations/utils.py +++ b/enterprise/integrations/utils.py @@ -32,7 +32,8 @@ if TYPE_CHECKING: HOST = WEB_HOST # ---- DO NOT REMOVE ---- -HOST_URL = f'https://{HOST}' if 'localhost' not in HOST else f'http://{HOST}' +IS_LOCAL_DEPLOYMENT = 'localhost' in HOST +HOST_URL = f'https://{HOST}' if not IS_LOCAL_DEPLOYMENT else f'http://{HOST}' GITHUB_WEBHOOK_URL = f'{HOST_URL}/integration/github/events' GITLAB_WEBHOOK_URL = f'{HOST_URL}/integration/gitlab/events' conversation_prefix = 'conversations/{}' @@ -78,6 +79,11 @@ ENABLE_V1_SLACK_RESOLVER = ( os.getenv('ENABLE_V1_SLACK_RESOLVER', 'false').lower() == 'true' ) +# Toggle for V1 GitLab resolver feature +ENABLE_V1_GITLAB_RESOLVER = ( + os.getenv('ENABLE_V1_GITLAB_RESOLVER', 'false').lower() == 'true' +) + OPENHANDS_RESOLVER_TEMPLATES_DIR = ( os.getenv('OPENHANDS_RESOLVER_TEMPLATES_DIR') or 'openhands/integrations/templates/resolver/' diff --git a/enterprise/server/routes/integration/gitlab.py b/enterprise/server/routes/integration/gitlab.py index acdb93c6fa..2b6cbe6fd5 100644 --- a/enterprise/server/routes/integration/gitlab.py +++ b/enterprise/server/routes/integration/gitlab.py @@ -13,7 +13,7 @@ from integrations.gitlab.webhook_installation import ( ) from integrations.models import Message, SourceType from integrations.types import GitLabResourceType -from integrations.utils import GITLAB_WEBHOOK_URL +from integrations.utils import GITLAB_WEBHOOK_URL, IS_LOCAL_DEPLOYMENT from pydantic import BaseModel from server.auth.token_manager import TokenManager from storage.gitlab_webhook import GitlabWebhook @@ -68,9 +68,12 @@ async def verify_gitlab_signature( if not header_webhook_secret or not webhook_uuid or not user_id: raise HTTPException(status_code=403, detail='Required payload headers missing!') - webhook_secret = await webhook_store.get_webhook_secret( - webhook_uuid=webhook_uuid, user_id=user_id - ) + if IS_LOCAL_DEPLOYMENT: + webhook_secret = 'localdeploymentwebhooktesttoken' + else: + webhook_secret = await webhook_store.get_webhook_secret( + webhook_uuid=webhook_uuid, user_id=user_id + ) if header_webhook_secret != webhook_secret: raise HTTPException(status_code=403, detail="Request signatures didn't match!") diff --git a/enterprise/tests/unit/integrations/gitlab/test_gitlab_manager.py b/enterprise/tests/unit/integrations/gitlab/test_gitlab_manager.py new file mode 100644 index 0000000000..535f44a0e1 --- /dev/null +++ b/enterprise/tests/unit/integrations/gitlab/test_gitlab_manager.py @@ -0,0 +1,286 @@ +""" +Tests for GitlabManager V0/V1 conditional job creation flow. + +Covers: +- V0 path: register_callback_processor is called +- V1 path: register_callback_processor is NOT called (V1 uses event callbacks instead) +""" + +from unittest.mock import AsyncMock, MagicMock, patch + +import pytest +from integrations.gitlab.gitlab_view import GitlabIssue +from integrations.types import UserData + +from openhands.storage.data_models.conversation_metadata import ConversationMetadata + + +@pytest.fixture +def mock_gitlab_view_v0(): + """Create a mock GitlabIssue view with V1 disabled (V0 path).""" + return GitlabIssue( + installation_id='test_installation', + issue_number=42, + project_id=12345, + full_repo_name='test-group/test-repo', + is_public_repo=True, + user_info=UserData( + user_id='123', + username='test_user', + keycloak_user_id='keycloak_test_user', + ), + raw_payload={'source': 'gitlab', 'message': {'test': 'data'}}, + conversation_id='test_conversation_v0', + should_extract=True, + send_summary_instruction=True, + title='Test Issue', + description='Test description', + previous_comments=[], + is_mr=False, + v1_enabled=False, + ) + + +@pytest.fixture +def mock_gitlab_view_v1(): + """Create a mock GitlabIssue view with V1 enabled.""" + return GitlabIssue( + installation_id='test_installation', + issue_number=42, + project_id=12345, + full_repo_name='test-group/test-repo', + is_public_repo=True, + user_info=UserData( + user_id='123', + username='test_user', + keycloak_user_id='keycloak_test_user', + ), + raw_payload={'source': 'gitlab', 'message': {'test': 'data'}}, + conversation_id='test_conversation_v1', + should_extract=True, + send_summary_instruction=True, + title='Test Issue', + description='Test description', + previous_comments=[], + is_mr=False, + v1_enabled=True, + ) + + +@pytest.fixture +def mock_token_manager(): + """Create a mock TokenManager.""" + token_manager = MagicMock() + token_manager.get_idp_token_from_idp_user_id = AsyncMock(return_value='test_token') + token_manager.get_user_id_from_idp_user_id = AsyncMock( + return_value='keycloak_test_user' + ) + return token_manager + + +@pytest.fixture +def mock_saas_user_auth(): + """Create a mock SaasUserAuth.""" + return MagicMock() + + +@pytest.fixture +def mock_convo_metadata(): + """Create a mock ConversationMetadata.""" + return ConversationMetadata( + conversation_id='test_conversation_id', + selected_repository='test-group/test-repo', + ) + + +class TestGitlabManagerV0V1ConditionalJobCreation: + """Test the conditional V0/V1 job creation flow in GitlabManager.start_job().""" + + @pytest.mark.asyncio + @patch('integrations.gitlab.gitlab_manager.register_callback_processor') + @patch('integrations.gitlab.gitlab_manager.get_saas_user_auth') + @patch( + 'integrations.gitlab.gitlab_manager.GitlabManager.send_message', + new_callable=AsyncMock, + ) + async def test_v0_path_registers_callback_processor( + self, + mock_send_message, + mock_get_saas_user_auth, + mock_register_callback_processor, + mock_token_manager, + mock_gitlab_view_v0, + mock_saas_user_auth, + mock_convo_metadata, + ): + """Test that V0 path calls register_callback_processor for legacy callback handling.""" + from integrations.gitlab.gitlab_manager import GitlabManager + + # Setup mocks + mock_get_saas_user_auth.return_value = mock_saas_user_auth + + # Mock the view's methods + mock_gitlab_view_v0.initialize_new_conversation = AsyncMock( + return_value=mock_convo_metadata + ) + mock_gitlab_view_v0.create_new_conversation = AsyncMock() + + # Create manager instance + manager = GitlabManager(token_manager=mock_token_manager, data_collector=None) + + # Call start_job + await manager.start_job(mock_gitlab_view_v0) + + # Assert: V0 path should register callback processor + mock_register_callback_processor.assert_called_once() + + # Verify the callback processor was created with correct conversation_id + call_args = mock_register_callback_processor.call_args + assert call_args[0][0] == 'test_conversation_v0' + + # Verify acknowledgment message was sent + mock_send_message.assert_called_once() + + @pytest.mark.asyncio + @patch('integrations.gitlab.gitlab_manager.register_callback_processor') + @patch('integrations.gitlab.gitlab_manager.get_saas_user_auth') + @patch( + 'integrations.gitlab.gitlab_manager.GitlabManager.send_message', + new_callable=AsyncMock, + ) + async def test_v1_path_does_not_register_callback_processor( + self, + mock_send_message, + mock_get_saas_user_auth, + mock_register_callback_processor, + mock_token_manager, + mock_gitlab_view_v1, + mock_saas_user_auth, + mock_convo_metadata, + ): + """Test that V1 path does NOT call register_callback_processor. + + V1 uses the new event callback system instead of the legacy + register_callback_processor mechanism. + """ + from integrations.gitlab.gitlab_manager import GitlabManager + + # Setup mocks + mock_get_saas_user_auth.return_value = mock_saas_user_auth + + # Mock the view's methods + mock_gitlab_view_v1.initialize_new_conversation = AsyncMock( + return_value=mock_convo_metadata + ) + mock_gitlab_view_v1.create_new_conversation = AsyncMock() + + # Create manager instance + manager = GitlabManager(token_manager=mock_token_manager, data_collector=None) + + # Call start_job + await manager.start_job(mock_gitlab_view_v1) + + # Assert: V1 path should NOT register callback processor + mock_register_callback_processor.assert_not_called() + + # Verify acknowledgment message was still sent + mock_send_message.assert_called_once() + + @pytest.mark.asyncio + @patch('integrations.gitlab.gitlab_manager.register_callback_processor') + @patch('integrations.gitlab.gitlab_manager.get_saas_user_auth') + @patch( + 'integrations.gitlab.gitlab_manager.GitlabManager.send_message', + new_callable=AsyncMock, + ) + async def test_v1_enabled_flag_determines_callback_registration( + self, + mock_send_message, + mock_get_saas_user_auth, + mock_register_callback_processor, + mock_token_manager, + mock_gitlab_view_v0, + mock_saas_user_auth, + mock_convo_metadata, + ): + """Test that the v1_enabled flag on the view determines the callback registration path. + + This test verifies the conditional logic: + - if not gitlab_view.v1_enabled: register_callback_processor is called + - else: register_callback_processor is NOT called + """ + from integrations.gitlab.gitlab_manager import GitlabManager + + # Setup mocks + mock_get_saas_user_auth.return_value = mock_saas_user_auth + mock_gitlab_view_v0.initialize_new_conversation = AsyncMock( + return_value=mock_convo_metadata + ) + mock_gitlab_view_v0.create_new_conversation = AsyncMock() + + manager = GitlabManager(token_manager=mock_token_manager, data_collector=None) + + # Test with v1_enabled = False (V0 path) + mock_gitlab_view_v0.v1_enabled = False + await manager.start_job(mock_gitlab_view_v0) + assert mock_register_callback_processor.call_count == 1 + + # Reset mocks + mock_register_callback_processor.reset_mock() + mock_send_message.reset_mock() + + # Test with v1_enabled = True (V1 path) + mock_gitlab_view_v0.v1_enabled = True + mock_gitlab_view_v0.conversation_id = 'test_conversation_v1_toggled' + await manager.start_job(mock_gitlab_view_v0) + assert mock_register_callback_processor.call_count == 0 + + @pytest.mark.asyncio + @patch('integrations.gitlab.gitlab_manager.register_callback_processor') + @patch('integrations.gitlab.gitlab_manager.get_saas_user_auth') + @patch( + 'integrations.gitlab.gitlab_manager.GitlabManager.send_message', + new_callable=AsyncMock, + ) + async def test_callback_processor_receives_correct_gitlab_view( + self, + mock_send_message, + mock_get_saas_user_auth, + mock_register_callback_processor, + mock_token_manager, + mock_gitlab_view_v0, + mock_saas_user_auth, + mock_convo_metadata, + ): + """Test that the GitlabCallbackProcessor receives the correct gitlab_view.""" + from integrations.gitlab.gitlab_manager import GitlabManager + from server.conversation_callback_processor.gitlab_callback_processor import ( + GitlabCallbackProcessor, + ) + + # Setup mocks + mock_get_saas_user_auth.return_value = mock_saas_user_auth + mock_gitlab_view_v0.initialize_new_conversation = AsyncMock( + return_value=mock_convo_metadata + ) + mock_gitlab_view_v0.create_new_conversation = AsyncMock() + + manager = GitlabManager(token_manager=mock_token_manager, data_collector=None) + + # Call start_job + await manager.start_job(mock_gitlab_view_v0) + + # Verify register_callback_processor was called with correct arguments + mock_register_callback_processor.assert_called_once() + call_args = mock_register_callback_processor.call_args + + # First argument should be conversation_id + conversation_id = call_args[0][0] + assert conversation_id == 'test_conversation_v0' + + # Second argument should be a GitlabCallbackProcessor instance + processor = call_args[0][1] + assert isinstance(processor, GitlabCallbackProcessor) + assert processor.gitlab_view.issue_number == mock_gitlab_view_v0.issue_number + assert processor.gitlab_view.project_id == mock_gitlab_view_v0.project_id + assert processor.send_summary_instruction is True diff --git a/enterprise/tests/unit/integrations/gitlab/test_gitlab_v1_callback_processor.py b/enterprise/tests/unit/integrations/gitlab/test_gitlab_v1_callback_processor.py new file mode 100644 index 0000000000..edc50f1477 --- /dev/null +++ b/enterprise/tests/unit/integrations/gitlab/test_gitlab_v1_callback_processor.py @@ -0,0 +1,376 @@ +""" +Tests for the GitlabV1CallbackProcessor. + +Covers: +- Event filtering +- Successful summary + GitLab posting +- Error conditions (missing keycloak_user_id) +- Post to issue vs MR +""" + +from unittest.mock import AsyncMock, MagicMock, patch +from uuid import uuid4 + +import pytest +from integrations.gitlab.gitlab_v1_callback_processor import ( + GitlabV1CallbackProcessor, +) + +from openhands.app_server.app_conversation.app_conversation_models import ( + AppConversationInfo, +) +from openhands.app_server.event_callback.event_callback_models import EventCallback +from openhands.app_server.event_callback.event_callback_result_models import ( + EventCallbackResultStatus, +) +from openhands.app_server.sandbox.sandbox_models import ( + ExposedUrl, + SandboxInfo, + SandboxStatus, +) +from openhands.events.action.message import MessageAction +from openhands.sdk.event import ConversationStateUpdateEvent + +# --------------------------------------------------------------------------- +# Fixtures +# --------------------------------------------------------------------------- + + +@pytest.fixture +def gitlab_callback_processor(): + return GitlabV1CallbackProcessor( + gitlab_view_data={ + 'keycloak_user_id': 'test_keycloak_user', + 'project_id': '12345', + 'issue_number': '42', + 'discussion_id': 'discussion_123', + 'is_mr': False, + }, + should_request_summary=True, + inline_mr_comment=False, + ) + + +@pytest.fixture +def gitlab_callback_processor_mr(): + return GitlabV1CallbackProcessor( + gitlab_view_data={ + 'keycloak_user_id': 'test_keycloak_user', + 'project_id': '12345', + 'issue_number': '42', + 'discussion_id': 'discussion_123', + 'is_mr': True, + }, + should_request_summary=True, + inline_mr_comment=True, + ) + + +@pytest.fixture +def conversation_state_update_event(): + return ConversationStateUpdateEvent(key='execution_status', value='finished') + + +@pytest.fixture +def wrong_event(): + return MessageAction(content='Hello world') + + +@pytest.fixture +def wrong_state_event(): + return ConversationStateUpdateEvent(key='execution_status', value='running') + + +@pytest.fixture +def event_callback(): + return EventCallback( + id=uuid4(), + conversation_id=uuid4(), + processor=GitlabV1CallbackProcessor(), + event_kind='ConversationStateUpdateEvent', + ) + + +@pytest.fixture +def mock_app_conversation_info(): + return AppConversationInfo( + conversation_id=uuid4(), + sandbox_id='sandbox_123', + title='Test Conversation', + created_by_user_id='test_user_123', + ) + + +@pytest.fixture +def mock_sandbox_info(): + return SandboxInfo( + id='sandbox_123', + status=SandboxStatus.RUNNING, + session_api_key='test_api_key', + created_by_user_id='test_user_123', + sandbox_spec_id='spec_123', + exposed_urls=[ + ExposedUrl(name='AGENT_SERVER', url='http://localhost:8000', port=8000), + ], + ) + + +# --------------------------------------------------------------------------- +# Helper for common service mocks +# --------------------------------------------------------------------------- + + +async def _setup_happy_path_services( + mock_get_app_conversation_info_service, + mock_get_sandbox_service, + mock_get_httpx_client, + app_conversation_info, + sandbox_info, + agent_response_text='Test summary from agent', +): + # app_conversation_info_service + mock_app_conversation_info_service = AsyncMock() + mock_app_conversation_info_service.get_app_conversation_info.return_value = ( + app_conversation_info + ) + mock_get_app_conversation_info_service.return_value.__aenter__.return_value = ( + mock_app_conversation_info_service + ) + + # sandbox_service + mock_sandbox_service = AsyncMock() + mock_sandbox_service.get_sandbox.return_value = sandbox_info + mock_get_sandbox_service.return_value.__aenter__.return_value = mock_sandbox_service + + # httpx_client + mock_httpx_client = AsyncMock() + mock_response = MagicMock() + mock_response.json.return_value = {'response': agent_response_text} + mock_response.raise_for_status.return_value = None + mock_httpx_client.post.return_value = mock_response + mock_get_httpx_client.return_value.__aenter__.return_value = mock_httpx_client + + return mock_httpx_client + + +# --------------------------------------------------------------------------- +# Tests +# --------------------------------------------------------------------------- + + +class TestGitlabV1CallbackProcessor: + async def test_call_with_wrong_event_type( + self, gitlab_callback_processor, wrong_event, event_callback + ): + result = await gitlab_callback_processor( + conversation_id=uuid4(), + callback=event_callback, + event=wrong_event, + ) + assert result is None + + async def test_call_with_wrong_state_event( + self, gitlab_callback_processor, wrong_state_event, event_callback + ): + result = await gitlab_callback_processor( + conversation_id=uuid4(), + callback=event_callback, + event=wrong_state_event, + ) + assert result is None + + async def test_call_should_request_summary_false( + self, gitlab_callback_processor, conversation_state_update_event, event_callback + ): + gitlab_callback_processor.should_request_summary = False + + result = await gitlab_callback_processor( + conversation_id=uuid4(), + callback=event_callback, + event=conversation_state_update_event, + ) + assert result is None + + # ------------------------------------------------------------------ # + # Successful paths + # ------------------------------------------------------------------ # + + @patch('openhands.app_server.config.get_app_conversation_info_service') + @patch('openhands.app_server.config.get_sandbox_service') + @patch('openhands.app_server.config.get_httpx_client') + @patch('integrations.gitlab.gitlab_v1_callback_processor.get_summary_instruction') + @patch('openhands.integrations.gitlab.gitlab_service.GitLabServiceImpl') + async def test_successful_callback_execution_issue( + self, + mock_gitlab_service_impl, + mock_get_summary_instruction, + mock_get_httpx_client, + mock_get_sandbox_service, + mock_get_app_conversation_info_service, + gitlab_callback_processor, + conversation_state_update_event, + event_callback, + mock_app_conversation_info, + mock_sandbox_info, + ): + conversation_id = uuid4() + + # Common service mocks + mock_httpx_client = await _setup_happy_path_services( + mock_get_app_conversation_info_service, + mock_get_sandbox_service, + mock_get_httpx_client, + mock_app_conversation_info, + mock_sandbox_info, + ) + + mock_get_summary_instruction.return_value = 'Please provide a summary' + + # GitLab service mock + mock_gitlab_service = AsyncMock() + mock_gitlab_service_impl.return_value = mock_gitlab_service + + result = await gitlab_callback_processor( + conversation_id=conversation_id, + callback=event_callback, + event=conversation_state_update_event, + ) + + assert result is not None + assert result.status == EventCallbackResultStatus.SUCCESS + assert result.event_callback_id == event_callback.id + assert result.event_id == conversation_state_update_event.id + assert result.conversation_id == conversation_id + assert result.detail == 'Test summary from agent' + assert gitlab_callback_processor.should_request_summary is False + + # Verify GitLab service was called correctly for issue + mock_gitlab_service_impl.assert_called_once_with( + external_auth_id='test_keycloak_user' + ) + mock_gitlab_service.reply_to_issue.assert_called_once_with( + '12345', '42', 'discussion_123', 'Test summary from agent' + ) + mock_gitlab_service.reply_to_mr.assert_not_called() + + # Verify httpx call + mock_httpx_client.post.assert_called_once() + url_arg, kwargs = mock_httpx_client.post.call_args + url = url_arg[0] if url_arg else kwargs['url'] + assert 'ask_agent' in url + assert kwargs['headers']['X-Session-API-Key'] == 'test_api_key' + assert kwargs['json']['question'] == 'Please provide a summary' + + @patch('openhands.app_server.config.get_app_conversation_info_service') + @patch('openhands.app_server.config.get_sandbox_service') + @patch('openhands.app_server.config.get_httpx_client') + @patch('integrations.gitlab.gitlab_v1_callback_processor.get_summary_instruction') + @patch('openhands.integrations.gitlab.gitlab_service.GitLabServiceImpl') + async def test_successful_callback_execution_mr( + self, + mock_gitlab_service_impl, + mock_get_summary_instruction, + mock_get_httpx_client, + mock_get_sandbox_service, + mock_get_app_conversation_info_service, + gitlab_callback_processor_mr, + conversation_state_update_event, + event_callback, + mock_app_conversation_info, + mock_sandbox_info, + ): + conversation_id = uuid4() + + await _setup_happy_path_services( + mock_get_app_conversation_info_service, + mock_get_sandbox_service, + mock_get_httpx_client, + mock_app_conversation_info, + mock_sandbox_info, + ) + + mock_get_summary_instruction.return_value = 'Please provide a summary' + + # GitLab service mock + mock_gitlab_service = AsyncMock() + mock_gitlab_service_impl.return_value = mock_gitlab_service + + result = await gitlab_callback_processor_mr( + conversation_id=conversation_id, + callback=event_callback, + event=conversation_state_update_event, + ) + + assert result is not None + assert result.status == EventCallbackResultStatus.SUCCESS + + # Verify GitLab service was called correctly for MR + mock_gitlab_service.reply_to_mr.assert_called_once_with( + '12345', '42', 'discussion_123', 'Test summary from agent' + ) + mock_gitlab_service.reply_to_issue.assert_not_called() + + # ------------------------------------------------------------------ # + # Error paths + # ------------------------------------------------------------------ # + + async def test_post_summary_to_gitlab_missing_keycloak_user_id( + self, gitlab_callback_processor + ): + gitlab_callback_processor.gitlab_view_data['keycloak_user_id'] = None + + with pytest.raises(RuntimeError, match='Missing keycloak user ID for GitLab'): + await gitlab_callback_processor._post_summary_to_gitlab('Test summary') + + @patch('openhands.app_server.config.get_app_conversation_info_service') + @patch('openhands.app_server.config.get_sandbox_service') + @patch('openhands.app_server.config.get_httpx_client') + @patch('integrations.gitlab.gitlab_v1_callback_processor.get_summary_instruction') + @patch('openhands.integrations.gitlab.gitlab_service.GitLabServiceImpl') + async def test_exception_handling_posts_error_to_gitlab( + self, + mock_gitlab_service_impl, + mock_get_summary_instruction, + mock_get_httpx_client, + mock_get_sandbox_service, + mock_get_app_conversation_info_service, + gitlab_callback_processor, + conversation_state_update_event, + event_callback, + mock_app_conversation_info, + mock_sandbox_info, + ): + conversation_id = uuid4() + + # Setup services, but make httpx fail + mock_httpx_client = await _setup_happy_path_services( + mock_get_app_conversation_info_service, + mock_get_sandbox_service, + mock_get_httpx_client, + mock_app_conversation_info, + mock_sandbox_info, + ) + mock_httpx_client.post.side_effect = Exception('Simulated agent server error') + mock_get_summary_instruction.return_value = 'Please provide a summary' + + # GitLab service mock + mock_gitlab_service = AsyncMock() + mock_gitlab_service_impl.return_value = mock_gitlab_service + + result = await gitlab_callback_processor( + conversation_id=conversation_id, + callback=event_callback, + event=conversation_state_update_event, + ) + + assert result is not None + assert result.status == EventCallbackResultStatus.ERROR + assert 'Simulated agent server error' in result.detail + + # Verify error was posted to GitLab + mock_gitlab_service.reply_to_issue.assert_called_once() + call_args = mock_gitlab_service.reply_to_issue.call_args + error_comment = call_args[0][3] # 4th positional arg is the body + assert 'OpenHands encountered an error' in error_comment + assert 'Simulated agent server error' in error_comment + assert f'conversations/{conversation_id}' in error_comment diff --git a/enterprise/tests/unit/test_gitlab_callback_processor.py b/enterprise/tests/unit/test_gitlab_callback_processor.py index 3eac13b3d0..629c8cd72c 100644 --- a/enterprise/tests/unit/test_gitlab_callback_processor.py +++ b/enterprise/tests/unit/test_gitlab_callback_processor.py @@ -40,6 +40,7 @@ def mock_gitlab_view(): comment_body='sdfs', discussion_id='test_discussion', confidential=False, + v1_enabled=False, ) From 117ea0466ddcb31efd6c8d17c866eb84dd17136d Mon Sep 17 00:00:00 2001 From: mamoodi Date: Tue, 3 Mar 2026 15:18:55 -0500 Subject: [PATCH 13/67] Add script that outputs the PRs between two commits (#13175) --- .github/scripts/find_prs_between_commits.py | 330 ++++++++++++++++++++ 1 file changed, 330 insertions(+) create mode 100644 .github/scripts/find_prs_between_commits.py diff --git a/.github/scripts/find_prs_between_commits.py b/.github/scripts/find_prs_between_commits.py new file mode 100644 index 0000000000..2b7f57e048 --- /dev/null +++ b/.github/scripts/find_prs_between_commits.py @@ -0,0 +1,330 @@ +#!/usr/bin/env python3 +""" +Find all PRs that went in between two commits in the OpenHands/OpenHands repository. +Handles cherry-picks and different merge strategies. + +This script is designed to run from within the OpenHands repository under .github/scripts: + .github/scripts/find_prs_between_commits.py + +Usage: find_prs_between_commits [--repo ] +""" + +import json +import os +import re +import subprocess +import sys +from collections import defaultdict +from pathlib import Path +from typing import Optional + + +def find_openhands_repo() -> Optional[Path]: + """ + Find the OpenHands repository. + Since this script is designed to live in .github/scripts/, it assumes + the repository root is two levels up from the script location. + Tries: + 1. Repository root (../../ from script location) + 2. Current directory + 3. Environment variable OPENHANDS_REPO + """ + # Check repository root (assuming script is in .github/scripts/) + script_dir = Path(__file__).parent.absolute() + repo_root = ( + script_dir.parent.parent + ) # Go up two levels: scripts -> .github -> repo root + if (repo_root / '.git').exists(): + return repo_root + + # Check current directory + if (Path.cwd() / '.git').exists(): + return Path.cwd() + + # Check environment variable + if 'OPENHANDS_REPO' in os.environ: + repo_path = Path(os.environ['OPENHANDS_REPO']) + if (repo_path / '.git').exists(): + return repo_path + + return None + + +def run_git_command(cmd: list[str], repo_path: Path) -> str: + """Run a git command in the repository directory and return its output.""" + try: + result = subprocess.run( + cmd, capture_output=True, text=True, check=True, cwd=str(repo_path) + ) + return result.stdout.strip() + except subprocess.CalledProcessError as e: + print(f'Error running git command: {" ".join(cmd)}', file=sys.stderr) + print(f'Error: {e.stderr}', file=sys.stderr) + sys.exit(1) + + +def extract_pr_numbers_from_message(message: str) -> set[int]: + """Extract PR numbers from commit message in any common format.""" + # Match #12345 anywhere, including in patterns like (#12345) or "Merge pull request #12345" + matches = re.findall(r'#(\d+)', message) + return set(int(m) for m in matches) + + +def get_commit_info(commit_hash: str, repo_path: Path) -> tuple[str, str, str]: + """Get commit subject, body, and author from a commit hash.""" + subject = run_git_command( + ['git', 'log', '-1', '--format=%s', commit_hash], repo_path + ) + body = run_git_command(['git', 'log', '-1', '--format=%b', commit_hash], repo_path) + author = run_git_command( + ['git', 'log', '-1', '--format=%an <%ae>', commit_hash], repo_path + ) + return subject, body, author + + +def get_commits_between( + older_commit: str, newer_commit: str, repo_path: Path +) -> list[str]: + """Get all commit hashes between two commits.""" + commits_output = run_git_command( + ['git', 'rev-list', f'{older_commit}..{newer_commit}'], repo_path + ) + + if not commits_output: + return [] + + return commits_output.split('\n') + + +def get_pr_info_from_github(pr_number: int, repo_path: Path) -> Optional[dict]: + """Get PR information from GitHub API if GITHUB_TOKEN is available.""" + try: + # Set up environment with GitHub token + env = os.environ.copy() + if 'GITHUB_TOKEN' in env: + env['GH_TOKEN'] = env['GITHUB_TOKEN'] + + result = subprocess.run( + [ + 'gh', + 'pr', + 'view', + str(pr_number), + '--json', + 'number,title,author,mergedAt,baseRefName,headRefName,url', + ], + capture_output=True, + text=True, + check=True, + env=env, + cwd=str(repo_path), + ) + return json.loads(result.stdout) + except (subprocess.CalledProcessError, FileNotFoundError, json.JSONDecodeError): + return None + + +def find_prs_between_commits( + older_commit: str, newer_commit: str, repo_path: Path +) -> dict[int, dict]: + """ + Find all PRs that went in between two commits. + Returns a dictionary mapping PR numbers to their information. + """ + print(f'Repository: {repo_path}', file=sys.stderr) + print('Finding PRs between commits:', file=sys.stderr) + print(f' Older: {older_commit}', file=sys.stderr) + print(f' Newer: {newer_commit}', file=sys.stderr) + print(file=sys.stderr) + + # Verify commits exist + try: + run_git_command(['git', 'rev-parse', '--verify', older_commit], repo_path) + run_git_command(['git', 'rev-parse', '--verify', newer_commit], repo_path) + except SystemExit: + print('Error: One or both commits not found in repository', file=sys.stderr) + sys.exit(1) + + # Extract PRs from the older commit itself (to exclude from results) + # These PRs are already included at or before the older commit + older_subject, older_body, _ = get_commit_info(older_commit, repo_path) + older_message = f'{older_subject}\n{older_body}' + excluded_prs = extract_pr_numbers_from_message(older_message) + + if excluded_prs: + print( + f'Excluding PRs already in older commit: {", ".join(f"#{pr}" for pr in sorted(excluded_prs))}', + file=sys.stderr, + ) + print(file=sys.stderr) + + # Get all commits between the two + commits = get_commits_between(older_commit, newer_commit, repo_path) + print(f'Found {len(commits)} commits to analyze', file=sys.stderr) + print(file=sys.stderr) + + # Extract PR numbers from all commits + pr_info: dict[int, dict] = {} + commits_by_pr: dict[int, list[str]] = defaultdict(list) + + for commit_hash in commits: + subject, body, author = get_commit_info(commit_hash, repo_path) + full_message = f'{subject}\n{body}' + + pr_numbers = extract_pr_numbers_from_message(full_message) + + for pr_num in pr_numbers: + # Skip PRs that are already in the older commit + if pr_num in excluded_prs: + continue + + commits_by_pr[pr_num].append(commit_hash) + + if pr_num not in pr_info: + pr_info[pr_num] = { + 'number': pr_num, + 'first_commit': commit_hash[:8], + 'first_commit_subject': subject, + 'commits': [], + 'github_info': None, + } + + pr_info[pr_num]['commits'].append( + {'hash': commit_hash[:8], 'subject': subject, 'author': author} + ) + + # Try to get additional info from GitHub API + print('Fetching additional info from GitHub API...', file=sys.stderr) + for pr_num in pr_info.keys(): + github_info = get_pr_info_from_github(pr_num, repo_path) + if github_info: + pr_info[pr_num]['github_info'] = github_info + + print(file=sys.stderr) + + return pr_info + + +def print_results(pr_info: dict[int, dict]): + """Print the results in a readable format.""" + sorted_prs = sorted(pr_info.items(), key=lambda x: x[0]) + + print(f'{"=" * 80}') + print(f'Found {len(sorted_prs)} PRs') + print(f'{"=" * 80}') + print() + + for pr_num, info in sorted_prs: + print(f'PR #{pr_num}') + + if info['github_info']: + gh = info['github_info'] + print(f' Title: {gh["title"]}') + print(f' Author: {gh["author"]["login"]}') + print(f' URL: {gh["url"]}') + if gh.get('mergedAt'): + print(f' Merged: {gh["mergedAt"]}') + if gh.get('baseRefName'): + print(f' Base: {gh["baseRefName"]} ← {gh["headRefName"]}') + else: + print(f' Subject: {info["first_commit_subject"]}') + + # Show if this PR has multiple commits (cherry-picked or multiple commits) + commit_count = len(info['commits']) + if commit_count > 1: + print( + f' ⚠️ Found {commit_count} commits (possible cherry-pick or multi-commit PR):' + ) + for commit in info['commits'][:3]: # Show first 3 + print(f' {commit["hash"]}: {commit["subject"][:60]}') + if commit_count > 3: + print(f' ... and {commit_count - 3} more') + else: + print(f' Commit: {info["first_commit"]}') + + print() + + +def main(): + if len(sys.argv) < 3: + print('Usage: find_prs_between_commits [options]') + print() + print('Arguments:') + print(' The older commit hash (or ref)') + print(' The newer commit hash (or ref)') + print() + print('Options:') + print(' --json Output results in JSON format') + print(' --repo Path to OpenHands repository (default: auto-detect)') + print() + print('Example:') + print( + ' find_prs_between_commits c79e0cd3c7a2501a719c9296828d7a31e4030585 35bddb14f15124a3dc448a74651a6592911d99e9' + ) + print() + print('Repository Detection:') + print(' The script will try to find the OpenHands repository in this order:') + print(' 1. --repo argument') + print(' 2. Repository root (../../ from script location)') + print(' 3. Current directory') + print(' 4. OPENHANDS_REPO environment variable') + print() + print('Environment variables:') + print( + ' GITHUB_TOKEN Optional. If set, will fetch additional PR info from GitHub API' + ) + print(' OPENHANDS_REPO Optional. Path to OpenHands repository') + sys.exit(1) + + older_commit = sys.argv[1] + newer_commit = sys.argv[2] + json_output = '--json' in sys.argv + + # Check for --repo argument + repo_path = None + if '--repo' in sys.argv: + repo_idx = sys.argv.index('--repo') + if repo_idx + 1 < len(sys.argv): + repo_path = Path(sys.argv[repo_idx + 1]) + if not (repo_path / '.git').exists(): + print(f'Error: {repo_path} is not a git repository', file=sys.stderr) + sys.exit(1) + + # Auto-detect repository if not specified + if repo_path is None: + repo_path = find_openhands_repo() + if repo_path is None: + print('Error: Could not find OpenHands repository', file=sys.stderr) + print('Please either:', file=sys.stderr) + print( + ' 1. Place this script in .github/scripts/ within the OpenHands repository', + file=sys.stderr, + ) + print(' 2. Run from the OpenHands repository directory', file=sys.stderr) + print( + ' 3. Use --repo to specify the repository location', + file=sys.stderr, + ) + print(' 4. Set OPENHANDS_REPO environment variable', file=sys.stderr) + sys.exit(1) + + # Find PRs + pr_info = find_prs_between_commits(older_commit, newer_commit, repo_path) + + if json_output: + # Output as JSON + print(json.dumps(pr_info, indent=2)) + else: + # Print results in human-readable format + print_results(pr_info) + + # Also print a simple list for easy copying + print(f'{"=" * 80}') + print('PR Numbers (for easy copying):') + print(f'{"=" * 80}') + sorted_pr_nums = sorted(pr_info.keys()) + print(', '.join(f'#{pr}' for pr in sorted_pr_nums)) + + +if __name__ == '__main__': + main() From 6dff07ea355d516d19de719c843f7ddcfa294441 Mon Sep 17 00:00:00 2001 From: Rohit Malhotra Date: Tue, 3 Mar 2026 15:22:54 -0500 Subject: [PATCH 14/67] Fix union-attr mypy errors in enterprise code (#13176) Co-authored-by: openhands --- .../integrations/github/github_solvability.py | 5 +++++ enterprise/server/middleware.py | 4 +++- enterprise/server/routes/billing.py | 4 ++++ enterprise/server/routes/email.py | 13 +++++++++++-- enterprise/storage/api_key_store.py | 6 ++++++ enterprise/storage/saas_secrets_store.py | 2 ++ enterprise/storage/user_store.py | 4 ++++ 7 files changed, 35 insertions(+), 3 deletions(-) diff --git a/enterprise/integrations/github/github_solvability.py b/enterprise/integrations/github/github_solvability.py index 52cd4ffe40..c7aaddd184 100644 --- a/enterprise/integrations/github/github_solvability.py +++ b/enterprise/integrations/github/github_solvability.py @@ -106,6 +106,11 @@ async def summarize_issue_solvability( f'Solvability analysis disabled for user {github_view.user_info.user_id}' ) + if user_settings.llm_api_key is None: + raise ValueError( + f'[Solvability] No LLM API key found for user {github_view.user_info.user_id}' + ) + try: llm_config = LLMConfig( model=user_settings.llm_model, diff --git a/enterprise/server/middleware.py b/enterprise/server/middleware.py index 726c552d3b..561b106418 100644 --- a/enterprise/server/middleware.py +++ b/enterprise/server/middleware.py @@ -43,13 +43,15 @@ class SetAuthCookieMiddleware: if not user_auth or user_auth.auth_type != AuthType.COOKIE: return response if user_auth.refreshed: + if user_auth.access_token is None: + return response set_response_cookie( request=request, response=response, keycloak_access_token=user_auth.access_token.get_secret_value(), keycloak_refresh_token=user_auth.refresh_token.get_secret_value(), secure=False if request.url.hostname == 'localhost' else True, - accepted_tos=user_auth.accepted_tos, + accepted_tos=user_auth.accepted_tos or False, ) # On re-authentication (token refresh), kick off background sync for GitLab repos diff --git a/enterprise/server/routes/billing.py b/enterprise/server/routes/billing.py index bdf4b66b15..942b843cb5 100644 --- a/enterprise/server/routes/billing.py +++ b/enterprise/server/routes/billing.py @@ -91,6 +91,8 @@ async def get_credits(user_id: str = Depends(get_user_id)) -> GetCreditsResponse if not stripe_service.STRIPE_API_KEY: return GetCreditsResponse() user = await UserStore.get_user_by_id_async(user_id) + if user is None: + raise HTTPException(status.HTTP_404_NOT_FOUND, detail='User not found') user_team_info = await LiteLlmManager.get_user_team_info( user_id, str(user.current_org_id) ) @@ -247,6 +249,8 @@ async def success_callback(session_id: str, request: Request): raise HTTPException(status.HTTP_400_BAD_REQUEST) user = await UserStore.get_user_by_id_async(billing_session.user_id) + if user is None: + raise HTTPException(status.HTTP_404_NOT_FOUND, detail='User not found') user_team_info = await LiteLlmManager.get_user_team_info( billing_session.user_id, str(user.current_org_id) ) diff --git a/enterprise/server/routes/email.py b/enterprise/server/routes/email.py index 273712751f..7571b619b2 100644 --- a/enterprise/server/routes/email.py +++ b/enterprise/server/routes/email.py @@ -77,13 +77,18 @@ async def update_email( ) # need to set auth cookie to the new tokens + if user_auth.access_token is None: + raise HTTPException( + status_code=status.HTTP_401_UNAUTHORIZED, + detail='Access token not found', + ) set_response_cookie( request=request, response=response, keycloak_access_token=user_auth.access_token.get_secret_value(), keycloak_refresh_token=user_auth.refresh_token.get_secret_value(), secure=False if request.url.hostname == 'localhost' else True, - accepted_tos=user_auth.accepted_tos, + accepted_tos=user_auth.accepted_tos or False, ) await verify_email(request=request, user_id=user_id) @@ -156,13 +161,17 @@ async def verified_email(request: Request): response = RedirectResponse(redirect_uri, status_code=302) # need to set auth cookie to the new tokens + if user_auth.access_token is None: + raise HTTPException( + status_code=status.HTTP_401_UNAUTHORIZED, detail='Access token not found' + ) set_response_cookie( request=request, response=response, keycloak_access_token=user_auth.access_token.get_secret_value(), keycloak_refresh_token=user_auth.refresh_token.get_secret_value(), secure=False if request.url.hostname == 'localhost' else True, - accepted_tos=user_auth.accepted_tos, + accepted_tos=user_auth.accepted_tos or False, ) logger.info(f'Email {user_auth.email} verified.') diff --git a/enterprise/storage/api_key_store.py b/enterprise/storage/api_key_store.py index 3af7424e65..c6a4cbd05d 100644 --- a/enterprise/storage/api_key_store.py +++ b/enterprise/storage/api_key_store.py @@ -38,6 +38,8 @@ class ApiKeyStore: """ api_key = self.generate_api_key() user = await UserStore.get_user_by_id_async(user_id) + if user is None: + raise ValueError(f'User not found: {user_id}') org_id = user.current_org_id async with a_session_maker() as session: @@ -116,6 +118,8 @@ class ApiKeyStore: async def list_api_keys(self, user_id: str) -> list[ApiKey]: """List all API keys for a user.""" user = await UserStore.get_user_by_id_async(user_id) + if user is None: + raise ValueError(f'User not found: {user_id}') org_id = user.current_org_id async with a_session_maker() as session: @@ -129,6 +133,8 @@ class ApiKeyStore: async def retrieve_mcp_api_key(self, user_id: str) -> str | None: user = await UserStore.get_user_by_id_async(user_id) + if user is None: + raise ValueError(f'User not found: {user_id}') org_id = user.current_org_id async with a_session_maker() as session: diff --git a/enterprise/storage/saas_secrets_store.py b/enterprise/storage/saas_secrets_store.py index 0af7fe1745..ccde502cc6 100644 --- a/enterprise/storage/saas_secrets_store.py +++ b/enterprise/storage/saas_secrets_store.py @@ -53,6 +53,8 @@ class SaasSecretsStore(SecretsStore): async def store(self, item: Secrets): user = await UserStore.get_user_by_id_async(self.user_id) + if user is None: + raise ValueError(f'User not found: {self.user_id}') org_id = user.current_org_id async with a_session_maker() as session: diff --git a/enterprise/storage/user_store.py b/enterprise/storage/user_store.py index 1289619a69..67585f154d 100644 --- a/enterprise/storage/user_store.py +++ b/enterprise/storage/user_store.py @@ -88,6 +88,8 @@ class UserStore: session.add(user) role = RoleStore.get_role_by_name('owner') + if role is None: + raise ValueError('Owner role not found in database') from storage.org_member_store import OrgMemberStore @@ -269,6 +271,8 @@ class UserStore: 'user_store:migrate_user:done_get_role_by_name', extra={'user_id': user_id}, ) + if role is None: + raise ValueError('Owner role not found in database') from storage.org_member_store import OrgMemberStore From 5cad59a6610d824fae5b2ca76026b832ea0ae5b8 Mon Sep 17 00:00:00 2001 From: Rohit Malhotra Date: Tue, 3 Mar 2026 15:22:57 -0500 Subject: [PATCH 15/67] Fix UserData validation error when GitHub user has no OpenHands account (#13135) Co-authored-by: openhands --- .../integrations/github/github_manager.py | 82 +++ enterprise/integrations/utils.py | 19 + .../github/test_github_manager.py | 599 ++++++++++++++++++ .../tests/unit/integrations/test_utils.py | 67 ++ 4 files changed, 767 insertions(+) create mode 100644 enterprise/tests/unit/integrations/github/test_github_manager.py diff --git a/enterprise/integrations/github/github_manager.py b/enterprise/integrations/github/github_manager.py index 7d0501dc46..2447b12894 100644 --- a/enterprise/integrations/github/github_manager.py +++ b/enterprise/integrations/github/github_manager.py @@ -23,6 +23,7 @@ from integrations.utils import ( HOST_URL, OPENHANDS_RESOLVER_TEMPLATES_DIR, get_session_expired_message, + get_user_not_found_message, ) from integrations.v1_utils import get_saas_user_auth from jinja2 import Environment, FileSystemLoader @@ -127,6 +128,76 @@ class GithubManager(Manager[GithubViewType]): return False + def _get_issue_number_from_payload(self, message: Message) -> int | None: + """Extract issue/PR number from a GitHub webhook payload. + + Supports all event types that can trigger jobs: + - Labeled issues: payload['issue']['number'] + - Issue comments: payload['issue']['number'] + - PR comments: payload['issue']['number'] (PRs are accessed via issue endpoint) + - Inline PR comments: payload['pull_request']['number'] + + Args: + message: The incoming GitHub webhook message + + Returns: + The issue/PR number, or None if not found + """ + payload = message.message.get('payload', {}) + + # Labeled issues, issue comments, and PR comments all have 'issue' in payload + if 'issue' in payload: + return payload['issue']['number'] + + # Inline PR comments have 'pull_request' directly in payload + if 'pull_request' in payload: + return payload['pull_request']['number'] + + return None + + def _send_user_not_found_message(self, message: Message, username: str): + """Send a message to the user informing them they need to create an OpenHands account. + + This method handles all supported trigger types: + - Labeled issues (action='labeled' with openhands label) + - Issue comments (comment containing @openhands) + - PR comments (comment containing @openhands on a PR) + - Inline PR review comments (comment containing @openhands) + + Args: + message: The incoming GitHub webhook message + username: The GitHub username to mention in the response + """ + payload = message.message.get('payload', {}) + installation_id = message.message['installation'] + repo_obj = payload['repository'] + full_repo_name = self._get_full_repo_name(repo_obj) + + # Get installation token to post the comment + installation_token = self._get_installation_access_token(installation_id) + + # Determine the issue/PR number based on the event type + issue_number = self._get_issue_number_from_payload(message) + + if not issue_number: + logger.warning( + f'[GitHub] Could not determine issue/PR number to send user not found message for {username}. ' + f'Payload keys: {list(payload.keys())}' + ) + return + + # Post the comment + try: + with Github(auth=Auth.Token(installation_token)) as github_client: + repo = github_client.get_repo(full_repo_name) + issue = repo.get_issue(number=issue_number) + issue.create_comment(get_user_not_found_message(username)) + except Exception as e: + logger.error( + f'[GitHub] Failed to send user not found message to {username} ' + f'on {full_repo_name}#{issue_number}: {e}' + ) + async def is_job_requested(self, message: Message) -> bool: self._confirm_incoming_source_type(message) @@ -180,9 +251,20 @@ class GithubManager(Manager[GithubViewType]): if await self.is_job_requested(message): payload = message.message.get('payload', {}) user_id = payload['sender']['id'] + username = payload['sender']['login'] keycloak_user_id = await self.token_manager.get_user_id_from_idp_user_id( user_id, ProviderType.GITHUB ) + + # Check if the user has an OpenHands account + if not keycloak_user_id: + logger.warning( + f'[GitHub] User {username} (id={user_id}) not found in Keycloak. ' + f'User must create an OpenHands account first.' + ) + self._send_user_not_found_message(message, username) + return + github_view = await GithubFactory.create_github_view_from_payload( message, keycloak_user_id ) diff --git a/enterprise/integrations/utils.py b/enterprise/integrations/utils.py index b038c0c542..9adadd5ae6 100644 --- a/enterprise/integrations/utils.py +++ b/enterprise/integrations/utils.py @@ -65,6 +65,25 @@ def get_session_expired_message(username: str | None = None) -> str: return f'Your session has expired. Please login again at [OpenHands Cloud]({HOST_URL}) and try again.' +def get_user_not_found_message(username: str | None = None) -> str: + """Get a user-friendly message when a user hasn't created an OpenHands account. + + Used by integrations to notify users when they try to use OpenHands features + but haven't logged into OpenHands Cloud yet (no Keycloak account exists). + + Args: + username: Optional username to mention in the message. If provided, + the message will include @username prefix (used by Git providers + like GitHub, GitLab, Slack). If None, returns a generic message. + + Returns: + A formatted user not found message + """ + if username: + return f"@{username} it looks like you haven't created an OpenHands account yet. Please sign up at [OpenHands Cloud]({HOST_URL}) and try again." + return f"It looks like you haven't created an OpenHands account yet. Please sign up at [OpenHands Cloud]({HOST_URL}) and try again." + + # Toggle for solvability report feature ENABLE_SOLVABILITY_ANALYSIS = ( os.getenv('ENABLE_SOLVABILITY_ANALYSIS', 'false').lower() == 'true' diff --git a/enterprise/tests/unit/integrations/github/test_github_manager.py b/enterprise/tests/unit/integrations/github/test_github_manager.py new file mode 100644 index 0000000000..864be4ef38 --- /dev/null +++ b/enterprise/tests/unit/integrations/github/test_github_manager.py @@ -0,0 +1,599 @@ +""" +Tests for the GithubManager class. + +Covers: +- User not found scenario when a GitHub user hasn't created an OpenHands account +- Sign-up message posting to GitHub issues/PRs +- All supported trigger types: labeled issues, issue comments, PR comments, inline PR comments +""" + +from unittest.mock import AsyncMock, MagicMock, patch + +import pytest +from integrations.github.github_manager import GithubManager +from integrations.models import Message, SourceType +from integrations.utils import HOST_URL, get_user_not_found_message + + +class TestGithubManagerUserNotFound: + """Test cases for when a valid GitHub user hasn't created an OpenHands account.""" + + @pytest.fixture + def mock_token_manager(self): + """Create a mock token manager.""" + token_manager = MagicMock() + token_manager.get_user_id_from_idp_user_id = AsyncMock(return_value=None) + return token_manager + + @pytest.fixture + def mock_data_collector(self): + """Create a mock data collector.""" + data_collector = MagicMock() + data_collector.process_payload = MagicMock() + return data_collector + + @pytest.fixture + def github_issue_comment_message(self): + """Create a sample GitHub issue comment message with an @openhands mention.""" + return Message( + source=SourceType.GITHUB, + message={ + 'installation': 12345, + 'payload': { + 'action': 'created', + 'sender': { + 'id': 67890, + 'login': 'testuser', + }, + 'repository': { + 'owner': {'login': 'test-owner'}, + 'name': 'test-repo', + }, + 'issue': { + 'number': 42, + }, + 'comment': { + 'body': '@openhands please help with this issue', + }, + }, + }, + ) + + # Alias for backward compatibility with existing tests + @pytest.fixture + def github_issue_message(self, github_issue_comment_message): + """Alias for github_issue_comment_message for backward compatibility.""" + return github_issue_comment_message + + @pytest.fixture + def github_labeled_issue_message(self): + """Create a sample GitHub labeled issue message (when openhands label is added).""" + return Message( + source=SourceType.GITHUB, + message={ + 'installation': 12345, + 'payload': { + 'action': 'labeled', + 'sender': { + 'id': 67890, + 'login': 'labeluser', + }, + 'repository': { + 'owner': {'login': 'test-owner'}, + 'name': 'test-repo', + }, + 'issue': { + 'number': 55, + }, + 'label': { + 'name': 'openhands', + }, + }, + }, + ) + + @pytest.fixture + def github_pr_comment_message(self): + """Create a sample GitHub PR comment message (comment on a PR, accessed via issue endpoint).""" + return Message( + source=SourceType.GITHUB, + message={ + 'installation': 12345, + 'payload': { + 'action': 'created', + 'sender': { + 'id': 67890, + 'login': 'prcommentuser', + }, + 'repository': { + 'owner': {'login': 'test-owner'}, + 'name': 'test-repo', + }, + 'issue': { + 'number': 77, + 'pull_request': { + 'url': 'https://api.github.com/repos/test-owner/test-repo/pulls/77', + }, + }, + 'comment': { + 'body': '@openhands please review this PR', + }, + }, + }, + ) + + @pytest.fixture + def github_inline_pr_comment_message(self): + """Create a sample GitHub inline PR review comment message.""" + return Message( + source=SourceType.GITHUB, + message={ + 'installation': 12345, + 'payload': { + 'action': 'created', + 'sender': { + 'id': 67890, + 'login': 'inlineuser', + }, + 'repository': { + 'owner': {'login': 'test-owner'}, + 'name': 'test-repo', + }, + 'pull_request': { + 'number': 100, + 'head': { + 'ref': 'feature-branch', + }, + }, + 'comment': { + 'id': 12345, + 'node_id': 'PRRC_abc123', + 'body': '@openhands fix this code', + 'path': 'src/main.py', + 'line': 42, + }, + }, + }, + ) + + # Alias for backward compatibility + @pytest.fixture + def github_pr_message(self, github_inline_pr_comment_message): + """Alias for github_inline_pr_comment_message for backward compatibility.""" + return github_inline_pr_comment_message + + @patch('integrations.github.github_manager.Auth') + @patch('integrations.github.github_manager.GithubIntegration') + @patch('integrations.github.github_manager.Github') + def test_send_user_not_found_message_for_issue( + self, + mock_github_class, + mock_github_integration, + mock_auth, + mock_token_manager, + mock_data_collector, + github_issue_message, + ): + """Test that a sign-up message is sent when a valid user hasn't created an OpenHands account on an issue.""" + # Set up mocks + mock_github_instance = MagicMock() + mock_github_class.return_value.__enter__ = MagicMock( + return_value=mock_github_instance + ) + mock_github_class.return_value.__exit__ = MagicMock(return_value=False) + + mock_repo = MagicMock() + mock_issue = MagicMock() + mock_github_instance.get_repo.return_value = mock_repo + mock_repo.get_issue.return_value = mock_issue + + mock_integration_instance = MagicMock() + mock_github_integration.return_value = mock_integration_instance + mock_integration_instance.get_access_token.return_value = MagicMock( + token='fake-token' + ) + + # Create manager and call the method + manager = GithubManager(mock_token_manager, mock_data_collector) + + manager._send_user_not_found_message(github_issue_message, 'testuser') + + # Verify the comment was posted + mock_github_instance.get_repo.assert_called_once_with('test-owner/test-repo') + mock_repo.get_issue.assert_called_once_with(number=42) + + # Verify the comment contains the expected sign-up message + mock_issue.create_comment.assert_called_once() + comment_text = mock_issue.create_comment.call_args[0][0] + assert '@testuser' in comment_text + assert "haven't created an OpenHands account" in comment_text + assert 'sign up' in comment_text.lower() + assert HOST_URL in comment_text + + @patch('integrations.github.github_manager.Auth') + @patch('integrations.github.github_manager.GithubIntegration') + @patch('integrations.github.github_manager.Github') + def test_send_user_not_found_message_for_pr( + self, + mock_github_class, + mock_github_integration, + mock_auth, + mock_token_manager, + mock_data_collector, + github_pr_message, + ): + """Test that a sign-up message is sent when a valid user hasn't created an OpenHands account on a PR.""" + # Set up mocks + mock_github_instance = MagicMock() + mock_github_class.return_value.__enter__ = MagicMock( + return_value=mock_github_instance + ) + mock_github_class.return_value.__exit__ = MagicMock(return_value=False) + + mock_repo = MagicMock() + mock_issue = MagicMock() + mock_github_instance.get_repo.return_value = mock_repo + mock_repo.get_issue.return_value = mock_issue + + mock_integration_instance = MagicMock() + mock_github_integration.return_value = mock_integration_instance + mock_integration_instance.get_access_token.return_value = MagicMock( + token='fake-token' + ) + + # Create manager and call the method + manager = GithubManager(mock_token_manager, mock_data_collector) + + manager._send_user_not_found_message(github_pr_message, 'pruser') + + # Verify the comment was posted with PR number + mock_github_instance.get_repo.assert_called_once_with('test-owner/test-repo') + mock_repo.get_issue.assert_called_once_with(number=100) + + # Verify the comment contains the expected sign-up message + mock_issue.create_comment.assert_called_once() + comment_text = mock_issue.create_comment.call_args[0][0] + assert '@pruser' in comment_text + assert "haven't created an OpenHands account" in comment_text + + @pytest.mark.asyncio + @patch('integrations.github.github_manager.Auth') + @patch('integrations.github.github_manager.GithubIntegration') + @patch('integrations.github.github_manager.Github') + async def test_receive_message_sends_user_not_found_when_keycloak_user_id_is_none( + self, + mock_github_class, + mock_github_integration, + mock_auth, + mock_token_manager, + mock_data_collector, + github_issue_message, + ): + """Test that receive_message sends a sign-up message when get_user_id_from_idp_user_id returns None.""" + # Set up mocks + mock_github_instance = MagicMock() + mock_github_class.return_value.__enter__ = MagicMock( + return_value=mock_github_instance + ) + mock_github_class.return_value.__exit__ = MagicMock(return_value=False) + + mock_repo = MagicMock() + mock_issue = MagicMock() + mock_github_instance.get_repo.return_value = mock_repo + mock_repo.get_issue.return_value = mock_issue + + mock_integration_instance = MagicMock() + mock_github_integration.return_value = mock_integration_instance + mock_integration_instance.get_access_token.return_value = MagicMock( + token='fake-token' + ) + mock_integration_instance.get_github_for_installation.return_value.__enter__ = ( + MagicMock(return_value=mock_github_instance) + ) + mock_integration_instance.get_github_for_installation.return_value.__exit__ = ( + MagicMock(return_value=False) + ) + + # Mock user having write access (so is_job_requested returns True) + mock_repo.get_collaborator_permission.return_value = 'write' + + # Token manager returns None for keycloak_user_id (user hasn't created an account) + mock_token_manager.get_user_id_from_idp_user_id = AsyncMock(return_value=None) + + # Create manager + manager = GithubManager(mock_token_manager, mock_data_collector) + + # Call receive_message + await manager.receive_message(github_issue_message) + + # Verify get_user_id_from_idp_user_id was called + mock_token_manager.get_user_id_from_idp_user_id.assert_called_once() + + # Verify the sign-up message was posted + mock_issue.create_comment.assert_called_once() + comment_text = mock_issue.create_comment.call_args[0][0] + assert '@testuser' in comment_text + assert "haven't created an OpenHands account" in comment_text + assert 'sign up' in comment_text.lower() + + @patch('integrations.github.github_manager.Auth') + @patch('integrations.github.github_manager.GithubIntegration') + @patch('integrations.github.github_manager.logger') + def test_send_user_not_found_message_logs_warning_when_no_issue_number( + self, + mock_logger, + mock_github_integration, + mock_auth, + mock_token_manager, + mock_data_collector, + ): + """Test that a warning is logged when issue/PR number cannot be determined.""" + mock_integration_instance = MagicMock() + mock_github_integration.return_value = mock_integration_instance + mock_integration_instance.get_access_token.return_value = MagicMock( + token='fake-token' + ) + + # Create a message without issue or pull_request + message_without_issue = Message( + source=SourceType.GITHUB, + message={ + 'installation': 12345, + 'payload': { + 'action': 'created', + 'sender': { + 'id': 67890, + 'login': 'testuser', + }, + 'repository': { + 'owner': {'login': 'test-owner'}, + 'name': 'test-repo', + }, + }, + }, + ) + + manager = GithubManager(mock_token_manager, mock_data_collector) + + manager._send_user_not_found_message(message_without_issue, 'testuser') + + # Verify warning was logged + mock_logger.warning.assert_called_once() + assert 'Could not determine issue/PR number' in str( + mock_logger.warning.call_args + ) + + @patch('integrations.github.github_manager.Auth') + @patch('integrations.github.github_manager.GithubIntegration') + @patch('integrations.github.github_manager.Github') + def test_send_user_not_found_message_for_labeled_issue( + self, + mock_github_class, + mock_github_integration, + mock_auth, + mock_token_manager, + mock_data_collector, + github_labeled_issue_message, + ): + """Test that a sign-up message is sent for labeled issue events.""" + # Set up mocks + mock_github_instance = MagicMock() + mock_github_class.return_value.__enter__ = MagicMock( + return_value=mock_github_instance + ) + mock_github_class.return_value.__exit__ = MagicMock(return_value=False) + + mock_repo = MagicMock() + mock_issue = MagicMock() + mock_github_instance.get_repo.return_value = mock_repo + mock_repo.get_issue.return_value = mock_issue + + mock_integration_instance = MagicMock() + mock_github_integration.return_value = mock_integration_instance + mock_integration_instance.get_access_token.return_value = MagicMock( + token='fake-token' + ) + + # Create manager and call the method + manager = GithubManager(mock_token_manager, mock_data_collector) + + manager._send_user_not_found_message(github_labeled_issue_message, 'labeluser') + + # Verify the comment was posted with correct issue number + mock_github_instance.get_repo.assert_called_once_with('test-owner/test-repo') + mock_repo.get_issue.assert_called_once_with(number=55) + + # Verify the comment contains the expected sign-up message + mock_issue.create_comment.assert_called_once() + comment_text = mock_issue.create_comment.call_args[0][0] + assert '@labeluser' in comment_text + assert "haven't created an OpenHands account" in comment_text + assert 'sign up' in comment_text.lower() + + @patch('integrations.github.github_manager.Auth') + @patch('integrations.github.github_manager.GithubIntegration') + @patch('integrations.github.github_manager.Github') + def test_send_user_not_found_message_for_pr_comment_via_issue_endpoint( + self, + mock_github_class, + mock_github_integration, + mock_auth, + mock_token_manager, + mock_data_collector, + github_pr_comment_message, + ): + """Test that a sign-up message is sent for PR comments (accessed via issue endpoint).""" + # Set up mocks + mock_github_instance = MagicMock() + mock_github_class.return_value.__enter__ = MagicMock( + return_value=mock_github_instance + ) + mock_github_class.return_value.__exit__ = MagicMock(return_value=False) + + mock_repo = MagicMock() + mock_issue = MagicMock() + mock_github_instance.get_repo.return_value = mock_repo + mock_repo.get_issue.return_value = mock_issue + + mock_integration_instance = MagicMock() + mock_github_integration.return_value = mock_integration_instance + mock_integration_instance.get_access_token.return_value = MagicMock( + token='fake-token' + ) + + # Create manager and call the method + manager = GithubManager(mock_token_manager, mock_data_collector) + + manager._send_user_not_found_message(github_pr_comment_message, 'prcommentuser') + + # Verify the comment was posted with correct PR number (from issue.number) + mock_github_instance.get_repo.assert_called_once_with('test-owner/test-repo') + mock_repo.get_issue.assert_called_once_with(number=77) + + # Verify the comment contains the expected sign-up message + mock_issue.create_comment.assert_called_once() + comment_text = mock_issue.create_comment.call_args[0][0] + assert '@prcommentuser' in comment_text + assert "haven't created an OpenHands account" in comment_text + assert 'sign up' in comment_text.lower() + + +class TestGetIssueNumberFromPayload: + """Test cases for the _get_issue_number_from_payload helper method.""" + + @pytest.fixture + def mock_token_manager(self): + """Create a mock token manager.""" + token_manager = MagicMock() + return token_manager + + @pytest.fixture + def mock_data_collector(self): + """Create a mock data collector.""" + data_collector = MagicMock() + return data_collector + + @patch('integrations.github.github_manager.Auth') + @patch('integrations.github.github_manager.GithubIntegration') + def test_extracts_issue_number_from_issue_payload( + self, + mock_github_integration, + mock_auth, + mock_token_manager, + mock_data_collector, + ): + """Test extraction from payload with 'issue' key (labeled issues, issue comments, PR comments).""" + message = Message( + source=SourceType.GITHUB, + message={ + 'installation': 12345, + 'payload': { + 'issue': {'number': 42}, + 'repository': {'owner': {'login': 'owner'}, 'name': 'repo'}, + }, + }, + ) + + manager = GithubManager(mock_token_manager, mock_data_collector) + result = manager._get_issue_number_from_payload(message) + + assert result == 42 + + @patch('integrations.github.github_manager.Auth') + @patch('integrations.github.github_manager.GithubIntegration') + def test_extracts_pr_number_from_pull_request_payload( + self, + mock_github_integration, + mock_auth, + mock_token_manager, + mock_data_collector, + ): + """Test extraction from payload with 'pull_request' key (inline PR comments).""" + message = Message( + source=SourceType.GITHUB, + message={ + 'installation': 12345, + 'payload': { + 'pull_request': {'number': 100}, + 'repository': {'owner': {'login': 'owner'}, 'name': 'repo'}, + }, + }, + ) + + manager = GithubManager(mock_token_manager, mock_data_collector) + result = manager._get_issue_number_from_payload(message) + + assert result == 100 + + @patch('integrations.github.github_manager.Auth') + @patch('integrations.github.github_manager.GithubIntegration') + def test_prefers_issue_over_pull_request_when_both_present( + self, + mock_github_integration, + mock_auth, + mock_token_manager, + mock_data_collector, + ): + """Test that issue takes precedence over pull_request (edge case).""" + message = Message( + source=SourceType.GITHUB, + message={ + 'installation': 12345, + 'payload': { + 'issue': {'number': 42}, + 'pull_request': {'number': 100}, + 'repository': {'owner': {'login': 'owner'}, 'name': 'repo'}, + }, + }, + ) + + manager = GithubManager(mock_token_manager, mock_data_collector) + result = manager._get_issue_number_from_payload(message) + + assert result == 42 + + @patch('integrations.github.github_manager.Auth') + @patch('integrations.github.github_manager.GithubIntegration') + def test_returns_none_when_no_issue_or_pr( + self, + mock_github_integration, + mock_auth, + mock_token_manager, + mock_data_collector, + ): + """Test that None is returned when neither issue nor pull_request is in payload.""" + message = Message( + source=SourceType.GITHUB, + message={ + 'installation': 12345, + 'payload': { + 'repository': {'owner': {'login': 'owner'}, 'name': 'repo'}, + }, + }, + ) + + manager = GithubManager(mock_token_manager, mock_data_collector) + result = manager._get_issue_number_from_payload(message) + + assert result is None + + +class TestGetUserNotFoundMessageIntegration: + """Integration tests to verify the user not found message content matches expectations.""" + + def test_message_mentions_openhands_cloud(self): + """Test that the message directs users to OpenHands Cloud.""" + message = get_user_not_found_message('testuser') + assert 'OpenHands Cloud' in message + + def test_message_contains_actionable_instruction(self): + """Test that the message tells users to sign up.""" + message = get_user_not_found_message('testuser') + assert 'sign up' in message.lower() + assert 'try again' in message.lower() + + def test_message_is_friendly_and_informative(self): + """Test that the message is friendly and explains the situation.""" + message = get_user_not_found_message('testuser') + assert 'it looks like' in message.lower() + assert "haven't created an openhands account" in message.lower() diff --git a/enterprise/tests/unit/integrations/test_utils.py b/enterprise/tests/unit/integrations/test_utils.py index 38710af083..e3e5c5e6e6 100644 --- a/enterprise/tests/unit/integrations/test_utils.py +++ b/enterprise/tests/unit/integrations/test_utils.py @@ -8,6 +8,7 @@ from integrations.utils import ( append_conversation_footer, get_session_expired_message, get_summary_for_agent_state, + get_user_not_found_message, ) from openhands.core.schema.agent import AgentState @@ -228,6 +229,72 @@ class TestGetSessionExpiredMessage: assert 'Your session' in result +class TestGetUserNotFoundMessage: + """Test cases for get_user_not_found_message function. + + This function is used to notify users when they try to use OpenHands features + but haven't created an OpenHands account yet (no Keycloak account exists). + """ + + def test_message_with_username_contains_at_prefix(self): + """Test that the message contains the username with @ prefix.""" + result = get_user_not_found_message('testuser') + assert '@testuser' in result + + def test_message_with_username_contains_sign_up_text(self): + """Test that the message contains sign up text.""" + result = get_user_not_found_message('testuser') + assert "haven't created an OpenHands account" in result + + def test_message_with_username_contains_sign_up_instruction(self): + """Test that the message contains sign up instruction.""" + result = get_user_not_found_message('testuser') + assert 'sign up' in result.lower() + + def test_message_with_username_contains_host_url(self): + """Test that the message contains the OpenHands Cloud URL.""" + result = get_user_not_found_message('testuser') + assert HOST_URL in result + assert 'OpenHands Cloud' in result + + def test_different_usernames(self): + """Test that different usernames produce different messages.""" + result1 = get_user_not_found_message('user1') + result2 = get_user_not_found_message('user2') + assert '@user1' in result1 + assert '@user2' in result2 + assert '@user1' not in result2 + assert '@user2' not in result1 + + def test_message_without_username_contains_sign_up_text(self): + """Test that the message without username contains sign up text.""" + result = get_user_not_found_message() + assert "haven't created an OpenHands account" in result + + def test_message_without_username_contains_sign_up_instruction(self): + """Test that the message without username contains sign up instruction.""" + result = get_user_not_found_message() + assert 'sign up' in result.lower() + + def test_message_without_username_contains_host_url(self): + """Test that the message without username contains the OpenHands Cloud URL.""" + result = get_user_not_found_message() + assert HOST_URL in result + assert 'OpenHands Cloud' in result + + def test_message_without_username_does_not_contain_at_prefix(self): + """Test that the message without username does not contain @ prefix.""" + result = get_user_not_found_message() + assert not result.startswith('@') + assert 'It looks like' in result + + def test_message_with_none_username(self): + """Test that passing None explicitly works the same as no argument.""" + result = get_user_not_found_message(None) + assert not result.startswith('@') + assert 'It looks like' in result + + class TestAppendConversationFooter: """Test cases for append_conversation_footer function.""" From 2f11f6a39a6bb653bc4aad4406da30f420e85a48 Mon Sep 17 00:00:00 2001 From: Tim O'Farrell Date: Tue, 3 Mar 2026 13:26:07 -0700 Subject: [PATCH 16/67] refactor(enterprise): Convert OrgMemberStore to fully async (#13173) Co-authored-by: openhands --- enterprise/server/auth/authorization.py | 35 +- enterprise/server/routes/api_keys.py | 2 +- enterprise/server/routes/orgs.py | 2 +- .../server/services/org_invitation_service.py | 22 +- .../server/services/org_member_service.py | 285 ++++++------ enterprise/storage/org_member_store.py | 108 ++--- enterprise/storage/org_service.py | 22 +- .../tests/unit/server/routes/test_orgs.py | 89 ++-- .../services/test_org_member_service.py | 408 ++++++++++++------ enterprise/tests/unit/test_authorization.py | 57 ++- .../tests/unit/test_org_invitation_service.py | 30 +- .../tests/unit/test_org_member_store.py | 130 +++--- enterprise/tests/unit/test_org_service.py | 61 ++- 13 files changed, 696 insertions(+), 555 deletions(-) diff --git a/enterprise/server/auth/authorization.py b/enterprise/server/auth/authorization.py index 522ef47631..4595ea07a3 100644 --- a/enterprise/server/auth/authorization.py +++ b/enterprise/server/auth/authorization.py @@ -157,9 +157,9 @@ ROLE_PERMISSIONS: dict[RoleName, frozenset[Permission]] = { } -def get_user_org_role(user_id: str, org_id: UUID | None) -> Role | None: +async def get_user_org_role(user_id: str, org_id: UUID | None) -> Role | None: """ - Get the user's role in an organization (synchronous version). + Get the user's role in an organization. Args: user_id: User ID (string that will be converted to UUID) @@ -171,36 +171,11 @@ def get_user_org_role(user_id: str, org_id: UUID | None) -> Role | None: from uuid import UUID as parse_uuid if org_id is None: - org_member = OrgMemberStore.get_org_member_for_current_org(parse_uuid(user_id)) - else: - org_member = OrgMemberStore.get_org_member(org_id, parse_uuid(user_id)) - if not org_member: - return None - - return RoleStore.get_role_by_id(org_member.role_id) - - -async def get_user_org_role_async(user_id: str, org_id: UUID | None) -> Role | None: - """ - Get the user's role in an organization (async version). - - Args: - user_id: User ID (string that will be converted to UUID) - org_id: Organization ID, or None to use the user's current organization - - Returns: - Role object if user is a member, None otherwise - """ - from uuid import UUID as parse_uuid - - if org_id is None: - org_member = await OrgMemberStore.get_org_member_for_current_org_async( + org_member = await OrgMemberStore.get_org_member_for_current_org( parse_uuid(user_id) ) else: - org_member = await OrgMemberStore.get_org_member_async( - org_id, parse_uuid(user_id) - ) + org_member = await OrgMemberStore.get_org_member(org_id, parse_uuid(user_id)) if not org_member: return None @@ -274,7 +249,7 @@ def require_permission(permission: Permission): detail='User not authenticated', ) - user_role = await get_user_org_role_async(user_id, org_id) + user_role = await get_user_org_role(user_id, org_id) if not user_role: logger.warning( diff --git a/enterprise/server/routes/api_keys.py b/enterprise/server/routes/api_keys.py index 57394850ac..5b433aef98 100644 --- a/enterprise/server/routes/api_keys.py +++ b/enterprise/server/routes/api_keys.py @@ -49,7 +49,7 @@ async def store_byor_key_in_db(user_id: str, key: str) -> None: if not current_org_member: return None current_org_member.llm_api_key_for_byor = key - OrgMemberStore.update_org_member(current_org_member) + await OrgMemberStore.update_org_member(current_org_member) async def generate_byor_key(user_id: str) -> str | None: diff --git a/enterprise/server/routes/orgs.py b/enterprise/server/routes/orgs.py index b9c39a0925..8c1abb18ed 100644 --- a/enterprise/server/routes/orgs.py +++ b/enterprise/server/routes/orgs.py @@ -497,7 +497,7 @@ async def get_me( try: user_uuid = UUID(user_id) - return OrgMemberService.get_me(org_id, user_uuid) + return await OrgMemberService.get_me(org_id, user_uuid) except OrgMemberNotFoundError: raise HTTPException( diff --git a/enterprise/server/services/org_invitation_service.py b/enterprise/server/services/org_invitation_service.py index 2c1ba62f9b..5518ab5dd0 100644 --- a/enterprise/server/services/org_invitation_service.py +++ b/enterprise/server/services/org_invitation_service.py @@ -85,13 +85,13 @@ class OrgInvitationService: ) # Step 3: Check inviter is a member and has permission - inviter_member = OrgMemberStore.get_org_member(org_id, inviter_id) + inviter_member = await OrgMemberStore.get_org_member(org_id, inviter_id) if not inviter_member: raise InsufficientPermissionError( 'You are not a member of this organization' ) - inviter_role = RoleStore.get_role_by_id(inviter_member.role_id) + inviter_role = await RoleStore.get_role_by_id_async(inviter_member.role_id) if not inviter_role or inviter_role.name not in [ROLE_OWNER, ROLE_ADMIN]: raise InsufficientPermissionError('Only owners and admins can invite users') @@ -101,14 +101,16 @@ class OrgInvitationService: raise InsufficientPermissionError('Only owners can invite with owner role') # Get the target role - target_role = RoleStore.get_role_by_name(role_name_lower) + target_role = await RoleStore.get_role_by_name_async(role_name_lower) if not target_role: raise ValueError(f'Invalid role: {role_name}') # Step 5: Check if user is already a member (by email) existing_user = await UserStore.get_user_by_email_async(email) if existing_user: - existing_member = OrgMemberStore.get_org_member(org_id, existing_user.id) + existing_member = await OrgMemberStore.get_org_member( + org_id, existing_user.id + ) if existing_member: raise UserAlreadyMemberError( 'User is already a member of this organization' @@ -196,13 +198,13 @@ class OrgInvitationService: 'Cannot invite users to a personal workspace' ) - inviter_member = OrgMemberStore.get_org_member(org_id, inviter_id) + inviter_member = await OrgMemberStore.get_org_member(org_id, inviter_id) if not inviter_member: raise InsufficientPermissionError( 'You are not a member of this organization' ) - inviter_role = RoleStore.get_role_by_id(inviter_member.role_id) + inviter_role = await RoleStore.get_role_by_id_async(inviter_member.role_id) if not inviter_role or inviter_role.name not in [ROLE_OWNER, ROLE_ADMIN]: raise InsufficientPermissionError('Only owners and admins can invite users') @@ -210,7 +212,7 @@ class OrgInvitationService: if role_name_lower == ROLE_OWNER and inviter_role.name != ROLE_OWNER: raise InsufficientPermissionError('Only owners can invite with owner role') - target_role = RoleStore.get_role_by_name(role_name_lower) + target_role = await RoleStore.get_role_by_name_async(role_name_lower) if not target_role: raise ValueError(f'Invalid role: {role_name}') @@ -336,7 +338,9 @@ class OrgInvitationService: raise EmailMismatchError() # Step 3: Check if user is already a member - existing_member = OrgMemberStore.get_org_member(invitation.org_id, user_id) + existing_member = await OrgMemberStore.get_org_member( + invitation.org_id, user_id + ) if existing_member: raise UserAlreadyMemberError( 'You are already a member of this organization' @@ -369,7 +373,7 @@ class OrgInvitationService: org_member_kwargs.pop('llm_model', None) org_member_kwargs.pop('llm_base_url', None) - OrgMemberStore.add_user_to_org( + await OrgMemberStore.add_user_to_org( org_id=invitation.org_id, user_id=user_id, role_id=invitation.role_id, diff --git a/enterprise/server/services/org_member_service.py b/enterprise/server/services/org_member_service.py index 5777ab0d5a..264d8fa135 100644 --- a/enterprise/server/services/org_member_service.py +++ b/enterprise/server/services/org_member_service.py @@ -22,14 +22,13 @@ from storage.role_store import RoleStore from storage.user_store import UserStore from openhands.core.logger import openhands_logger as logger -from openhands.utils.async_utils import call_sync_from_async class OrgMemberService: """Service for organization member operations.""" @staticmethod - def get_me(org_id: UUID, user_id: UUID) -> MeResponse: + async def get_me(org_id: UUID, user_id: UUID) -> MeResponse: """Get the current user's membership record for an organization. Retrieves the authenticated user's role, status, email, and LLM override @@ -47,17 +46,17 @@ class OrgMemberService: RoleNotFoundError: If the role associated with the member is not found """ # Look up the user's membership in this org - org_member = OrgMemberStore.get_org_member(org_id, user_id) + org_member = await OrgMemberStore.get_org_member(org_id, user_id) if org_member is None: raise OrgMemberNotFoundError(str(org_id), str(user_id)) # Resolve role name from role_id - role = RoleStore.get_role_by_id(org_member.role_id) + role = await RoleStore.get_role_by_id_async(org_member.role_id) if role is None: raise RoleNotFoundError(org_member.role_id) # Get user email - user = UserStore.get_user_by_id(str(user_id)) + user = await UserStore.get_user_by_id_async(str(user_id)) email = user.email if user and user.email else '' return MeResponse.from_org_member(org_member, role, email) @@ -83,7 +82,9 @@ class OrgMemberService: Tuple of (success, error_code, data). If success is True, error_code is None. """ # Verify current user is a member of the organization - requester_membership = OrgMemberStore.get_org_member(org_id, current_user_id) + requester_membership = await OrgMemberStore.get_org_member( + org_id, current_user_id + ) if not requester_membership: return False, 'not_a_member', None @@ -156,7 +157,9 @@ class OrgMemberService: OrgMemberNotFoundError: If requesting user is not a member of the organization. """ # Verify current user is a member of the organization - requester_membership = OrgMemberStore.get_org_member(org_id, current_user_id) + requester_membership = await OrgMemberStore.get_org_member( + org_id, current_user_id + ) if not requester_membership: raise OrgMemberNotFoundError(str(org_id), str(current_user_id)) @@ -176,82 +179,75 @@ class OrgMemberService: Returns: Tuple of (success, error_message). If success is True, error_message is None. """ + # Get current user's membership in the org + requester_membership = await OrgMemberStore.get_org_member( + org_id, current_user_id + ) + if not requester_membership: + return False, 'not_a_member' - def _remove_member(): - # Get current user's membership in the org - requester_membership = OrgMemberStore.get_org_member( - org_id, current_user_id - ) - if not requester_membership: - return False, 'not_a_member' + # Check if trying to remove self + if str(current_user_id) == str(target_user_id): + return False, 'cannot_remove_self' - # Check if trying to remove self - if str(current_user_id) == str(target_user_id): - return False, 'cannot_remove_self' + # Get target user's membership + target_membership = await OrgMemberStore.get_org_member(org_id, target_user_id) + if not target_membership: + return False, 'member_not_found' - # Get target user's membership - target_membership = OrgMemberStore.get_org_member(org_id, target_user_id) - if not target_membership: - return False, 'member_not_found' + requester_role = await RoleStore.get_role_by_id_async( + requester_membership.role_id + ) + target_role = await RoleStore.get_role_by_id_async(target_membership.role_id) - requester_role = RoleStore.get_role_by_id(requester_membership.role_id) - target_role = RoleStore.get_role_by_id(target_membership.role_id) + if not requester_role or not target_role: + return False, 'role_not_found' - if not requester_role or not target_role: - return False, 'role_not_found' + # Check permission based on roles + if not OrgMemberService._can_remove_member( + requester_role.name, target_role.name + ): + return False, 'insufficient_permission' - # Check permission based on roles - if not OrgMemberService._can_remove_member( - requester_role.name, target_role.name - ): - return False, 'insufficient_permission' + # Check if removing the last owner + if target_role.name == ROLE_OWNER: + if await OrgMemberService._is_last_owner(org_id, target_user_id): + return False, 'cannot_remove_last_owner' - # Check if removing the last owner - if target_role.name == ROLE_OWNER: - if OrgMemberService._is_last_owner(org_id, target_user_id): - return False, 'cannot_remove_last_owner' + # Perform the removal + success = await OrgMemberStore.remove_user_from_org(org_id, target_user_id) + if not success: + return False, 'removal_failed' - # Perform the removal - success = OrgMemberStore.remove_user_from_org(org_id, target_user_id) - if not success: - return False, 'removal_failed' - - # Update user's current_org_id if it points to the org they were removed from - user = UserStore.get_user_by_id(str(target_user_id)) - if user and user.current_org_id == org_id: - # Set current_org_id to personal workspace (org.id == user.id) - UserStore.update_current_org(str(target_user_id), target_user_id) - - return True, None - - success, error = await call_sync_from_async(_remove_member) + # Update user's current_org_id if it points to the org they were removed from + user = await UserStore.get_user_by_id_async(str(target_user_id)) + if user and user.current_org_id == org_id: + # Set current_org_id to personal workspace (org.id == user.id) + UserStore.update_current_org(str(target_user_id), target_user_id) # If database removal succeeded, also remove from LiteLLM team - if success: - try: - await LiteLlmManager.remove_user_from_team( - str(target_user_id), str(org_id) - ) - logger.info( - 'Successfully removed user from LiteLLM team', - extra={ - 'user_id': str(target_user_id), - 'org_id': str(org_id), - }, - ) - except Exception as e: - # Log but don't fail the operation - database removal already succeeded - # LiteLLM state will be eventually consistent - logger.warning( - 'Failed to remove user from LiteLLM team', - extra={ - 'user_id': str(target_user_id), - 'org_id': str(org_id), - 'error': str(e), - }, - ) + try: + await LiteLlmManager.remove_user_from_team(str(target_user_id), str(org_id)) + logger.info( + 'Successfully removed user from LiteLLM team', + extra={ + 'user_id': str(target_user_id), + 'org_id': str(org_id), + }, + ) + except Exception as e: + # Log but don't fail the operation - database removal already succeeded + # LiteLLM state will be eventually consistent + logger.warning( + 'Failed to remove user from LiteLLM team', + extra={ + 'user_id': str(target_user_id), + 'org_id': str(org_id), + 'error': str(e), + }, + ) - return success, error + return True, None @staticmethod async def update_org_member( @@ -287,85 +283,84 @@ class OrgMemberService: """ new_role_name = update_data.role - def _update_member(): - # Get current user's membership in the org - requester_membership = OrgMemberStore.get_org_member( - org_id, current_user_id - ) - if not requester_membership: - raise OrgMemberNotFoundError(str(org_id), str(current_user_id)) + # Get current user's membership in the org + requester_membership = await OrgMemberStore.get_org_member( + org_id, current_user_id + ) + if not requester_membership: + raise OrgMemberNotFoundError(str(org_id), str(current_user_id)) - # Check if trying to modify self - if str(current_user_id) == str(target_user_id): - raise CannotModifySelfError('modify') + # Check if trying to modify self + if str(current_user_id) == str(target_user_id): + raise CannotModifySelfError('modify') - # Get target user's membership - target_membership = OrgMemberStore.get_org_member(org_id, target_user_id) - if not target_membership: - raise OrgMemberNotFoundError(str(org_id), str(target_user_id)) + # Get target user's membership + target_membership = await OrgMemberStore.get_org_member(org_id, target_user_id) + if not target_membership: + raise OrgMemberNotFoundError(str(org_id), str(target_user_id)) - # Get roles - requester_role = RoleStore.get_role_by_id(requester_membership.role_id) - target_role = RoleStore.get_role_by_id(target_membership.role_id) + # Get roles + requester_role = await RoleStore.get_role_by_id_async( + requester_membership.role_id + ) + target_role = await RoleStore.get_role_by_id_async(target_membership.role_id) - if not requester_role: - raise RoleNotFoundError(requester_membership.role_id) - if not target_role: - raise RoleNotFoundError(target_membership.role_id) - - # If no role change requested, return current state - if new_role_name is None: - user = UserStore.get_user_by_id(str(target_user_id)) - return OrgMemberResponse( - user_id=str(target_membership.user_id), - email=user.email if user else None, - role_id=target_membership.role_id, - role=target_role.name, - role_rank=target_role.rank, - status=target_membership.status, - ) - - # Validate new role exists - new_role = RoleStore.get_role_by_name(new_role_name.lower()) - if not new_role: - raise InvalidRoleError(new_role_name) - - # Check permission to modify target - if not OrgMemberService._can_update_member_role( - requester_role.name, target_role.name, new_role.name - ): - raise InsufficientPermissionError( - 'You do not have permission to modify this member' - ) - - # Check if demoting the last owner - if ( - target_role.name == ROLE_OWNER - and new_role.name != ROLE_OWNER - and OrgMemberService._is_last_owner(org_id, target_user_id) - ): - raise LastOwnerError('demote') - - # Perform the update - updated_member = OrgMemberStore.update_user_role_in_org( - org_id, target_user_id, new_role.id - ) - if not updated_member: - raise MemberUpdateError('Failed to update member') - - # Get user email for response - user = UserStore.get_user_by_id(str(target_user_id)) + if not requester_role: + raise RoleNotFoundError(requester_membership.role_id) + if not target_role: + raise RoleNotFoundError(target_membership.role_id) + # If no role change requested, return current state + if new_role_name is None: + user = await UserStore.get_user_by_id_async(str(target_user_id)) return OrgMemberResponse( - user_id=str(updated_member.user_id), + user_id=str(target_membership.user_id), email=user.email if user else None, - role_id=updated_member.role_id, - role=new_role.name, - role_rank=new_role.rank, - status=updated_member.status, + role_id=target_membership.role_id, + role=target_role.name, + role_rank=target_role.rank, + status=target_membership.status, ) - return await call_sync_from_async(_update_member) + # Validate new role exists + new_role = await RoleStore.get_role_by_name_async(new_role_name.lower()) + if not new_role: + raise InvalidRoleError(new_role_name) + + # Check permission to modify target + if not OrgMemberService._can_update_member_role( + requester_role.name, target_role.name, new_role.name + ): + raise InsufficientPermissionError( + 'You do not have permission to modify this member' + ) + + # Check if demoting the last owner + if ( + target_role.name == ROLE_OWNER + and new_role.name != ROLE_OWNER + and await OrgMemberService._is_last_owner(org_id, target_user_id) + ): + raise LastOwnerError('demote') + + # Perform the update + updated_member = await OrgMemberStore.update_user_role_in_org( + org_id, target_user_id, new_role.id + ) + if not updated_member: + raise MemberUpdateError('Failed to update member') + + # Get user email for response + user = await UserStore.get_user_by_id_async(str(target_user_id)) + + return OrgMemberResponse( + user_id=str(updated_member.user_id), + email=user.email if user else None, + role_id=updated_member.role_id, + role=new_role.name, + role_rank=new_role.rank, + status=updated_member.status, + ) @staticmethod def _can_update_member_role( @@ -405,13 +400,13 @@ class OrgMemberService: return False @staticmethod - def _is_last_owner(org_id: UUID, user_id: UUID) -> bool: + async def _is_last_owner(org_id: UUID, user_id: UUID) -> bool: """Check if user is the last owner of the organization.""" - members = OrgMemberStore.get_org_members(org_id) + members = await OrgMemberStore.get_org_members(org_id) owners = [] for m in members: # Use role_id (column) instead of role (relationship) to avoid DetachedInstanceError - role = RoleStore.get_role_by_id(m.role_id) + role = await RoleStore.get_role_by_id_async(m.role_id) if role and role.name == ROLE_OWNER: owners.append(m) return len(owners) == 1 and str(owners[0].user_id) == str(user_id) diff --git a/enterprise/storage/org_member_store.py b/enterprise/storage/org_member_store.py index c92d7ba867..1f32c2e8b5 100644 --- a/enterprise/storage/org_member_store.py +++ b/enterprise/storage/org_member_store.py @@ -9,7 +9,7 @@ from server.routes.org_models import OrgMemberLLMSettings from sqlalchemy import func, select, update from sqlalchemy.ext.asyncio import AsyncSession from sqlalchemy.orm import joinedload -from storage.database import a_session_maker, session_maker +from storage.database import a_session_maker from storage.encrypt_utils import encrypt_value from storage.org_member import OrgMember from storage.user import User @@ -22,7 +22,7 @@ class OrgMemberStore: """Store for managing organization-member relationships.""" @staticmethod - def add_user_to_org( + async def add_user_to_org( org_id: UUID, user_id: UUID, role_id: int, @@ -30,7 +30,7 @@ class OrgMemberStore: status: Optional[str] = None, ) -> OrgMember: """Add a user to an organization with a specific role.""" - with session_maker() as session: + async with a_session_maker() as session: org_member = OrgMember( org_id=org_id, user_id=user_id, @@ -39,22 +39,12 @@ class OrgMemberStore: status=status, ) session.add(org_member) - session.commit() - session.refresh(org_member) + await session.commit() + await session.refresh(org_member) return org_member @staticmethod - def get_org_member(org_id: UUID, user_id: UUID) -> Optional[OrgMember]: - """Get organization-user relationship.""" - with session_maker() as session: - return ( - session.query(OrgMember) - .filter(OrgMember.org_id == org_id, OrgMember.user_id == user_id) - .first() - ) - - @staticmethod - async def get_org_member_async(org_id: UUID, user_id: UUID) -> Optional[OrgMember]: + async def get_org_member(org_id: UUID, user_id: UUID) -> Optional[OrgMember]: """Get organization-user relationship.""" async with a_session_maker() as session: result = await session.execute( @@ -65,33 +55,9 @@ class OrgMemberStore: return result.scalars().first() @staticmethod - def get_org_member_for_current_org(user_id: UUID) -> Optional[OrgMember]: + async def get_org_member_for_current_org(user_id: UUID) -> Optional[OrgMember]: """Get the org member for a user's current organization. - Args: - user_id: The user's UUID. - - Returns: - The OrgMember for the user's current organization, or None if not found. - """ - with session_maker() as session: - result = ( - session.query(OrgMember) - .join(User, User.id == OrgMember.user_id) - .filter( - User.id == user_id, - OrgMember.org_id == User.current_org_id, - ) - .first() - ) - return result - - @staticmethod - async def get_org_member_for_current_org_async( - user_id: UUID, - ) -> Optional[OrgMember]: - """Get the org member for a user's current organization (async version). - Args: user_id: The user's UUID. @@ -110,35 +76,42 @@ class OrgMemberStore: return result.scalars().first() @staticmethod - def get_user_orgs(user_id: UUID) -> list[OrgMember]: + async def get_user_orgs(user_id: UUID) -> list[OrgMember]: """Get all organizations for a user.""" - with session_maker() as session: - return session.query(OrgMember).filter(OrgMember.user_id == user_id).all() + async with a_session_maker() as session: + result = await session.execute( + select(OrgMember).filter(OrgMember.user_id == user_id) + ) + return list(result.scalars().all()) @staticmethod - def get_org_members(org_id: UUID) -> list[OrgMember]: + async def get_org_members(org_id: UUID) -> list[OrgMember]: """Get all users in an organization.""" - with session_maker() as session: - return session.query(OrgMember).filter(OrgMember.org_id == org_id).all() + async with a_session_maker() as session: + result = await session.execute( + select(OrgMember).filter(OrgMember.org_id == org_id) + ) + return list(result.scalars().all()) @staticmethod - def update_org_member(org_member: OrgMember) -> None: + async def update_org_member(org_member: OrgMember) -> None: """Update an organization-member relationship.""" - with session_maker() as session: - session.merge(org_member) - session.commit() + async with a_session_maker() as session: + await session.merge(org_member) + await session.commit() @staticmethod - def update_user_role_in_org( + async def update_user_role_in_org( org_id: UUID, user_id: UUID, role_id: int, status: Optional[str] = None ) -> Optional[OrgMember]: """Update user's role in an organization.""" - with session_maker() as session: - org_member = ( - session.query(OrgMember) - .filter(OrgMember.org_id == org_id, OrgMember.user_id == user_id) - .first() + async with a_session_maker() as session: + result = await session.execute( + select(OrgMember).filter( + OrgMember.org_id == org_id, OrgMember.user_id == user_id + ) ) + org_member = result.scalars().first() if not org_member: return None @@ -147,25 +120,26 @@ class OrgMemberStore: if status is not None: org_member.status = status - session.commit() - session.refresh(org_member) + await session.commit() + await session.refresh(org_member) return org_member @staticmethod - def remove_user_from_org(org_id: UUID, user_id: UUID) -> bool: + async def remove_user_from_org(org_id: UUID, user_id: UUID) -> bool: """Remove a user from an organization.""" - with session_maker() as session: - org_member = ( - session.query(OrgMember) - .filter(OrgMember.org_id == org_id, OrgMember.user_id == user_id) - .first() + async with a_session_maker() as session: + result = await session.execute( + select(OrgMember).filter( + OrgMember.org_id == org_id, OrgMember.user_id == user_id + ) ) + org_member = result.scalars().first() if not org_member: return False - session.delete(org_member) - session.commit() + await session.delete(org_member) + await session.commit() return True @staticmethod diff --git a/enterprise/storage/org_service.py b/enterprise/storage/org_service.py index 3d328b3ff6..780fca890e 100644 --- a/enterprise/storage/org_service.py +++ b/enterprise/storage/org_service.py @@ -398,7 +398,7 @@ class OrgService: return e @staticmethod - def has_admin_or_owner_role(user_id: str, org_id: UUID) -> bool: + async def has_admin_or_owner_role(user_id: str, org_id: UUID) -> bool: """ Check if user has admin or owner role in the specified organization. @@ -415,12 +415,12 @@ class OrgService: # Get the user's membership in this organization # Note: The type annotation says int but the actual column is UUID - org_member = OrgMemberStore.get_org_member(org_id, user_uuid) + org_member = await OrgMemberStore.get_org_member(org_id, user_uuid) if not org_member: return False # Get the role details - role = RoleStore.get_role_by_id(org_member.role_id) + role = await RoleStore.get_role_by_id_async(org_member.role_id) if not role: return False @@ -440,7 +440,7 @@ class OrgService: return False @staticmethod - def is_org_member(user_id: str, org_id: UUID) -> bool: + async def is_org_member(user_id: str, org_id: UUID) -> bool: """ Check if user is a member of the specified organization. @@ -453,7 +453,7 @@ class OrgService: """ try: user_uuid = parse_uuid(user_id) - org_member = OrgMemberStore.get_org_member(org_id, user_uuid) + org_member = await OrgMemberStore.get_org_member(org_id, user_uuid) return org_member is not None except Exception as e: logger.warning( @@ -540,7 +540,7 @@ class OrgService: raise ValueError(f'Organization with ID {org_id} not found') # Check if user is a member of this organization - if not OrgService.is_org_member(user_id, org_id): + if not await OrgService.is_org_member(user_id, org_id): logger.warning( 'Non-member attempted to update organization', extra={ @@ -574,7 +574,7 @@ class OrgService: llm_fields_being_updated = OrgService._has_llm_settings_updates(update_data) if llm_fields_being_updated: # Verify user has admin or owner role - has_permission = OrgService.has_admin_or_owner_role(user_id, org_id) + has_permission = await OrgService.has_admin_or_owner_role(user_id, org_id) if not has_permission: logger.warning( 'User attempted to update LLM settings without permission', @@ -745,7 +745,7 @@ class OrgService: ) # Verify user is a member of the organization - org_member = OrgMemberStore.get_org_member(org_id, parse_uuid(user_id)) + org_member = await OrgMemberStore.get_org_member(org_id, parse_uuid(user_id)) if not org_member: logger.warning( 'User is not a member of organization or organization does not exist', @@ -792,12 +792,12 @@ class OrgService: raise OrgNotFoundError(str(org_id)) # Check if user is a member of the organization - org_member = OrgMemberStore.get_org_member(org_id, parse_uuid(user_id)) + org_member = await OrgMemberStore.get_org_member(org_id, parse_uuid(user_id)) if not org_member: raise OrgAuthorizationError('User is not a member of this organization') # Check if user has owner role - role = RoleStore.get_role_by_id(org_member.role_id) + role = await RoleStore.get_role_by_id_async(org_member.role_id) if not role or role.name != 'owner': raise OrgAuthorizationError( 'Only organization owners can delete organizations' @@ -918,7 +918,7 @@ class OrgService: raise OrgNotFoundError(str(org_id)) # Step 2: Validate user is a member of the organization - if not OrgService.is_org_member(user_id, org_id): + if not await OrgService.is_org_member(user_id, org_id): logger.warning( 'User attempted to switch to organization they are not a member of', extra={'user_id': user_id, 'org_id': str(org_id)}, diff --git a/enterprise/tests/unit/server/routes/test_orgs.py b/enterprise/tests/unit/server/routes/test_orgs.py index 8462249dde..7aec94c847 100644 --- a/enterprise/tests/unit/server/routes/test_orgs.py +++ b/enterprise/tests/unit/server/routes/test_orgs.py @@ -1027,7 +1027,7 @@ async def test_get_org_success(mock_app_with_get_user_id, mock_owner_role): with ( patch( - 'server.auth.authorization.get_user_org_role_async', + 'server.auth.authorization.get_user_org_role', AsyncMock(return_value=mock_owner_role), ), patch( @@ -1067,7 +1067,7 @@ async def test_get_org_user_not_member(mock_app_with_get_user_id): # When user is not a member, get_user_org_role returns None with patch( - 'server.auth.authorization.get_user_org_role_async', + 'server.auth.authorization.get_user_org_role', AsyncMock(return_value=None), ): client = TestClient(mock_app_with_get_user_id) @@ -1092,7 +1092,7 @@ async def test_get_org_not_found(mock_app_with_get_user_id, mock_owner_role): with ( patch( - 'server.auth.authorization.get_user_org_role_async', + 'server.auth.authorization.get_user_org_role', AsyncMock(return_value=mock_owner_role), ), patch( @@ -1167,7 +1167,7 @@ async def test_get_org_unexpected_error(mock_app_with_get_user_id, mock_owner_ro with ( patch( - 'server.auth.authorization.get_user_org_role_async', + 'server.auth.authorization.get_user_org_role', AsyncMock(return_value=mock_owner_role), ), patch( @@ -1218,7 +1218,7 @@ async def test_get_org_personal_workspace(): with ( patch( - 'server.auth.authorization.get_user_org_role_async', + 'server.auth.authorization.get_user_org_role', AsyncMock(return_value=mock_role), ), patch( @@ -1260,7 +1260,7 @@ async def test_get_org_team_workspace(mock_app_with_get_user_id, mock_owner_role with ( patch( - 'server.auth.authorization.get_user_org_role_async', + 'server.auth.authorization.get_user_org_role', AsyncMock(return_value=mock_owner_role), ), patch( @@ -1305,7 +1305,7 @@ async def test_get_org_with_credits_none(mock_app_with_get_user_id, mock_owner_r with ( patch( - 'server.auth.authorization.get_user_org_role_async', + 'server.auth.authorization.get_user_org_role', AsyncMock(return_value=mock_owner_role), ), patch( @@ -1354,7 +1354,7 @@ async def test_get_org_sensitive_fields_not_exposed( with ( patch( - 'server.auth.authorization.get_user_org_role_async', + 'server.auth.authorization.get_user_org_role', AsyncMock(return_value=mock_owner_role), ), patch( @@ -1404,7 +1404,7 @@ async def test_delete_org_success(mock_app, mock_owner_role): with ( patch( - 'server.auth.authorization.get_user_org_role_async', + 'server.auth.authorization.get_user_org_role', AsyncMock(return_value=mock_owner_role), ), patch( @@ -1439,7 +1439,7 @@ async def test_delete_org_not_found(mock_app, mock_owner_role): with ( patch( - 'server.auth.authorization.get_user_org_role_async', + 'server.auth.authorization.get_user_org_role', AsyncMock(return_value=mock_owner_role), ), patch( @@ -1469,7 +1469,7 @@ async def test_delete_org_not_owner(mock_app, mock_owner_role): with ( patch( - 'server.auth.authorization.get_user_org_role_async', + 'server.auth.authorization.get_user_org_role', AsyncMock(return_value=mock_owner_role), ), patch( @@ -1503,7 +1503,7 @@ async def test_delete_org_not_member(mock_app): # When user is not a member, get_user_org_role returns None with patch( - 'server.auth.authorization.get_user_org_role_async', + 'server.auth.authorization.get_user_org_role', AsyncMock(return_value=None), ): client = TestClient(mock_app) @@ -1528,7 +1528,7 @@ async def test_delete_org_database_failure(mock_app, mock_owner_role): with ( patch( - 'server.auth.authorization.get_user_org_role_async', + 'server.auth.authorization.get_user_org_role', AsyncMock(return_value=mock_owner_role), ), patch( @@ -1558,7 +1558,7 @@ async def test_delete_org_unexpected_error(mock_app, mock_owner_role): with ( patch( - 'server.auth.authorization.get_user_org_role_async', + 'server.auth.authorization.get_user_org_role', AsyncMock(return_value=mock_owner_role), ), patch( @@ -1606,7 +1606,7 @@ async def test_delete_org_unauthorized(mock_app, mock_owner_role): with ( patch( - 'server.auth.authorization.get_user_org_role_async', + 'server.auth.authorization.get_user_org_role', AsyncMock(return_value=mock_owner_role), ), patch( @@ -1636,7 +1636,7 @@ async def test_delete_org_orphaned_users(mock_app, mock_owner_role): with ( patch( - 'server.auth.authorization.get_user_org_role_async', + 'server.auth.authorization.get_user_org_role', AsyncMock(return_value=mock_owner_role), ), patch( @@ -1708,7 +1708,7 @@ async def test_update_org_personal_workspace_preserved(): with ( patch( - 'server.auth.authorization.get_user_org_role_async', + 'server.auth.authorization.get_user_org_role', AsyncMock(return_value=mock_role), ), patch( @@ -1769,7 +1769,7 @@ async def test_update_org_team_workspace_preserved(): with ( patch( - 'server.auth.authorization.get_user_org_role_async', + 'server.auth.authorization.get_user_org_role', AsyncMock(return_value=mock_role), ), patch( @@ -1809,7 +1809,7 @@ async def test_update_org_not_found(mock_update_app, mock_owner_role): with ( patch( - 'server.auth.authorization.get_user_org_role_async', + 'server.auth.authorization.get_user_org_role', AsyncMock(return_value=mock_owner_role), ), patch( @@ -1845,7 +1845,7 @@ async def test_update_org_permission_denied_non_member(mock_update_app): # When user is not a member, get_user_org_role returns None with patch( - 'server.auth.authorization.get_user_org_role_async', + 'server.auth.authorization.get_user_org_role', AsyncMock(return_value=None), ): async with httpx.AsyncClient( @@ -1876,7 +1876,7 @@ async def test_update_org_permission_denied_llm_settings( with ( patch( - 'server.auth.authorization.get_user_org_role_async', + 'server.auth.authorization.get_user_org_role', AsyncMock(return_value=mock_owner_role), ), patch( @@ -1917,7 +1917,7 @@ async def test_update_org_duplicate_name_returns_409(mock_update_app, mock_owner with ( patch( - 'server.auth.authorization.get_user_org_role_async', + 'server.auth.authorization.get_user_org_role', AsyncMock(return_value=mock_owner_role), ), patch( @@ -1951,7 +1951,7 @@ async def test_update_org_database_error(mock_update_app, mock_owner_role): with ( patch( - 'server.auth.authorization.get_user_org_role_async', + 'server.auth.authorization.get_user_org_role', AsyncMock(return_value=mock_owner_role), ), patch( @@ -1985,7 +1985,7 @@ async def test_update_org_unexpected_error(mock_update_app, mock_owner_role): with ( patch( - 'server.auth.authorization.get_user_org_role_async', + 'server.auth.authorization.get_user_org_role', AsyncMock(return_value=mock_owner_role), ), patch( @@ -2041,7 +2041,7 @@ async def test_update_org_invalid_field_values(mock_update_app, mock_owner_role) update_data = {'default_max_iterations': -1} # Invalid: must be > 0 with patch( - 'server.auth.authorization.get_user_org_role_async', + 'server.auth.authorization.get_user_org_role', AsyncMock(return_value=mock_owner_role), ): async with httpx.AsyncClient( @@ -2068,7 +2068,7 @@ async def test_update_org_empty_name_returns_422(mock_update_app, mock_owner_rol update_data = {'name': ' '} with patch( - 'server.auth.authorization.get_user_org_role_async', + 'server.auth.authorization.get_user_org_role', AsyncMock(return_value=mock_owner_role), ): async with httpx.AsyncClient( @@ -2095,7 +2095,7 @@ async def test_update_org_invalid_email_format(mock_update_app, mock_owner_role) update_data = {'contact_email': 'invalid-email'} # Missing @ with patch( - 'server.auth.authorization.get_user_org_role_async', + 'server.auth.authorization.get_user_org_role', AsyncMock(return_value=mock_owner_role), ): async with httpx.AsyncClient( @@ -3031,6 +3031,7 @@ class TestGetMeEndpoint: with patch( 'server.routes.orgs.OrgMemberService.get_me', + new_callable=AsyncMock, return_value=me_response, ): client = TestClient(mock_me_app) @@ -3066,6 +3067,7 @@ class TestGetMeEndpoint: with patch( 'server.routes.orgs.OrgMemberService.get_me', + new_callable=AsyncMock, return_value=me_response, ): client = TestClient(mock_me_app) @@ -3086,6 +3088,7 @@ class TestGetMeEndpoint: """ with patch( 'server.routes.orgs.OrgMemberService.get_me', + new_callable=AsyncMock, side_effect=OrgMemberNotFoundError(str(test_org_id), 'user-id'), ): client = TestClient(mock_me_app) @@ -3131,6 +3134,7 @@ class TestGetMeEndpoint: """ with patch( 'server.routes.orgs.OrgMemberService.get_me', + new_callable=AsyncMock, side_effect=RuntimeError('Database connection failed'), ): client = TestClient(mock_me_app) @@ -3157,6 +3161,7 @@ class TestGetMeEndpoint: with patch( 'server.routes.orgs.OrgMemberService.get_me', + new_callable=AsyncMock, return_value=me_response, ): client = TestClient(mock_me_app) @@ -3185,6 +3190,7 @@ class TestGetMeEndpoint: with patch( 'server.routes.orgs.OrgMemberService.get_me', + new_callable=AsyncMock, return_value=me_response, ): client = TestClient(mock_me_app) @@ -3210,6 +3216,7 @@ class TestGetMeEndpoint: with patch( 'server.routes.orgs.OrgMemberService.get_me', + new_callable=AsyncMock, return_value=me_response, ): client = TestClient(mock_me_app) @@ -3230,6 +3237,7 @@ class TestGetMeEndpoint: """ with patch( 'server.routes.orgs.OrgMemberService.get_me', + new_callable=AsyncMock, side_effect=RoleNotFoundError(role_id=999), ): client = TestClient(mock_me_app) @@ -3250,6 +3258,7 @@ class TestGetMeEndpoint: with patch( 'server.routes.orgs.OrgMemberService.get_me', + new_callable=AsyncMock, return_value=me_response, ): result = await get_me(org_id=test_org_id, user_id=test_user_id) @@ -3266,6 +3275,7 @@ class TestGetMeEndpoint: """Test direct function call to get_me raises HTTPException on member not found.""" with patch( 'server.routes.orgs.OrgMemberService.get_me', + new_callable=AsyncMock, side_effect=OrgMemberNotFoundError(str(test_org_id), test_user_id), ): with pytest.raises(HTTPException) as exc_info: @@ -3281,6 +3291,7 @@ class TestGetMeEndpoint: """Test direct function call to get_me raises HTTPException on role not found.""" with patch( 'server.routes.orgs.OrgMemberService.get_me', + new_callable=AsyncMock, side_effect=RoleNotFoundError(role_id=999), ): with pytest.raises(HTTPException) as exc_info: @@ -3453,7 +3464,7 @@ async def test_get_org_app_settings_success( with ( patch( - 'server.auth.authorization.get_user_org_role_async', + 'server.auth.authorization.get_user_org_role', AsyncMock(return_value=mock_member_role), ), patch( @@ -3493,7 +3504,7 @@ async def test_get_org_app_settings_with_null_values( with ( patch( - 'server.auth.authorization.get_user_org_role_async', + 'server.auth.authorization.get_user_org_role', AsyncMock(return_value=mock_member_role), ), patch( @@ -3527,7 +3538,7 @@ async def test_get_org_app_settings_not_found( # Arrange with ( patch( - 'server.auth.authorization.get_user_org_role_async', + 'server.auth.authorization.get_user_org_role', AsyncMock(return_value=mock_member_role), ), patch( @@ -3554,7 +3565,7 @@ async def test_get_org_app_settings_user_not_member(mock_app_with_get_user_id): """ # Arrange - user has no role (not a member) with patch( - 'server.auth.authorization.get_user_org_role_async', + 'server.auth.authorization.get_user_org_role', AsyncMock(return_value=None), ): client = TestClient(mock_app_with_get_user_id) @@ -3585,7 +3596,7 @@ async def test_update_org_app_settings_success( with ( patch( - 'server.auth.authorization.get_user_org_role_async', + 'server.auth.authorization.get_user_org_role', AsyncMock(return_value=mock_member_role), ), patch( @@ -3632,7 +3643,7 @@ async def test_update_org_app_settings_partial_update( with ( patch( - 'server.auth.authorization.get_user_org_role_async', + 'server.auth.authorization.get_user_org_role', AsyncMock(return_value=mock_member_role), ), patch( @@ -3675,7 +3686,7 @@ async def test_update_org_app_settings_set_null( with ( patch( - 'server.auth.authorization.get_user_org_role_async', + 'server.auth.authorization.get_user_org_role', AsyncMock(return_value=mock_member_role), ), patch( @@ -3708,7 +3719,7 @@ async def test_update_org_app_settings_invalid_max_budget( """ # Arrange with patch( - 'server.auth.authorization.get_user_org_role_async', + 'server.auth.authorization.get_user_org_role', AsyncMock(return_value=mock_member_role), ): client = TestClient(mock_app_with_get_user_id) @@ -3734,7 +3745,7 @@ async def test_update_org_app_settings_zero_max_budget( """ # Arrange with patch( - 'server.auth.authorization.get_user_org_role_async', + 'server.auth.authorization.get_user_org_role', AsyncMock(return_value=mock_member_role), ): client = TestClient(mock_app_with_get_user_id) @@ -3761,7 +3772,7 @@ async def test_update_org_app_settings_not_found( # Arrange with ( patch( - 'server.auth.authorization.get_user_org_role_async', + 'server.auth.authorization.get_user_org_role', AsyncMock(return_value=mock_member_role), ), patch( @@ -3794,7 +3805,7 @@ async def test_update_org_app_settings_database_error( # Arrange with ( patch( - 'server.auth.authorization.get_user_org_role_async', + 'server.auth.authorization.get_user_org_role', AsyncMock(return_value=mock_member_role), ), patch( @@ -3824,7 +3835,7 @@ async def test_update_org_app_settings_user_not_member(mock_app_with_get_user_id """ # Arrange - user has no role (not a member) with patch( - 'server.auth.authorization.get_user_org_role_async', + 'server.auth.authorization.get_user_org_role', AsyncMock(return_value=None), ): client = TestClient(mock_app_with_get_user_id) diff --git a/enterprise/tests/unit/server/services/test_org_member_service.py b/enterprise/tests/unit/server/services/test_org_member_service.py index f3f4aadc13..f992787b0c 100644 --- a/enterprise/tests/unit/server/services/test_org_member_service.py +++ b/enterprise/tests/unit/server/services/test_org_member_service.py @@ -150,7 +150,8 @@ class TestOrgMemberServiceGetOrgMembers: with ( patch( - 'server.services.org_member_service.OrgMemberStore.get_org_member' + 'server.services.org_member_service.OrgMemberStore.get_org_member', + new_callable=AsyncMock, ) as mock_get_member, patch( 'server.services.org_member_service.OrgMemberStore.get_org_members_paginated', @@ -188,7 +189,8 @@ class TestOrgMemberServiceGetOrgMembers: """Test that retrieval fails when user is not a member.""" # Arrange with patch( - 'server.services.org_member_service.OrgMemberStore.get_org_member' + 'server.services.org_member_service.OrgMemberStore.get_org_member', + new_callable=AsyncMock, ) as mock_get_member: mock_get_member.return_value = None @@ -212,7 +214,8 @@ class TestOrgMemberServiceGetOrgMembers: """Test that negative page_id returns error.""" # Arrange with patch( - 'server.services.org_member_service.OrgMemberStore.get_org_member' + 'server.services.org_member_service.OrgMemberStore.get_org_member', + new_callable=AsyncMock, ) as mock_get_member: mock_get_member.return_value = requester_membership_owner @@ -236,7 +239,8 @@ class TestOrgMemberServiceGetOrgMembers: """Test that non-integer page_id returns error.""" # Arrange with patch( - 'server.services.org_member_service.OrgMemberStore.get_org_member' + 'server.services.org_member_service.OrgMemberStore.get_org_member', + new_callable=AsyncMock, ) as mock_get_member: mock_get_member.return_value = requester_membership_owner @@ -261,7 +265,8 @@ class TestOrgMemberServiceGetOrgMembers: # Arrange with ( patch( - 'server.services.org_member_service.OrgMemberStore.get_org_member' + 'server.services.org_member_service.OrgMemberStore.get_org_member', + new_callable=AsyncMock, ) as mock_get_member, patch( 'server.services.org_member_service.OrgMemberStore.get_org_members_paginated', @@ -295,7 +300,8 @@ class TestOrgMemberServiceGetOrgMembers: # Arrange with ( patch( - 'server.services.org_member_service.OrgMemberStore.get_org_member' + 'server.services.org_member_service.OrgMemberStore.get_org_member', + new_callable=AsyncMock, ) as mock_get_member, patch( 'server.services.org_member_service.OrgMemberStore.get_org_members_paginated', @@ -329,7 +335,8 @@ class TestOrgMemberServiceGetOrgMembers: # Arrange with ( patch( - 'server.services.org_member_service.OrgMemberStore.get_org_member' + 'server.services.org_member_service.OrgMemberStore.get_org_member', + new_callable=AsyncMock, ) as mock_get_member, patch( 'server.services.org_member_service.OrgMemberStore.get_org_members_paginated', @@ -360,7 +367,8 @@ class TestOrgMemberServiceGetOrgMembers: # Arrange with ( patch( - 'server.services.org_member_service.OrgMemberStore.get_org_member' + 'server.services.org_member_service.OrgMemberStore.get_org_member', + new_callable=AsyncMock, ) as mock_get_member, patch( 'server.services.org_member_service.OrgMemberStore.get_org_members_paginated', @@ -399,7 +407,8 @@ class TestOrgMemberServiceGetOrgMembers: with ( patch( - 'server.services.org_member_service.OrgMemberStore.get_org_member' + 'server.services.org_member_service.OrgMemberStore.get_org_member', + new_callable=AsyncMock, ) as mock_get_member, patch( 'server.services.org_member_service.OrgMemberStore.get_org_members_paginated', @@ -439,7 +448,8 @@ class TestOrgMemberServiceGetOrgMembers: with ( patch( - 'server.services.org_member_service.OrgMemberStore.get_org_member' + 'server.services.org_member_service.OrgMemberStore.get_org_member', + new_callable=AsyncMock, ) as mock_get_member, patch( 'server.services.org_member_service.OrgMemberStore.get_org_members_paginated', @@ -488,7 +498,8 @@ class TestOrgMemberServiceGetOrgMembers: with ( patch( - 'server.services.org_member_service.OrgMemberStore.get_org_member' + 'server.services.org_member_service.OrgMemberStore.get_org_member', + new_callable=AsyncMock, ) as mock_get_member, patch( 'server.services.org_member_service.OrgMemberStore.get_org_members_paginated', @@ -519,7 +530,8 @@ class TestOrgMemberServiceGetOrgMembers: # Arrange with ( patch( - 'server.services.org_member_service.OrgMemberStore.get_org_member' + 'server.services.org_member_service.OrgMemberStore.get_org_member', + new_callable=AsyncMock, ) as mock_get_member, patch( 'server.services.org_member_service.OrgMemberStore.get_org_members_paginated', @@ -551,7 +563,8 @@ class TestOrgMemberServiceGetOrgMembers: # Arrange with ( patch( - 'server.services.org_member_service.OrgMemberStore.get_org_member' + 'server.services.org_member_service.OrgMemberStore.get_org_member', + new_callable=AsyncMock, ) as mock_get_member, patch( 'server.services.org_member_service.OrgMemberStore.get_org_members_paginated', @@ -596,7 +609,8 @@ class TestOrgMemberServiceGetOrgMembersCount: # Arrange with ( patch( - 'server.services.org_member_service.OrgMemberStore.get_org_member' + 'server.services.org_member_service.OrgMemberStore.get_org_member', + new_callable=AsyncMock, ) as mock_get_member, patch( 'server.services.org_member_service.OrgMemberStore.get_org_members_count', @@ -624,7 +638,8 @@ class TestOrgMemberServiceGetOrgMembersCount: # Arrange with ( patch( - 'server.services.org_member_service.OrgMemberStore.get_org_member' + 'server.services.org_member_service.OrgMemberStore.get_org_member', + new_callable=AsyncMock, ) as mock_get_member, patch( 'server.services.org_member_service.OrgMemberStore.get_org_members_count', @@ -650,7 +665,8 @@ class TestOrgMemberServiceGetOrgMembersCount: """Test that non-member raises OrgMemberNotFoundError.""" # Arrange with patch( - 'server.services.org_member_service.OrgMemberStore.get_org_member' + 'server.services.org_member_service.OrgMemberStore.get_org_member', + new_callable=AsyncMock, ) as mock_get_member: mock_get_member.return_value = None @@ -690,16 +706,20 @@ class TestOrgMemberServiceRemoveOrgMember: # Arrange with ( patch( - 'server.services.org_member_service.OrgMemberStore.get_org_member' + 'server.services.org_member_service.OrgMemberStore.get_org_member', + new_callable=AsyncMock, ) as mock_get_member, patch( - 'server.services.org_member_service.RoleStore.get_role_by_id' + 'server.services.org_member_service.RoleStore.get_role_by_id_async', + new_callable=AsyncMock, ) as mock_get_role, patch( - 'server.services.org_member_service.OrgMemberStore.remove_user_from_org' + 'server.services.org_member_service.OrgMemberStore.remove_user_from_org', + new_callable=AsyncMock, ) as mock_remove, patch( - 'server.services.org_member_service.UserStore.get_user_by_id' + 'server.services.org_member_service.UserStore.get_user_by_id_async', + new_callable=AsyncMock, ) as mock_get_user, ): mock_get_member.side_effect = [ @@ -735,16 +755,20 @@ class TestOrgMemberServiceRemoveOrgMember: # Arrange with ( patch( - 'server.services.org_member_service.OrgMemberStore.get_org_member' + 'server.services.org_member_service.OrgMemberStore.get_org_member', + new_callable=AsyncMock, ) as mock_get_member, patch( - 'server.services.org_member_service.RoleStore.get_role_by_id' + 'server.services.org_member_service.RoleStore.get_role_by_id_async', + new_callable=AsyncMock, ) as mock_get_role, patch( - 'server.services.org_member_service.OrgMemberStore.remove_user_from_org' + 'server.services.org_member_service.OrgMemberStore.remove_user_from_org', + new_callable=AsyncMock, ) as mock_remove, patch( - 'server.services.org_member_service.UserStore.get_user_by_id' + 'server.services.org_member_service.UserStore.get_user_by_id_async', + new_callable=AsyncMock, ) as mock_get_user, ): mock_get_member.side_effect = [ @@ -779,16 +803,20 @@ class TestOrgMemberServiceRemoveOrgMember: # Arrange with ( patch( - 'server.services.org_member_service.OrgMemberStore.get_org_member' + 'server.services.org_member_service.OrgMemberStore.get_org_member', + new_callable=AsyncMock, ) as mock_get_member, patch( - 'server.services.org_member_service.RoleStore.get_role_by_id' + 'server.services.org_member_service.RoleStore.get_role_by_id_async', + new_callable=AsyncMock, ) as mock_get_role, patch( - 'server.services.org_member_service.OrgMemberStore.remove_user_from_org' + 'server.services.org_member_service.OrgMemberStore.remove_user_from_org', + new_callable=AsyncMock, ) as mock_remove, patch( - 'server.services.org_member_service.UserStore.get_user_by_id' + 'server.services.org_member_service.UserStore.get_user_by_id_async', + new_callable=AsyncMock, ) as mock_get_user, ): mock_get_member.side_effect = [ @@ -815,7 +843,8 @@ class TestOrgMemberServiceRemoveOrgMember: """Test that removing fails when requester is not a member of the organization.""" # Arrange with patch( - 'server.services.org_member_service.OrgMemberStore.get_org_member' + 'server.services.org_member_service.OrgMemberStore.get_org_member', + new_callable=AsyncMock, ) as mock_get_member: mock_get_member.return_value = None @@ -835,7 +864,8 @@ class TestOrgMemberServiceRemoveOrgMember: """Test that removing fails when trying to remove oneself.""" # Arrange with patch( - 'server.services.org_member_service.OrgMemberStore.get_org_member' + 'server.services.org_member_service.OrgMemberStore.get_org_member', + new_callable=AsyncMock, ) as mock_get_member: mock_get_member.return_value = requester_membership_owner @@ -860,7 +890,8 @@ class TestOrgMemberServiceRemoveOrgMember: """Test that removing fails when target member is not found.""" # Arrange with patch( - 'server.services.org_member_service.OrgMemberStore.get_org_member' + 'server.services.org_member_service.OrgMemberStore.get_org_member', + new_callable=AsyncMock, ) as mock_get_member: mock_get_member.side_effect = [requester_membership_owner, None] @@ -887,10 +918,12 @@ class TestOrgMemberServiceRemoveOrgMember: # Arrange with ( patch( - 'server.services.org_member_service.OrgMemberStore.get_org_member' + 'server.services.org_member_service.OrgMemberStore.get_org_member', + new_callable=AsyncMock, ) as mock_get_member, patch( - 'server.services.org_member_service.RoleStore.get_role_by_id' + 'server.services.org_member_service.RoleStore.get_role_by_id_async', + new_callable=AsyncMock, ) as mock_get_role, ): mock_get_member.side_effect = [ @@ -922,16 +955,20 @@ class TestOrgMemberServiceRemoveOrgMember: # Arrange with ( patch( - 'server.services.org_member_service.OrgMemberStore.get_org_member' + 'server.services.org_member_service.OrgMemberStore.get_org_member', + new_callable=AsyncMock, ) as mock_get_member, patch( - 'server.services.org_member_service.RoleStore.get_role_by_id' + 'server.services.org_member_service.RoleStore.get_role_by_id_async', + new_callable=AsyncMock, ) as mock_get_role, patch( - 'server.services.org_member_service.OrgMemberStore.remove_user_from_org' + 'server.services.org_member_service.OrgMemberStore.remove_user_from_org', + new_callable=AsyncMock, ) as mock_remove, patch( - 'server.services.org_member_service.UserStore.get_user_by_id' + 'server.services.org_member_service.UserStore.get_user_by_id_async', + new_callable=AsyncMock, ) as mock_get_user, patch( 'server.services.org_member_service.LiteLlmManager.remove_user_from_team' @@ -970,10 +1007,12 @@ class TestOrgMemberServiceRemoveOrgMember: # Arrange with ( patch( - 'server.services.org_member_service.OrgMemberStore.get_org_member' + 'server.services.org_member_service.OrgMemberStore.get_org_member', + new_callable=AsyncMock, ) as mock_get_member, patch( - 'server.services.org_member_service.RoleStore.get_role_by_id' + 'server.services.org_member_service.RoleStore.get_role_by_id_async', + new_callable=AsyncMock, ) as mock_get_role, ): mock_get_member.side_effect = [ @@ -1010,10 +1049,12 @@ class TestOrgMemberServiceRemoveOrgMember: with ( patch( - 'server.services.org_member_service.OrgMemberStore.get_org_member' + 'server.services.org_member_service.OrgMemberStore.get_org_member', + new_callable=AsyncMock, ) as mock_get_member, patch( - 'server.services.org_member_service.RoleStore.get_role_by_id' + 'server.services.org_member_service.RoleStore.get_role_by_id_async', + new_callable=AsyncMock, ) as mock_get_role, ): mock_get_member.side_effect = [ @@ -1045,13 +1086,16 @@ class TestOrgMemberServiceRemoveOrgMember: # Arrange with ( patch( - 'server.services.org_member_service.OrgMemberStore.get_org_member' + 'server.services.org_member_service.OrgMemberStore.get_org_member', + new_callable=AsyncMock, ) as mock_get_member, patch( - 'server.services.org_member_service.RoleStore.get_role_by_id' + 'server.services.org_member_service.RoleStore.get_role_by_id_async', + new_callable=AsyncMock, ) as mock_get_role, patch( - 'server.services.org_member_service.OrgMemberStore.get_org_members' + 'server.services.org_member_service.OrgMemberStore.get_org_members', + new_callable=AsyncMock, ) as mock_get_members, ): mock_get_member.side_effect = [ @@ -1089,19 +1133,24 @@ class TestOrgMemberServiceRemoveOrgMember: with ( patch( - 'server.services.org_member_service.OrgMemberStore.get_org_member' + 'server.services.org_member_service.OrgMemberStore.get_org_member', + new_callable=AsyncMock, ) as mock_get_member, patch( - 'server.services.org_member_service.RoleStore.get_role_by_id' + 'server.services.org_member_service.RoleStore.get_role_by_id_async', + new_callable=AsyncMock, ) as mock_get_role, patch( - 'server.services.org_member_service.OrgMemberStore.get_org_members' + 'server.services.org_member_service.OrgMemberStore.get_org_members', + new_callable=AsyncMock, ) as mock_get_members, patch( - 'server.services.org_member_service.OrgMemberStore.remove_user_from_org' + 'server.services.org_member_service.OrgMemberStore.remove_user_from_org', + new_callable=AsyncMock, ) as mock_remove, patch( - 'server.services.org_member_service.UserStore.get_user_by_id' + 'server.services.org_member_service.UserStore.get_user_by_id_async', + new_callable=AsyncMock, ) as mock_get_user, ): mock_get_member.side_effect = [ @@ -1142,13 +1191,16 @@ class TestOrgMemberServiceRemoveOrgMember: # Arrange with ( patch( - 'server.services.org_member_service.OrgMemberStore.get_org_member' + 'server.services.org_member_service.OrgMemberStore.get_org_member', + new_callable=AsyncMock, ) as mock_get_member, patch( - 'server.services.org_member_service.RoleStore.get_role_by_id' + 'server.services.org_member_service.RoleStore.get_role_by_id_async', + new_callable=AsyncMock, ) as mock_get_role, patch( - 'server.services.org_member_service.OrgMemberStore.remove_user_from_org' + 'server.services.org_member_service.OrgMemberStore.remove_user_from_org', + new_callable=AsyncMock, ) as mock_remove, ): mock_get_member.side_effect = [ @@ -1187,16 +1239,20 @@ class TestOrgMemberServiceRemoveOrgMember: with ( patch( - 'server.services.org_member_service.OrgMemberStore.get_org_member' + 'server.services.org_member_service.OrgMemberStore.get_org_member', + new_callable=AsyncMock, ) as mock_get_member, patch( - 'server.services.org_member_service.RoleStore.get_role_by_id' + 'server.services.org_member_service.RoleStore.get_role_by_id_async', + new_callable=AsyncMock, ) as mock_get_role, patch( - 'server.services.org_member_service.OrgMemberStore.remove_user_from_org' + 'server.services.org_member_service.OrgMemberStore.remove_user_from_org', + new_callable=AsyncMock, ) as mock_remove, patch( - 'server.services.org_member_service.UserStore.get_user_by_id' + 'server.services.org_member_service.UserStore.get_user_by_id_async', + new_callable=AsyncMock, ) as mock_get_user, patch( 'server.services.org_member_service.UserStore.update_current_org' @@ -1239,16 +1295,20 @@ class TestOrgMemberServiceRemoveOrgMember: with ( patch( - 'server.services.org_member_service.OrgMemberStore.get_org_member' + 'server.services.org_member_service.OrgMemberStore.get_org_member', + new_callable=AsyncMock, ) as mock_get_member, patch( - 'server.services.org_member_service.RoleStore.get_role_by_id' + 'server.services.org_member_service.RoleStore.get_role_by_id_async', + new_callable=AsyncMock, ) as mock_get_role, patch( - 'server.services.org_member_service.OrgMemberStore.remove_user_from_org' + 'server.services.org_member_service.OrgMemberStore.remove_user_from_org', + new_callable=AsyncMock, ) as mock_remove, patch( - 'server.services.org_member_service.UserStore.get_user_by_id' + 'server.services.org_member_service.UserStore.get_user_by_id_async', + new_callable=AsyncMock, ) as mock_get_user, patch( 'server.services.org_member_service.UserStore.update_current_org' @@ -1287,16 +1347,20 @@ class TestOrgMemberServiceRemoveOrgMember: # Arrange with ( patch( - 'server.services.org_member_service.OrgMemberStore.get_org_member' + 'server.services.org_member_service.OrgMemberStore.get_org_member', + new_callable=AsyncMock, ) as mock_get_member, patch( - 'server.services.org_member_service.RoleStore.get_role_by_id' + 'server.services.org_member_service.RoleStore.get_role_by_id_async', + new_callable=AsyncMock, ) as mock_get_role, patch( - 'server.services.org_member_service.OrgMemberStore.remove_user_from_org' + 'server.services.org_member_service.OrgMemberStore.remove_user_from_org', + new_callable=AsyncMock, ) as mock_remove, patch( - 'server.services.org_member_service.UserStore.get_user_by_id' + 'server.services.org_member_service.UserStore.get_user_by_id_async', + new_callable=AsyncMock, ) as mock_get_user, patch( 'server.services.org_member_service.UserStore.update_current_org' @@ -1335,16 +1399,20 @@ class TestOrgMemberServiceRemoveOrgMember: # Arrange with ( patch( - 'server.services.org_member_service.OrgMemberStore.get_org_member' + 'server.services.org_member_service.OrgMemberStore.get_org_member', + new_callable=AsyncMock, ) as mock_get_member, patch( - 'server.services.org_member_service.RoleStore.get_role_by_id' + 'server.services.org_member_service.RoleStore.get_role_by_id_async', + new_callable=AsyncMock, ) as mock_get_role, patch( - 'server.services.org_member_service.OrgMemberStore.remove_user_from_org' + 'server.services.org_member_service.OrgMemberStore.remove_user_from_org', + new_callable=AsyncMock, ) as mock_remove, patch( - 'server.services.org_member_service.UserStore.get_user_by_id' + 'server.services.org_member_service.UserStore.get_user_by_id_async', + new_callable=AsyncMock, ) as mock_get_user, patch( 'server.services.org_member_service.LiteLlmManager.remove_user_from_team', @@ -1385,16 +1453,20 @@ class TestOrgMemberServiceRemoveOrgMember: # Arrange with ( patch( - 'server.services.org_member_service.OrgMemberStore.get_org_member' + 'server.services.org_member_service.OrgMemberStore.get_org_member', + new_callable=AsyncMock, ) as mock_get_member, patch( - 'server.services.org_member_service.RoleStore.get_role_by_id' + 'server.services.org_member_service.RoleStore.get_role_by_id_async', + new_callable=AsyncMock, ) as mock_get_role, patch( - 'server.services.org_member_service.OrgMemberStore.remove_user_from_org' + 'server.services.org_member_service.OrgMemberStore.remove_user_from_org', + new_callable=AsyncMock, ) as mock_remove, patch( - 'server.services.org_member_service.UserStore.get_user_by_id' + 'server.services.org_member_service.UserStore.get_user_by_id_async', + new_callable=AsyncMock, ) as mock_get_user, patch( 'server.services.org_member_service.LiteLlmManager.remove_user_from_team', @@ -1434,13 +1506,16 @@ class TestOrgMemberServiceRemoveOrgMember: # Arrange with ( patch( - 'server.services.org_member_service.OrgMemberStore.get_org_member' + 'server.services.org_member_service.OrgMemberStore.get_org_member', + new_callable=AsyncMock, ) as mock_get_member, patch( - 'server.services.org_member_service.RoleStore.get_role_by_id' + 'server.services.org_member_service.RoleStore.get_role_by_id_async', + new_callable=AsyncMock, ) as mock_get_role, patch( - 'server.services.org_member_service.OrgMemberStore.remove_user_from_org' + 'server.services.org_member_service.OrgMemberStore.remove_user_from_org', + new_callable=AsyncMock, ) as mock_remove, patch( 'server.services.org_member_service.LiteLlmManager.remove_user_from_team', @@ -1541,19 +1616,24 @@ class TestOrgMemberServiceUpdateOrgMember: mock_user.email = 'target@example.com' with ( patch( - 'server.services.org_member_service.OrgMemberStore.get_org_member' + 'server.services.org_member_service.OrgMemberStore.get_org_member', + new_callable=AsyncMock, ) as mock_get_member, patch( - 'server.services.org_member_service.RoleStore.get_role_by_id' + 'server.services.org_member_service.RoleStore.get_role_by_id_async', + new_callable=AsyncMock, ) as mock_get_role, patch( - 'server.services.org_member_service.RoleStore.get_role_by_name' + 'server.services.org_member_service.RoleStore.get_role_by_name_async', + new_callable=AsyncMock, ) as mock_get_role_by_name, patch( - 'server.services.org_member_service.OrgMemberStore.update_user_role_in_org' + 'server.services.org_member_service.OrgMemberStore.update_user_role_in_org', + new_callable=AsyncMock, ) as mock_update, patch( - 'server.services.org_member_service.UserStore.get_user_by_id' + 'server.services.org_member_service.UserStore.get_user_by_id_async', + new_callable=AsyncMock, ) as mock_get_user, ): mock_get_member.side_effect = [ @@ -1597,19 +1677,24 @@ class TestOrgMemberServiceUpdateOrgMember: mock_user.email = 'target@example.com' with ( patch( - 'server.services.org_member_service.OrgMemberStore.get_org_member' + 'server.services.org_member_service.OrgMemberStore.get_org_member', + new_callable=AsyncMock, ) as mock_get_member, patch( - 'server.services.org_member_service.RoleStore.get_role_by_id' + 'server.services.org_member_service.RoleStore.get_role_by_id_async', + new_callable=AsyncMock, ) as mock_get_role, patch( - 'server.services.org_member_service.RoleStore.get_role_by_name' + 'server.services.org_member_service.RoleStore.get_role_by_name_async', + new_callable=AsyncMock, ) as mock_get_role_by_name, patch( - 'server.services.org_member_service.OrgMemberStore.update_user_role_in_org' + 'server.services.org_member_service.OrgMemberStore.update_user_role_in_org', + new_callable=AsyncMock, ) as mock_update, patch( - 'server.services.org_member_service.UserStore.get_user_by_id' + 'server.services.org_member_service.UserStore.get_user_by_id_async', + new_callable=AsyncMock, ) as mock_get_user, ): mock_get_member.side_effect = [ @@ -1651,19 +1736,24 @@ class TestOrgMemberServiceUpdateOrgMember: mock_user.email = 'target@example.com' with ( patch( - 'server.services.org_member_service.OrgMemberStore.get_org_member' + 'server.services.org_member_service.OrgMemberStore.get_org_member', + new_callable=AsyncMock, ) as mock_get_member, patch( - 'server.services.org_member_service.RoleStore.get_role_by_id' + 'server.services.org_member_service.RoleStore.get_role_by_id_async', + new_callable=AsyncMock, ) as mock_get_role, patch( - 'server.services.org_member_service.RoleStore.get_role_by_name' + 'server.services.org_member_service.RoleStore.get_role_by_name_async', + new_callable=AsyncMock, ) as mock_get_role_by_name, patch( - 'server.services.org_member_service.OrgMemberStore.update_user_role_in_org' + 'server.services.org_member_service.OrgMemberStore.update_user_role_in_org', + new_callable=AsyncMock, ) as mock_update, patch( - 'server.services.org_member_service.UserStore.get_user_by_id' + 'server.services.org_member_service.UserStore.get_user_by_id_async', + new_callable=AsyncMock, ) as mock_get_user, ): mock_get_member.side_effect = [ @@ -1709,21 +1799,31 @@ class TestOrgMemberServiceUpdateOrgMember: mock_user.email = 'target@example.com' with ( patch( - 'server.services.org_member_service.OrgMemberStore.get_org_member' + 'server.services.org_member_service.OrgMemberStore.get_org_member', + new_callable=AsyncMock, ) as mock_get_member, patch( - 'server.services.org_member_service.RoleStore.get_role_by_id' + 'server.services.org_member_service.RoleStore.get_role_by_id_async', + new_callable=AsyncMock, ) as mock_get_role, patch( - 'server.services.org_member_service.RoleStore.get_role_by_name' + 'server.services.org_member_service.RoleStore.get_role_by_name_async', + new_callable=AsyncMock, ) as mock_get_role_by_name, patch( - 'server.services.org_member_service.OrgMemberStore.update_user_role_in_org' + 'server.services.org_member_service.OrgMemberStore.update_user_role_in_org', + new_callable=AsyncMock, ) as mock_update, patch( - 'server.services.org_member_service.UserStore.get_user_by_id' + 'server.services.org_member_service.UserStore.get_user_by_id_async', + new_callable=AsyncMock, ) as mock_get_user, - patch.object(OrgMemberService, '_is_last_owner', return_value=False), + patch.object( + OrgMemberService, + '_is_last_owner', + new_callable=AsyncMock, + return_value=False, + ), ): mock_get_member.side_effect = [ requester_membership_owner, @@ -1754,7 +1854,8 @@ class TestOrgMemberServiceUpdateOrgMember: """GIVEN requester not in org WHEN update_org_member THEN raises OrgMemberNotFoundError.""" # Arrange with patch( - 'server.services.org_member_service.OrgMemberStore.get_org_member' + 'server.services.org_member_service.OrgMemberStore.get_org_member', + new_callable=AsyncMock, ) as mock_get_member: mock_get_member.return_value = None @@ -1774,7 +1875,8 @@ class TestOrgMemberServiceUpdateOrgMember: """GIVEN requester updates self WHEN update_org_member THEN raises CannotModifySelfError.""" # Arrange with patch( - 'server.services.org_member_service.OrgMemberStore.get_org_member' + 'server.services.org_member_service.OrgMemberStore.get_org_member', + new_callable=AsyncMock, ) as mock_get_member: mock_get_member.return_value = requester_membership_owner @@ -1799,7 +1901,8 @@ class TestOrgMemberServiceUpdateOrgMember: """GIVEN target not in org WHEN update_org_member THEN raises OrgMemberNotFoundError.""" # Arrange with patch( - 'server.services.org_member_service.OrgMemberStore.get_org_member' + 'server.services.org_member_service.OrgMemberStore.get_org_member', + new_callable=AsyncMock, ) as mock_get_member: mock_get_member.side_effect = [requester_membership_owner, None] @@ -1827,13 +1930,16 @@ class TestOrgMemberServiceUpdateOrgMember: # Arrange with ( patch( - 'server.services.org_member_service.OrgMemberStore.get_org_member' + 'server.services.org_member_service.OrgMemberStore.get_org_member', + new_callable=AsyncMock, ) as mock_get_member, patch( - 'server.services.org_member_service.RoleStore.get_role_by_id' + 'server.services.org_member_service.RoleStore.get_role_by_id_async', + new_callable=AsyncMock, ) as mock_get_role, patch( - 'server.services.org_member_service.RoleStore.get_role_by_name' + 'server.services.org_member_service.RoleStore.get_role_by_name_async', + new_callable=AsyncMock, ) as mock_get_role_by_name, ): mock_get_member.side_effect = [ @@ -1867,19 +1973,23 @@ class TestOrgMemberServiceUpdateOrgMember: # Arrange: patch _can_update_member_role so we reach the last-owner check (owner cannot normally modify owner) with ( patch( - 'server.services.org_member_service.OrgMemberStore.get_org_member' + 'server.services.org_member_service.OrgMemberStore.get_org_member', + new_callable=AsyncMock, ) as mock_get_member, patch( - 'server.services.org_member_service.RoleStore.get_role_by_id' + 'server.services.org_member_service.RoleStore.get_role_by_id_async', + new_callable=AsyncMock, ) as mock_get_role, patch( - 'server.services.org_member_service.RoleStore.get_role_by_name' + 'server.services.org_member_service.RoleStore.get_role_by_name_async', + new_callable=AsyncMock, ) as mock_get_role_by_name, patch( 'server.services.org_member_service.OrgMemberService._can_update_member_role' ) as mock_can_update, patch( - 'server.services.org_member_service.OrgMemberService._is_last_owner' + 'server.services.org_member_service.OrgMemberService._is_last_owner', + new_callable=AsyncMock, ) as mock_is_last_owner, ): mock_get_member.side_effect = [ @@ -1918,13 +2028,16 @@ class TestOrgMemberServiceUpdateOrgMember: target_membership_user.status = 'active' with ( patch( - 'server.services.org_member_service.OrgMemberStore.get_org_member' + 'server.services.org_member_service.OrgMemberStore.get_org_member', + new_callable=AsyncMock, ) as mock_get_member, patch( - 'server.services.org_member_service.RoleStore.get_role_by_id' + 'server.services.org_member_service.RoleStore.get_role_by_id_async', + new_callable=AsyncMock, ) as mock_get_role, patch( - 'server.services.org_member_service.UserStore.get_user_by_id' + 'server.services.org_member_service.UserStore.get_user_by_id_async', + new_callable=AsyncMock, ) as mock_get_user, ): mock_get_member.side_effect = [ @@ -2006,7 +2119,7 @@ class TestOrgMemberServiceCanUpdateMemberRole: class TestOrgMemberServiceIsLastOwner: """Test cases for OrgMemberService._is_last_owner.""" - def test_is_last_owner_when_only_one_owner( + async def test_is_last_owner_when_only_one_owner( self, org_id, target_user_id, owner_role ): """Test that returns True when user is the only owner.""" @@ -2017,22 +2130,24 @@ class TestOrgMemberServiceIsLastOwner: with ( patch( - 'server.services.org_member_service.OrgMemberStore.get_org_members' + 'server.services.org_member_service.OrgMemberStore.get_org_members', + new_callable=AsyncMock, ) as mock_get_members, patch( - 'server.services.org_member_service.RoleStore.get_role_by_id' + 'server.services.org_member_service.RoleStore.get_role_by_id_async', + new_callable=AsyncMock, ) as mock_get_role, ): mock_get_members.return_value = [target_membership] mock_get_role.return_value = owner_role # Act - result = OrgMemberService._is_last_owner(org_id, target_user_id) + result = await OrgMemberService._is_last_owner(org_id, target_user_id) # Assert assert result is True - def test_is_not_last_owner_when_multiple_owners( + async def test_is_not_last_owner_when_multiple_owners( self, org_id, target_user_id, owner_role ): """Test that returns False when there are multiple owners.""" @@ -2047,22 +2162,24 @@ class TestOrgMemberServiceIsLastOwner: with ( patch( - 'server.services.org_member_service.OrgMemberStore.get_org_members' + 'server.services.org_member_service.OrgMemberStore.get_org_members', + new_callable=AsyncMock, ) as mock_get_members, patch( - 'server.services.org_member_service.RoleStore.get_role_by_id' + 'server.services.org_member_service.RoleStore.get_role_by_id_async', + new_callable=AsyncMock, ) as mock_get_role, ): mock_get_members.return_value = [target_membership, another_owner] mock_get_role.return_value = owner_role # Act - result = OrgMemberService._is_last_owner(org_id, target_user_id) + result = await OrgMemberService._is_last_owner(org_id, target_user_id) # Assert assert result is False - def test_is_not_last_owner_when_user_is_not_owner( + async def test_is_not_last_owner_when_user_is_not_owner( self, org_id, target_user_id, member_role ): """Test that returns False when user is not an owner.""" @@ -2073,17 +2190,19 @@ class TestOrgMemberServiceIsLastOwner: with ( patch( - 'server.services.org_member_service.OrgMemberStore.get_org_members' + 'server.services.org_member_service.OrgMemberStore.get_org_members', + new_callable=AsyncMock, ) as mock_get_members, patch( - 'server.services.org_member_service.RoleStore.get_role_by_id' + 'server.services.org_member_service.RoleStore.get_role_by_id_async', + new_callable=AsyncMock, ) as mock_get_role, ): mock_get_members.return_value = [target_membership] mock_get_role.return_value = member_role # Act - result = OrgMemberService._is_last_owner(org_id, target_user_id) + result = await OrgMemberService._is_last_owner(org_id, target_user_id) # Assert assert result is False @@ -2115,7 +2234,8 @@ class TestOrgMemberServiceGetMe: user.email = 'test@example.com' return user - def test_get_me_success_returns_me_response( + @pytest.mark.asyncio + async def test_get_me_success_returns_me_response( self, org_id, current_user_id, mock_org_member, mock_user, owner_role ): """GIVEN: User is a member of the organization @@ -2125,13 +2245,16 @@ class TestOrgMemberServiceGetMe: # Arrange with ( patch( - 'server.services.org_member_service.OrgMemberStore.get_org_member' + 'server.services.org_member_service.OrgMemberStore.get_org_member', + new_callable=AsyncMock, ) as mock_get_member, patch( - 'server.services.org_member_service.RoleStore.get_role_by_id' + 'server.services.org_member_service.RoleStore.get_role_by_id_async', + new_callable=AsyncMock, ) as mock_get_role, patch( - 'server.services.org_member_service.UserStore.get_user_by_id' + 'server.services.org_member_service.UserStore.get_user_by_id_async', + new_callable=AsyncMock, ) as mock_get_user, ): mock_get_member.return_value = mock_org_member @@ -2139,7 +2262,7 @@ class TestOrgMemberServiceGetMe: mock_get_user.return_value = mock_user # Act - result = OrgMemberService.get_me(org_id, current_user_id) + result = await OrgMemberService.get_me(org_id, current_user_id) # Assert assert isinstance(result, MeResponse) @@ -2151,24 +2274,27 @@ class TestOrgMemberServiceGetMe: assert result.max_iterations == 50 assert result.status == 'active' - def test_get_me_member_not_found_raises_error(self, org_id, current_user_id): + @pytest.mark.asyncio + async def test_get_me_member_not_found_raises_error(self, org_id, current_user_id): """GIVEN: User is not a member of the organization WHEN: get_me is called THEN: Raises OrgMemberNotFoundError """ # Arrange with patch( - 'server.services.org_member_service.OrgMemberStore.get_org_member' + 'server.services.org_member_service.OrgMemberStore.get_org_member', + new_callable=AsyncMock, ) as mock_get_member: mock_get_member.return_value = None # Act & Assert with pytest.raises(OrgMemberNotFoundError) as exc_info: - OrgMemberService.get_me(org_id, current_user_id) + await OrgMemberService.get_me(org_id, current_user_id) assert str(org_id) in str(exc_info.value) - def test_get_me_role_not_found_raises_error( + @pytest.mark.asyncio + async def test_get_me_role_not_found_raises_error( self, org_id, current_user_id, mock_org_member ): """GIVEN: Member exists but role lookup fails @@ -2178,10 +2304,12 @@ class TestOrgMemberServiceGetMe: # Arrange with ( patch( - 'server.services.org_member_service.OrgMemberStore.get_org_member' + 'server.services.org_member_service.OrgMemberStore.get_org_member', + new_callable=AsyncMock, ) as mock_get_member, patch( - 'server.services.org_member_service.RoleStore.get_role_by_id' + 'server.services.org_member_service.RoleStore.get_role_by_id_async', + new_callable=AsyncMock, ) as mock_get_role, ): mock_get_member.return_value = mock_org_member @@ -2189,11 +2317,12 @@ class TestOrgMemberServiceGetMe: # Act & Assert with pytest.raises(RoleNotFoundError) as exc_info: - OrgMemberService.get_me(org_id, current_user_id) + await OrgMemberService.get_me(org_id, current_user_id) assert exc_info.value.role_id == mock_org_member.role_id - def test_get_me_user_not_found_returns_empty_email( + @pytest.mark.asyncio + async def test_get_me_user_not_found_returns_empty_email( self, org_id, current_user_id, mock_org_member, owner_role ): """GIVEN: Member exists but user lookup returns None @@ -2203,13 +2332,16 @@ class TestOrgMemberServiceGetMe: # Arrange with ( patch( - 'server.services.org_member_service.OrgMemberStore.get_org_member' + 'server.services.org_member_service.OrgMemberStore.get_org_member', + new_callable=AsyncMock, ) as mock_get_member, patch( - 'server.services.org_member_service.RoleStore.get_role_by_id' + 'server.services.org_member_service.RoleStore.get_role_by_id_async', + new_callable=AsyncMock, ) as mock_get_role, patch( - 'server.services.org_member_service.UserStore.get_user_by_id' + 'server.services.org_member_service.UserStore.get_user_by_id_async', + new_callable=AsyncMock, ) as mock_get_user, ): mock_get_member.return_value = mock_org_member @@ -2217,7 +2349,7 @@ class TestOrgMemberServiceGetMe: mock_get_user.return_value = None # Act - result = OrgMemberService.get_me(org_id, current_user_id) + result = await OrgMemberService.get_me(org_id, current_user_id) # Assert assert result.email == '' diff --git a/enterprise/tests/unit/test_authorization.py b/enterprise/tests/unit/test_authorization.py index 237f34c6f3..748389d178 100644 --- a/enterprise/tests/unit/test_authorization.py +++ b/enterprise/tests/unit/test_authorization.py @@ -336,7 +336,8 @@ class TestHasPermission: class TestGetUserOrgRole: """Tests for get_user_org_role function.""" - def test_returns_role_when_member_exists(self): + @pytest.mark.asyncio + async def test_returns_role_when_member_exists(self): """ GIVEN: User is a member of organization with role WHEN: get_user_org_role is called @@ -354,17 +355,20 @@ class TestGetUserOrgRole: with ( patch( 'server.auth.authorization.OrgMemberStore.get_org_member', + new_callable=AsyncMock, return_value=mock_org_member, ), patch( - 'server.auth.authorization.RoleStore.get_role_by_id', + 'server.auth.authorization.RoleStore.get_role_by_id_async', + new_callable=AsyncMock, return_value=mock_role, ), ): - result = get_user_org_role(user_id, org_id) + result = await get_user_org_role(user_id, org_id) assert result == mock_role - def test_returns_none_when_not_member(self): + @pytest.mark.asyncio + async def test_returns_none_when_not_member(self): """ GIVEN: User is not a member of organization WHEN: get_user_org_role is called @@ -375,12 +379,14 @@ class TestGetUserOrgRole: with patch( 'server.auth.authorization.OrgMemberStore.get_org_member', + new_callable=AsyncMock, return_value=None, ): - result = get_user_org_role(user_id, org_id) + result = await get_user_org_role(user_id, org_id) assert result is None - def test_returns_role_when_org_id_is_none(self): + @pytest.mark.asyncio + async def test_returns_role_when_org_id_is_none(self): """ GIVEN: User with a current organization WHEN: get_user_org_role is called with org_id=None @@ -397,22 +403,26 @@ class TestGetUserOrgRole: with ( patch( 'server.auth.authorization.OrgMemberStore.get_org_member_for_current_org', + new_callable=AsyncMock, return_value=mock_org_member, ) as mock_get_current, patch( 'server.auth.authorization.OrgMemberStore.get_org_member', + new_callable=AsyncMock, ) as mock_get_org_member, patch( - 'server.auth.authorization.RoleStore.get_role_by_id', + 'server.auth.authorization.RoleStore.get_role_by_id_async', + new_callable=AsyncMock, return_value=mock_role, ), ): - result = get_user_org_role(user_id, None) + result = await get_user_org_role(user_id, None) assert result == mock_role mock_get_current.assert_called_once() mock_get_org_member.assert_not_called() - def test_returns_none_when_org_id_is_none_and_no_current_org(self): + @pytest.mark.asyncio + async def test_returns_none_when_org_id_is_none_and_no_current_org(self): """ GIVEN: User with no current organization membership WHEN: get_user_org_role is called with org_id=None @@ -422,9 +432,10 @@ class TestGetUserOrgRole: with patch( 'server.auth.authorization.OrgMemberStore.get_org_member_for_current_org', + new_callable=AsyncMock, return_value=None, ): - result = get_user_org_role(user_id, None) + result = await get_user_org_role(user_id, None) assert result is None @@ -450,7 +461,7 @@ class TestRequirePermission: mock_role.name = 'admin' with patch( - 'server.auth.authorization.get_user_org_role_async', + 'server.auth.authorization.get_user_org_role', AsyncMock(return_value=mock_role), ): permission_checker = require_permission(Permission.VIEW_LLM_SETTINGS) @@ -484,7 +495,7 @@ class TestRequirePermission: org_id = uuid4() with patch( - 'server.auth.authorization.get_user_org_role_async', + 'server.auth.authorization.get_user_org_role', AsyncMock(return_value=None), ): permission_checker = require_permission(Permission.VIEW_LLM_SETTINGS) @@ -508,7 +519,7 @@ class TestRequirePermission: mock_role.name = 'member' with patch( - 'server.auth.authorization.get_user_org_role_async', + 'server.auth.authorization.get_user_org_role', AsyncMock(return_value=mock_role), ): permission_checker = require_permission(Permission.DELETE_ORGANIZATION) @@ -532,7 +543,7 @@ class TestRequirePermission: mock_role.name = 'owner' with patch( - 'server.auth.authorization.get_user_org_role_async', + 'server.auth.authorization.get_user_org_role', AsyncMock(return_value=mock_role), ): permission_checker = require_permission(Permission.DELETE_ORGANIZATION) @@ -553,7 +564,7 @@ class TestRequirePermission: mock_role.name = 'admin' with patch( - 'server.auth.authorization.get_user_org_role_async', + 'server.auth.authorization.get_user_org_role', AsyncMock(return_value=mock_role), ): permission_checker = require_permission(Permission.DELETE_ORGANIZATION) @@ -577,7 +588,7 @@ class TestRequirePermission: with ( patch( - 'server.auth.authorization.get_user_org_role_async', + 'server.auth.authorization.get_user_org_role', AsyncMock(return_value=mock_role), ), patch('server.auth.authorization.logger') as mock_logger, @@ -605,7 +616,7 @@ class TestRequirePermission: mock_role.name = 'admin' with patch( - 'server.auth.authorization.get_user_org_role_async', + 'server.auth.authorization.get_user_org_role', AsyncMock(return_value=mock_role), ) as mock_get_role: permission_checker = require_permission(Permission.VIEW_LLM_SETTINGS) @@ -623,7 +634,7 @@ class TestRequirePermission: user_id = str(uuid4()) with patch( - 'server.auth.authorization.get_user_org_role_async', + 'server.auth.authorization.get_user_org_role', AsyncMock(return_value=None), ): permission_checker = require_permission(Permission.VIEW_LLM_SETTINGS) @@ -656,7 +667,7 @@ class TestPermissionScenarios: mock_role.name = 'member' with patch( - 'server.auth.authorization.get_user_org_role_async', + 'server.auth.authorization.get_user_org_role', AsyncMock(return_value=mock_role), ): permission_checker = require_permission(Permission.MANAGE_SECRETS) @@ -677,7 +688,7 @@ class TestPermissionScenarios: mock_role.name = 'member' with patch( - 'server.auth.authorization.get_user_org_role_async', + 'server.auth.authorization.get_user_org_role', AsyncMock(return_value=mock_role), ): permission_checker = require_permission( @@ -702,7 +713,7 @@ class TestPermissionScenarios: mock_role.name = 'admin' with patch( - 'server.auth.authorization.get_user_org_role_async', + 'server.auth.authorization.get_user_org_role', AsyncMock(return_value=mock_role), ): permission_checker = require_permission( @@ -725,7 +736,7 @@ class TestPermissionScenarios: mock_role.name = 'admin' with patch( - 'server.auth.authorization.get_user_org_role_async', + 'server.auth.authorization.get_user_org_role', AsyncMock(return_value=mock_role), ): permission_checker = require_permission(Permission.CHANGE_USER_ROLE_OWNER) @@ -748,7 +759,7 @@ class TestPermissionScenarios: mock_role.name = 'owner' with patch( - 'server.auth.authorization.get_user_org_role_async', + 'server.auth.authorization.get_user_org_role', AsyncMock(return_value=mock_role), ): permission_checker = require_permission(Permission.CHANGE_USER_ROLE_OWNER) diff --git a/enterprise/tests/unit/test_org_invitation_service.py b/enterprise/tests/unit/test_org_invitation_service.py index 06c0d258ed..822fd5c5a6 100644 --- a/enterprise/tests/unit/test_org_invitation_service.py +++ b/enterprise/tests/unit/test_org_invitation_service.py @@ -113,14 +113,16 @@ class TestAcceptInvitationEmailValidation: 'server.services.org_invitation_service.TokenManager' ) as mock_token_manager_class, patch( - 'server.services.org_invitation_service.OrgMemberStore.get_org_member' + 'server.services.org_invitation_service.OrgMemberStore.get_org_member', + new_callable=AsyncMock, ) as mock_get_member, patch( 'server.services.org_invitation_service.OrgService.create_litellm_integration', new_callable=AsyncMock, ) as mock_create_litellm, patch( - 'server.services.org_invitation_service.OrgMemberStore.add_user_to_org' + 'server.services.org_invitation_service.OrgMemberStore.add_user_to_org', + new_callable=AsyncMock, ), patch( 'server.services.org_invitation_service.OrgInvitationStore.update_invitation_status', @@ -222,14 +224,16 @@ class TestAcceptInvitationEmailValidation: new_callable=AsyncMock, ) as mock_get_user, patch( - 'server.services.org_invitation_service.OrgMemberStore.get_org_member' + 'server.services.org_invitation_service.OrgMemberStore.get_org_member', + new_callable=AsyncMock, ) as mock_get_member, patch( 'server.services.org_invitation_service.OrgService.create_litellm_integration', new_callable=AsyncMock, ) as mock_create_litellm, patch( - 'server.services.org_invitation_service.OrgMemberStore.add_user_to_org' + 'server.services.org_invitation_service.OrgMemberStore.add_user_to_org', + new_callable=AsyncMock, ), patch( 'server.services.org_invitation_service.OrgInvitationStore.update_invitation_status', @@ -323,11 +327,13 @@ class TestCreateInvitationsBatch: return_value=mock_inviter_member, ), patch( - 'server.services.org_invitation_service.RoleStore.get_role_by_id', + 'server.services.org_invitation_service.RoleStore.get_role_by_id_async', + new_callable=AsyncMock, return_value=mock_owner_role, ), patch( - 'server.services.org_invitation_service.RoleStore.get_role_by_name', + 'server.services.org_invitation_service.RoleStore.get_role_by_name_async', + new_callable=AsyncMock, return_value=mock_member_role, ), patch.object( @@ -377,11 +383,13 @@ class TestCreateInvitationsBatch: return_value=mock_inviter_member, ), patch( - 'server.services.org_invitation_service.RoleStore.get_role_by_id', + 'server.services.org_invitation_service.RoleStore.get_role_by_id_async', + new_callable=AsyncMock, return_value=mock_owner_role, ), patch( - 'server.services.org_invitation_service.RoleStore.get_role_by_name', + 'server.services.org_invitation_service.RoleStore.get_role_by_name_async', + new_callable=AsyncMock, return_value=mock_member_role, ), patch.object( @@ -444,11 +452,13 @@ class TestCreateInvitationsBatch: return_value=mock_inviter_member, ), patch( - 'server.services.org_invitation_service.RoleStore.get_role_by_id', + 'server.services.org_invitation_service.RoleStore.get_role_by_id_async', + new_callable=AsyncMock, return_value=mock_owner_role, ), patch( - 'server.services.org_invitation_service.RoleStore.get_role_by_name', + 'server.services.org_invitation_service.RoleStore.get_role_by_name_async', + new_callable=AsyncMock, return_value=None, # Invalid role ), ): diff --git a/enterprise/tests/unit/test_org_member_store.py b/enterprise/tests/unit/test_org_member_store.py index 26a0b27ab8..c2901358a8 100644 --- a/enterprise/tests/unit/test_org_member_store.py +++ b/enterprise/tests/unit/test_org_member_store.py @@ -37,19 +37,20 @@ async def async_session_maker(async_engine): return async_sessionmaker(async_engine, class_=AsyncSession, expire_on_commit=False) -def test_get_org_members(session_maker): +@pytest.mark.asyncio +async def test_get_org_members(async_session_maker): # Test getting org_members by org ID - with session_maker() as session: + async with async_session_maker() as session: # Create test data org = Org(name='test-org') session.add(org) - session.flush() + await session.flush() user1 = User(id=uuid.uuid4(), current_org_id=org.id) user2 = User(id=uuid.uuid4(), current_org_id=org.id) role = Role(name='admin', rank=1) session.add_all([user1, user2, role]) - session.flush() + await session.flush() org_member1 = OrgMember( org_id=org.id, @@ -66,31 +67,32 @@ def test_get_org_members(session_maker): status='active', ) session.add_all([org_member1, org_member2]) - session.commit() + await session.commit() org_id = org.id # Test retrieval - with patch('storage.org_member_store.session_maker', session_maker): - org_members = OrgMemberStore.get_org_members(org_id) + with patch('storage.org_member_store.a_session_maker', async_session_maker): + org_members = await OrgMemberStore.get_org_members(org_id) assert len(org_members) == 2 api_keys = [om.llm_api_key.get_secret_value() for om in org_members] assert 'test-key-1' in api_keys assert 'test-key-2' in api_keys -def test_get_user_orgs(session_maker): +@pytest.mark.asyncio +async def test_get_user_orgs(async_session_maker): # Test getting org_members by user ID - with session_maker() as session: + async with async_session_maker() as session: # Create test data org1 = Org(name='test-org-1') org2 = Org(name='test-org-2') session.add_all([org1, org2]) - session.flush() + await session.flush() user = User(id=uuid.uuid4(), current_org_id=org1.id) role = Role(name='admin', rank=1) session.add_all([user, role]) - session.flush() + await session.flush() org_member1 = OrgMember( org_id=org1.id, @@ -107,30 +109,31 @@ def test_get_user_orgs(session_maker): status='active', ) session.add_all([org_member1, org_member2]) - session.commit() + await session.commit() user_id = user.id # Test retrieval - with patch('storage.org_member_store.session_maker', session_maker): - org_members = OrgMemberStore.get_user_orgs(user_id) + with patch('storage.org_member_store.a_session_maker', async_session_maker): + org_members = await OrgMemberStore.get_user_orgs(user_id) assert len(org_members) == 2 api_keys = [ou.llm_api_key.get_secret_value() for ou in org_members] assert 'test-key-1' in api_keys assert 'test-key-2' in api_keys -def test_get_org_member(session_maker): +@pytest.mark.asyncio +async def test_get_org_member(async_session_maker): # Test getting org_member by org and user ID - with session_maker() as session: + async with async_session_maker() as session: # Create test data org = Org(name='test-org') session.add(org) - session.flush() + await session.flush() user = User(id=uuid.uuid4(), current_org_id=org.id) role = Role(name='admin', rank=1) session.add_all([user, role]) - session.flush() + await session.flush() org_member = OrgMember( org_id=org.id, @@ -140,32 +143,33 @@ def test_get_org_member(session_maker): status='active', ) session.add(org_member) - session.commit() + await session.commit() org_id = org.id user_id = user.id # Test retrieval - with patch('storage.org_member_store.session_maker', session_maker): - retrieved_org_member = OrgMemberStore.get_org_member(org_id, user_id) + with patch('storage.org_member_store.a_session_maker', async_session_maker): + retrieved_org_member = await OrgMemberStore.get_org_member(org_id, user_id) assert retrieved_org_member is not None assert retrieved_org_member.org_id == org_id assert retrieved_org_member.user_id == user_id assert retrieved_org_member.llm_api_key.get_secret_value() == 'test-key' -def test_get_org_member_for_current_org(session_maker): +@pytest.mark.asyncio +async def test_get_org_member_for_current_org(async_session_maker): # Test getting org_member for user's current organization - with session_maker() as session: + async with async_session_maker() as session: # Create test data - user belongs to two orgs but current_org is org1 org1 = Org(name='test-org-1') org2 = Org(name='test-org-2') session.add_all([org1, org2]) - session.flush() + await session.flush() user = User(id=uuid.uuid4(), current_org_id=org1.id) role = Role(name='admin', rank=1) session.add_all([user, role]) - session.flush() + await session.flush() org_member1 = OrgMember( org_id=org1.id, @@ -182,47 +186,51 @@ def test_get_org_member_for_current_org(session_maker): status='active', ) session.add_all([org_member1, org_member2]) - session.commit() + await session.commit() user_id = user.id org1_id = org1.id # Test retrieval - should return org_member for current_org (org1) - with patch('storage.org_member_store.session_maker', session_maker): - retrieved_org_member = OrgMemberStore.get_org_member_for_current_org(user_id) + with patch('storage.org_member_store.a_session_maker', async_session_maker): + retrieved_org_member = await OrgMemberStore.get_org_member_for_current_org( + user_id + ) assert retrieved_org_member is not None assert retrieved_org_member.org_id == org1_id assert retrieved_org_member.user_id == user_id assert retrieved_org_member.llm_api_key.get_secret_value() == 'test-key-1' -def test_get_org_member_for_current_org_user_not_found(session_maker): +@pytest.mark.asyncio +async def test_get_org_member_for_current_org_user_not_found(async_session_maker): # Test getting org_member for non-existent user - with patch('storage.org_member_store.session_maker', session_maker): - retrieved_org_member = OrgMemberStore.get_org_member_for_current_org( + with patch('storage.org_member_store.a_session_maker', async_session_maker): + retrieved_org_member = await OrgMemberStore.get_org_member_for_current_org( uuid.uuid4() ) assert retrieved_org_member is None -def test_add_user_to_org(session_maker): +@pytest.mark.asyncio +async def test_add_user_to_org(async_session_maker): # Test adding a user to an org - with session_maker() as session: + async with async_session_maker() as session: # Create test data org = Org(name='test-org') session.add(org) - session.flush() + await session.flush() user = User(id=uuid.uuid4(), current_org_id=org.id) role = Role(name='admin', rank=1) session.add_all([user, role]) - session.commit() + await session.commit() org_id = org.id user_id = user.id role_id = role.id # Test creation - with patch('storage.org_member_store.session_maker', session_maker): - org_member = OrgMemberStore.add_user_to_org( + with patch('storage.org_member_store.a_session_maker', async_session_maker): + org_member = await OrgMemberStore.add_user_to_org( org_id=org_id, user_id=user_id, role_id=role_id, @@ -238,19 +246,20 @@ def test_add_user_to_org(session_maker): assert org_member.status == 'active' -def test_update_user_role_in_org(session_maker): +@pytest.mark.asyncio +async def test_update_user_role_in_org(async_session_maker): # Test updating user role in org - with session_maker() as session: + async with async_session_maker() as session: # Create test data org = Org(name='test-org') session.add(org) - session.flush() + await session.flush() user = User(id=uuid.uuid4(), current_org_id=org.id) role1 = Role(name='admin', rank=1) role2 = Role(name='user', rank=2) session.add_all([user, role1, role2]) - session.flush() + await session.flush() org_member = OrgMember( org_id=org.id, @@ -260,14 +269,14 @@ def test_update_user_role_in_org(session_maker): status='active', ) session.add(org_member) - session.commit() + await session.commit() org_id = org.id user_id = user.id role2_id = role2.id # Test update - with patch('storage.org_member_store.session_maker', session_maker): - updated_org_member = OrgMemberStore.update_user_role_in_org( + with patch('storage.org_member_store.a_session_maker', async_session_maker): + updated_org_member = await OrgMemberStore.update_user_role_in_org( org_id=org_id, user_id=user_id, role_id=role2_id, status='inactive' ) @@ -276,29 +285,31 @@ def test_update_user_role_in_org(session_maker): assert updated_org_member.status == 'inactive' -def test_update_user_role_in_org_not_found(session_maker): +@pytest.mark.asyncio +async def test_update_user_role_in_org_not_found(async_session_maker): # Test updating org_member that doesn't exist from uuid import uuid4 - with patch('storage.org_member_store.session_maker', session_maker): - updated_org_member = OrgMemberStore.update_user_role_in_org( - org_id=uuid4(), user_id=99999, role_id=1 + with patch('storage.org_member_store.a_session_maker', async_session_maker): + updated_org_member = await OrgMemberStore.update_user_role_in_org( + org_id=uuid4(), user_id=uuid4(), role_id=1 ) assert updated_org_member is None -def test_remove_user_from_org(session_maker): +@pytest.mark.asyncio +async def test_remove_user_from_org(async_session_maker): # Test removing a user from an org - with session_maker() as session: + async with async_session_maker() as session: # Create test data org = Org(name='test-org') session.add(org) - session.flush() + await session.flush() user = User(id=uuid.uuid4(), current_org_id=org.id) role = Role(name='admin', rank=1) session.add_all([user, role]) - session.flush() + await session.flush() org_member = OrgMember( org_id=org.id, @@ -308,26 +319,27 @@ def test_remove_user_from_org(session_maker): status='active', ) session.add(org_member) - session.commit() + await session.commit() org_id = org.id user_id = user.id # Test removal - with patch('storage.org_member_store.session_maker', session_maker): - result = OrgMemberStore.remove_user_from_org(org_id, user_id) + with patch('storage.org_member_store.a_session_maker', async_session_maker): + result = await OrgMemberStore.remove_user_from_org(org_id, user_id) assert result is True # Verify it's removed - retrieved_org_member = OrgMemberStore.get_org_member(org_id, user_id) + retrieved_org_member = await OrgMemberStore.get_org_member(org_id, user_id) assert retrieved_org_member is None -def test_remove_user_from_org_not_found(session_maker): +@pytest.mark.asyncio +async def test_remove_user_from_org_not_found(async_session_maker): # Test removing user from org that doesn't exist from uuid import uuid4 - with patch('storage.org_member_store.session_maker', session_maker): - result = OrgMemberStore.remove_user_from_org(uuid4(), 99999) + with patch('storage.org_member_store.a_session_maker', async_session_maker): + result = await OrgMemberStore.remove_user_from_org(uuid4(), uuid4()) assert result is False diff --git a/enterprise/tests/unit/test_org_service.py b/enterprise/tests/unit/test_org_service.py index 3b823d9994..bf71d1c1d7 100644 --- a/enterprise/tests/unit/test_org_service.py +++ b/enterprise/tests/unit/test_org_service.py @@ -76,7 +76,7 @@ async def test_validate_name_uniqueness_with_unique_name(async_session_maker): # Act & Assert - should not raise with ( patch('storage.org_store.a_session_maker', async_session_maker), - patch('storage.org_member_store.session_maker'), + patch('storage.org_member_store.a_session_maker'), patch('storage.role_store.session_maker'), ): await OrgService.validate_name_uniqueness(unique_name) @@ -591,7 +591,10 @@ async def test_get_org_by_id_success(session_maker, owner_role): ) with ( - patch('storage.org_service.OrgMemberStore.get_org_member') as mock_get_member, + patch( + 'storage.org_service.OrgMemberStore.get_org_member', + new_callable=AsyncMock, + ) as mock_get_member, patch( 'storage.org_service.OrgStore.get_org_by_id', new_callable=AsyncMock, @@ -624,6 +627,7 @@ async def test_get_org_by_id_user_not_member(): with patch( 'storage.org_service.OrgMemberStore.get_org_member', + new_callable=AsyncMock, return_value=None, ): # Act & Assert @@ -656,6 +660,7 @@ async def test_get_org_by_id_org_not_found(): with ( patch( 'storage.org_service.OrgMemberStore.get_org_member', + new_callable=AsyncMock, return_value=mock_org_member, ), patch( @@ -834,10 +839,13 @@ async def test_verify_owner_authorization_success(session_maker, owner_role): ), patch( 'storage.org_service.OrgMemberStore.get_org_member', + new_callable=AsyncMock, return_value=mock_org_member, ), patch( - 'storage.org_service.RoleStore.get_role_by_id', return_value=mock_owner_role + 'storage.org_service.RoleStore.get_role_by_id_async', + new_callable=AsyncMock, + return_value=mock_owner_role, ), ): # Act & Assert - should not raise @@ -891,7 +899,11 @@ async def test_verify_owner_authorization_user_not_member(session_maker, owner_r new_callable=AsyncMock, return_value=mock_org, ), - patch('storage.org_service.OrgMemberStore.get_org_member', return_value=None), + patch( + 'storage.org_service.OrgMemberStore.get_org_member', + new_callable=AsyncMock, + return_value=None, + ), ): # Act & Assert with pytest.raises(OrgAuthorizationError) as exc_info: @@ -934,9 +946,14 @@ async def test_verify_owner_authorization_user_not_owner(session_maker): ), patch( 'storage.org_service.OrgMemberStore.get_org_member', + new_callable=AsyncMock, return_value=mock_org_member, ), - patch('storage.org_service.RoleStore.get_role_by_id', return_value=admin_role), + patch( + 'storage.org_service.RoleStore.get_role_by_id_async', + new_callable=AsyncMock, + return_value=admin_role, + ), ): # Act & Assert with pytest.raises(OrgAuthorizationError) as exc_info: @@ -1118,7 +1135,7 @@ async def test_update_org_with_permissions_success_non_llm_fields( with ( patch('storage.org_store.a_session_maker', async_session_maker), - patch('storage.org_member_store.session_maker', session_maker), + patch('storage.org_member_store.a_session_maker', async_session_maker), patch('storage.role_store.session_maker', session_maker), ): # Act @@ -1181,8 +1198,8 @@ async def test_update_org_with_permissions_success_llm_fields_admin( with ( patch('storage.org_store.a_session_maker', async_session_maker), - patch('storage.org_member_store.session_maker', session_maker), - patch('storage.role_store.session_maker', session_maker), + patch('storage.org_member_store.a_session_maker', async_session_maker), + patch('storage.role_store.a_session_maker', async_session_maker), ): # Act result = await OrgService.update_org_with_permissions( @@ -1243,8 +1260,8 @@ async def test_update_org_with_permissions_success_llm_fields_owner( with ( patch('storage.org_store.a_session_maker', async_session_maker), - patch('storage.org_member_store.session_maker', session_maker), - patch('storage.role_store.session_maker', session_maker), + patch('storage.org_member_store.a_session_maker', async_session_maker), + patch('storage.role_store.a_session_maker', async_session_maker), ): # Act result = await OrgService.update_org_with_permissions( @@ -1306,8 +1323,8 @@ async def test_update_org_with_permissions_success_mixed_fields_admin( with ( patch('storage.org_store.a_session_maker', async_session_maker), - patch('storage.org_member_store.session_maker', session_maker), - patch('storage.role_store.session_maker', session_maker), + patch('storage.org_member_store.a_session_maker', async_session_maker), + patch('storage.role_store.a_session_maker', async_session_maker), ): # Act result = await OrgService.update_org_with_permissions( @@ -1366,7 +1383,7 @@ async def test_update_org_with_permissions_empty_update( with ( patch('storage.org_store.a_session_maker', async_session_maker), - patch('storage.org_member_store.session_maker', session_maker), + patch('storage.org_member_store.a_session_maker', async_session_maker), patch('storage.role_store.session_maker', session_maker), ): # Act @@ -1401,7 +1418,7 @@ async def test_update_org_with_permissions_org_not_found( with ( patch('storage.org_store.a_session_maker', async_session_maker), - patch('storage.org_member_store.session_maker', session_maker), + patch('storage.org_member_store.a_session_maker', async_session_maker), patch('storage.role_store.session_maker', session_maker), ): # Act & Assert @@ -1449,7 +1466,7 @@ async def test_update_org_with_permissions_non_member( with ( patch('storage.org_store.a_session_maker', async_session_maker), - patch('storage.org_member_store.session_maker', session_maker), + patch('storage.org_member_store.a_session_maker', async_session_maker), patch('storage.role_store.session_maker', session_maker), ): # Act & Assert @@ -1507,7 +1524,7 @@ async def test_update_org_with_permissions_llm_fields_insufficient_permission( with ( patch('storage.org_store.a_session_maker', async_session_maker), - patch('storage.org_member_store.session_maker', session_maker), + patch('storage.org_member_store.a_session_maker', async_session_maker), patch('storage.role_store.session_maker', session_maker), ): # Act & Assert @@ -1567,7 +1584,7 @@ async def test_update_org_with_permissions_database_error( with ( patch('storage.org_store.a_session_maker', async_session_maker), - patch('storage.org_member_store.session_maker', session_maker), + patch('storage.org_member_store.a_session_maker', async_session_maker), patch('storage.role_store.session_maker', session_maker), patch( 'storage.org_service.OrgStore.update_org', @@ -1622,7 +1639,7 @@ async def test_update_org_with_permissions_duplicate_name_raises_org_name_exists with ( patch('storage.org_store.a_session_maker', async_session_maker), - patch('storage.org_member_store.session_maker', session_maker), + patch('storage.org_member_store.a_session_maker', async_session_maker), patch('storage.role_store.session_maker', session_maker), patch( 'storage.org_service.OrgStore.get_org_by_id', @@ -1675,7 +1692,7 @@ async def test_update_org_with_permissions_same_name_allowed( with ( patch('storage.org_store.a_session_maker', async_session_maker), - patch('storage.org_member_store.session_maker', session_maker), + patch('storage.org_member_store.a_session_maker', async_session_maker), patch('storage.role_store.session_maker', session_maker), patch( 'storage.org_service.OrgStore.get_org_by_id', @@ -1753,8 +1770,8 @@ async def test_update_org_with_permissions_only_llm_fields( with ( patch('storage.org_store.a_session_maker', async_session_maker), - patch('storage.org_member_store.session_maker', session_maker), - patch('storage.role_store.session_maker', session_maker), + patch('storage.org_member_store.a_session_maker', async_session_maker), + patch('storage.role_store.a_session_maker', async_session_maker), ): # Act result = await OrgService.update_org_with_permissions( @@ -1817,7 +1834,7 @@ async def test_update_org_with_permissions_only_non_llm_fields( with ( patch('storage.org_store.a_session_maker', async_session_maker), - patch('storage.org_member_store.session_maker', session_maker), + patch('storage.org_member_store.a_session_maker', async_session_maker), patch('storage.role_store.session_maker', session_maker), ): # Act From 63654c4643e68f426b97055b68023df4ac3749b6 Mon Sep 17 00:00:00 2001 From: mamoodi Date: Tue, 3 Mar 2026 16:15:55 -0500 Subject: [PATCH 17/67] Add a new upcoming-release skill (#13180) --- .agents/skills/upcoming-release.md | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 .agents/skills/upcoming-release.md diff --git a/.agents/skills/upcoming-release.md b/.agents/skills/upcoming-release.md new file mode 100644 index 0000000000..c0d01f853b --- /dev/null +++ b/.agents/skills/upcoming-release.md @@ -0,0 +1,21 @@ +--- +name: upcoming-release +description: Generate a concise summary of PRs included in the upcoming release. +triggers: +- /upcoming-release +--- + +We want to know what is part of the upcoming release. + +To do this, you need two commit SHAs. One SHA is what is currently running. The second SHA is what is going to be +released. The user must provide these. If the user does not provide these, ask the user to provide them before doing +anything. + +Once you have received the two SHAs: +1. Run the `.github/scripts/find_prs_between_commits.py` script from the repository root directory with the `--json` flag. The **first SHA** should be the older commit (current release), and the **second SHA** should be the newer commit (what's being released). +2. Do not show PRs that are chores, dependency updates, adding logs, refactors. +3. From the remaining PRs, split them into these categories: + - Features + - Bug fixes + - Security/CVE fixes + - Other From d19ba0d16628d913f6cf6cdd0ea41cb170086075 Mon Sep 17 00:00:00 2001 From: mamoodi Date: Tue, 3 Mar 2026 17:01:32 -0500 Subject: [PATCH 18/67] Clarify upcoming-release skill (#13185) --- .agents/skills/upcoming-release.md | 1 + 1 file changed, 1 insertion(+) diff --git a/.agents/skills/upcoming-release.md b/.agents/skills/upcoming-release.md index c0d01f853b..b17a15785b 100644 --- a/.agents/skills/upcoming-release.md +++ b/.agents/skills/upcoming-release.md @@ -19,3 +19,4 @@ Once you have received the two SHAs: - Bug fixes - Security/CVE fixes - Other +4. The output should list the PRs under their category, including the PR number with a brief description of the PR. From 79a0cee7d930a2dfe16d0ffa1f262f270f2a98ef Mon Sep 17 00:00:00 2001 From: Rohit Malhotra Date: Tue, 3 Mar 2026 17:43:44 -0500 Subject: [PATCH 19/67] Fix mypy type errors in Jira integration (#13181) Co-authored-by: openhands --- .../integrations/jira_dc/jira_dc_view.py | 3 +++ enterprise/server/routes/integration/jira.py | 12 ++++++++++ .../server/routes/integration/jira_dc.py | 24 +++++++++++++++++++ 3 files changed, 39 insertions(+) diff --git a/enterprise/integrations/jira_dc/jira_dc_view.py b/enterprise/integrations/jira_dc/jira_dc_view.py index 6992748380..1364af4b6a 100644 --- a/enterprise/integrations/jira_dc/jira_dc_view.py +++ b/enterprise/integrations/jira_dc/jira_dc_view.py @@ -155,6 +155,9 @@ class JiraDcExistingConversationView(JiraDcViewInterface): self.conversation_id, conversation_init_data, user_id ) + if agent_loop_info.event_store is None: + raise StartingConvoException('Event store not available') + final_agent_observation = get_final_agent_observation( agent_loop_info.event_store ) diff --git a/enterprise/server/routes/integration/jira.py b/enterprise/server/routes/integration/jira.py index 56ae395e18..715128b193 100644 --- a/enterprise/server/routes/integration/jira.py +++ b/enterprise/server/routes/integration/jira.py @@ -601,6 +601,12 @@ async def get_current_workspace_link(request: Request): user_auth = cast(SaasUserAuth, await get_user_auth(request)) user_id = await user_auth.get_user_id() + if not user_id: + raise HTTPException( + status_code=status.HTTP_401_UNAUTHORIZED, + detail='User ID not found', + ) + user = await jira_manager.integration_store.get_user_by_active_workspace( user_id ) @@ -654,6 +660,12 @@ async def unlink_workspace(request: Request): user_auth = cast(SaasUserAuth, await get_user_auth(request)) user_id = await user_auth.get_user_id() + if not user_id: + raise HTTPException( + status_code=status.HTTP_401_UNAUTHORIZED, + detail='User ID not found', + ) + user = await jira_manager.integration_store.get_user_by_active_workspace( user_id ) diff --git a/enterprise/server/routes/integration/jira_dc.py b/enterprise/server/routes/integration/jira_dc.py index 88c8196071..b2f341dbf6 100644 --- a/enterprise/server/routes/integration/jira_dc.py +++ b/enterprise/server/routes/integration/jira_dc.py @@ -281,6 +281,12 @@ async def create_jira_dc_workspace( user_id = await user_auth.get_user_id() user_email = await user_auth.get_user_email() + if not user_id: + raise HTTPException( + status_code=status.HTTP_401_UNAUTHORIZED, + detail='User ID not found', + ) + if JIRA_DC_ENABLE_OAUTH: # OAuth flow enabled - create session and redirect to OAuth state = str(uuid.uuid4()) @@ -404,6 +410,12 @@ async def create_workspace_link(request: Request, link_data: JiraDcLinkCreate): user_id = await user_auth.get_user_id() user_email = await user_auth.get_user_email() + if not user_id: + raise HTTPException( + status_code=status.HTTP_401_UNAUTHORIZED, + detail='User ID not found', + ) + target_workspace = link_data.workspace_name if JIRA_DC_ENABLE_OAUTH: @@ -593,6 +605,12 @@ async def get_current_workspace_link(request: Request): user_auth = cast(SaasUserAuth, await get_user_auth(request)) user_id = await user_auth.get_user_id() + if not user_id: + raise HTTPException( + status_code=status.HTTP_401_UNAUTHORIZED, + detail='User ID not found', + ) + user = await jira_dc_manager.integration_store.get_user_by_active_workspace( user_id ) @@ -645,6 +663,12 @@ async def unlink_workspace(request: Request): user_auth = cast(SaasUserAuth, await get_user_auth(request)) user_id = await user_auth.get_user_id() + if not user_id: + raise HTTPException( + status_code=status.HTTP_401_UNAUTHORIZED, + detail='User ID not found', + ) + user = await jira_dc_manager.integration_store.get_user_by_active_workspace( user_id ) From 46887413249a2db51c86ac395954c8cc5f302af1 Mon Sep 17 00:00:00 2001 From: Rohit Malhotra Date: Tue, 3 Mar 2026 17:44:20 -0500 Subject: [PATCH 20/67] Fix Slack integration mypy type errors (#13177) Co-authored-by: openhands --- .../integrations/slack/slack_manager.py | 12 +++- enterprise/integrations/slack/slack_types.py | 24 +++++-- .../slack/slack_v1_callback_processor.py | 7 ++- enterprise/integrations/slack/slack_view.py | 62 +++++++++---------- enterprise/server/routes/integration/slack.py | 2 +- 5 files changed, 63 insertions(+), 44 deletions(-) diff --git a/enterprise/integrations/slack/slack_manager.py b/enterprise/integrations/slack/slack_manager.py index 34ee33b535..27a892e8c4 100644 --- a/enterprise/integrations/slack/slack_manager.py +++ b/enterprise/integrations/slack/slack_manager.py @@ -4,7 +4,11 @@ from typing import Any import jwt from integrations.manager import Manager from integrations.models import Message, SourceType -from integrations.slack.slack_types import SlackViewInterface, StartingConvoException +from integrations.slack.slack_types import ( + SlackMessageView, + SlackViewInterface, + StartingConvoException, +) from integrations.slack.slack_view import ( SlackFactory, SlackNewConversationFromRepoFormView, @@ -214,7 +218,7 @@ class SlackManager(Manager[SlackViewInterface]): async def send_message( self, message: str | dict[str, Any], - slack_view: SlackViewInterface, + slack_view: SlackMessageView, ephemeral: bool = False, ): """Send a message to Slack. @@ -223,6 +227,8 @@ class SlackManager(Manager[SlackViewInterface]): message: The message content. Can be a string (for simple text) or a dict with 'text' and 'blocks' keys (for structured messages). slack_view: The Slack view object containing channel/thread info. + Can be either SlackMessageView (for unauthenticated users) + or SlackViewInterface (for authenticated users). ephemeral: If True, send as an ephemeral message visible only to the user. """ client = AsyncWebClient(token=slack_view.bot_access_token) @@ -305,7 +311,7 @@ class SlackManager(Manager[SlackViewInterface]): try: msg_info = None - user_info: SlackUser = slack_view.slack_to_openhands_user + user_info = slack_view.slack_to_openhands_user try: logger.info( f'[Slack] Starting job for user {user_info.slack_display_name} (id={user_info.slack_user_id})', diff --git a/enterprise/integrations/slack/slack_types.py b/enterprise/integrations/slack/slack_types.py index 17c375a24c..efa355da4f 100644 --- a/enterprise/integrations/slack/slack_types.py +++ b/enterprise/integrations/slack/slack_types.py @@ -7,15 +7,31 @@ from storage.slack_user import SlackUser from openhands.server.user_auth.user_auth import UserAuth -class SlackViewInterface(SummaryExtractionTracker, ABC): +class SlackMessageView(ABC): + """Minimal interface for sending messages to Slack. + + This base class contains only the fields needed to send messages, + without requiring user authentication. Used by both authenticated + and unauthenticated Slack views. + """ + bot_access_token: str - user_msg: str | None slack_user_id: str - slack_to_openhands_user: SlackUser | None - saas_user_auth: UserAuth | None channel_id: str message_ts: str thread_ts: str | None + + +class SlackViewInterface(SlackMessageView, SummaryExtractionTracker, ABC): + """Interface for authenticated Slack views that can create conversations. + + All fields are required (non-None) because this interface is only used + for users who have linked their Slack account to OpenHands. + """ + + user_msg: str + slack_to_openhands_user: SlackUser + saas_user_auth: UserAuth selected_repo: str | None should_extract: bool send_summary_instruction: bool diff --git a/enterprise/integrations/slack/slack_v1_callback_processor.py b/enterprise/integrations/slack/slack_v1_callback_processor.py index 05562aa1a8..e5724b1df5 100644 --- a/enterprise/integrations/slack/slack_v1_callback_processor.py +++ b/enterprise/integrations/slack/slack_v1_callback_processor.py @@ -89,10 +89,11 @@ class SlackV1CallbackProcessor(EventCallbackProcessor): # ------------------------------------------------------------------------- async def _get_bot_access_token(self) -> str | None: + team_id = self.slack_view_data.get('team_id') + if team_id is None: + return None slack_team_store = SlackTeamStore.get_instance() - bot_access_token = await slack_team_store.get_team_bot_token( - self.slack_view_data['team_id'] - ) + bot_access_token = await slack_team_store.get_team_bot_token(team_id) return bot_access_token diff --git a/enterprise/integrations/slack/slack_view.py b/enterprise/integrations/slack/slack_view.py index 6c94dfdae5..cd14137ebf 100644 --- a/enterprise/integrations/slack/slack_view.py +++ b/enterprise/integrations/slack/slack_view.py @@ -4,7 +4,11 @@ from uuid import UUID, uuid4 from integrations.models import Message from integrations.resolver_context import ResolverUserContext -from integrations.slack.slack_types import SlackViewInterface, StartingConvoException +from integrations.slack.slack_types import ( + SlackMessageView, + SlackViewInterface, + StartingConvoException, +) from integrations.slack.slack_v1_callback_processor import SlackV1CallbackProcessor from integrations.utils import ( CONVERSATION_URL, @@ -60,36 +64,25 @@ async def is_v1_enabled_for_slack_resolver(user_id: str) -> bool: @dataclass -class SlackUnkownUserView(SlackViewInterface): +class SlackUnkownUserView(SlackMessageView): + """View for unauthenticated Slack users who haven't linked their account. + + This view only contains the minimal fields needed to send a login link + message back to the user. It does not implement SlackViewInterface + because it cannot create conversations without user authentication. + """ + bot_access_token: str - user_msg: str | None slack_user_id: str - slack_to_openhands_user: SlackUser | None - saas_user_auth: UserAuth | None channel_id: str message_ts: str thread_ts: str | None - selected_repo: str | None - should_extract: bool - send_summary_instruction: bool - conversation_id: str - team_id: str - v1_enabled: bool - - async def _get_instructions(self, jinja_env: Environment) -> tuple[str, str]: - raise NotImplementedError - - async def create_or_update_conversation(self, jinja_env: Environment): - raise NotImplementedError - - def get_response_msg(self) -> str: - raise NotImplementedError @dataclass class SlackNewConversationView(SlackViewInterface): bot_access_token: str - user_msg: str | None + user_msg: str slack_user_id: str slack_to_openhands_user: SlackUser saas_user_auth: UserAuth @@ -394,6 +387,9 @@ class SlackUpdateExistingConversationView(SlackNewConversationView): self.conversation_id, conversation_init_data, user_id ) + if agent_loop_info.event_store is None: + raise StartingConvoException('Event store not available') + final_agent_observation = get_final_agent_observation( agent_loop_info.event_store ) @@ -550,6 +546,8 @@ class SlackFactory: return None # thread_ts in slack payloads in the parent's (root level msg's) message ID + if channel_id is None: + return None return await slack_conversation_store.get_slack_conversation( channel_id, thread_ts ) @@ -578,24 +576,22 @@ class SlackFactory: raise Exception('Did not find slack team') # Determine if this is a known slack user by openhands - if not slack_user or not saas_user_auth or not channel_id: + if not slack_user or not saas_user_auth or not channel_id or not message_ts: return SlackUnkownUserView( bot_access_token=bot_access_token, - user_msg=user_msg, slack_user_id=slack_user_id, - slack_to_openhands_user=slack_user, - saas_user_auth=saas_user_auth, - channel_id=channel_id, - message_ts=message_ts, + channel_id=channel_id or '', + message_ts=message_ts or '', thread_ts=thread_ts, - selected_repo=None, - should_extract=False, - send_summary_instruction=False, - conversation_id='', - team_id=team_id, - v1_enabled=False, ) + # At this point, we've verified slack_user, saas_user_auth, channel_id, and message_ts are set + # user_msg should always be present in Slack payloads + if not user_msg: + raise ValueError('user_msg is required but was not provided in payload') + assert channel_id is not None + assert message_ts is not None + conversation = await asyncio.wait_for( SlackFactory.determine_if_updating_existing_conversation(message), timeout=GENERAL_TIMEOUT, diff --git a/enterprise/server/routes/integration/slack.py b/enterprise/server/routes/integration/slack.py index c39d8ac838..8ada1a9679 100644 --- a/enterprise/server/routes/integration/slack.py +++ b/enterprise/server/routes/integration/slack.py @@ -171,7 +171,7 @@ async def keycloak_callback( state, config.jwt_secret.get_secret_value(), algorithms=['HS256'] ) slack_user_id = payload['slack_user_id'] - bot_access_token = payload['bot_access_token'] + bot_access_token: str | None = payload['bot_access_token'] team_id = payload['team_id'] # Retrieve the keycloak_user_id From 45b970c0dd4afd318af548632ec3441d05b09ccc Mon Sep 17 00:00:00 2001 From: Tim O'Farrell Date: Tue, 3 Mar 2026 16:01:20 -0700 Subject: [PATCH 21/67] Refactor RoleStore to fully async (#13184) Co-authored-by: openhands --- enterprise/server/auth/authorization.py | 2 +- .../server/services/org_invitation_service.py | 8 +- .../server/services/org_member_service.py | 18 +- enterprise/storage/org_service.py | 10 +- enterprise/storage/role_store.py | 81 ++++--- enterprise/storage/user_store.py | 4 +- .../services/test_org_member_service.py | 70 +++--- enterprise/tests/unit/test_authorization.py | 4 +- .../tests/unit/test_org_invitation_service.py | 12 +- enterprise/tests/unit/test_org_service.py | 30 +-- enterprise/tests/unit/test_role_store.py | 208 ++++++++++-------- 11 files changed, 243 insertions(+), 204 deletions(-) diff --git a/enterprise/server/auth/authorization.py b/enterprise/server/auth/authorization.py index 4595ea07a3..c8d72021c6 100644 --- a/enterprise/server/auth/authorization.py +++ b/enterprise/server/auth/authorization.py @@ -179,7 +179,7 @@ async def get_user_org_role(user_id: str, org_id: UUID | None) -> Role | None: if not org_member: return None - return await RoleStore.get_role_by_id_async(org_member.role_id) + return await RoleStore.get_role_by_id(org_member.role_id) def get_role_permissions(role_name: str) -> frozenset[Permission]: diff --git a/enterprise/server/services/org_invitation_service.py b/enterprise/server/services/org_invitation_service.py index 5518ab5dd0..3ef0d9d8fa 100644 --- a/enterprise/server/services/org_invitation_service.py +++ b/enterprise/server/services/org_invitation_service.py @@ -91,7 +91,7 @@ class OrgInvitationService: 'You are not a member of this organization' ) - inviter_role = await RoleStore.get_role_by_id_async(inviter_member.role_id) + inviter_role = await RoleStore.get_role_by_id(inviter_member.role_id) if not inviter_role or inviter_role.name not in [ROLE_OWNER, ROLE_ADMIN]: raise InsufficientPermissionError('Only owners and admins can invite users') @@ -101,7 +101,7 @@ class OrgInvitationService: raise InsufficientPermissionError('Only owners can invite with owner role') # Get the target role - target_role = await RoleStore.get_role_by_name_async(role_name_lower) + target_role = await RoleStore.get_role_by_name(role_name_lower) if not target_role: raise ValueError(f'Invalid role: {role_name}') @@ -204,7 +204,7 @@ class OrgInvitationService: 'You are not a member of this organization' ) - inviter_role = await RoleStore.get_role_by_id_async(inviter_member.role_id) + inviter_role = await RoleStore.get_role_by_id(inviter_member.role_id) if not inviter_role or inviter_role.name not in [ROLE_OWNER, ROLE_ADMIN]: raise InsufficientPermissionError('Only owners and admins can invite users') @@ -212,7 +212,7 @@ class OrgInvitationService: if role_name_lower == ROLE_OWNER and inviter_role.name != ROLE_OWNER: raise InsufficientPermissionError('Only owners can invite with owner role') - target_role = await RoleStore.get_role_by_name_async(role_name_lower) + target_role = await RoleStore.get_role_by_name(role_name_lower) if not target_role: raise ValueError(f'Invalid role: {role_name}') diff --git a/enterprise/server/services/org_member_service.py b/enterprise/server/services/org_member_service.py index 264d8fa135..7168d0954e 100644 --- a/enterprise/server/services/org_member_service.py +++ b/enterprise/server/services/org_member_service.py @@ -51,7 +51,7 @@ class OrgMemberService: raise OrgMemberNotFoundError(str(org_id), str(user_id)) # Resolve role name from role_id - role = await RoleStore.get_role_by_id_async(org_member.role_id) + role = await RoleStore.get_role_by_id(org_member.role_id) if role is None: raise RoleNotFoundError(org_member.role_id) @@ -195,10 +195,8 @@ class OrgMemberService: if not target_membership: return False, 'member_not_found' - requester_role = await RoleStore.get_role_by_id_async( - requester_membership.role_id - ) - target_role = await RoleStore.get_role_by_id_async(target_membership.role_id) + requester_role = await RoleStore.get_role_by_id(requester_membership.role_id) + target_role = await RoleStore.get_role_by_id(target_membership.role_id) if not requester_role or not target_role: return False, 'role_not_found' @@ -300,10 +298,8 @@ class OrgMemberService: raise OrgMemberNotFoundError(str(org_id), str(target_user_id)) # Get roles - requester_role = await RoleStore.get_role_by_id_async( - requester_membership.role_id - ) - target_role = await RoleStore.get_role_by_id_async(target_membership.role_id) + requester_role = await RoleStore.get_role_by_id(requester_membership.role_id) + target_role = await RoleStore.get_role_by_id(target_membership.role_id) if not requester_role: raise RoleNotFoundError(requester_membership.role_id) @@ -323,7 +319,7 @@ class OrgMemberService: ) # Validate new role exists - new_role = await RoleStore.get_role_by_name_async(new_role_name.lower()) + new_role = await RoleStore.get_role_by_name(new_role_name.lower()) if not new_role: raise InvalidRoleError(new_role_name) @@ -406,7 +402,7 @@ class OrgMemberService: owners = [] for m in members: # Use role_id (column) instead of role (relationship) to avoid DetachedInstanceError - role = await RoleStore.get_role_by_id_async(m.role_id) + role = await RoleStore.get_role_by_id(m.role_id) if role and role.name == ROLE_OWNER: owners.append(m) return len(owners) == 1 and str(owners[0].user_id) == str(user_id) diff --git a/enterprise/storage/org_service.py b/enterprise/storage/org_service.py index 780fca890e..a5108137dc 100644 --- a/enterprise/storage/org_service.py +++ b/enterprise/storage/org_service.py @@ -130,7 +130,7 @@ class OrgService: setattr(org, key, value) @staticmethod - def get_owner_role(): + async def get_owner_role(): """ Get the owner role from the database. @@ -140,7 +140,7 @@ class OrgService: Raises: Exception: If owner role not found """ - owner_role = RoleStore.get_role_by_name('owner') + owner_role = await RoleStore.get_role_by_name('owner') if not owner_role: raise Exception('Owner role not found in database') return owner_role @@ -237,7 +237,7 @@ class OrgService: OrgService.apply_litellm_settings_to_org(org, settings) # Step 6: Get owner role and create member entity - owner_role = OrgService.get_owner_role() + owner_role = await OrgService.get_owner_role() org_member = OrgService.create_org_member_entity( org_id=org_id, user_id=user_id, @@ -420,7 +420,7 @@ class OrgService: return False # Get the role details - role = await RoleStore.get_role_by_id_async(org_member.role_id) + role = await RoleStore.get_role_by_id(org_member.role_id) if not role: return False @@ -797,7 +797,7 @@ class OrgService: raise OrgAuthorizationError('User is not a member of this organization') # Check if user has owner role - role = await RoleStore.get_role_by_id_async(org_member.role_id) + role = await RoleStore.get_role_by_id(org_member.role_id) if not role or role.name != 'owner': raise OrgAuthorizationError( 'Only organization owners can delete organizations' diff --git a/enterprise/storage/role_store.py b/enterprise/storage/role_store.py index fa35cc461f..9f5d028b3d 100644 --- a/enterprise/storage/role_store.py +++ b/enterprise/storage/role_store.py @@ -2,11 +2,11 @@ Store class for managing roles. """ -from typing import List, Optional +from typing import Optional from sqlalchemy import select from sqlalchemy.ext.asyncio import AsyncSession -from storage.database import a_session_maker, session_maker +from storage.database import a_session_maker from storage.role import Role @@ -14,57 +14,70 @@ class RoleStore: """Store for managing roles.""" @staticmethod - def create_role(name: str, rank: int) -> Role: + async def _create_role(name: str, rank: int, session: AsyncSession) -> Role: + role = Role(name=name, rank=rank) + session.add(role) + await session.flush() + await session.refresh(role) + return role + + @staticmethod + async def create_role( + name: str, + rank: int, + session: Optional[AsyncSession] = None, + ) -> Role: """Create a new role.""" - with session_maker() as session: - role = Role(name=name, rank=rank) - session.add(role) - session.commit() - session.refresh(role) + if session is not None: + return await RoleStore._create_role(name, rank, session) + async with a_session_maker() as new_session: + role = await RoleStore._create_role(name, rank, new_session) + await new_session.commit() return role @staticmethod - def get_role_by_id(role_id: int) -> Optional[Role]: - """Get role by ID.""" - with session_maker() as session: - return session.query(Role).filter(Role.id == role_id).first() + async def _get_role_by_id(role_id: int, session: AsyncSession) -> Optional[Role]: + result = await session.execute(select(Role).where(Role.id == role_id)) + return result.scalars().first() @staticmethod - async def get_role_by_id_async( + async def get_role_by_id( role_id: int, session: Optional[AsyncSession] = None, ) -> Optional[Role]: - """Get role by ID (async version).""" + """Get role by ID.""" if session is not None: - result = await session.execute(select(Role).where(Role.id == role_id)) - return result.scalars().first() - - async with a_session_maker() as session: - result = await session.execute(select(Role).where(Role.id == role_id)) - return result.scalars().first() + return await RoleStore._get_role_by_id(role_id, session) + async with a_session_maker() as new_session: + return await RoleStore._get_role_by_id(role_id, new_session) @staticmethod - def get_role_by_name(name: str) -> Optional[Role]: - """Get role by name.""" - with session_maker() as session: - return session.query(Role).filter(Role.name == name).first() + async def _get_role_by_name(name: str, session: AsyncSession) -> Optional[Role]: + result = await session.execute(select(Role).where(Role.name == name)) + return result.scalars().first() @staticmethod - async def get_role_by_name_async( + async def get_role_by_name( name: str, session: Optional[AsyncSession] = None, ) -> Optional[Role]: """Get role by name.""" if session is not None: - result = await session.execute(select(Role).where(Role.name == name)) - return result.scalars().first() - - async with a_session_maker() as session: - result = await session.execute(select(Role).where(Role.name == name)) - return result.scalars().first() + return await RoleStore._get_role_by_name(name, session) + async with a_session_maker() as new_session: + return await RoleStore._get_role_by_name(name, new_session) @staticmethod - def list_roles() -> List[Role]: + async def _list_roles(session: AsyncSession) -> list[Role]: + result = await session.execute(select(Role).order_by(Role.rank)) + return list(result.scalars().all()) + + @staticmethod + async def list_roles( + session: Optional[AsyncSession] = None, + ) -> list[Role]: """List all roles.""" - with session_maker() as session: - return session.query(Role).order_by(Role.rank).all() + if session is not None: + return await RoleStore._list_roles(session) + async with a_session_maker() as new_session: + return await RoleStore._list_roles(new_session) diff --git a/enterprise/storage/user_store.py b/enterprise/storage/user_store.py index 67585f154d..8c20bd013c 100644 --- a/enterprise/storage/user_store.py +++ b/enterprise/storage/user_store.py @@ -87,7 +87,7 @@ class UserStore: user.email_verified = user_info.get('email_verified') session.add(user) - role = RoleStore.get_role_by_name('owner') + role = await RoleStore.get_role_by_name('owner') if role is None: raise ValueError('Owner role not found in database') @@ -266,7 +266,7 @@ class UserStore: 'user_store:migrate_user:calling_get_role_by_name', extra={'user_id': user_id}, ) - role = await RoleStore.get_role_by_name_async('owner') + role = await RoleStore.get_role_by_name('owner') logger.debug( 'user_store:migrate_user:done_get_role_by_name', extra={'user_id': user_id}, diff --git a/enterprise/tests/unit/server/services/test_org_member_service.py b/enterprise/tests/unit/server/services/test_org_member_service.py index f992787b0c..001b958c03 100644 --- a/enterprise/tests/unit/server/services/test_org_member_service.py +++ b/enterprise/tests/unit/server/services/test_org_member_service.py @@ -710,7 +710,7 @@ class TestOrgMemberServiceRemoveOrgMember: new_callable=AsyncMock, ) as mock_get_member, patch( - 'server.services.org_member_service.RoleStore.get_role_by_id_async', + 'server.services.org_member_service.RoleStore.get_role_by_id', new_callable=AsyncMock, ) as mock_get_role, patch( @@ -759,7 +759,7 @@ class TestOrgMemberServiceRemoveOrgMember: new_callable=AsyncMock, ) as mock_get_member, patch( - 'server.services.org_member_service.RoleStore.get_role_by_id_async', + 'server.services.org_member_service.RoleStore.get_role_by_id', new_callable=AsyncMock, ) as mock_get_role, patch( @@ -807,7 +807,7 @@ class TestOrgMemberServiceRemoveOrgMember: new_callable=AsyncMock, ) as mock_get_member, patch( - 'server.services.org_member_service.RoleStore.get_role_by_id_async', + 'server.services.org_member_service.RoleStore.get_role_by_id', new_callable=AsyncMock, ) as mock_get_role, patch( @@ -922,7 +922,7 @@ class TestOrgMemberServiceRemoveOrgMember: new_callable=AsyncMock, ) as mock_get_member, patch( - 'server.services.org_member_service.RoleStore.get_role_by_id_async', + 'server.services.org_member_service.RoleStore.get_role_by_id', new_callable=AsyncMock, ) as mock_get_role, ): @@ -959,7 +959,7 @@ class TestOrgMemberServiceRemoveOrgMember: new_callable=AsyncMock, ) as mock_get_member, patch( - 'server.services.org_member_service.RoleStore.get_role_by_id_async', + 'server.services.org_member_service.RoleStore.get_role_by_id', new_callable=AsyncMock, ) as mock_get_role, patch( @@ -1011,7 +1011,7 @@ class TestOrgMemberServiceRemoveOrgMember: new_callable=AsyncMock, ) as mock_get_member, patch( - 'server.services.org_member_service.RoleStore.get_role_by_id_async', + 'server.services.org_member_service.RoleStore.get_role_by_id', new_callable=AsyncMock, ) as mock_get_role, ): @@ -1053,7 +1053,7 @@ class TestOrgMemberServiceRemoveOrgMember: new_callable=AsyncMock, ) as mock_get_member, patch( - 'server.services.org_member_service.RoleStore.get_role_by_id_async', + 'server.services.org_member_service.RoleStore.get_role_by_id', new_callable=AsyncMock, ) as mock_get_role, ): @@ -1090,7 +1090,7 @@ class TestOrgMemberServiceRemoveOrgMember: new_callable=AsyncMock, ) as mock_get_member, patch( - 'server.services.org_member_service.RoleStore.get_role_by_id_async', + 'server.services.org_member_service.RoleStore.get_role_by_id', new_callable=AsyncMock, ) as mock_get_role, patch( @@ -1137,7 +1137,7 @@ class TestOrgMemberServiceRemoveOrgMember: new_callable=AsyncMock, ) as mock_get_member, patch( - 'server.services.org_member_service.RoleStore.get_role_by_id_async', + 'server.services.org_member_service.RoleStore.get_role_by_id', new_callable=AsyncMock, ) as mock_get_role, patch( @@ -1195,7 +1195,7 @@ class TestOrgMemberServiceRemoveOrgMember: new_callable=AsyncMock, ) as mock_get_member, patch( - 'server.services.org_member_service.RoleStore.get_role_by_id_async', + 'server.services.org_member_service.RoleStore.get_role_by_id', new_callable=AsyncMock, ) as mock_get_role, patch( @@ -1243,7 +1243,7 @@ class TestOrgMemberServiceRemoveOrgMember: new_callable=AsyncMock, ) as mock_get_member, patch( - 'server.services.org_member_service.RoleStore.get_role_by_id_async', + 'server.services.org_member_service.RoleStore.get_role_by_id', new_callable=AsyncMock, ) as mock_get_role, patch( @@ -1299,7 +1299,7 @@ class TestOrgMemberServiceRemoveOrgMember: new_callable=AsyncMock, ) as mock_get_member, patch( - 'server.services.org_member_service.RoleStore.get_role_by_id_async', + 'server.services.org_member_service.RoleStore.get_role_by_id', new_callable=AsyncMock, ) as mock_get_role, patch( @@ -1351,7 +1351,7 @@ class TestOrgMemberServiceRemoveOrgMember: new_callable=AsyncMock, ) as mock_get_member, patch( - 'server.services.org_member_service.RoleStore.get_role_by_id_async', + 'server.services.org_member_service.RoleStore.get_role_by_id', new_callable=AsyncMock, ) as mock_get_role, patch( @@ -1403,7 +1403,7 @@ class TestOrgMemberServiceRemoveOrgMember: new_callable=AsyncMock, ) as mock_get_member, patch( - 'server.services.org_member_service.RoleStore.get_role_by_id_async', + 'server.services.org_member_service.RoleStore.get_role_by_id', new_callable=AsyncMock, ) as mock_get_role, patch( @@ -1457,7 +1457,7 @@ class TestOrgMemberServiceRemoveOrgMember: new_callable=AsyncMock, ) as mock_get_member, patch( - 'server.services.org_member_service.RoleStore.get_role_by_id_async', + 'server.services.org_member_service.RoleStore.get_role_by_id', new_callable=AsyncMock, ) as mock_get_role, patch( @@ -1510,7 +1510,7 @@ class TestOrgMemberServiceRemoveOrgMember: new_callable=AsyncMock, ) as mock_get_member, patch( - 'server.services.org_member_service.RoleStore.get_role_by_id_async', + 'server.services.org_member_service.RoleStore.get_role_by_id', new_callable=AsyncMock, ) as mock_get_role, patch( @@ -1620,11 +1620,11 @@ class TestOrgMemberServiceUpdateOrgMember: new_callable=AsyncMock, ) as mock_get_member, patch( - 'server.services.org_member_service.RoleStore.get_role_by_id_async', + 'server.services.org_member_service.RoleStore.get_role_by_id', new_callable=AsyncMock, ) as mock_get_role, patch( - 'server.services.org_member_service.RoleStore.get_role_by_name_async', + 'server.services.org_member_service.RoleStore.get_role_by_name', new_callable=AsyncMock, ) as mock_get_role_by_name, patch( @@ -1681,11 +1681,11 @@ class TestOrgMemberServiceUpdateOrgMember: new_callable=AsyncMock, ) as mock_get_member, patch( - 'server.services.org_member_service.RoleStore.get_role_by_id_async', + 'server.services.org_member_service.RoleStore.get_role_by_id', new_callable=AsyncMock, ) as mock_get_role, patch( - 'server.services.org_member_service.RoleStore.get_role_by_name_async', + 'server.services.org_member_service.RoleStore.get_role_by_name', new_callable=AsyncMock, ) as mock_get_role_by_name, patch( @@ -1740,11 +1740,11 @@ class TestOrgMemberServiceUpdateOrgMember: new_callable=AsyncMock, ) as mock_get_member, patch( - 'server.services.org_member_service.RoleStore.get_role_by_id_async', + 'server.services.org_member_service.RoleStore.get_role_by_id', new_callable=AsyncMock, ) as mock_get_role, patch( - 'server.services.org_member_service.RoleStore.get_role_by_name_async', + 'server.services.org_member_service.RoleStore.get_role_by_name', new_callable=AsyncMock, ) as mock_get_role_by_name, patch( @@ -1803,11 +1803,11 @@ class TestOrgMemberServiceUpdateOrgMember: new_callable=AsyncMock, ) as mock_get_member, patch( - 'server.services.org_member_service.RoleStore.get_role_by_id_async', + 'server.services.org_member_service.RoleStore.get_role_by_id', new_callable=AsyncMock, ) as mock_get_role, patch( - 'server.services.org_member_service.RoleStore.get_role_by_name_async', + 'server.services.org_member_service.RoleStore.get_role_by_name', new_callable=AsyncMock, ) as mock_get_role_by_name, patch( @@ -1934,11 +1934,11 @@ class TestOrgMemberServiceUpdateOrgMember: new_callable=AsyncMock, ) as mock_get_member, patch( - 'server.services.org_member_service.RoleStore.get_role_by_id_async', + 'server.services.org_member_service.RoleStore.get_role_by_id', new_callable=AsyncMock, ) as mock_get_role, patch( - 'server.services.org_member_service.RoleStore.get_role_by_name_async', + 'server.services.org_member_service.RoleStore.get_role_by_name', new_callable=AsyncMock, ) as mock_get_role_by_name, ): @@ -1977,11 +1977,11 @@ class TestOrgMemberServiceUpdateOrgMember: new_callable=AsyncMock, ) as mock_get_member, patch( - 'server.services.org_member_service.RoleStore.get_role_by_id_async', + 'server.services.org_member_service.RoleStore.get_role_by_id', new_callable=AsyncMock, ) as mock_get_role, patch( - 'server.services.org_member_service.RoleStore.get_role_by_name_async', + 'server.services.org_member_service.RoleStore.get_role_by_name', new_callable=AsyncMock, ) as mock_get_role_by_name, patch( @@ -2032,7 +2032,7 @@ class TestOrgMemberServiceUpdateOrgMember: new_callable=AsyncMock, ) as mock_get_member, patch( - 'server.services.org_member_service.RoleStore.get_role_by_id_async', + 'server.services.org_member_service.RoleStore.get_role_by_id', new_callable=AsyncMock, ) as mock_get_role, patch( @@ -2134,7 +2134,7 @@ class TestOrgMemberServiceIsLastOwner: new_callable=AsyncMock, ) as mock_get_members, patch( - 'server.services.org_member_service.RoleStore.get_role_by_id_async', + 'server.services.org_member_service.RoleStore.get_role_by_id', new_callable=AsyncMock, ) as mock_get_role, ): @@ -2166,7 +2166,7 @@ class TestOrgMemberServiceIsLastOwner: new_callable=AsyncMock, ) as mock_get_members, patch( - 'server.services.org_member_service.RoleStore.get_role_by_id_async', + 'server.services.org_member_service.RoleStore.get_role_by_id', new_callable=AsyncMock, ) as mock_get_role, ): @@ -2194,7 +2194,7 @@ class TestOrgMemberServiceIsLastOwner: new_callable=AsyncMock, ) as mock_get_members, patch( - 'server.services.org_member_service.RoleStore.get_role_by_id_async', + 'server.services.org_member_service.RoleStore.get_role_by_id', new_callable=AsyncMock, ) as mock_get_role, ): @@ -2249,7 +2249,7 @@ class TestOrgMemberServiceGetMe: new_callable=AsyncMock, ) as mock_get_member, patch( - 'server.services.org_member_service.RoleStore.get_role_by_id_async', + 'server.services.org_member_service.RoleStore.get_role_by_id', new_callable=AsyncMock, ) as mock_get_role, patch( @@ -2308,7 +2308,7 @@ class TestOrgMemberServiceGetMe: new_callable=AsyncMock, ) as mock_get_member, patch( - 'server.services.org_member_service.RoleStore.get_role_by_id_async', + 'server.services.org_member_service.RoleStore.get_role_by_id', new_callable=AsyncMock, ) as mock_get_role, ): @@ -2336,7 +2336,7 @@ class TestOrgMemberServiceGetMe: new_callable=AsyncMock, ) as mock_get_member, patch( - 'server.services.org_member_service.RoleStore.get_role_by_id_async', + 'server.services.org_member_service.RoleStore.get_role_by_id', new_callable=AsyncMock, ) as mock_get_role, patch( diff --git a/enterprise/tests/unit/test_authorization.py b/enterprise/tests/unit/test_authorization.py index 748389d178..c751e6454a 100644 --- a/enterprise/tests/unit/test_authorization.py +++ b/enterprise/tests/unit/test_authorization.py @@ -359,7 +359,7 @@ class TestGetUserOrgRole: return_value=mock_org_member, ), patch( - 'server.auth.authorization.RoleStore.get_role_by_id_async', + 'server.auth.authorization.RoleStore.get_role_by_id', new_callable=AsyncMock, return_value=mock_role, ), @@ -411,7 +411,7 @@ class TestGetUserOrgRole: new_callable=AsyncMock, ) as mock_get_org_member, patch( - 'server.auth.authorization.RoleStore.get_role_by_id_async', + 'server.auth.authorization.RoleStore.get_role_by_id', new_callable=AsyncMock, return_value=mock_role, ), diff --git a/enterprise/tests/unit/test_org_invitation_service.py b/enterprise/tests/unit/test_org_invitation_service.py index 822fd5c5a6..5f797dedde 100644 --- a/enterprise/tests/unit/test_org_invitation_service.py +++ b/enterprise/tests/unit/test_org_invitation_service.py @@ -327,12 +327,12 @@ class TestCreateInvitationsBatch: return_value=mock_inviter_member, ), patch( - 'server.services.org_invitation_service.RoleStore.get_role_by_id_async', + 'server.services.org_invitation_service.RoleStore.get_role_by_id', new_callable=AsyncMock, return_value=mock_owner_role, ), patch( - 'server.services.org_invitation_service.RoleStore.get_role_by_name_async', + 'server.services.org_invitation_service.RoleStore.get_role_by_name', new_callable=AsyncMock, return_value=mock_member_role, ), @@ -383,12 +383,12 @@ class TestCreateInvitationsBatch: return_value=mock_inviter_member, ), patch( - 'server.services.org_invitation_service.RoleStore.get_role_by_id_async', + 'server.services.org_invitation_service.RoleStore.get_role_by_id', new_callable=AsyncMock, return_value=mock_owner_role, ), patch( - 'server.services.org_invitation_service.RoleStore.get_role_by_name_async', + 'server.services.org_invitation_service.RoleStore.get_role_by_name', new_callable=AsyncMock, return_value=mock_member_role, ), @@ -452,12 +452,12 @@ class TestCreateInvitationsBatch: return_value=mock_inviter_member, ), patch( - 'server.services.org_invitation_service.RoleStore.get_role_by_id_async', + 'server.services.org_invitation_service.RoleStore.get_role_by_id', new_callable=AsyncMock, return_value=mock_owner_role, ), patch( - 'server.services.org_invitation_service.RoleStore.get_role_by_name_async', + 'server.services.org_invitation_service.RoleStore.get_role_by_name', new_callable=AsyncMock, return_value=None, # Invalid role ), diff --git a/enterprise/tests/unit/test_org_service.py b/enterprise/tests/unit/test_org_service.py index bf71d1c1d7..94edcbff3f 100644 --- a/enterprise/tests/unit/test_org_service.py +++ b/enterprise/tests/unit/test_org_service.py @@ -77,7 +77,7 @@ async def test_validate_name_uniqueness_with_unique_name(async_session_maker): with ( patch('storage.org_store.a_session_maker', async_session_maker), patch('storage.org_member_store.a_session_maker'), - patch('storage.role_store.session_maker'), + patch('storage.role_store.a_session_maker'), ): await OrgService.validate_name_uniqueness(unique_name) @@ -132,7 +132,7 @@ async def test_create_org_with_owner_success( with ( patch('storage.org_store.a_session_maker', async_session_maker), - patch('storage.role_store.session_maker', session_maker), + patch('storage.role_store.a_session_maker', async_session_maker), patch( 'storage.org_service.UserStore.create_default_settings', AsyncMock(return_value=mock_settings), @@ -200,7 +200,7 @@ async def test_create_org_with_owner_duplicate_name( # Act & Assert with ( patch('storage.org_store.a_session_maker', async_session_maker), - patch('storage.role_store.session_maker', session_maker), + patch('storage.role_store.a_session_maker', async_session_maker), patch( 'storage.org_service.UserStore.create_default_settings', mock_create_settings, @@ -276,7 +276,7 @@ async def test_create_org_with_owner_database_failure_triggers_cleanup( with ( patch('storage.org_store.a_session_maker', async_session_maker), - patch('storage.role_store.session_maker', session_maker), + patch('storage.role_store.a_session_maker', async_session_maker), patch( 'storage.org_service.UserStore.create_default_settings', AsyncMock(return_value=mock_settings), @@ -843,7 +843,7 @@ async def test_verify_owner_authorization_success(session_maker, owner_role): return_value=mock_org_member, ), patch( - 'storage.org_service.RoleStore.get_role_by_id_async', + 'storage.org_service.RoleStore.get_role_by_id', new_callable=AsyncMock, return_value=mock_owner_role, ), @@ -950,7 +950,7 @@ async def test_verify_owner_authorization_user_not_owner(session_maker): return_value=mock_org_member, ), patch( - 'storage.org_service.RoleStore.get_role_by_id_async', + 'storage.org_service.RoleStore.get_role_by_id', new_callable=AsyncMock, return_value=admin_role, ), @@ -1136,7 +1136,7 @@ async def test_update_org_with_permissions_success_non_llm_fields( with ( patch('storage.org_store.a_session_maker', async_session_maker), patch('storage.org_member_store.a_session_maker', async_session_maker), - patch('storage.role_store.session_maker', session_maker), + patch('storage.role_store.a_session_maker', async_session_maker), ): # Act result = await OrgService.update_org_with_permissions( @@ -1384,7 +1384,7 @@ async def test_update_org_with_permissions_empty_update( with ( patch('storage.org_store.a_session_maker', async_session_maker), patch('storage.org_member_store.a_session_maker', async_session_maker), - patch('storage.role_store.session_maker', session_maker), + patch('storage.role_store.a_session_maker', async_session_maker), ): # Act result = await OrgService.update_org_with_permissions( @@ -1419,7 +1419,7 @@ async def test_update_org_with_permissions_org_not_found( with ( patch('storage.org_store.a_session_maker', async_session_maker), patch('storage.org_member_store.a_session_maker', async_session_maker), - patch('storage.role_store.session_maker', session_maker), + patch('storage.role_store.a_session_maker', async_session_maker), ): # Act & Assert with pytest.raises(ValueError) as exc_info: @@ -1467,7 +1467,7 @@ async def test_update_org_with_permissions_non_member( with ( patch('storage.org_store.a_session_maker', async_session_maker), patch('storage.org_member_store.a_session_maker', async_session_maker), - patch('storage.role_store.session_maker', session_maker), + patch('storage.role_store.a_session_maker', async_session_maker), ): # Act & Assert with pytest.raises(PermissionError) as exc_info: @@ -1525,7 +1525,7 @@ async def test_update_org_with_permissions_llm_fields_insufficient_permission( with ( patch('storage.org_store.a_session_maker', async_session_maker), patch('storage.org_member_store.a_session_maker', async_session_maker), - patch('storage.role_store.session_maker', session_maker), + patch('storage.role_store.a_session_maker', async_session_maker), ): # Act & Assert with pytest.raises(PermissionError) as exc_info: @@ -1585,7 +1585,7 @@ async def test_update_org_with_permissions_database_error( with ( patch('storage.org_store.a_session_maker', async_session_maker), patch('storage.org_member_store.a_session_maker', async_session_maker), - patch('storage.role_store.session_maker', session_maker), + patch('storage.role_store.a_session_maker', async_session_maker), patch( 'storage.org_service.OrgStore.update_org', new_callable=AsyncMock, @@ -1640,7 +1640,7 @@ async def test_update_org_with_permissions_duplicate_name_raises_org_name_exists with ( patch('storage.org_store.a_session_maker', async_session_maker), patch('storage.org_member_store.a_session_maker', async_session_maker), - patch('storage.role_store.session_maker', session_maker), + patch('storage.role_store.a_session_maker', async_session_maker), patch( 'storage.org_service.OrgStore.get_org_by_id', new_callable=AsyncMock, @@ -1693,7 +1693,7 @@ async def test_update_org_with_permissions_same_name_allowed( with ( patch('storage.org_store.a_session_maker', async_session_maker), patch('storage.org_member_store.a_session_maker', async_session_maker), - patch('storage.role_store.session_maker', session_maker), + patch('storage.role_store.a_session_maker', async_session_maker), patch( 'storage.org_service.OrgStore.get_org_by_id', new_callable=AsyncMock, @@ -1835,7 +1835,7 @@ async def test_update_org_with_permissions_only_non_llm_fields( with ( patch('storage.org_store.a_session_maker', async_session_maker), patch('storage.org_member_store.a_session_maker', async_session_maker), - patch('storage.role_store.session_maker', session_maker), + patch('storage.role_store.a_session_maker', async_session_maker), ): # Act result = await OrgService.update_org_with_permissions( diff --git a/enterprise/tests/unit/test_role_store.py b/enterprise/tests/unit/test_role_store.py index 6de5549062..9ed50ec1c6 100644 --- a/enterprise/tests/unit/test_role_store.py +++ b/enterprise/tests/unit/test_role_store.py @@ -33,86 +33,9 @@ async def async_session_maker(async_engine): return async_sessionmaker(async_engine, class_=AsyncSession, expire_on_commit=False) -def test_get_role_by_id(session_maker): - # Test getting role by ID - with session_maker() as session: - # Create a test role - role = Role(name='admin', rank=1) - session.add(role) - session.commit() - role_id = role.id - - # Test retrieval - with patch('storage.role_store.session_maker', session_maker): - retrieved_role = RoleStore.get_role_by_id(role_id) - assert retrieved_role is not None - assert retrieved_role.id == role_id - assert retrieved_role.name == 'admin' - - -def test_get_role_by_id_not_found(session_maker): - # Test getting role by ID when it doesn't exist - with patch('storage.role_store.session_maker', session_maker): - retrieved_role = RoleStore.get_role_by_id(99999) - assert retrieved_role is None - - -def test_get_role_by_name(session_maker): - # Test getting role by name - with session_maker() as session: - # Create a test role - role = Role(name='admin', rank=1) - session.add(role) - session.commit() - role_id = role.id - - # Test retrieval - with patch('storage.role_store.session_maker', session_maker): - retrieved_role = RoleStore.get_role_by_name('admin') - assert retrieved_role is not None - assert retrieved_role.id == role_id - assert retrieved_role.name == 'admin' - - -def test_get_role_by_name_not_found(session_maker): - # Test getting role by name when it doesn't exist - with patch('storage.role_store.session_maker', session_maker): - retrieved_role = RoleStore.get_role_by_name('nonexistent') - assert retrieved_role is None - - -def test_list_roles(session_maker): - # Test listing all roles - with session_maker() as session: - # Create test roles - role1 = Role(name='admin', rank=1) - role2 = Role(name='user', rank=2) - session.add_all([role1, role2]) - session.commit() - - # Test listing - with patch('storage.role_store.session_maker', session_maker): - roles = RoleStore.list_roles() - assert len(roles) >= 2 - role_names = [role.name for role in roles] - assert 'admin' in role_names - assert 'user' in role_names - - -def test_create_role(session_maker): - # Test creating a new role - with patch('storage.role_store.session_maker', session_maker): - role = RoleStore.create_role(name='moderator', rank=2) - - assert role is not None - assert role.name == 'moderator' - assert role.rank == 2 - assert role.id is not None - - @pytest.mark.asyncio -async def test_get_role_by_name_async_with_session(async_session_maker): - """Test getting role by name asynchronously with an explicit session.""" +async def test_get_role_by_id_with_session(async_session_maker): + """Test getting role by ID with an explicit session.""" # Create a test role async with async_session_maker() as session: role = Role(name='admin', rank=1) @@ -123,9 +46,53 @@ async def test_get_role_by_name_async_with_session(async_session_maker): # Test retrieval with explicit session async with async_session_maker() as session: - retrieved_role = await RoleStore.get_role_by_name_async( - 'admin', session=session - ) + retrieved_role = await RoleStore.get_role_by_id(role_id, session=session) + assert retrieved_role is not None + assert retrieved_role.id == role_id + assert retrieved_role.name == 'admin' + + +@pytest.mark.asyncio +async def test_get_role_by_id_without_session(async_session_maker): + """Test getting role by ID using internal session maker.""" + # Create a test role + async with async_session_maker() as session: + role = Role(name='admin', rank=1) + session.add(role) + await session.commit() + await session.refresh(role) + role_id = role.id + + # Test retrieval without explicit session (using patched a_session_maker) + with patch('storage.role_store.a_session_maker', async_session_maker): + retrieved_role = await RoleStore.get_role_by_id(role_id) + assert retrieved_role is not None + assert retrieved_role.id == role_id + assert retrieved_role.name == 'admin' + + +@pytest.mark.asyncio +async def test_get_role_by_id_not_found(async_session_maker): + """Test getting role by ID when it doesn't exist.""" + with patch('storage.role_store.a_session_maker', async_session_maker): + retrieved_role = await RoleStore.get_role_by_id(99999) + assert retrieved_role is None + + +@pytest.mark.asyncio +async def test_get_role_by_name_with_session(async_session_maker): + """Test getting role by name with an explicit session.""" + # Create a test role + async with async_session_maker() as session: + role = Role(name='admin', rank=1) + session.add(role) + await session.commit() + await session.refresh(role) + role_id = role.id + + # Test retrieval with explicit session + async with async_session_maker() as session: + retrieved_role = await RoleStore.get_role_by_name('admin', session=session) assert retrieved_role is not None assert retrieved_role.id == role_id assert retrieved_role.name == 'admin' @@ -133,8 +100,8 @@ async def test_get_role_by_name_async_with_session(async_session_maker): @pytest.mark.asyncio -async def test_get_role_by_name_async_without_session(async_session_maker): - """Test getting role by name asynchronously using internal session maker.""" +async def test_get_role_by_name_without_session(async_session_maker): + """Test getting role by name using internal session maker.""" # Create a test role async with async_session_maker() as session: role = Role(name='editor', rank=2) @@ -145,7 +112,7 @@ async def test_get_role_by_name_async_without_session(async_session_maker): # Test retrieval without explicit session (using patched a_session_maker) with patch('storage.role_store.a_session_maker', async_session_maker): - retrieved_role = await RoleStore.get_role_by_name_async('editor') + retrieved_role = await RoleStore.get_role_by_name('editor') assert retrieved_role is not None assert retrieved_role.id == role_id assert retrieved_role.name == 'editor' @@ -153,18 +120,81 @@ async def test_get_role_by_name_async_without_session(async_session_maker): @pytest.mark.asyncio -async def test_get_role_by_name_async_not_found_with_session(async_session_maker): +async def test_get_role_by_name_not_found_with_session(async_session_maker): """Test getting role by name when it doesn't exist (with explicit session).""" async with async_session_maker() as session: - retrieved_role = await RoleStore.get_role_by_name_async( + retrieved_role = await RoleStore.get_role_by_name( 'nonexistent', session=session ) assert retrieved_role is None @pytest.mark.asyncio -async def test_get_role_by_name_async_not_found_without_session(async_session_maker): +async def test_get_role_by_name_not_found_without_session(async_session_maker): """Test getting role by name when it doesn't exist (without explicit session).""" with patch('storage.role_store.a_session_maker', async_session_maker): - retrieved_role = await RoleStore.get_role_by_name_async('nonexistent') + retrieved_role = await RoleStore.get_role_by_name('nonexistent') assert retrieved_role is None + + +@pytest.mark.asyncio +async def test_list_roles_with_session(async_session_maker): + """Test listing all roles with an explicit session.""" + # Create test roles + async with async_session_maker() as session: + role1 = Role(name='admin', rank=1) + role2 = Role(name='user', rank=2) + session.add_all([role1, role2]) + await session.commit() + + # Test listing with explicit session + async with async_session_maker() as session: + roles = await RoleStore.list_roles(session=session) + assert len(roles) >= 2 + role_names = [role.name for role in roles] + assert 'admin' in role_names + assert 'user' in role_names + + +@pytest.mark.asyncio +async def test_list_roles_without_session(async_session_maker): + """Test listing all roles using internal session maker.""" + # Create test roles + async with async_session_maker() as session: + role1 = Role(name='admin', rank=1) + role2 = Role(name='user', rank=2) + session.add_all([role1, role2]) + await session.commit() + + # Test listing without explicit session (using patched a_session_maker) + with patch('storage.role_store.a_session_maker', async_session_maker): + roles = await RoleStore.list_roles() + assert len(roles) >= 2 + role_names = [role.name for role in roles] + assert 'admin' in role_names + assert 'user' in role_names + + +@pytest.mark.asyncio +async def test_create_role_with_session(async_session_maker): + """Test creating a new role with an explicit session.""" + async with async_session_maker() as session: + role = await RoleStore.create_role(name='moderator', rank=2, session=session) + await session.commit() + + assert role is not None + assert role.name == 'moderator' + assert role.rank == 2 + assert role.id is not None + + +@pytest.mark.asyncio +async def test_create_role_without_session(async_session_maker): + """Test creating a new role using internal session maker.""" + with patch('storage.role_store.a_session_maker', async_session_maker): + role = await RoleStore.create_role(name='moderator', rank=2) + + assert role is not None + assert role.name == 'moderator' + assert role.rank == 2 + assert role.id is not None From a1271dc129609456944112e536a5edc3e9e70f36 Mon Sep 17 00:00:00 2001 From: Rohit Malhotra Date: Tue, 3 Mar 2026 18:37:38 -0500 Subject: [PATCH 22/67] Fix mypy type errors in token_manager.py and auth_token_store.py (#13179) Co-authored-by: openhands Co-authored-by: OpenHands Bot --- .../integrations/gitlab/gitlab_service.py | 11 +- enterprise/server/auth/token_manager.py | 59 ++- enterprise/server/routes/auth.py | 35 +- enterprise/server/routes/event_webhook.py | 10 + enterprise/server/routes/integration/slack.py | 4 +- enterprise/server/routes/user.py | 31 +- enterprise/storage/auth_token_store.py | 2 +- .../storage/saas_conversation_validator.py | 12 +- enterprise/tests/unit/conftest.py | 21 + enterprise/tests/unit/test_auth_routes.py | 454 ++++++++++-------- .../tests/unit/test_token_manager_extended.py | 24 +- .../tests/unit/test_user_route_fallback.py | 108 ++--- 12 files changed, 436 insertions(+), 335 deletions(-) diff --git a/enterprise/integrations/gitlab/gitlab_service.py b/enterprise/integrations/gitlab/gitlab_service.py index 558cc15058..ac4a947920 100644 --- a/enterprise/integrations/gitlab/gitlab_service.py +++ b/enterprise/integrations/gitlab/gitlab_service.py @@ -191,12 +191,11 @@ class SaaSGitLabService(GitLabService): user_info = await self.token_manager.get_user_info( self.external_auth_token.get_secret_value() ) - keycloak_user_id = user_info.get('sub') - if keycloak_user_id: - self.external_auth_id = keycloak_user_id - logger.info( - f'Determined external_auth_id from Keycloak token: {self.external_auth_id}' - ) + keycloak_user_id = user_info.sub + self.external_auth_id = keycloak_user_id + logger.info( + f'Determined external_auth_id from Keycloak token: {self.external_auth_id}' + ) except Exception: logger.warning( 'Cannot store repository data: external_auth_id is not set and could not be determined from token', diff --git a/enterprise/server/auth/token_manager.py b/enterprise/server/auth/token_manager.py index 80ed958412..b057968a0d 100644 --- a/enterprise/server/auth/token_manager.py +++ b/enterprise/server/auth/token_manager.py @@ -16,6 +16,7 @@ from keycloak.exceptions import ( KeycloakError, KeycloakPostError, ) +from pydantic import BaseModel from server.auth.auth_error import ExpiredError from server.auth.constants import ( BITBUCKET_APP_CLIENT_ID, @@ -49,6 +50,30 @@ from openhands.integrations.service_types import ProviderType from openhands.server.types import SessionExpiredError from openhands.utils.http_session import httpx_verify_option + +class KeycloakUserInfo(BaseModel): + """Pydantic model for Keycloak UserInfo endpoint response. + + Based on OIDC standard claims. 'sub' is always required per OIDC spec. + Additional fields from Keycloak are captured via model_config extra='allow'. + """ + + model_config = {'extra': 'allow'} + + sub: str + name: str | None = None + given_name: str | None = None + family_name: str | None = None + preferred_username: str | None = None + email: str | None = None + email_verified: bool | None = None + picture: str | None = None + attributes: dict[str, list[str]] | None = None + identity_provider: str | None = None + company: str | None = None + roles: list[str] | None = None + + # HTTP timeout for external IDP calls (in seconds) # This prevents indefinite blocking if an IDP is slow or unresponsive IDP_HTTP_TIMEOUT = 15.0 @@ -141,22 +166,22 @@ class TokenManager: new_keycloak_tokens['refresh_token'], ) - # UserInfo from Keycloak return a dictionary with the following format: - # { - # 'sub': '248289761001', - # 'name': 'Jane Doe', - # 'given_name': 'Jane', - # 'family_name': 'Doe', - # 'preferred_username': 'j.doe', - # 'email': 'janedoe@example.com', - # 'picture': 'http://example.com/janedoe/me.jpg' - # 'github_id': '354322532' - # } - async def get_user_info(self, access_token: str) -> dict: - if not access_token: - return {} + async def get_user_info(self, access_token: str) -> KeycloakUserInfo: + """Get user info from Keycloak userinfo endpoint. + + Args: + access_token: A valid Keycloak access token + + Returns: + KeycloakUserInfo with user claims. 'sub' is always present per OIDC spec. + + Raises: + KeycloakAuthenticationError: If the token is invalid + ValidationError: If the response is missing the required 'sub' field + """ user_info = await get_keycloak_openid(self.external).a_userinfo(access_token) - return user_info + # Pydantic validation will raise ValidationError if 'sub' is missing + return KeycloakUserInfo.model_validate(user_info) @retry( stop=stop_after_attempt(2), @@ -270,8 +295,8 @@ class TokenManager: ) -> str: # Get user info to determine user_id and idp user_info = await self.get_user_info(access_token=access_token) - user_id = user_info.get('sub') - username = user_info.get('preferred_username') + user_id = user_info.sub + username = user_info.preferred_username logger.info(f'Getting token for user {username} and IDP {idp}') token_store = await AuthTokenStore.get_instance( keycloak_user_id=user_id, idp=idp diff --git a/enterprise/server/routes/auth.py b/enterprise/server/routes/auth.py index df9b85cfa2..fa298f73e4 100644 --- a/enterprise/server/routes/auth.py +++ b/enterprise/server/routes/auth.py @@ -189,34 +189,35 @@ async def keycloak_callback( user_info = await token_manager.get_user_info(keycloak_access_token) logger.debug(f'user_info: {user_info}') - if ROLE_CHECK_ENABLED and 'roles' not in user_info: + if ROLE_CHECK_ENABLED and user_info.roles is None: return JSONResponse( status_code=status.HTTP_401_UNAUTHORIZED, content={'error': 'Missing required role'}, ) - if 'sub' not in user_info or 'preferred_username' not in user_info: + if user_info.preferred_username is None: return JSONResponse( status_code=status.HTTP_400_BAD_REQUEST, content={'error': 'Missing user ID or username in response'}, ) - email = user_info.get('email') - user_id = user_info['sub'] + email = user_info.email + user_id = user_info.sub + user_info_dict = user_info.model_dump(exclude_none=True) user = await UserStore.get_user_by_id_async(user_id) if not user: - user = await UserStore.create_user(user_id, user_info) + user = await UserStore.create_user(user_id, user_info_dict) else: # Existing user — gradually backfill contact_name if it still has a username-style value - await UserStore.backfill_contact_name(user_id, user_info) - await UserStore.backfill_user_email(user_id, user_info) + await UserStore.backfill_contact_name(user_id, user_info_dict) + await UserStore.backfill_user_email(user_id, user_info_dict) if not user: - logger.error(f'Failed to authenticate user {user_info["preferred_username"]}') + logger.error(f'Failed to authenticate user {user_info.preferred_username}') return JSONResponse( status_code=status.HTTP_401_UNAUTHORIZED, content={ - 'error': f'Failed to authenticate user {user_info["preferred_username"]}' + 'error': f'Failed to authenticate user {user_info.preferred_username}' }, ) @@ -323,7 +324,7 @@ async def keycloak_callback( ) # Check email verification status - email_verified = user_info.get('email_verified', False) + email_verified = user_info.email_verified or False if not email_verified: # Send verification email # Import locally to avoid circular import with email.py @@ -341,7 +342,7 @@ async def keycloak_callback( # default to github IDP for now. # TODO: remove default once Keycloak is updated universally with the new attribute. - idp: str = user_info.get('identity_provider', ProviderType.GITHUB.value) + idp: str = user_info.identity_provider or ProviderType.GITHUB.value logger.info(f'Full IDP is {idp}') idp_type = 'oidc' if ':' in idp: @@ -352,7 +353,7 @@ async def keycloak_callback( ProviderType(idp), user_id, keycloak_access_token ) - username = user_info['preferred_username'] + username = user_info.preferred_username if user_verifier.is_active() and not user_verifier.is_user_allowed(username): return JSONResponse( status_code=status.HTTP_401_UNAUTHORIZED, @@ -360,7 +361,7 @@ async def keycloak_callback( ) valid_offline_token = ( - await token_manager.validate_offline_token(user_id=user_info['sub']) + await token_manager.validate_offline_token(user_id=user_info.sub) if idp_type != 'saml' else True ) @@ -541,14 +542,10 @@ async def keycloak_offline_callback(code: str, state: str, request: Request): user_info = await token_manager.get_user_info(keycloak_access_token) logger.debug(f'user_info: {user_info}') - if 'sub' not in user_info: - return JSONResponse( - status_code=status.HTTP_400_BAD_REQUEST, - content={'error': 'Missing Keycloak ID in response'}, - ) + # sub is a required field in KeycloakUserInfo, validation happens in get_user_info await token_manager.store_offline_token( - user_id=user_info['sub'], offline_token=keycloak_refresh_token + user_id=user_info.sub, offline_token=keycloak_refresh_token ) redirect_url, _, _ = _extract_oauth_state(state) diff --git a/enterprise/server/routes/event_webhook.py b/enterprise/server/routes/event_webhook.py index 64d5572ad6..c308358f67 100644 --- a/enterprise/server/routes/event_webhook.py +++ b/enterprise/server/routes/event_webhook.py @@ -93,6 +93,16 @@ async def _process_batch_operations_background( ) continue # Skip this operation but continue with others + if user_id is None: + logger.error( + 'user_id_not_set_in_batch_webhook', + extra={ + 'conversation_id': conversation_id, + 'path': batch_op.path, + }, + ) + continue + if subpath == 'agent_state.pkl': update_agent_state(user_id, conversation_id, batch_op.get_content()) continue diff --git a/enterprise/server/routes/integration/slack.py b/enterprise/server/routes/integration/slack.py index 8ada1a9679..221c966eb1 100644 --- a/enterprise/server/routes/integration/slack.py +++ b/enterprise/server/routes/integration/slack.py @@ -196,7 +196,7 @@ async def keycloak_callback( ) user_info = await token_manager.get_user_info(keycloak_access_token) - keycloak_user_id = user_info['sub'] + keycloak_user_id = user_info.sub user = await UserStore.get_user_by_id_async(keycloak_user_id) if not user: return _html_response( @@ -208,7 +208,7 @@ async def keycloak_callback( # These tokens are offline access tokens - store them! await token_manager.store_offline_token(keycloak_user_id, keycloak_refresh_token) - idp: str = user_info.get('identity_provider', ProviderType.GITHUB) + idp: str = user_info.identity_provider or ProviderType.GITHUB.value idp_type = 'oidc' if ':' in idp: idp, idp_type = idp.rsplit(':', 1) diff --git a/enterprise/server/routes/user.py b/enterprise/server/routes/user.py index 31d1206cd6..b0e9a6de7b 100644 --- a/enterprise/server/routes/user.py +++ b/enterprise/server/routes/user.py @@ -111,30 +111,26 @@ async def saas_get_user( status_code=status.HTTP_401_UNAUTHORIZED, ) user_info = await token_manager.get_user_info(access_token.get_secret_value()) - if not user_info: - return JSONResponse( - content='Failed to retrieve user_info.', - status_code=status.HTTP_401_UNAUTHORIZED, - ) # Prefer email from DB; fall back to Keycloak if not yet persisted - email = user_info.get('email') if user_info else None - sub = user_info.get('sub') if user_info else '' + email = user_info.email + sub = user_info.sub if sub: db_user = await UserStore.get_user_by_id_async(sub) if db_user and db_user.email is not None: email = db_user.email + user_info_dict = user_info.model_dump(exclude_none=True) retval = await _check_idp( access_token=access_token, default_value=User( id=sub, - login=(user_info.get('preferred_username') if user_info else '') or '', + login=user_info.preferred_username or '', avatar_url='', email=email, - name=resolve_display_name(user_info) if user_info else None, - company=user_info.get('company') if user_info else None, + name=resolve_display_name(user_info_dict), + company=user_info.company, ), - user_info=user_info, + user_info=user_info_dict, ) if retval is not None: return retval @@ -364,16 +360,11 @@ async def _check_idp( content='User is not authenticated.', status_code=status.HTTP_401_UNAUTHORIZED, ) - user_info = ( - user_info - if user_info - else await token_manager.get_user_info(access_token.get_secret_value()) - ) - if not user_info: - return JSONResponse( - content='Failed to retrieve user_info.', - status_code=status.HTTP_401_UNAUTHORIZED, + if user_info is None: + user_info_model = await token_manager.get_user_info( + access_token.get_secret_value() ) + user_info = user_info_model.model_dump(exclude_none=True) idp: str | None = user_info.get('identity_provider') if not idp: return JSONResponse( diff --git a/enterprise/storage/auth_token_store.py b/enterprise/storage/auth_token_store.py index c9406f6d13..11ad668587 100644 --- a/enterprise/storage/auth_token_store.py +++ b/enterprise/storage/auth_token_store.py @@ -102,7 +102,7 @@ class AuthTokenStore: async def load_tokens( self, check_expiration_and_refresh: Callable[ - [ProviderType, str, int, int], Awaitable[Dict[str, str | int]] + [ProviderType, str, int, int], Awaitable[Dict[str, str | int] | None] ] | None = None, ) -> Dict[str, str | int] | None: diff --git a/enterprise/storage/saas_conversation_validator.py b/enterprise/storage/saas_conversation_validator.py index c164cf254c..bff4468011 100644 --- a/enterprise/storage/saas_conversation_validator.py +++ b/enterprise/storage/saas_conversation_validator.py @@ -136,15 +136,9 @@ class SaasConversationValidator(ConversationValidator): raise ConnectionRefusedError('SESSION$TIMEOUT_MESSAGE') if access_token is None: raise AuthError('no_access_token') - user_info_dict = await token_manager.get_user_info( - access_token.get_secret_value() - ) - if not user_info_dict or 'sub' not in user_info_dict: - logger.info( - f'Invalid user_info {user_info_dict} for access token {access_token}' - ) - raise RuntimeError('Invalid user_info') - user_id = user_info_dict['sub'] + user_info = await token_manager.get_user_info(access_token.get_secret_value()) + # sub is a required field in KeycloakUserInfo, validation happens in get_user_info + user_id = user_info.sub logger.info(f'User {user_id} is connecting to conversation {conversation_id}') diff --git a/enterprise/tests/unit/conftest.py b/enterprise/tests/unit/conftest.py index f848cbeb20..c273f81423 100644 --- a/enterprise/tests/unit/conftest.py +++ b/enterprise/tests/unit/conftest.py @@ -3,6 +3,7 @@ from datetime import datetime from uuid import UUID import pytest +from server.auth.token_manager import KeycloakUserInfo from server.constants import ORG_SETTINGS_VERSION from server.verified_models.verified_model_service import ( StoredVerifiedModel, # noqa: F401 @@ -36,6 +37,26 @@ from storage.stripe_customer import StripeCustomer from storage.user import User +@pytest.fixture +def create_keycloak_user_info(): + """Fixture that returns a factory function to create KeycloakUserInfo models. + + Usage: + def test_example(create_keycloak_user_info): + user_info = create_keycloak_user_info(sub='user123', email='test@example.com') + """ + + def _create(**kwargs) -> KeycloakUserInfo: + defaults = { + 'sub': 'test_user_id', + 'preferred_username': 'test_user', + } + defaults.update(kwargs) + return KeycloakUserInfo(**defaults) + + return _create + + @pytest.fixture(scope='function') def db_path(tmp_path): """Create a unique temp file path for each test.""" diff --git a/enterprise/tests/unit/test_auth_routes.py b/enterprise/tests/unit/test_auth_routes.py index 75cbbd9707..ce3d142ec4 100644 --- a/enterprise/tests/unit/test_auth_routes.py +++ b/enterprise/tests/unit/test_auth_routes.py @@ -105,15 +105,20 @@ async def test_keycloak_callback_token_retrieval_failure(mock_request): @pytest.mark.asyncio -async def test_keycloak_callback_missing_user_info(mock_request): - """Test keycloak_callback when user info is missing required fields.""" +async def test_keycloak_callback_missing_user_info( + mock_request, create_keycloak_user_info +): + """Test keycloak_callback when user info is missing preferred_username.""" with patch('server.routes.auth.token_manager') as mock_token_manager: mock_token_manager.get_keycloak_tokens = AsyncMock( return_value=('test_access_token', 'test_refresh_token') ) + # Return KeycloakUserInfo with sub but without preferred_username mock_token_manager.get_user_info = AsyncMock( - return_value={'some_field': 'value'} - ) # Missing 'sub' and 'preferred_username' + return_value=create_keycloak_user_info( + sub='test_user_id', preferred_username=None + ) + ) result = await keycloak_callback( code='test_code', state='test_state', request=mock_request @@ -126,7 +131,9 @@ async def test_keycloak_callback_missing_user_info(mock_request): @pytest.mark.asyncio -async def test_keycloak_callback_user_not_allowed(mock_request): +async def test_keycloak_callback_user_not_allowed( + mock_request, create_keycloak_user_info +): """Test keycloak_callback when user is not allowed by verifier.""" with ( patch('server.routes.auth.token_manager') as mock_token_manager, @@ -137,12 +144,12 @@ async def test_keycloak_callback_user_not_allowed(mock_request): return_value=('test_access_token', 'test_refresh_token') ) mock_token_manager.get_user_info = AsyncMock( - return_value={ - 'sub': 'test_user_id', - 'preferred_username': 'test_user', - 'identity_provider': 'github', - 'email_verified': True, - } + return_value=create_keycloak_user_info( + sub='test_user_id', + preferred_username='test_user', + identity_provider='github', + email_verified=True, + ) ) mock_token_manager.store_idp_tokens = AsyncMock() @@ -172,7 +179,9 @@ async def test_keycloak_callback_user_not_allowed(mock_request): @pytest.mark.asyncio -async def test_keycloak_callback_success_with_valid_offline_token(mock_request): +async def test_keycloak_callback_success_with_valid_offline_token( + mock_request, create_keycloak_user_info +): """Test successful keycloak_callback with valid offline token.""" with ( patch('server.routes.auth.token_manager') as mock_token_manager, @@ -198,12 +207,12 @@ async def test_keycloak_callback_success_with_valid_offline_token(mock_request): return_value=('test_access_token', 'test_refresh_token') ) mock_token_manager.get_user_info = AsyncMock( - return_value={ - 'sub': 'test_user_id', - 'preferred_username': 'test_user', - 'identity_provider': 'github', - 'email_verified': True, - } + return_value=create_keycloak_user_info( + sub='test_user_id', + preferred_username='test_user', + identity_provider='github', + email_verified=True, + ) ) mock_token_manager.store_idp_tokens = AsyncMock() mock_token_manager.validate_offline_token = AsyncMock(return_value=True) @@ -234,7 +243,9 @@ async def test_keycloak_callback_success_with_valid_offline_token(mock_request): @pytest.mark.asyncio -async def test_keycloak_callback_email_not_verified(mock_request): +async def test_keycloak_callback_email_not_verified( + mock_request, create_keycloak_user_info +): """Test keycloak_callback when email is not verified.""" # Arrange mock_verify_email = AsyncMock() @@ -248,12 +259,12 @@ async def test_keycloak_callback_email_not_verified(mock_request): return_value=('test_access_token', 'test_refresh_token') ) mock_token_manager.get_user_info = AsyncMock( - return_value={ - 'sub': 'test_user_id', - 'preferred_username': 'test_user', - 'identity_provider': 'github', - 'email_verified': False, - } + return_value=create_keycloak_user_info( + sub='test_user_id', + preferred_username='test_user', + identity_provider='github', + email_verified=False, + ) ) mock_token_manager.store_idp_tokens = AsyncMock() mock_verifier.is_active.return_value = False @@ -283,7 +294,9 @@ async def test_keycloak_callback_email_not_verified(mock_request): @pytest.mark.asyncio -async def test_keycloak_callback_email_not_verified_missing_field(mock_request): +async def test_keycloak_callback_email_not_verified_missing_field( + mock_request, create_keycloak_user_info +): """Test keycloak_callback when email_verified field is missing (defaults to False).""" # Arrange mock_verify_email = AsyncMock() @@ -297,12 +310,12 @@ async def test_keycloak_callback_email_not_verified_missing_field(mock_request): return_value=('test_access_token', 'test_refresh_token') ) mock_token_manager.get_user_info = AsyncMock( - return_value={ - 'sub': 'test_user_id', - 'preferred_username': 'test_user', - 'identity_provider': 'github', + return_value=create_keycloak_user_info( + sub='test_user_id', + preferred_username='test_user', + identity_provider='github', # email_verified field is missing - } + ) ) mock_token_manager.store_idp_tokens = AsyncMock() mock_verifier.is_active.return_value = False @@ -332,7 +345,9 @@ async def test_keycloak_callback_email_not_verified_missing_field(mock_request): @pytest.mark.asyncio -async def test_keycloak_callback_success_without_offline_token(mock_request): +async def test_keycloak_callback_success_without_offline_token( + mock_request, create_keycloak_user_info +): """Test successful keycloak_callback without valid offline token.""" with ( patch('server.routes.auth.token_manager') as mock_token_manager, @@ -363,12 +378,12 @@ async def test_keycloak_callback_success_without_offline_token(mock_request): return_value=('test_access_token', 'test_refresh_token') ) mock_token_manager.get_user_info = AsyncMock( - return_value={ - 'sub': 'test_user_id', - 'preferred_username': 'test_user', - 'identity_provider': 'github', - 'email_verified': True, - } + return_value=create_keycloak_user_info( + sub='test_user_id', + preferred_username='test_user', + identity_provider='github', + email_verified=True, + ) ) mock_token_manager.store_idp_tokens = AsyncMock() # Set validate_offline_token to return False to test the "without offline token" scenario @@ -448,33 +463,42 @@ async def test_keycloak_offline_callback_token_retrieval_failure(mock_request): @pytest.mark.asyncio async def test_keycloak_offline_callback_missing_user_info(mock_request): """Test keycloak_offline_callback when user info is missing required fields.""" + from pydantic import ValidationError + with patch('server.routes.auth.token_manager') as mock_token_manager: mock_token_manager.get_keycloak_tokens = AsyncMock( return_value=('test_access_token', 'test_refresh_token') ) + # With Pydantic model, missing 'sub' raises ValidationError during get_user_info mock_token_manager.get_user_info = AsyncMock( - return_value={'some_field': 'value'} - ) # Missing 'sub' - - result = await keycloak_offline_callback( - 'test_code', 'test_state', mock_request + side_effect=ValidationError.from_exception_data( + 'KeycloakUserInfo', + [ + { + 'type': 'missing', + 'loc': ('sub',), + 'input': {'some_field': 'value'}, + } + ], + ) ) - assert isinstance(result, JSONResponse) - assert result.status_code == status.HTTP_400_BAD_REQUEST - assert 'error' in result.body.decode() - assert 'Missing Keycloak ID' in result.body.decode() + # The endpoint should propagate the error (or handle it gracefully) + with pytest.raises(ValidationError): + await keycloak_offline_callback('test_code', 'test_state', mock_request) @pytest.mark.asyncio -async def test_keycloak_offline_callback_success(mock_request): +async def test_keycloak_offline_callback_success( + mock_request, create_keycloak_user_info +): """Test successful keycloak_offline_callback.""" with patch('server.routes.auth.token_manager') as mock_token_manager: mock_token_manager.get_keycloak_tokens = AsyncMock( return_value=('test_access_token', 'test_refresh_token') ) mock_token_manager.get_user_info = AsyncMock( - return_value={'sub': 'test_user_id'} + return_value=create_keycloak_user_info(sub='test_user_id') ) mock_token_manager.store_idp_tokens = AsyncMock() mock_token_manager.store_offline_token = AsyncMock() @@ -565,7 +589,9 @@ async def test_logout_without_refresh_token(): @pytest.mark.asyncio -async def test_keycloak_callback_blocked_email_domain(mock_request): +async def test_keycloak_callback_blocked_email_domain( + mock_request, create_keycloak_user_info +): """Test keycloak_callback when email domain is blocked.""" # Arrange with ( @@ -577,12 +603,12 @@ async def test_keycloak_callback_blocked_email_domain(mock_request): return_value=('test_access_token', 'test_refresh_token') ) mock_token_manager.get_user_info = AsyncMock( - return_value={ - 'sub': 'test_user_id', - 'preferred_username': 'test_user', - 'email': 'user@colsch.us', - 'identity_provider': 'github', - } + return_value=create_keycloak_user_info( + sub='test_user_id', + preferred_username='test_user', + email='user@colsch.us', + identity_provider='github', + ) ) mock_token_manager.disable_keycloak_user = AsyncMock() @@ -615,7 +641,9 @@ async def test_keycloak_callback_blocked_email_domain(mock_request): @pytest.mark.asyncio -async def test_keycloak_callback_allowed_email_domain(mock_request): +async def test_keycloak_callback_allowed_email_domain( + mock_request, create_keycloak_user_info +): """Test keycloak_callback when email domain is not blocked.""" # Arrange with ( @@ -639,13 +667,13 @@ async def test_keycloak_callback_allowed_email_domain(mock_request): return_value=('test_access_token', 'test_refresh_token') ) mock_token_manager.get_user_info = AsyncMock( - return_value={ - 'sub': 'test_user_id', - 'preferred_username': 'test_user', - 'email': 'user@example.com', - 'identity_provider': 'github', - 'email_verified': True, - } + return_value=create_keycloak_user_info( + sub='test_user_id', + preferred_username='test_user', + email='user@example.com', + identity_provider='github', + email_verified=True, + ) ) mock_token_manager.store_idp_tokens = AsyncMock() mock_token_manager.validate_offline_token = AsyncMock(return_value=True) @@ -680,7 +708,9 @@ async def test_keycloak_callback_allowed_email_domain(mock_request): @pytest.mark.asyncio -async def test_keycloak_callback_domain_blocking_inactive(mock_request): +async def test_keycloak_callback_domain_blocking_inactive( + mock_request, create_keycloak_user_info +): """Test keycloak_callback when email domain is not blocked.""" # Arrange with ( @@ -704,13 +734,13 @@ async def test_keycloak_callback_domain_blocking_inactive(mock_request): return_value=('test_access_token', 'test_refresh_token') ) mock_token_manager.get_user_info = AsyncMock( - return_value={ - 'sub': 'test_user_id', - 'preferred_username': 'test_user', - 'email': 'user@colsch.us', - 'identity_provider': 'github', - 'email_verified': True, - } + return_value=create_keycloak_user_info( + sub='test_user_id', + preferred_username='test_user', + email='user@colsch.us', + identity_provider='github', + email_verified=True, + ) ) mock_token_manager.store_idp_tokens = AsyncMock() mock_token_manager.validate_offline_token = AsyncMock(return_value=True) @@ -743,7 +773,7 @@ async def test_keycloak_callback_domain_blocking_inactive(mock_request): @pytest.mark.asyncio -async def test_keycloak_callback_missing_email(mock_request): +async def test_keycloak_callback_missing_email(mock_request, create_keycloak_user_info): """Test keycloak_callback when user info does not contain email.""" # Arrange with ( @@ -767,13 +797,13 @@ async def test_keycloak_callback_missing_email(mock_request): return_value=('test_access_token', 'test_refresh_token') ) mock_token_manager.get_user_info = AsyncMock( - return_value={ - 'sub': 'test_user_id', - 'preferred_username': 'test_user', - 'identity_provider': 'github', - 'email_verified': True, + return_value=create_keycloak_user_info( + sub='test_user_id', + preferred_username='test_user', + identity_provider='github', + email_verified=True, # No email field - } + ) ) mock_token_manager.store_idp_tokens = AsyncMock() mock_token_manager.validate_offline_token = AsyncMock(return_value=True) @@ -805,7 +835,9 @@ async def test_keycloak_callback_missing_email(mock_request): @pytest.mark.asyncio -async def test_keycloak_callback_duplicate_email_detected(mock_request): +async def test_keycloak_callback_duplicate_email_detected( + mock_request, create_keycloak_user_info +): """Test keycloak_callback when duplicate email is detected.""" with ( patch('server.routes.auth.token_manager') as mock_token_manager, @@ -816,12 +848,12 @@ async def test_keycloak_callback_duplicate_email_detected(mock_request): return_value=('test_access_token', 'test_refresh_token') ) mock_token_manager.get_user_info = AsyncMock( - return_value={ - 'sub': 'test_user_id', - 'preferred_username': 'test_user', - 'email': 'joe+test@example.com', - 'identity_provider': 'github', - } + return_value=create_keycloak_user_info( + sub='test_user_id', + preferred_username='test_user', + email='joe+test@example.com', + identity_provider='github', + ) ) mock_token_manager.check_duplicate_base_email = AsyncMock(return_value=True) mock_token_manager.delete_keycloak_user = AsyncMock(return_value=True) @@ -851,7 +883,9 @@ async def test_keycloak_callback_duplicate_email_detected(mock_request): @pytest.mark.asyncio -async def test_keycloak_callback_duplicate_email_deletion_fails(mock_request): +async def test_keycloak_callback_duplicate_email_deletion_fails( + mock_request, create_keycloak_user_info +): """Test keycloak_callback when duplicate is detected but deletion fails.""" with ( patch('server.routes.auth.token_manager') as mock_token_manager, @@ -862,12 +896,12 @@ async def test_keycloak_callback_duplicate_email_deletion_fails(mock_request): return_value=('test_access_token', 'test_refresh_token') ) mock_token_manager.get_user_info = AsyncMock( - return_value={ - 'sub': 'test_user_id', - 'preferred_username': 'test_user', - 'email': 'joe+test@example.com', - 'identity_provider': 'github', - } + return_value=create_keycloak_user_info( + sub='test_user_id', + preferred_username='test_user', + email='joe+test@example.com', + identity_provider='github', + ) ) mock_token_manager.check_duplicate_base_email = AsyncMock(return_value=True) mock_token_manager.delete_keycloak_user = AsyncMock(return_value=False) @@ -894,7 +928,9 @@ async def test_keycloak_callback_duplicate_email_deletion_fails(mock_request): @pytest.mark.asyncio -async def test_keycloak_callback_duplicate_check_exception(mock_request): +async def test_keycloak_callback_duplicate_check_exception( + mock_request, create_keycloak_user_info +): """Test keycloak_callback when duplicate check raises exception.""" with ( patch('server.routes.auth.token_manager') as mock_token_manager, @@ -916,13 +952,13 @@ async def test_keycloak_callback_duplicate_check_exception(mock_request): return_value=('test_access_token', 'test_refresh_token') ) mock_token_manager.get_user_info = AsyncMock( - return_value={ - 'sub': 'test_user_id', - 'preferred_username': 'test_user', - 'email': 'joe+test@example.com', - 'identity_provider': 'github', - 'email_verified': True, - } + return_value=create_keycloak_user_info( + sub='test_user_id', + preferred_username='test_user', + email='joe+test@example.com', + identity_provider='github', + email_verified=True, + ) ) mock_token_manager.check_duplicate_base_email = AsyncMock( side_effect=Exception('Check failed') @@ -955,7 +991,9 @@ async def test_keycloak_callback_duplicate_check_exception(mock_request): @pytest.mark.asyncio -async def test_keycloak_callback_no_duplicate_email(mock_request): +async def test_keycloak_callback_no_duplicate_email( + mock_request, create_keycloak_user_info +): """Test keycloak_callback when no duplicate email is found.""" with ( patch('server.routes.auth.token_manager') as mock_token_manager, @@ -977,13 +1015,13 @@ async def test_keycloak_callback_no_duplicate_email(mock_request): return_value=('test_access_token', 'test_refresh_token') ) mock_token_manager.get_user_info = AsyncMock( - return_value={ - 'sub': 'test_user_id', - 'preferred_username': 'test_user', - 'email': 'joe+test@example.com', - 'identity_provider': 'github', - 'email_verified': True, - } + return_value=create_keycloak_user_info( + sub='test_user_id', + preferred_username='test_user', + email='joe+test@example.com', + identity_provider='github', + email_verified=True, + ) ) mock_token_manager.check_duplicate_base_email = AsyncMock(return_value=False) mock_token_manager.store_idp_tokens = AsyncMock() @@ -1018,7 +1056,9 @@ async def test_keycloak_callback_no_duplicate_email(mock_request): @pytest.mark.asyncio -async def test_keycloak_callback_no_email_in_user_info(mock_request): +async def test_keycloak_callback_no_email_in_user_info( + mock_request, create_keycloak_user_info +): """Test keycloak_callback when email is not in user_info.""" with ( patch('server.routes.auth.token_manager') as mock_token_manager, @@ -1040,13 +1080,13 @@ async def test_keycloak_callback_no_email_in_user_info(mock_request): return_value=('test_access_token', 'test_refresh_token') ) mock_token_manager.get_user_info = AsyncMock( - return_value={ - 'sub': 'test_user_id', - 'preferred_username': 'test_user', + return_value=create_keycloak_user_info( + sub='test_user_id', + preferred_username='test_user', # No email field - 'identity_provider': 'github', - 'email_verified': True, - } + identity_provider='github', + email_verified=True, + ) ) mock_token_manager.store_idp_tokens = AsyncMock() mock_token_manager.validate_offline_token = AsyncMock(return_value=True) @@ -1154,7 +1194,7 @@ class TestKeycloakCallbackRecaptcha: @pytest.mark.asyncio async def test_should_verify_recaptcha_and_allow_login_when_score_is_high( - self, mock_request + self, mock_request, create_keycloak_user_info ): """Test that login proceeds when reCAPTCHA score is high.""" # Arrange @@ -1195,13 +1235,13 @@ class TestKeycloakCallbackRecaptcha: return_value=('test_access_token', 'test_refresh_token') ) mock_token_manager.get_user_info = AsyncMock( - return_value={ - 'sub': 'test_user_id', - 'preferred_username': 'test_user', - 'email': 'user@example.com', - 'identity_provider': 'github', - 'email_verified': True, - } + return_value=create_keycloak_user_info( + sub='test_user_id', + preferred_username='test_user', + email='user@example.com', + identity_provider='github', + email_verified=True, + ) ) mock_token_manager.store_idp_tokens = AsyncMock() mock_token_manager.validate_offline_token = AsyncMock(return_value=True) @@ -1240,7 +1280,9 @@ class TestKeycloakCallbackRecaptcha: mock_recaptcha_service.create_assessment.assert_called_once() @pytest.mark.asyncio - async def test_should_block_login_when_recaptcha_score_is_low(self, mock_request): + async def test_should_block_login_when_recaptcha_score_is_low( + self, mock_request, create_keycloak_user_info + ): """Test that login is blocked and redirected when reCAPTCHA score is low.""" # Arrange state_data = { @@ -1266,11 +1308,11 @@ class TestKeycloakCallbackRecaptcha: return_value=('test_access_token', 'test_refresh_token') ) mock_token_manager.get_user_info = AsyncMock( - return_value={ - 'sub': 'test_user_id', - 'preferred_username': 'test_user', - 'email': 'user@example.com', - } + return_value=create_keycloak_user_info( + sub='test_user_id', + preferred_username='test_user', + email='user@example.com', + ) ) mock_token_manager.check_duplicate_base_email = AsyncMock( return_value=False @@ -1303,7 +1345,9 @@ class TestKeycloakCallbackRecaptcha: assert 'recaptcha_blocked=true' in result.headers['location'] @pytest.mark.asyncio - async def test_should_extract_ip_from_x_forwarded_for_header(self, mock_request): + async def test_should_extract_ip_from_x_forwarded_for_header( + self, mock_request, create_keycloak_user_info + ): """Test that IP is extracted from X-Forwarded-For header when present.""" # Arrange state_data = { @@ -1345,13 +1389,13 @@ class TestKeycloakCallbackRecaptcha: return_value=('test_access_token', 'test_refresh_token') ) mock_token_manager.get_user_info = AsyncMock( - return_value={ - 'sub': 'test_user_id', - 'preferred_username': 'test_user', - 'email': 'user@example.com', - 'identity_provider': 'github', - 'email_verified': True, - } + return_value=create_keycloak_user_info( + sub='test_user_id', + preferred_username='test_user', + email='user@example.com', + identity_provider='github', + email_verified=True, + ) ) mock_token_manager.store_idp_tokens = AsyncMock() mock_token_manager.validate_offline_token = AsyncMock(return_value=True) @@ -1390,7 +1434,7 @@ class TestKeycloakCallbackRecaptcha: @pytest.mark.asyncio async def test_should_use_client_host_when_x_forwarded_for_missing( - self, mock_request + self, mock_request, create_keycloak_user_info ): """Test that client.host is used when X-Forwarded-For is missing.""" # Arrange @@ -1434,13 +1478,13 @@ class TestKeycloakCallbackRecaptcha: return_value=('test_access_token', 'test_refresh_token') ) mock_token_manager.get_user_info = AsyncMock( - return_value={ - 'sub': 'test_user_id', - 'preferred_username': 'test_user', - 'email': 'user@example.com', - 'identity_provider': 'github', - 'email_verified': True, - } + return_value=create_keycloak_user_info( + sub='test_user_id', + preferred_username='test_user', + email='user@example.com', + identity_provider='github', + email_verified=True, + ) ) mock_token_manager.store_idp_tokens = AsyncMock() mock_token_manager.validate_offline_token = AsyncMock(return_value=True) @@ -1478,7 +1522,9 @@ class TestKeycloakCallbackRecaptcha: assert call_args[1]['user_ip'] == '192.168.1.2' @pytest.mark.asyncio - async def test_should_use_unknown_ip_when_client_is_none(self, mock_request): + async def test_should_use_unknown_ip_when_client_is_none( + self, mock_request, create_keycloak_user_info + ): """Test that 'unknown' IP is used when client is None.""" # Arrange state_data = { @@ -1520,13 +1566,13 @@ class TestKeycloakCallbackRecaptcha: return_value=('test_access_token', 'test_refresh_token') ) mock_token_manager.get_user_info = AsyncMock( - return_value={ - 'sub': 'test_user_id', - 'preferred_username': 'test_user', - 'email': 'user@example.com', - 'identity_provider': 'github', - 'email_verified': True, - } + return_value=create_keycloak_user_info( + sub='test_user_id', + preferred_username='test_user', + email='user@example.com', + identity_provider='github', + email_verified=True, + ) ) mock_token_manager.store_idp_tokens = AsyncMock() mock_token_manager.validate_offline_token = AsyncMock(return_value=True) @@ -1565,7 +1611,7 @@ class TestKeycloakCallbackRecaptcha: @pytest.mark.asyncio async def test_should_include_email_in_assessment_when_available( - self, mock_request + self, mock_request, create_keycloak_user_info ): """Test that email is included in assessment when available.""" # Arrange @@ -1605,13 +1651,13 @@ class TestKeycloakCallbackRecaptcha: return_value=('test_access_token', 'test_refresh_token') ) mock_token_manager.get_user_info = AsyncMock( - return_value={ - 'sub': 'test_user_id', - 'preferred_username': 'test_user', - 'email': 'user@example.com', - 'identity_provider': 'github', - 'email_verified': True, - } + return_value=create_keycloak_user_info( + sub='test_user_id', + preferred_username='test_user', + email='user@example.com', + identity_provider='github', + email_verified=True, + ) ) mock_token_manager.store_idp_tokens = AsyncMock() mock_token_manager.validate_offline_token = AsyncMock(return_value=True) @@ -1650,7 +1696,7 @@ class TestKeycloakCallbackRecaptcha: @pytest.mark.asyncio async def test_should_skip_recaptcha_when_site_key_not_configured( - self, mock_request + self, mock_request, create_keycloak_user_info ): """Test that reCAPTCHA is skipped when RECAPTCHA_SITE_KEY is not configured.""" # Arrange @@ -1687,13 +1733,13 @@ class TestKeycloakCallbackRecaptcha: return_value=('test_access_token', 'test_refresh_token') ) mock_token_manager.get_user_info = AsyncMock( - return_value={ - 'sub': 'test_user_id', - 'preferred_username': 'test_user', - 'email': 'user@example.com', - 'identity_provider': 'github', - 'email_verified': True, - } + return_value=create_keycloak_user_info( + sub='test_user_id', + preferred_username='test_user', + email='user@example.com', + identity_provider='github', + email_verified=True, + ) ) mock_token_manager.store_idp_tokens = AsyncMock() mock_token_manager.validate_offline_token = AsyncMock(return_value=True) @@ -1725,7 +1771,9 @@ class TestKeycloakCallbackRecaptcha: mock_recaptcha_service.create_assessment.assert_not_called() @pytest.mark.asyncio - async def test_should_skip_recaptcha_when_token_is_missing(self, mock_request): + async def test_should_skip_recaptcha_when_token_is_missing( + self, mock_request, create_keycloak_user_info + ): """Test that reCAPTCHA is skipped when token is missing from state.""" # Arrange state = 'https://example.com' # Old format without token @@ -1755,13 +1803,13 @@ class TestKeycloakCallbackRecaptcha: return_value=('test_access_token', 'test_refresh_token') ) mock_token_manager.get_user_info = AsyncMock( - return_value={ - 'sub': 'test_user_id', - 'preferred_username': 'test_user', - 'email': 'user@example.com', - 'identity_provider': 'github', - 'email_verified': True, - } + return_value=create_keycloak_user_info( + sub='test_user_id', + preferred_username='test_user', + email='user@example.com', + identity_provider='github', + email_verified=True, + ) ) mock_token_manager.store_idp_tokens = AsyncMock() mock_token_manager.validate_offline_token = AsyncMock(return_value=True) @@ -1792,7 +1840,7 @@ class TestKeycloakCallbackRecaptcha: @pytest.mark.asyncio async def test_should_fail_open_when_recaptcha_service_throws_exception( - self, mock_request + self, mock_request, create_keycloak_user_info ): """Test that login proceeds (fail open) when reCAPTCHA service throws exception.""" # Arrange @@ -1829,13 +1877,13 @@ class TestKeycloakCallbackRecaptcha: return_value=('test_access_token', 'test_refresh_token') ) mock_token_manager.get_user_info = AsyncMock( - return_value={ - 'sub': 'test_user_id', - 'preferred_username': 'test_user', - 'email': 'user@example.com', - 'identity_provider': 'github', - 'email_verified': True, - } + return_value=create_keycloak_user_info( + sub='test_user_id', + preferred_username='test_user', + email='user@example.com', + identity_provider='github', + email_verified=True, + ) ) mock_token_manager.store_idp_tokens = AsyncMock() mock_token_manager.validate_offline_token = AsyncMock(return_value=True) @@ -1878,7 +1926,9 @@ class TestKeycloakCallbackRecaptcha: assert len(recaptcha_error_calls) > 0 @pytest.mark.asyncio - async def test_should_log_warning_when_recaptcha_blocks_user(self, mock_request): + async def test_should_log_warning_when_recaptcha_blocks_user( + self, mock_request, create_keycloak_user_info + ): """Test that warning is logged when reCAPTCHA blocks user.""" # Arrange state_data = { @@ -1906,11 +1956,11 @@ class TestKeycloakCallbackRecaptcha: return_value=('test_access_token', 'test_refresh_token') ) mock_token_manager.get_user_info = AsyncMock( - return_value={ - 'sub': 'test_user_id', - 'preferred_username': 'test_user', - 'email': 'user@example.com', - } + return_value=create_keycloak_user_info( + sub='test_user_id', + preferred_username='test_user', + email='user@example.com', + ) ) mock_token_manager.check_duplicate_base_email = AsyncMock( return_value=False @@ -1947,16 +1997,16 @@ class TestKeycloakCallbackRecaptcha: @pytest.mark.asyncio async def test_keycloak_callback_calls_backfill_user_email_for_existing_user( - mock_request, + mock_request, create_keycloak_user_info ): """When an existing user logs in, backfill_user_email should be called.""" - user_info = { - 'sub': 'test_user_id', - 'preferred_username': 'test_user', - 'identity_provider': 'github', - 'email': 'test@example.com', - 'email_verified': True, - } + user_info = create_keycloak_user_info( + sub='test_user_id', + preferred_username='test_user', + identity_provider='github', + email='test@example.com', + email_verified=True, + ) with ( patch('server.routes.auth.token_manager') as mock_token_manager, @@ -1993,9 +2043,9 @@ async def test_keycloak_callback_calls_backfill_user_email_for_existing_user( assert isinstance(result, RedirectResponse) assert result.status_code == 302 - # backfill_user_email should have been called with the user_id and user_info + # backfill_user_email should have been called with the user_id and user_info dict mock_user_store.backfill_user_email.assert_called_once_with( - 'test_user_id', user_info + 'test_user_id', user_info.model_dump(exclude_none=True) ) diff --git a/enterprise/tests/unit/test_token_manager_extended.py b/enterprise/tests/unit/test_token_manager_extended.py index edaf1a2ff9..012fdaa08e 100644 --- a/enterprise/tests/unit/test_token_manager_extended.py +++ b/enterprise/tests/unit/test_token_manager_extended.py @@ -147,6 +147,8 @@ async def test_verify_keycloak_token_refresh(token_manager): @pytest.mark.asyncio async def test_get_user_info(token_manager): """Test getting user info from a Keycloak token.""" + from server.auth.token_manager import KeycloakUserInfo + mock_user_info = { 'sub': 'test_user_id', 'name': 'Test User', @@ -158,7 +160,11 @@ async def test_get_user_info(token_manager): user_info = await token_manager.get_user_info('test_access_token') - assert user_info == mock_user_info + # Now returns KeycloakUserInfo Pydantic model instead of dict + assert isinstance(user_info, KeycloakUserInfo) + assert user_info.sub == 'test_user_id' + assert user_info.name == 'Test User' + assert user_info.email == 'test@example.com' mock_keycloak.return_value.a_userinfo.assert_called_once_with( 'test_access_token' ) @@ -167,9 +173,17 @@ async def test_get_user_info(token_manager): @pytest.mark.asyncio async def test_get_user_info_empty_token(token_manager): """Test handling of empty token when getting user info.""" - user_info = await token_manager.get_user_info('') + from keycloak.exceptions import KeycloakAuthenticationError - assert user_info == {} + with patch('server.auth.token_manager.get_keycloak_openid') as mock_keycloak: + mock_keycloak.return_value.a_userinfo = AsyncMock( + side_effect=KeycloakAuthenticationError('Invalid token') + ) + + with pytest.raises(KeycloakAuthenticationError): + await token_manager.get_user_info('') + + mock_keycloak.return_value.a_userinfo.assert_called_once_with('') @pytest.mark.asyncio @@ -203,12 +217,12 @@ async def test_store_idp_tokens(token_manager): @pytest.mark.asyncio -async def test_get_idp_token(token_manager): +async def test_get_idp_token(token_manager, create_keycloak_user_info): """Test getting an identity provider token.""" with ( patch( 'server.auth.token_manager.TokenManager.get_user_info', - AsyncMock(return_value={'sub': 'test_user_id'}), + AsyncMock(return_value=create_keycloak_user_info(sub='test_user_id')), ), patch('server.auth.token_manager.AuthTokenStore') as mock_token_store_cls, ): diff --git a/enterprise/tests/unit/test_user_route_fallback.py b/enterprise/tests/unit/test_user_route_fallback.py index f51b73fbcb..23ae43dd7b 100644 --- a/enterprise/tests/unit/test_user_route_fallback.py +++ b/enterprise/tests/unit/test_user_route_fallback.py @@ -46,18 +46,18 @@ def mock_user_store(): @pytest.mark.asyncio async def test_fallback_user_includes_name_from_name_claim( - mock_token_manager, mock_check_idp, mock_user_store + mock_token_manager, mock_check_idp, mock_user_store, create_keycloak_user_info ): """When Keycloak provides a 'name' claim, the fallback User should include it.""" from server.routes.user import saas_get_user mock_token_manager.get_user_info = AsyncMock( - return_value={ - 'sub': '248289761001', - 'name': 'Jane Doe', - 'preferred_username': 'j.doe', - 'email': 'jane@example.com', - } + return_value=create_keycloak_user_info( + sub='248289761001', + name='Jane Doe', + preferred_username='j.doe', + email='jane@example.com', + ) ) result = await saas_get_user( @@ -73,19 +73,19 @@ async def test_fallback_user_includes_name_from_name_claim( @pytest.mark.asyncio async def test_fallback_user_combines_given_and_family_name( - mock_token_manager, mock_check_idp, mock_user_store + mock_token_manager, mock_check_idp, mock_user_store, create_keycloak_user_info ): """When 'name' is absent, combine given_name + family_name.""" from server.routes.user import saas_get_user mock_token_manager.get_user_info = AsyncMock( - return_value={ - 'sub': '248289761001', - 'given_name': 'Jane', - 'family_name': 'Doe', - 'preferred_username': 'j.doe', - 'email': 'jane@example.com', - } + return_value=create_keycloak_user_info( + sub='248289761001', + given_name='Jane', + family_name='Doe', + preferred_username='j.doe', + email='jane@example.com', + ) ) result = await saas_get_user( @@ -100,17 +100,17 @@ async def test_fallback_user_combines_given_and_family_name( @pytest.mark.asyncio async def test_fallback_user_name_is_none_when_no_name_claims( - mock_token_manager, mock_check_idp, mock_user_store + mock_token_manager, mock_check_idp, mock_user_store, create_keycloak_user_info ): """When no name claims exist, name should be None.""" from server.routes.user import saas_get_user mock_token_manager.get_user_info = AsyncMock( - return_value={ - 'sub': '248289761001', - 'preferred_username': 'j.doe', - 'email': 'jane@example.com', - } + return_value=create_keycloak_user_info( + sub='248289761001', + preferred_username='j.doe', + email='jane@example.com', + ) ) result = await saas_get_user( @@ -125,19 +125,19 @@ async def test_fallback_user_name_is_none_when_no_name_claims( @pytest.mark.asyncio async def test_fallback_user_includes_company_claim( - mock_token_manager, mock_check_idp, mock_user_store + mock_token_manager, mock_check_idp, mock_user_store, create_keycloak_user_info ): """When Keycloak provides a 'company' claim, include it in the User.""" from server.routes.user import saas_get_user mock_token_manager.get_user_info = AsyncMock( - return_value={ - 'sub': '248289761001', - 'name': 'Jane Doe', - 'preferred_username': 'j.doe', - 'email': 'jane@example.com', - 'company': 'Acme Corp', - } + return_value=create_keycloak_user_info( + sub='248289761001', + name='Jane Doe', + preferred_username='j.doe', + email='jane@example.com', + company='Acme Corp', + ) ) result = await saas_get_user( @@ -152,18 +152,18 @@ async def test_fallback_user_includes_company_claim( @pytest.mark.asyncio async def test_fallback_user_company_is_none_when_absent( - mock_token_manager, mock_check_idp, mock_user_store + mock_token_manager, mock_check_idp, mock_user_store, create_keycloak_user_info ): """When 'company' is not in Keycloak claims, company should be None.""" from server.routes.user import saas_get_user mock_token_manager.get_user_info = AsyncMock( - return_value={ - 'sub': '248289761001', - 'name': 'Jane Doe', - 'preferred_username': 'j.doe', - 'email': 'jane@example.com', - } + return_value=create_keycloak_user_info( + sub='248289761001', + name='Jane Doe', + preferred_username='j.doe', + email='jane@example.com', + ) ) result = await saas_get_user( @@ -178,17 +178,17 @@ async def test_fallback_user_company_is_none_when_absent( @pytest.mark.asyncio async def test_fallback_user_email_from_db_when_available( - mock_token_manager, mock_check_idp, mock_user_store + mock_token_manager, mock_check_idp, mock_user_store, create_keycloak_user_info ): """When User.email is stored in DB, use it instead of Keycloak's live email.""" from server.routes.user import saas_get_user mock_token_manager.get_user_info = AsyncMock( - return_value={ - 'sub': '248289761001', - 'preferred_username': 'j.doe', - 'email': 'keycloak@example.com', - } + return_value=create_keycloak_user_info( + sub='248289761001', + preferred_username='j.doe', + email='keycloak@example.com', + ) ) mock_db_user = MagicMock() @@ -207,17 +207,17 @@ async def test_fallback_user_email_from_db_when_available( @pytest.mark.asyncio async def test_fallback_user_email_falls_back_to_keycloak_when_db_null( - mock_token_manager, mock_check_idp, mock_user_store + mock_token_manager, mock_check_idp, mock_user_store, create_keycloak_user_info ): """When User.email is NULL in DB, fall back to Keycloak's email.""" from server.routes.user import saas_get_user mock_token_manager.get_user_info = AsyncMock( - return_value={ - 'sub': '248289761001', - 'preferred_username': 'j.doe', - 'email': 'keycloak@example.com', - } + return_value=create_keycloak_user_info( + sub='248289761001', + preferred_username='j.doe', + email='keycloak@example.com', + ) ) mock_db_user = MagicMock() @@ -236,17 +236,17 @@ async def test_fallback_user_email_falls_back_to_keycloak_when_db_null( @pytest.mark.asyncio async def test_fallback_user_email_falls_back_to_keycloak_when_no_db_user( - mock_token_manager, mock_check_idp, mock_user_store + mock_token_manager, mock_check_idp, mock_user_store, create_keycloak_user_info ): """When DB user doesn't exist, fall back to Keycloak's email.""" from server.routes.user import saas_get_user mock_token_manager.get_user_info = AsyncMock( - return_value={ - 'sub': '248289761001', - 'preferred_username': 'j.doe', - 'email': 'keycloak@example.com', - } + return_value=create_keycloak_user_info( + sub='248289761001', + preferred_username='j.doe', + email='keycloak@example.com', + ) ) # mock_user_store already returns None by default From 4fc5351ed7136fda15eff5a055704a5900171a0a Mon Sep 17 00:00:00 2001 From: Tim O'Farrell Date: Tue, 3 Mar 2026 16:38:41 -0700 Subject: [PATCH 23/67] Refactor openhands_pr_store.py to use async db sessions (#13186) Co-authored-by: openhands --- .../integrations/github/data_collector.py | 10 +-- .../integrations/github/github_manager.py | 3 +- enterprise/storage/openhands_pr_store.py | 73 +++++++++---------- .../sync/enrich_user_interaction_data.py | 8 +- .../github/test_github_manager.py | 2 +- 5 files changed, 45 insertions(+), 51 deletions(-) diff --git a/enterprise/integrations/github/data_collector.py b/enterprise/integrations/github/data_collector.py index c6a9b4d6ae..d0844b814e 100644 --- a/enterprise/integrations/github/data_collector.py +++ b/enterprise/integrations/github/data_collector.py @@ -569,7 +569,7 @@ class GitHubDataCollector: openhands_helped_author = openhands_commit_count > 0 # Update the PR with OpenHands statistics - update_success = store.update_pr_openhands_stats( + update_success = await store.update_pr_openhands_stats( repo_id=repo_id, pr_number=pr_number, original_updated_at=openhands_pr.updated_at, @@ -612,7 +612,7 @@ class GitHubDataCollector: action = payload.get('action', '') return action == 'closed' and 'pull_request' in payload - def _track_closed_or_merged_pr(self, payload): + async def _track_closed_or_merged_pr(self, payload): """ Track PR closed/merged event """ @@ -671,17 +671,17 @@ class GitHubDataCollector: num_general_comments=num_general_comments, ) - store.insert_pr(pr) + await store.insert_pr(pr) logger.info(f'Tracked PR {status}: {repo_id}#{pr_number}') - def process_payload(self, message: Message): + async def process_payload(self, message: Message): if not COLLECT_GITHUB_INTERACTIONS: return raw_payload = message.message.get('payload', {}) if self._is_pr_closed_or_merged(raw_payload): - self._track_closed_or_merged_pr(raw_payload) + await self._track_closed_or_merged_pr(raw_payload) async def save_data(self, github_view: ResolverViewInterface): if not COLLECT_GITHUB_INTERACTIONS: diff --git a/enterprise/integrations/github/github_manager.py b/enterprise/integrations/github/github_manager.py index 2447b12894..37b03a330d 100644 --- a/enterprise/integrations/github/github_manager.py +++ b/enterprise/integrations/github/github_manager.py @@ -42,7 +42,6 @@ from openhands.server.types import ( SessionExpiredError, ) from openhands.storage.data_models.secrets import Secrets -from openhands.utils.async_utils import call_sync_from_async class GithubManager(Manager[GithubViewType]): @@ -242,7 +241,7 @@ class GithubManager(Manager[GithubViewType]): async def receive_message(self, message: Message): self._confirm_incoming_source_type(message) try: - await call_sync_from_async(self.data_collector.process_payload, message) + await self.data_collector.process_payload(message) except Exception: logger.warning( '[Github]: Error processing payload for gh interaction', exc_info=True diff --git a/enterprise/storage/openhands_pr_store.py b/enterprise/storage/openhands_pr_store.py index 7bc52369f4..2bc3ad661f 100644 --- a/enterprise/storage/openhands_pr_store.py +++ b/enterprise/storage/openhands_pr_store.py @@ -1,44 +1,40 @@ -from dataclasses import dataclass +from __future__ import annotations + from datetime import datetime -from sqlalchemy import and_, desc -from sqlalchemy.orm import sessionmaker -from storage.database import session_maker +from sqlalchemy import and_, desc, select +from storage.database import a_session_maker from storage.openhands_pr import OpenhandsPR from openhands.core.logger import openhands_logger as logger from openhands.integrations.service_types import ProviderType -@dataclass class OpenhandsPRStore: - session_maker: sessionmaker - - def insert_pr(self, pr: OpenhandsPR) -> None: + async def insert_pr(self, pr: OpenhandsPR) -> None: """ Insert a new PR or delete and recreate if repo_id and pr_number already exist. """ - with self.session_maker() as session: + async with a_session_maker() as session: # Check if PR already exists - existing_pr = ( - session.query(OpenhandsPR) - .filter( + result = await session.execute( + select(OpenhandsPR).filter( OpenhandsPR.repo_id == pr.repo_id, OpenhandsPR.pr_number == pr.pr_number, OpenhandsPR.provider == pr.provider, ) - .first() ) + existing_pr = result.scalars().first() if existing_pr: # Delete existing PR - session.delete(existing_pr) - session.flush() + await session.delete(existing_pr) + await session.flush() session.add(pr) - session.commit() + await session.commit() - def increment_process_attempts(self, repo_id: str, pr_number: int) -> bool: + async def increment_process_attempts(self, repo_id: str, pr_number: int) -> bool: """ Increment the process attempts counter for a PR. @@ -49,23 +45,22 @@ class OpenhandsPRStore: Returns: True if PR was found and updated, False otherwise """ - with self.session_maker() as session: - pr = ( - session.query(OpenhandsPR) - .filter( + async with a_session_maker() as session: + result = await session.execute( + select(OpenhandsPR).filter( OpenhandsPR.repo_id == repo_id, OpenhandsPR.pr_number == pr_number ) - .first() ) + pr = result.scalars().first() if pr: pr.process_attempts += 1 - session.merge(pr) - session.commit() + await session.merge(pr) + await session.commit() return True return False - def update_pr_openhands_stats( + async def update_pr_openhands_stats( self, repo_id: str, pr_number: int, @@ -90,16 +85,16 @@ class OpenhandsPRStore: Returns: True if PR was found and updated, False if not found or timestamp changed """ - with self.session_maker() as session: + async with a_session_maker() as session: # Use row-level locking to prevent concurrent modifications - pr: OpenhandsPR | None = ( - session.query(OpenhandsPR) + result = await session.execute( + select(OpenhandsPR) .filter( OpenhandsPR.repo_id == repo_id, OpenhandsPR.pr_number == pr_number ) .with_for_update() - .first() ) + pr: OpenhandsPR | None = result.scalars().first() if not pr: # Current PR snapshot is stale @@ -109,7 +104,7 @@ class OpenhandsPRStore: # Check if the updated_at timestamp has changed (indicating concurrent modification) if pr.updated_at != original_updated_at: # Abort transaction - the PR was modified by another process - session.rollback() + await session.rollback() return False # Update the OpenHands statistics @@ -119,11 +114,11 @@ class OpenhandsPRStore: pr.num_openhands_general_comments = num_openhands_general_comments pr.processed = True - session.merge(pr) - session.commit() + await session.merge(pr) + await session.commit() return True - def get_unprocessed_prs( + async def get_unprocessed_prs( self, limit: int = 50, max_retries: int = 3 ) -> list[OpenhandsPR]: """ @@ -135,9 +130,9 @@ class OpenhandsPRStore: Returns: List of OpenhandsPR objects that need processing """ - with self.session_maker() as session: - unprocessed_prs = ( - session.query(OpenhandsPR) + async with a_session_maker() as session: + result = await session.execute( + select(OpenhandsPR) .filter( and_( ~OpenhandsPR.processed, @@ -147,12 +142,12 @@ class OpenhandsPRStore: ) .order_by(desc(OpenhandsPR.updated_at)) .limit(limit) - .all() ) + unprocessed_prs = list(result.scalars().all()) return unprocessed_prs @classmethod - def get_instance(cls): + def get_instance(cls) -> OpenhandsPRStore: """Get an instance of the OpenhandsPRStore.""" - return OpenhandsPRStore(session_maker) + return OpenhandsPRStore() diff --git a/enterprise/sync/enrich_user_interaction_data.py b/enterprise/sync/enrich_user_interaction_data.py index 184c1c40cc..611aeabf85 100644 --- a/enterprise/sync/enrich_user_interaction_data.py +++ b/enterprise/sync/enrich_user_interaction_data.py @@ -13,7 +13,7 @@ store = OpenhandsPRStore.get_instance() data_collector = GitHubDataCollector() -def get_unprocessed_prs() -> list[OpenhandsPR]: +async def get_unprocessed_prs() -> list[OpenhandsPR]: """ Get unprocessed PR entries from the OpenhandsPR table. @@ -23,7 +23,7 @@ def get_unprocessed_prs() -> list[OpenhandsPR]: Returns: List of OpenhandsPR objects that need processing """ - unprocessed_prs = store.get_unprocessed_prs(PROCESS_AMOUNT, MAX_RETRIES) + unprocessed_prs = await store.get_unprocessed_prs(PROCESS_AMOUNT, MAX_RETRIES) logger.info(f'Retrieved {len(unprocessed_prs)} unprocessed PRs for enrichment') return unprocessed_prs @@ -35,7 +35,7 @@ async def process_pr(pr: OpenhandsPR): logger.info(f'Processing PR #{pr.pr_number} from repo {pr.repo_name}') await data_collector.save_full_pr(pr) - store.increment_process_attempts(pr.repo_id, pr.pr_number) + await store.increment_process_attempts(pr.repo_id, pr.pr_number) async def main(): @@ -45,7 +45,7 @@ async def main(): logger.info('Starting PR data enrichment process') # Get unprocessed PRs - unprocessed_prs = get_unprocessed_prs() + unprocessed_prs = await get_unprocessed_prs() logger.info(f'Found {len(unprocessed_prs)} PRs to process') # Process each PR diff --git a/enterprise/tests/unit/integrations/github/test_github_manager.py b/enterprise/tests/unit/integrations/github/test_github_manager.py index 864be4ef38..18276bdaec 100644 --- a/enterprise/tests/unit/integrations/github/test_github_manager.py +++ b/enterprise/tests/unit/integrations/github/test_github_manager.py @@ -29,7 +29,7 @@ class TestGithubManagerUserNotFound: def mock_data_collector(self): """Create a mock data collector.""" data_collector = MagicMock() - data_collector.process_payload = MagicMock() + data_collector.process_payload = AsyncMock() return data_collector @pytest.fixture From 0ae9128ed7a054e067417ca14d4e98a37e2aa947 Mon Sep 17 00:00:00 2001 From: aivong-openhands Date: Tue, 3 Mar 2026 17:43:05 -0600 Subject: [PATCH 24/67] Fix CVE-2025-69223: Update aiohttp to 3.13.3 (#13008) Co-authored-by: OpenHands CVE Fix Bot --- enterprise/poetry.lock | 231 ++++++++++++++++++++++++----------------- poetry.lock | 231 ++++++++++++++++++++++++----------------- pyproject.toml | 4 +- uv.lock | 87 ++++++++-------- 4 files changed, 312 insertions(+), 241 deletions(-) diff --git a/enterprise/poetry.lock b/enterprise/poetry.lock index 4fadd7372f..a59c4f1b50 100644 --- a/enterprise/poetry.lock +++ b/enterprise/poetry.lock @@ -26,98 +26,132 @@ files = [ [[package]] name = "aiohttp" -version = "3.12.15" +version = "3.13.3" description = "Async http client/server framework (asyncio)" optional = false python-versions = ">=3.9" groups = ["main"] files = [ - {file = "aiohttp-3.12.15-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:b6fc902bff74d9b1879ad55f5404153e2b33a82e72a95c89cec5eb6cc9e92fbc"}, - {file = "aiohttp-3.12.15-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:098e92835b8119b54c693f2f88a1dec690e20798ca5f5fe5f0520245253ee0af"}, - {file = "aiohttp-3.12.15-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:40b3fee496a47c3b4a39a731954c06f0bd9bd3e8258c059a4beb76ac23f8e421"}, - {file = "aiohttp-3.12.15-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:2ce13fcfb0bb2f259fb42106cdc63fa5515fb85b7e87177267d89a771a660b79"}, - {file = "aiohttp-3.12.15-cp310-cp310-manylinux_2_17_armv7l.manylinux2014_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:3beb14f053222b391bf9cf92ae82e0171067cc9c8f52453a0f1ec7c37df12a77"}, - {file = "aiohttp-3.12.15-cp310-cp310-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:4c39e87afe48aa3e814cac5f535bc6199180a53e38d3f51c5e2530f5aa4ec58c"}, - {file = "aiohttp-3.12.15-cp310-cp310-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:d5f1b4ce5bc528a6ee38dbf5f39bbf11dd127048726323b72b8e85769319ffc4"}, - {file = "aiohttp-3.12.15-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:1004e67962efabbaf3f03b11b4c43b834081c9e3f9b32b16a7d97d4708a9abe6"}, - {file = "aiohttp-3.12.15-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:8faa08fcc2e411f7ab91d1541d9d597d3a90e9004180edb2072238c085eac8c2"}, - {file = "aiohttp-3.12.15-cp310-cp310-musllinux_1_2_aarch64.whl", hash = "sha256:fe086edf38b2222328cdf89af0dde2439ee173b8ad7cb659b4e4c6f385b2be3d"}, - {file = "aiohttp-3.12.15-cp310-cp310-musllinux_1_2_armv7l.whl", hash = "sha256:79b26fe467219add81d5e47b4a4ba0f2394e8b7c7c3198ed36609f9ba161aecb"}, - {file = "aiohttp-3.12.15-cp310-cp310-musllinux_1_2_i686.whl", hash = "sha256:b761bac1192ef24e16706d761aefcb581438b34b13a2f069a6d343ec8fb693a5"}, - {file = "aiohttp-3.12.15-cp310-cp310-musllinux_1_2_ppc64le.whl", hash = "sha256:e153e8adacfe2af562861b72f8bc47f8a5c08e010ac94eebbe33dc21d677cd5b"}, - {file = "aiohttp-3.12.15-cp310-cp310-musllinux_1_2_s390x.whl", hash = "sha256:fc49c4de44977aa8601a00edbf157e9a421f227aa7eb477d9e3df48343311065"}, - {file = "aiohttp-3.12.15-cp310-cp310-musllinux_1_2_x86_64.whl", hash = "sha256:2776c7ec89c54a47029940177e75c8c07c29c66f73464784971d6a81904ce9d1"}, - {file = "aiohttp-3.12.15-cp310-cp310-win32.whl", hash = "sha256:2c7d81a277fa78b2203ab626ced1487420e8c11a8e373707ab72d189fcdad20a"}, - {file = "aiohttp-3.12.15-cp310-cp310-win_amd64.whl", hash = "sha256:83603f881e11f0f710f8e2327817c82e79431ec976448839f3cd05d7afe8f830"}, - {file = "aiohttp-3.12.15-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:d3ce17ce0220383a0f9ea07175eeaa6aa13ae5a41f30bc61d84df17f0e9b1117"}, - {file = "aiohttp-3.12.15-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:010cc9bbd06db80fe234d9003f67e97a10fe003bfbedb40da7d71c1008eda0fe"}, - {file = "aiohttp-3.12.15-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:3f9d7c55b41ed687b9d7165b17672340187f87a773c98236c987f08c858145a9"}, - {file = "aiohttp-3.12.15-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:bc4fbc61bb3548d3b482f9ac7ddd0f18c67e4225aaa4e8552b9f1ac7e6bda9e5"}, - {file = "aiohttp-3.12.15-cp311-cp311-manylinux_2_17_armv7l.manylinux2014_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:7fbc8a7c410bb3ad5d595bb7118147dfbb6449d862cc1125cf8867cb337e8728"}, - {file = "aiohttp-3.12.15-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:74dad41b3458dbb0511e760fb355bb0b6689e0630de8a22b1b62a98777136e16"}, - {file = "aiohttp-3.12.15-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:3b6f0af863cf17e6222b1735a756d664159e58855da99cfe965134a3ff63b0b0"}, - {file = "aiohttp-3.12.15-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:b5b7fe4972d48a4da367043b8e023fb70a04d1490aa7d68800e465d1b97e493b"}, - {file = "aiohttp-3.12.15-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:6443cca89553b7a5485331bc9bedb2342b08d073fa10b8c7d1c60579c4a7b9bd"}, - {file = "aiohttp-3.12.15-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:6c5f40ec615e5264f44b4282ee27628cea221fcad52f27405b80abb346d9f3f8"}, - {file = "aiohttp-3.12.15-cp311-cp311-musllinux_1_2_armv7l.whl", hash = "sha256:2abbb216a1d3a2fe86dbd2edce20cdc5e9ad0be6378455b05ec7f77361b3ab50"}, - {file = "aiohttp-3.12.15-cp311-cp311-musllinux_1_2_i686.whl", hash = "sha256:db71ce547012a5420a39c1b744d485cfb823564d01d5d20805977f5ea1345676"}, - {file = "aiohttp-3.12.15-cp311-cp311-musllinux_1_2_ppc64le.whl", hash = "sha256:ced339d7c9b5030abad5854aa5413a77565e5b6e6248ff927d3e174baf3badf7"}, - {file = "aiohttp-3.12.15-cp311-cp311-musllinux_1_2_s390x.whl", hash = "sha256:7c7dd29c7b5bda137464dc9bfc738d7ceea46ff70309859ffde8c022e9b08ba7"}, - {file = "aiohttp-3.12.15-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:421da6fd326460517873274875c6c5a18ff225b40da2616083c5a34a7570b685"}, - {file = "aiohttp-3.12.15-cp311-cp311-win32.whl", hash = "sha256:4420cf9d179ec8dfe4be10e7d0fe47d6d606485512ea2265b0d8c5113372771b"}, - {file = "aiohttp-3.12.15-cp311-cp311-win_amd64.whl", hash = "sha256:edd533a07da85baa4b423ee8839e3e91681c7bfa19b04260a469ee94b778bf6d"}, - {file = "aiohttp-3.12.15-cp312-cp312-macosx_10_13_universal2.whl", hash = "sha256:802d3868f5776e28f7bf69d349c26fc0efadb81676d0afa88ed00d98a26340b7"}, - {file = "aiohttp-3.12.15-cp312-cp312-macosx_10_13_x86_64.whl", hash = "sha256:f2800614cd560287be05e33a679638e586a2d7401f4ddf99e304d98878c29444"}, - {file = "aiohttp-3.12.15-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:8466151554b593909d30a0a125d638b4e5f3836e5aecde85b66b80ded1cb5b0d"}, - {file = "aiohttp-3.12.15-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:2e5a495cb1be69dae4b08f35a6c4579c539e9b5706f606632102c0f855bcba7c"}, - {file = "aiohttp-3.12.15-cp312-cp312-manylinux_2_17_armv7l.manylinux2014_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:6404dfc8cdde35c69aaa489bb3542fb86ef215fc70277c892be8af540e5e21c0"}, - {file = "aiohttp-3.12.15-cp312-cp312-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:3ead1c00f8521a5c9070fcb88f02967b1d8a0544e6d85c253f6968b785e1a2ab"}, - {file = "aiohttp-3.12.15-cp312-cp312-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:6990ef617f14450bc6b34941dba4f12d5613cbf4e33805932f853fbd1cf18bfb"}, - {file = "aiohttp-3.12.15-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:fd736ed420f4db2b8148b52b46b88ed038d0354255f9a73196b7bbce3ea97545"}, - {file = "aiohttp-3.12.15-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:3c5092ce14361a73086b90c6efb3948ffa5be2f5b6fbcf52e8d8c8b8848bb97c"}, - {file = "aiohttp-3.12.15-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:aaa2234bb60c4dbf82893e934d8ee8dea30446f0647e024074237a56a08c01bd"}, - {file = "aiohttp-3.12.15-cp312-cp312-musllinux_1_2_armv7l.whl", hash = "sha256:6d86a2fbdd14192e2f234a92d3b494dd4457e683ba07e5905a0b3ee25389ac9f"}, - {file = "aiohttp-3.12.15-cp312-cp312-musllinux_1_2_i686.whl", hash = "sha256:a041e7e2612041a6ddf1c6a33b883be6a421247c7afd47e885969ee4cc58bd8d"}, - {file = "aiohttp-3.12.15-cp312-cp312-musllinux_1_2_ppc64le.whl", hash = "sha256:5015082477abeafad7203757ae44299a610e89ee82a1503e3d4184e6bafdd519"}, - {file = "aiohttp-3.12.15-cp312-cp312-musllinux_1_2_s390x.whl", hash = "sha256:56822ff5ddfd1b745534e658faba944012346184fbfe732e0d6134b744516eea"}, - {file = "aiohttp-3.12.15-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:b2acbbfff69019d9014508c4ba0401822e8bae5a5fdc3b6814285b71231b60f3"}, - {file = "aiohttp-3.12.15-cp312-cp312-win32.whl", hash = "sha256:d849b0901b50f2185874b9a232f38e26b9b3d4810095a7572eacea939132d4e1"}, - {file = "aiohttp-3.12.15-cp312-cp312-win_amd64.whl", hash = "sha256:b390ef5f62bb508a9d67cb3bba9b8356e23b3996da7062f1a57ce1a79d2b3d34"}, - {file = "aiohttp-3.12.15-cp313-cp313-macosx_10_13_universal2.whl", hash = "sha256:9f922ffd05034d439dde1c77a20461cf4a1b0831e6caa26151fe7aa8aaebc315"}, - {file = "aiohttp-3.12.15-cp313-cp313-macosx_10_13_x86_64.whl", hash = "sha256:2ee8a8ac39ce45f3e55663891d4b1d15598c157b4d494a4613e704c8b43112cd"}, - {file = "aiohttp-3.12.15-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:3eae49032c29d356b94eee45a3f39fdf4b0814b397638c2f718e96cfadf4c4e4"}, - {file = "aiohttp-3.12.15-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:b97752ff12cc12f46a9b20327104448042fce5c33a624f88c18f66f9368091c7"}, - {file = "aiohttp-3.12.15-cp313-cp313-manylinux_2_17_armv7l.manylinux2014_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:894261472691d6fe76ebb7fcf2e5870a2ac284c7406ddc95823c8598a1390f0d"}, - {file = "aiohttp-3.12.15-cp313-cp313-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:5fa5d9eb82ce98959fc1031c28198b431b4d9396894f385cb63f1e2f3f20ca6b"}, - {file = "aiohttp-3.12.15-cp313-cp313-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:f0fa751efb11a541f57db59c1dd821bec09031e01452b2b6217319b3a1f34f3d"}, - {file = "aiohttp-3.12.15-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:5346b93e62ab51ee2a9d68e8f73c7cf96ffb73568a23e683f931e52450e4148d"}, - {file = "aiohttp-3.12.15-cp313-cp313-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:049ec0360f939cd164ecbfd2873eaa432613d5e77d6b04535e3d1fbae5a9e645"}, - {file = "aiohttp-3.12.15-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:b52dcf013b57464b6d1e51b627adfd69a8053e84b7103a7cd49c030f9ca44461"}, - {file = "aiohttp-3.12.15-cp313-cp313-musllinux_1_2_armv7l.whl", hash = "sha256:9b2af240143dd2765e0fb661fd0361a1b469cab235039ea57663cda087250ea9"}, - {file = "aiohttp-3.12.15-cp313-cp313-musllinux_1_2_i686.whl", hash = "sha256:ac77f709a2cde2cc71257ab2d8c74dd157c67a0558a0d2799d5d571b4c63d44d"}, - {file = "aiohttp-3.12.15-cp313-cp313-musllinux_1_2_ppc64le.whl", hash = "sha256:47f6b962246f0a774fbd3b6b7be25d59b06fdb2f164cf2513097998fc6a29693"}, - {file = "aiohttp-3.12.15-cp313-cp313-musllinux_1_2_s390x.whl", hash = "sha256:760fb7db442f284996e39cf9915a94492e1896baac44f06ae551974907922b64"}, - {file = "aiohttp-3.12.15-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:ad702e57dc385cae679c39d318def49aef754455f237499d5b99bea4ef582e51"}, - {file = "aiohttp-3.12.15-cp313-cp313-win32.whl", hash = "sha256:f813c3e9032331024de2eb2e32a88d86afb69291fbc37a3a3ae81cc9917fb3d0"}, - {file = "aiohttp-3.12.15-cp313-cp313-win_amd64.whl", hash = "sha256:1a649001580bdb37c6fdb1bebbd7e3bc688e8ec2b5c6f52edbb664662b17dc84"}, - {file = "aiohttp-3.12.15-cp39-cp39-macosx_10_9_universal2.whl", hash = "sha256:691d203c2bdf4f4637792efbbcdcd157ae11e55eaeb5e9c360c1206fb03d4d98"}, - {file = "aiohttp-3.12.15-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:8e995e1abc4ed2a454c731385bf4082be06f875822adc4c6d9eaadf96e20d406"}, - {file = "aiohttp-3.12.15-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:bd44d5936ab3193c617bfd6c9a7d8d1085a8dc8c3f44d5f1dcf554d17d04cf7d"}, - {file = "aiohttp-3.12.15-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:46749be6e89cd78d6068cdf7da51dbcfa4321147ab8e4116ee6678d9a056a0cf"}, - {file = "aiohttp-3.12.15-cp39-cp39-manylinux_2_17_armv7l.manylinux2014_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:0c643f4d75adea39e92c0f01b3fb83d57abdec8c9279b3078b68a3a52b3933b6"}, - {file = "aiohttp-3.12.15-cp39-cp39-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:0a23918fedc05806966a2438489dcffccbdf83e921a1170773b6178d04ade142"}, - {file = "aiohttp-3.12.15-cp39-cp39-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:74bdd8c864b36c3673741023343565d95bfbd778ffe1eb4d412c135a28a8dc89"}, - {file = "aiohttp-3.12.15-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:0a146708808c9b7a988a4af3821379e379e0f0e5e466ca31a73dbdd0325b0263"}, - {file = "aiohttp-3.12.15-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:b7011a70b56facde58d6d26da4fec3280cc8e2a78c714c96b7a01a87930a9530"}, - {file = "aiohttp-3.12.15-cp39-cp39-musllinux_1_2_aarch64.whl", hash = "sha256:3bdd6e17e16e1dbd3db74d7f989e8af29c4d2e025f9828e6ef45fbdee158ec75"}, - {file = "aiohttp-3.12.15-cp39-cp39-musllinux_1_2_armv7l.whl", hash = "sha256:57d16590a351dfc914670bd72530fd78344b885a00b250e992faea565b7fdc05"}, - {file = "aiohttp-3.12.15-cp39-cp39-musllinux_1_2_i686.whl", hash = "sha256:bc9a0f6569ff990e0bbd75506c8d8fe7214c8f6579cca32f0546e54372a3bb54"}, - {file = "aiohttp-3.12.15-cp39-cp39-musllinux_1_2_ppc64le.whl", hash = "sha256:536ad7234747a37e50e7b6794ea868833d5220b49c92806ae2d7e8a9d6b5de02"}, - {file = "aiohttp-3.12.15-cp39-cp39-musllinux_1_2_s390x.whl", hash = "sha256:f0adb4177fa748072546fb650d9bd7398caaf0e15b370ed3317280b13f4083b0"}, - {file = "aiohttp-3.12.15-cp39-cp39-musllinux_1_2_x86_64.whl", hash = "sha256:14954a2988feae3987f1eb49c706bff39947605f4b6fa4027c1d75743723eb09"}, - {file = "aiohttp-3.12.15-cp39-cp39-win32.whl", hash = "sha256:b784d6ed757f27574dca1c336f968f4e81130b27595e458e69457e6878251f5d"}, - {file = "aiohttp-3.12.15-cp39-cp39-win_amd64.whl", hash = "sha256:86ceded4e78a992f835209e236617bffae649371c4a50d5e5a3987f237db84b8"}, - {file = "aiohttp-3.12.15.tar.gz", hash = "sha256:4fc61385e9c98d72fcdf47e6dd81833f47b2f77c114c29cd64a361be57a763a2"}, + {file = "aiohttp-3.13.3-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:d5a372fd5afd301b3a89582817fdcdb6c34124787c70dbcc616f259013e7eef7"}, + {file = "aiohttp-3.13.3-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:147e422fd1223005c22b4fe080f5d93ced44460f5f9c105406b753612b587821"}, + {file = "aiohttp-3.13.3-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:859bd3f2156e81dd01432f5849fc73e2243d4a487c4fd26609b1299534ee1845"}, + {file = "aiohttp-3.13.3-cp310-cp310-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:dca68018bf48c251ba17c72ed479f4dafe9dbd5a73707ad8d28a38d11f3d42af"}, + {file = "aiohttp-3.13.3-cp310-cp310-manylinux2014_armv7l.manylinux_2_17_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:fee0c6bc7db1de362252affec009707a17478a00ec69f797d23ca256e36d5940"}, + {file = "aiohttp-3.13.3-cp310-cp310-manylinux2014_ppc64le.manylinux_2_17_ppc64le.manylinux_2_28_ppc64le.whl", hash = "sha256:c048058117fd649334d81b4b526e94bde3ccaddb20463a815ced6ecbb7d11160"}, + {file = "aiohttp-3.13.3-cp310-cp310-manylinux2014_s390x.manylinux_2_17_s390x.manylinux_2_28_s390x.whl", hash = "sha256:215a685b6fbbfcf71dfe96e3eba7a6f58f10da1dfdf4889c7dd856abe430dca7"}, + {file = "aiohttp-3.13.3-cp310-cp310-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:de2c184bb1fe2cbd2cefba613e9db29a5ab559323f994b6737e370d3da0ac455"}, + {file = "aiohttp-3.13.3-cp310-cp310-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:75ca857eba4e20ce9f546cd59c7007b33906a4cd48f2ff6ccf1ccfc3b646f279"}, + {file = "aiohttp-3.13.3-cp310-cp310-musllinux_1_2_aarch64.whl", hash = "sha256:81e97251d9298386c2b7dbeb490d3d1badbdc69107fb8c9299dd04eb39bddc0e"}, + {file = "aiohttp-3.13.3-cp310-cp310-musllinux_1_2_armv7l.whl", hash = "sha256:c0e2d366af265797506f0283487223146af57815b388623f0357ef7eac9b209d"}, + {file = "aiohttp-3.13.3-cp310-cp310-musllinux_1_2_ppc64le.whl", hash = "sha256:4e239d501f73d6db1522599e14b9b321a7e3b1de66ce33d53a765d975e9f4808"}, + {file = "aiohttp-3.13.3-cp310-cp310-musllinux_1_2_riscv64.whl", hash = "sha256:0db318f7a6f065d84cb1e02662c526294450b314a02bd9e2a8e67f0d8564ce40"}, + {file = "aiohttp-3.13.3-cp310-cp310-musllinux_1_2_s390x.whl", hash = "sha256:bfc1cc2fe31a6026a8a88e4ecfb98d7f6b1fec150cfd708adbfd1d2f42257c29"}, + {file = "aiohttp-3.13.3-cp310-cp310-musllinux_1_2_x86_64.whl", hash = "sha256:af71fff7bac6bb7508956696dce8f6eec2bbb045eceb40343944b1ae62b5ef11"}, + {file = "aiohttp-3.13.3-cp310-cp310-win32.whl", hash = "sha256:37da61e244d1749798c151421602884db5270faf479cf0ef03af0ff68954c9dd"}, + {file = "aiohttp-3.13.3-cp310-cp310-win_amd64.whl", hash = "sha256:7e63f210bc1b57ef699035f2b4b6d9ce096b5914414a49b0997c839b2bd2223c"}, + {file = "aiohttp-3.13.3-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:5b6073099fb654e0a068ae678b10feff95c5cae95bbfcbfa7af669d361a8aa6b"}, + {file = "aiohttp-3.13.3-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:1cb93e166e6c28716c8c6aeb5f99dfb6d5ccf482d29fe9bf9a794110e6d0ab64"}, + {file = "aiohttp-3.13.3-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:28e027cf2f6b641693a09f631759b4d9ce9165099d2b5d92af9bd4e197690eea"}, + {file = "aiohttp-3.13.3-cp311-cp311-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:3b61b7169ababd7802f9568ed96142616a9118dd2be0d1866e920e77ec8fa92a"}, + {file = "aiohttp-3.13.3-cp311-cp311-manylinux2014_armv7l.manylinux_2_17_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:80dd4c21b0f6237676449c6baaa1039abae86b91636b6c91a7f8e61c87f89540"}, + {file = "aiohttp-3.13.3-cp311-cp311-manylinux2014_ppc64le.manylinux_2_17_ppc64le.manylinux_2_28_ppc64le.whl", hash = "sha256:65d2ccb7eabee90ce0503c17716fc77226be026dcc3e65cce859a30db715025b"}, + {file = "aiohttp-3.13.3-cp311-cp311-manylinux2014_s390x.manylinux_2_17_s390x.manylinux_2_28_s390x.whl", hash = "sha256:5b179331a481cb5529fca8b432d8d3c7001cb217513c94cd72d668d1248688a3"}, + {file = "aiohttp-3.13.3-cp311-cp311-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:9d4c940f02f49483b18b079d1c27ab948721852b281f8b015c058100e9421dd1"}, + {file = "aiohttp-3.13.3-cp311-cp311-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:f9444f105664c4ce47a2a7171a2418bce5b7bae45fb610f4e2c36045d85911d3"}, + {file = "aiohttp-3.13.3-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:694976222c711d1d00ba131904beb60534f93966562f64440d0c9d41b8cdb440"}, + {file = "aiohttp-3.13.3-cp311-cp311-musllinux_1_2_armv7l.whl", hash = "sha256:f33ed1a2bf1997a36661874b017f5c4b760f41266341af36febaf271d179f6d7"}, + {file = "aiohttp-3.13.3-cp311-cp311-musllinux_1_2_ppc64le.whl", hash = "sha256:e636b3c5f61da31a92bf0d91da83e58fdfa96f178ba682f11d24f31944cdd28c"}, + {file = "aiohttp-3.13.3-cp311-cp311-musllinux_1_2_riscv64.whl", hash = "sha256:5d2d94f1f5fcbe40838ac51a6ab5704a6f9ea42e72ceda48de5e6b898521da51"}, + {file = "aiohttp-3.13.3-cp311-cp311-musllinux_1_2_s390x.whl", hash = "sha256:2be0e9ccf23e8a94f6f0650ce06042cefc6ac703d0d7ab6c7a917289f2539ad4"}, + {file = "aiohttp-3.13.3-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:9af5e68ee47d6534d36791bbe9b646d2a7c7deb6fc24d7943628edfbb3581f29"}, + {file = "aiohttp-3.13.3-cp311-cp311-win32.whl", hash = "sha256:a2212ad43c0833a873d0fb3c63fa1bacedd4cf6af2fee62bf4b739ceec3ab239"}, + {file = "aiohttp-3.13.3-cp311-cp311-win_amd64.whl", hash = "sha256:642f752c3eb117b105acbd87e2c143de710987e09860d674e068c4c2c441034f"}, + {file = "aiohttp-3.13.3-cp312-cp312-macosx_10_13_universal2.whl", hash = "sha256:b903a4dfee7d347e2d87697d0713be59e0b87925be030c9178c5faa58ea58d5c"}, + {file = "aiohttp-3.13.3-cp312-cp312-macosx_10_13_x86_64.whl", hash = "sha256:a45530014d7a1e09f4a55f4f43097ba0fd155089372e105e4bff4ca76cb1b168"}, + {file = "aiohttp-3.13.3-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:27234ef6d85c914f9efeb77ff616dbf4ad2380be0cda40b4db086ffc7ddd1b7d"}, + {file = "aiohttp-3.13.3-cp312-cp312-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:d32764c6c9aafb7fb55366a224756387cd50bfa720f32b88e0e6fa45b27dcf29"}, + {file = "aiohttp-3.13.3-cp312-cp312-manylinux2014_armv7l.manylinux_2_17_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:b1a6102b4d3ebc07dad44fbf07b45bb600300f15b552ddf1851b5390202ea2e3"}, + {file = "aiohttp-3.13.3-cp312-cp312-manylinux2014_ppc64le.manylinux_2_17_ppc64le.manylinux_2_28_ppc64le.whl", hash = "sha256:c014c7ea7fb775dd015b2d3137378b7be0249a448a1612268b5a90c2d81de04d"}, + {file = "aiohttp-3.13.3-cp312-cp312-manylinux2014_s390x.manylinux_2_17_s390x.manylinux_2_28_s390x.whl", hash = "sha256:2b8d8ddba8f95ba17582226f80e2de99c7a7948e66490ef8d947e272a93e9463"}, + {file = "aiohttp-3.13.3-cp312-cp312-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:9ae8dd55c8e6c4257eae3a20fd2c8f41edaea5992ed67156642493b8daf3cecc"}, + {file = "aiohttp-3.13.3-cp312-cp312-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:01ad2529d4b5035578f5081606a465f3b814c542882804e2e8cda61adf5c71bf"}, + {file = "aiohttp-3.13.3-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:bb4f7475e359992b580559e008c598091c45b5088f28614e855e42d39c2f1033"}, + {file = "aiohttp-3.13.3-cp312-cp312-musllinux_1_2_armv7l.whl", hash = "sha256:c19b90316ad3b24c69cd78d5c9b4f3aa4497643685901185b65166293d36a00f"}, + {file = "aiohttp-3.13.3-cp312-cp312-musllinux_1_2_ppc64le.whl", hash = "sha256:96d604498a7c782cb15a51c406acaea70d8c027ee6b90c569baa6e7b93073679"}, + {file = "aiohttp-3.13.3-cp312-cp312-musllinux_1_2_riscv64.whl", hash = "sha256:084911a532763e9d3dd95adf78a78f4096cd5f58cdc18e6fdbc1b58417a45423"}, + {file = "aiohttp-3.13.3-cp312-cp312-musllinux_1_2_s390x.whl", hash = "sha256:7a4a94eb787e606d0a09404b9c38c113d3b099d508021faa615d70a0131907ce"}, + {file = "aiohttp-3.13.3-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:87797e645d9d8e222e04160ee32aa06bc5c163e8499f24db719e7852ec23093a"}, + {file = "aiohttp-3.13.3-cp312-cp312-win32.whl", hash = "sha256:b04be762396457bef43f3597c991e192ee7da460a4953d7e647ee4b1c28e7046"}, + {file = "aiohttp-3.13.3-cp312-cp312-win_amd64.whl", hash = "sha256:e3531d63d3bdfa7e3ac5e9b27b2dd7ec9df3206a98e0b3445fa906f233264c57"}, + {file = "aiohttp-3.13.3-cp313-cp313-macosx_10_13_universal2.whl", hash = "sha256:5dff64413671b0d3e7d5918ea490bdccb97a4ad29b3f311ed423200b2203e01c"}, + {file = "aiohttp-3.13.3-cp313-cp313-macosx_10_13_x86_64.whl", hash = "sha256:87b9aab6d6ed88235aa2970294f496ff1a1f9adcd724d800e9b952395a80ffd9"}, + {file = "aiohttp-3.13.3-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:425c126c0dc43861e22cb1c14ba4c8e45d09516d0a3ae0a3f7494b79f5f233a3"}, + {file = "aiohttp-3.13.3-cp313-cp313-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:7f9120f7093c2a32d9647abcaf21e6ad275b4fbec5b55969f978b1a97c7c86bf"}, + {file = "aiohttp-3.13.3-cp313-cp313-manylinux2014_armv7l.manylinux_2_17_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:697753042d57f4bf7122cab985bf15d0cef23c770864580f5af4f52023a56bd6"}, + {file = "aiohttp-3.13.3-cp313-cp313-manylinux2014_ppc64le.manylinux_2_17_ppc64le.manylinux_2_28_ppc64le.whl", hash = "sha256:6de499a1a44e7de70735d0b39f67c8f25eb3d91eb3103be99ca0fa882cdd987d"}, + {file = "aiohttp-3.13.3-cp313-cp313-manylinux2014_s390x.manylinux_2_17_s390x.manylinux_2_28_s390x.whl", hash = "sha256:37239e9f9a7ea9ac5bf6b92b0260b01f8a22281996da609206a84df860bc1261"}, + {file = "aiohttp-3.13.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:f76c1e3fe7d7c8afad7ed193f89a292e1999608170dcc9751a7462a87dfd5bc0"}, + {file = "aiohttp-3.13.3-cp313-cp313-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:fc290605db2a917f6e81b0e1e0796469871f5af381ce15c604a3c5c7e51cb730"}, + {file = "aiohttp-3.13.3-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:4021b51936308aeea0367b8f006dc999ca02bc118a0cc78c303f50a2ff6afb91"}, + {file = "aiohttp-3.13.3-cp313-cp313-musllinux_1_2_armv7l.whl", hash = "sha256:49a03727c1bba9a97d3e93c9f93ca03a57300f484b6e935463099841261195d3"}, + {file = "aiohttp-3.13.3-cp313-cp313-musllinux_1_2_ppc64le.whl", hash = "sha256:3d9908a48eb7416dc1f4524e69f1d32e5d90e3981e4e37eb0aa1cd18f9cfa2a4"}, + {file = "aiohttp-3.13.3-cp313-cp313-musllinux_1_2_riscv64.whl", hash = "sha256:2712039939ec963c237286113c68dbad80a82a4281543f3abf766d9d73228998"}, + {file = "aiohttp-3.13.3-cp313-cp313-musllinux_1_2_s390x.whl", hash = "sha256:7bfdc049127717581866fa4708791220970ce291c23e28ccf3922c700740fdc0"}, + {file = "aiohttp-3.13.3-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:8057c98e0c8472d8846b9c79f56766bcc57e3e8ac7bfd510482332366c56c591"}, + {file = "aiohttp-3.13.3-cp313-cp313-win32.whl", hash = "sha256:1449ceddcdbcf2e0446957863af03ebaaa03f94c090f945411b61269e2cb5daf"}, + {file = "aiohttp-3.13.3-cp313-cp313-win_amd64.whl", hash = "sha256:693781c45a4033d31d4187d2436f5ac701e7bbfe5df40d917736108c1cc7436e"}, + {file = "aiohttp-3.13.3-cp314-cp314-macosx_10_13_universal2.whl", hash = "sha256:ea37047c6b367fd4bd632bff8077449b8fa034b69e812a18e0132a00fae6e808"}, + {file = "aiohttp-3.13.3-cp314-cp314-macosx_10_13_x86_64.whl", hash = "sha256:6fc0e2337d1a4c3e6acafda6a78a39d4c14caea625124817420abceed36e2415"}, + {file = "aiohttp-3.13.3-cp314-cp314-macosx_11_0_arm64.whl", hash = "sha256:c685f2d80bb67ca8c3837823ad76196b3694b0159d232206d1e461d3d434666f"}, + {file = "aiohttp-3.13.3-cp314-cp314-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:48e377758516d262bde50c2584fc6c578af272559c409eecbdd2bae1601184d6"}, + {file = "aiohttp-3.13.3-cp314-cp314-manylinux2014_armv7l.manylinux_2_17_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:34749271508078b261c4abb1767d42b8d0c0cc9449c73a4df494777dc55f0687"}, + {file = "aiohttp-3.13.3-cp314-cp314-manylinux2014_ppc64le.manylinux_2_17_ppc64le.manylinux_2_28_ppc64le.whl", hash = "sha256:82611aeec80eb144416956ec85b6ca45a64d76429c1ed46ae1b5f86c6e0c9a26"}, + {file = "aiohttp-3.13.3-cp314-cp314-manylinux2014_s390x.manylinux_2_17_s390x.manylinux_2_28_s390x.whl", hash = "sha256:2fff83cfc93f18f215896e3a190e8e5cb413ce01553901aca925176e7568963a"}, + {file = "aiohttp-3.13.3-cp314-cp314-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:bbe7d4cecacb439e2e2a8a1a7b935c25b812af7a5fd26503a66dadf428e79ec1"}, + {file = "aiohttp-3.13.3-cp314-cp314-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:b928f30fe49574253644b1ca44b1b8adbd903aa0da4b9054a6c20fc7f4092a25"}, + {file = "aiohttp-3.13.3-cp314-cp314-musllinux_1_2_aarch64.whl", hash = "sha256:7b5e8fe4de30df199155baaf64f2fcd604f4c678ed20910db8e2c66dc4b11603"}, + {file = "aiohttp-3.13.3-cp314-cp314-musllinux_1_2_armv7l.whl", hash = "sha256:8542f41a62bcc58fc7f11cf7c90e0ec324ce44950003feb70640fc2a9092c32a"}, + {file = "aiohttp-3.13.3-cp314-cp314-musllinux_1_2_ppc64le.whl", hash = "sha256:5e1d8c8b8f1d91cd08d8f4a3c2b067bfca6ec043d3ff36de0f3a715feeedf926"}, + {file = "aiohttp-3.13.3-cp314-cp314-musllinux_1_2_riscv64.whl", hash = "sha256:90455115e5da1c3c51ab619ac57f877da8fd6d73c05aacd125c5ae9819582aba"}, + {file = "aiohttp-3.13.3-cp314-cp314-musllinux_1_2_s390x.whl", hash = "sha256:042e9e0bcb5fba81886c8b4fbb9a09d6b8a00245fd8d88e4d989c1f96c74164c"}, + {file = "aiohttp-3.13.3-cp314-cp314-musllinux_1_2_x86_64.whl", hash = "sha256:2eb752b102b12a76ca02dff751a801f028b4ffbbc478840b473597fc91a9ed43"}, + {file = "aiohttp-3.13.3-cp314-cp314-win32.whl", hash = "sha256:b556c85915d8efaed322bf1bdae9486aa0f3f764195a0fb6ee962e5c71ef5ce1"}, + {file = "aiohttp-3.13.3-cp314-cp314-win_amd64.whl", hash = "sha256:9bf9f7a65e7aa20dd764151fb3d616c81088f91f8df39c3893a536e279b4b984"}, + {file = "aiohttp-3.13.3-cp314-cp314t-macosx_10_13_universal2.whl", hash = "sha256:05861afbbec40650d8a07ea324367cb93e9e8cc7762e04dd4405df99fa65159c"}, + {file = "aiohttp-3.13.3-cp314-cp314t-macosx_10_13_x86_64.whl", hash = "sha256:2fc82186fadc4a8316768d61f3722c230e2c1dcab4200d52d2ebdf2482e47592"}, + {file = "aiohttp-3.13.3-cp314-cp314t-macosx_11_0_arm64.whl", hash = "sha256:0add0900ff220d1d5c5ebbf99ed88b0c1bbf87aa7e4262300ed1376a6b13414f"}, + {file = "aiohttp-3.13.3-cp314-cp314t-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:568f416a4072fbfae453dcf9a99194bbb8bdeab718e08ee13dfa2ba0e4bebf29"}, + {file = "aiohttp-3.13.3-cp314-cp314t-manylinux2014_armv7l.manylinux_2_17_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:add1da70de90a2569c5e15249ff76a631ccacfe198375eead4aadf3b8dc849dc"}, + {file = "aiohttp-3.13.3-cp314-cp314t-manylinux2014_ppc64le.manylinux_2_17_ppc64le.manylinux_2_28_ppc64le.whl", hash = "sha256:10b47b7ba335d2e9b1239fa571131a87e2d8ec96b333e68b2a305e7a98b0bae2"}, + {file = "aiohttp-3.13.3-cp314-cp314t-manylinux2014_s390x.manylinux_2_17_s390x.manylinux_2_28_s390x.whl", hash = "sha256:3dd4dce1c718e38081c8f35f323209d4c1df7d4db4bab1b5c88a6b4d12b74587"}, + {file = "aiohttp-3.13.3-cp314-cp314t-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:34bac00a67a812570d4a460447e1e9e06fae622946955f939051e7cc895cfab8"}, + {file = "aiohttp-3.13.3-cp314-cp314t-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:a19884d2ee70b06d9204b2727a7b9f983d0c684c650254679e716b0b77920632"}, + {file = "aiohttp-3.13.3-cp314-cp314t-musllinux_1_2_aarch64.whl", hash = "sha256:5f8ca7f2bb6ba8348a3614c7918cc4bb73268c5ac2a207576b7afea19d3d9f64"}, + {file = "aiohttp-3.13.3-cp314-cp314t-musllinux_1_2_armv7l.whl", hash = "sha256:b0d95340658b9d2f11d9697f59b3814a9d3bb4b7a7c20b131df4bcef464037c0"}, + {file = "aiohttp-3.13.3-cp314-cp314t-musllinux_1_2_ppc64le.whl", hash = "sha256:a1e53262fd202e4b40b70c3aff944a8155059beedc8a89bba9dc1f9ef06a1b56"}, + {file = "aiohttp-3.13.3-cp314-cp314t-musllinux_1_2_riscv64.whl", hash = "sha256:d60ac9663f44168038586cab2157e122e46bdef09e9368b37f2d82d354c23f72"}, + {file = "aiohttp-3.13.3-cp314-cp314t-musllinux_1_2_s390x.whl", hash = "sha256:90751b8eed69435bac9ff4e3d2f6b3af1f57e37ecb0fbeee59c0174c9e2d41df"}, + {file = "aiohttp-3.13.3-cp314-cp314t-musllinux_1_2_x86_64.whl", hash = "sha256:fc353029f176fd2b3ec6cfc71be166aba1936fe5d73dd1992ce289ca6647a9aa"}, + {file = "aiohttp-3.13.3-cp314-cp314t-win32.whl", hash = "sha256:2e41b18a58da1e474a057b3d35248d8320029f61d70a37629535b16a0c8f3767"}, + {file = "aiohttp-3.13.3-cp314-cp314t-win_amd64.whl", hash = "sha256:44531a36aa2264a1860089ffd4dce7baf875ee5a6079d5fb42e261c704ef7344"}, + {file = "aiohttp-3.13.3-cp39-cp39-macosx_10_9_universal2.whl", hash = "sha256:31a83ea4aead760dfcb6962efb1d861db48c34379f2ff72db9ddddd4cda9ea2e"}, + {file = "aiohttp-3.13.3-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:988a8c5e317544fdf0d39871559e67b6341065b87fceac641108c2096d5506b7"}, + {file = "aiohttp-3.13.3-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:9b174f267b5cfb9a7dba9ee6859cecd234e9a681841eb85068059bc867fb8f02"}, + {file = "aiohttp-3.13.3-cp39-cp39-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:947c26539750deeaee933b000fb6517cc770bbd064bad6033f1cff4803881e43"}, + {file = "aiohttp-3.13.3-cp39-cp39-manylinux2014_armv7l.manylinux_2_17_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:9ebf57d09e131f5323464bd347135a88622d1c0976e88ce15b670e7ad57e4bd6"}, + {file = "aiohttp-3.13.3-cp39-cp39-manylinux2014_ppc64le.manylinux_2_17_ppc64le.manylinux_2_28_ppc64le.whl", hash = "sha256:4ae5b5a0e1926e504c81c5b84353e7a5516d8778fbbff00429fe7b05bb25cbce"}, + {file = "aiohttp-3.13.3-cp39-cp39-manylinux2014_s390x.manylinux_2_17_s390x.manylinux_2_28_s390x.whl", hash = "sha256:2ba0eea45eb5cc3172dbfc497c066f19c41bac70963ea1a67d51fc92e4cf9a80"}, + {file = "aiohttp-3.13.3-cp39-cp39-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:bae5c2ed2eae26cc382020edad80d01f36cb8e746da40b292e68fec40421dc6a"}, + {file = "aiohttp-3.13.3-cp39-cp39-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:8a60e60746623925eab7d25823329941aee7242d559baa119ca2b253c88a7bd6"}, + {file = "aiohttp-3.13.3-cp39-cp39-musllinux_1_2_aarch64.whl", hash = "sha256:e50a2e1404f063427c9d027378472316201a2290959a295169bcf25992d04558"}, + {file = "aiohttp-3.13.3-cp39-cp39-musllinux_1_2_armv7l.whl", hash = "sha256:9a9dc347e5a3dc7dfdbc1f82da0ef29e388ddb2ed281bfce9dd8248a313e62b7"}, + {file = "aiohttp-3.13.3-cp39-cp39-musllinux_1_2_ppc64le.whl", hash = "sha256:b46020d11d23fe16551466c77823df9cc2f2c1e63cc965daf67fa5eec6ca1877"}, + {file = "aiohttp-3.13.3-cp39-cp39-musllinux_1_2_riscv64.whl", hash = "sha256:69c56fbc1993fa17043e24a546959c0178fe2b5782405ad4559e6c13975c15e3"}, + {file = "aiohttp-3.13.3-cp39-cp39-musllinux_1_2_s390x.whl", hash = "sha256:b99281b0704c103d4e11e72a76f1b543d4946fea7dd10767e7e1b5f00d4e5704"}, + {file = "aiohttp-3.13.3-cp39-cp39-musllinux_1_2_x86_64.whl", hash = "sha256:40c5e40ecc29ba010656c18052b877a1c28f84344825efa106705e835c28530f"}, + {file = "aiohttp-3.13.3-cp39-cp39-win32.whl", hash = "sha256:56339a36b9f1fc708260c76c87e593e2afb30d26de9ae1eb445b5e051b98a7a1"}, + {file = "aiohttp-3.13.3-cp39-cp39-win_amd64.whl", hash = "sha256:c6b8568a3bb5819a0ad087f16d40e5a3fb6099f39ea1d5625a3edc1e923fc538"}, + {file = "aiohttp-3.13.3.tar.gz", hash = "sha256:a949eee43d3782f2daae4f4a2819b2cb9b0c5d3b7f7a927067cc84dafdbb9f88"}, ] [package.dependencies] @@ -130,7 +164,7 @@ propcache = ">=0.2.0" yarl = ">=1.17.0,<2.0" [package.extras] -speedups = ["Brotli ; platform_python_implementation == \"CPython\"", "aiodns (>=3.3.0)", "brotlicffi ; platform_python_implementation != \"CPython\""] +speedups = ["Brotli (>=1.2) ; platform_python_implementation == \"CPython\"", "aiodns (>=3.3.0)", "backports.zstd ; platform_python_implementation == \"CPython\" and python_version < \"3.14\"", "brotlicffi (>=1.2) ; platform_python_implementation != \"CPython\""] [[package]] name = "aiosignal" @@ -703,24 +737,24 @@ crt = ["awscrt (==0.29.2)"] [[package]] name = "browser-use" -version = "0.11.2" +version = "0.11.13" description = "Make websites accessible for AI agents" optional = false python-versions = "<4.0,>=3.11" groups = ["main"] files = [ - {file = "browser_use-0.11.2-py3-none-any.whl", hash = "sha256:6ac57c0e2a495749fc83c1faee85001737567f8cd4301ebfcda2a886018a325b"}, - {file = "browser_use-0.11.2.tar.gz", hash = "sha256:543face2fd5662ee89526d2099a79e01468b51784cdcc85faa36a81fdae4aa68"}, + {file = "browser_use-0.11.13-py3-none-any.whl", hash = "sha256:f5232309213715e66e8f2079fb7097ac79a880728735968e4c7d41031ed15e83"}, + {file = "browser_use-0.11.13.tar.gz", hash = "sha256:c20d029f17c44add2047a72c836cb589b85e90a31a91cf3632a22a2de1928dfe"}, ] [package.dependencies] -aiohttp = "3.12.15" +aiohttp = ">=3.13.3" anthropic = ">=0.72.1,<1.0.0" anyio = ">=4.9.0" authlib = ">=1.6.0" browser-use-sdk = ">=2.0.12" bubus = ">=1.5.6" -cdp-use = ">=1.4.4" +cdp-use = ">=1.4.5" click = ">=8.1.8" cloudpickle = ">=3.1.1" google-api-core = ">=2.25.0" @@ -758,7 +792,7 @@ aws = ["boto3 (>=1.38.45)"] cli = ["textual (>=3.2.0)"] cli-oci = ["oci (>=2.126.4)", "textual (>=3.2.0)"] code = ["matplotlib (>=3.9.0)", "numpy (>=2.3.2)", "pandas (>=2.2.0)", "tabulate (>=0.9.0)"] -eval = ["anyio (>=4.9.0)", "datamodel-code-generator (>=0.26.0)", "lmnr[all] (==0.7.17)", "psutil (>=7.0.0)"] +eval = ["anyio (>=4.9.0)", "datamodel-code-generator (>=0.26.0)", "lmnr[all] (==0.7.42)", "psutil (>=7.0.0)"] examples = ["agentmail (==0.0.59)", "botocore (>=1.37.23)", "imgcat (>=0.6.0)", "langchain-openai (>=0.3.26)"] oci = ["oci (>=2.126.4)"] video = ["imageio[ffmpeg] (>=2.37.0)", "numpy (>=2.3.2)"] @@ -891,18 +925,19 @@ files = [ [[package]] name = "cdp-use" -version = "1.4.4" +version = "1.4.5" description = "Type safe generator/client library for CDP" optional = false python-versions = ">=3.11" groups = ["main"] files = [ - {file = "cdp_use-1.4.4-py3-none-any.whl", hash = "sha256:e37e80e067db2653d6fdf953d4ff9e5d80d75daa27b7c6d48c0261cccbef73e1"}, - {file = "cdp_use-1.4.4.tar.gz", hash = "sha256:330a848b517006eb9ad1dc468aa6434d913cf0c6918610760c36c3fdfdba0fab"}, + {file = "cdp_use-1.4.5-py3-none-any.whl", hash = "sha256:8f8e2435e3a20e4009d2974144192cf3c132f6c2971338e156198814d9b91ecb"}, + {file = "cdp_use-1.4.5.tar.gz", hash = "sha256:0da3a32df46336a03ff5a22bc6bc442cd7d2f2d50a118fd4856f29d37f6d26a0"}, ] [package.dependencies] httpx = ">=0.28.1" +typing-extensions = ">=4.12.2" websockets = ">=15.0.1" [[package]] @@ -6110,7 +6145,7 @@ files = [] develop = true [package.dependencies] -aiohttp = ">=3.9,<3.11.13 || >3.11.13" +aiohttp = ">=3.13.3" anthropic = {version = "*", extras = ["vertex"]} anyio = "4.9" asyncpg = ">=0.30" diff --git a/poetry.lock b/poetry.lock index 206b3bbc13..912f2d6d3d 100644 --- a/poetry.lock +++ b/poetry.lock @@ -26,98 +26,132 @@ files = [ [[package]] name = "aiohttp" -version = "3.12.15" +version = "3.13.3" description = "Async http client/server framework (asyncio)" optional = false python-versions = ">=3.9" groups = ["main"] files = [ - {file = "aiohttp-3.12.15-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:b6fc902bff74d9b1879ad55f5404153e2b33a82e72a95c89cec5eb6cc9e92fbc"}, - {file = "aiohttp-3.12.15-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:098e92835b8119b54c693f2f88a1dec690e20798ca5f5fe5f0520245253ee0af"}, - {file = "aiohttp-3.12.15-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:40b3fee496a47c3b4a39a731954c06f0bd9bd3e8258c059a4beb76ac23f8e421"}, - {file = "aiohttp-3.12.15-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:2ce13fcfb0bb2f259fb42106cdc63fa5515fb85b7e87177267d89a771a660b79"}, - {file = "aiohttp-3.12.15-cp310-cp310-manylinux_2_17_armv7l.manylinux2014_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:3beb14f053222b391bf9cf92ae82e0171067cc9c8f52453a0f1ec7c37df12a77"}, - {file = "aiohttp-3.12.15-cp310-cp310-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:4c39e87afe48aa3e814cac5f535bc6199180a53e38d3f51c5e2530f5aa4ec58c"}, - {file = "aiohttp-3.12.15-cp310-cp310-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:d5f1b4ce5bc528a6ee38dbf5f39bbf11dd127048726323b72b8e85769319ffc4"}, - {file = "aiohttp-3.12.15-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:1004e67962efabbaf3f03b11b4c43b834081c9e3f9b32b16a7d97d4708a9abe6"}, - {file = "aiohttp-3.12.15-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:8faa08fcc2e411f7ab91d1541d9d597d3a90e9004180edb2072238c085eac8c2"}, - {file = "aiohttp-3.12.15-cp310-cp310-musllinux_1_2_aarch64.whl", hash = "sha256:fe086edf38b2222328cdf89af0dde2439ee173b8ad7cb659b4e4c6f385b2be3d"}, - {file = "aiohttp-3.12.15-cp310-cp310-musllinux_1_2_armv7l.whl", hash = "sha256:79b26fe467219add81d5e47b4a4ba0f2394e8b7c7c3198ed36609f9ba161aecb"}, - {file = "aiohttp-3.12.15-cp310-cp310-musllinux_1_2_i686.whl", hash = "sha256:b761bac1192ef24e16706d761aefcb581438b34b13a2f069a6d343ec8fb693a5"}, - {file = "aiohttp-3.12.15-cp310-cp310-musllinux_1_2_ppc64le.whl", hash = "sha256:e153e8adacfe2af562861b72f8bc47f8a5c08e010ac94eebbe33dc21d677cd5b"}, - {file = "aiohttp-3.12.15-cp310-cp310-musllinux_1_2_s390x.whl", hash = "sha256:fc49c4de44977aa8601a00edbf157e9a421f227aa7eb477d9e3df48343311065"}, - {file = "aiohttp-3.12.15-cp310-cp310-musllinux_1_2_x86_64.whl", hash = "sha256:2776c7ec89c54a47029940177e75c8c07c29c66f73464784971d6a81904ce9d1"}, - {file = "aiohttp-3.12.15-cp310-cp310-win32.whl", hash = "sha256:2c7d81a277fa78b2203ab626ced1487420e8c11a8e373707ab72d189fcdad20a"}, - {file = "aiohttp-3.12.15-cp310-cp310-win_amd64.whl", hash = "sha256:83603f881e11f0f710f8e2327817c82e79431ec976448839f3cd05d7afe8f830"}, - {file = "aiohttp-3.12.15-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:d3ce17ce0220383a0f9ea07175eeaa6aa13ae5a41f30bc61d84df17f0e9b1117"}, - {file = "aiohttp-3.12.15-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:010cc9bbd06db80fe234d9003f67e97a10fe003bfbedb40da7d71c1008eda0fe"}, - {file = "aiohttp-3.12.15-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:3f9d7c55b41ed687b9d7165b17672340187f87a773c98236c987f08c858145a9"}, - {file = "aiohttp-3.12.15-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:bc4fbc61bb3548d3b482f9ac7ddd0f18c67e4225aaa4e8552b9f1ac7e6bda9e5"}, - {file = "aiohttp-3.12.15-cp311-cp311-manylinux_2_17_armv7l.manylinux2014_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:7fbc8a7c410bb3ad5d595bb7118147dfbb6449d862cc1125cf8867cb337e8728"}, - {file = "aiohttp-3.12.15-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:74dad41b3458dbb0511e760fb355bb0b6689e0630de8a22b1b62a98777136e16"}, - {file = "aiohttp-3.12.15-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:3b6f0af863cf17e6222b1735a756d664159e58855da99cfe965134a3ff63b0b0"}, - {file = "aiohttp-3.12.15-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:b5b7fe4972d48a4da367043b8e023fb70a04d1490aa7d68800e465d1b97e493b"}, - {file = "aiohttp-3.12.15-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:6443cca89553b7a5485331bc9bedb2342b08d073fa10b8c7d1c60579c4a7b9bd"}, - {file = "aiohttp-3.12.15-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:6c5f40ec615e5264f44b4282ee27628cea221fcad52f27405b80abb346d9f3f8"}, - {file = "aiohttp-3.12.15-cp311-cp311-musllinux_1_2_armv7l.whl", hash = "sha256:2abbb216a1d3a2fe86dbd2edce20cdc5e9ad0be6378455b05ec7f77361b3ab50"}, - {file = "aiohttp-3.12.15-cp311-cp311-musllinux_1_2_i686.whl", hash = "sha256:db71ce547012a5420a39c1b744d485cfb823564d01d5d20805977f5ea1345676"}, - {file = "aiohttp-3.12.15-cp311-cp311-musllinux_1_2_ppc64le.whl", hash = "sha256:ced339d7c9b5030abad5854aa5413a77565e5b6e6248ff927d3e174baf3badf7"}, - {file = "aiohttp-3.12.15-cp311-cp311-musllinux_1_2_s390x.whl", hash = "sha256:7c7dd29c7b5bda137464dc9bfc738d7ceea46ff70309859ffde8c022e9b08ba7"}, - {file = "aiohttp-3.12.15-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:421da6fd326460517873274875c6c5a18ff225b40da2616083c5a34a7570b685"}, - {file = "aiohttp-3.12.15-cp311-cp311-win32.whl", hash = "sha256:4420cf9d179ec8dfe4be10e7d0fe47d6d606485512ea2265b0d8c5113372771b"}, - {file = "aiohttp-3.12.15-cp311-cp311-win_amd64.whl", hash = "sha256:edd533a07da85baa4b423ee8839e3e91681c7bfa19b04260a469ee94b778bf6d"}, - {file = "aiohttp-3.12.15-cp312-cp312-macosx_10_13_universal2.whl", hash = "sha256:802d3868f5776e28f7bf69d349c26fc0efadb81676d0afa88ed00d98a26340b7"}, - {file = "aiohttp-3.12.15-cp312-cp312-macosx_10_13_x86_64.whl", hash = "sha256:f2800614cd560287be05e33a679638e586a2d7401f4ddf99e304d98878c29444"}, - {file = "aiohttp-3.12.15-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:8466151554b593909d30a0a125d638b4e5f3836e5aecde85b66b80ded1cb5b0d"}, - {file = "aiohttp-3.12.15-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:2e5a495cb1be69dae4b08f35a6c4579c539e9b5706f606632102c0f855bcba7c"}, - {file = "aiohttp-3.12.15-cp312-cp312-manylinux_2_17_armv7l.manylinux2014_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:6404dfc8cdde35c69aaa489bb3542fb86ef215fc70277c892be8af540e5e21c0"}, - {file = "aiohttp-3.12.15-cp312-cp312-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:3ead1c00f8521a5c9070fcb88f02967b1d8a0544e6d85c253f6968b785e1a2ab"}, - {file = "aiohttp-3.12.15-cp312-cp312-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:6990ef617f14450bc6b34941dba4f12d5613cbf4e33805932f853fbd1cf18bfb"}, - {file = "aiohttp-3.12.15-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:fd736ed420f4db2b8148b52b46b88ed038d0354255f9a73196b7bbce3ea97545"}, - {file = "aiohttp-3.12.15-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:3c5092ce14361a73086b90c6efb3948ffa5be2f5b6fbcf52e8d8c8b8848bb97c"}, - {file = "aiohttp-3.12.15-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:aaa2234bb60c4dbf82893e934d8ee8dea30446f0647e024074237a56a08c01bd"}, - {file = "aiohttp-3.12.15-cp312-cp312-musllinux_1_2_armv7l.whl", hash = "sha256:6d86a2fbdd14192e2f234a92d3b494dd4457e683ba07e5905a0b3ee25389ac9f"}, - {file = "aiohttp-3.12.15-cp312-cp312-musllinux_1_2_i686.whl", hash = "sha256:a041e7e2612041a6ddf1c6a33b883be6a421247c7afd47e885969ee4cc58bd8d"}, - {file = "aiohttp-3.12.15-cp312-cp312-musllinux_1_2_ppc64le.whl", hash = "sha256:5015082477abeafad7203757ae44299a610e89ee82a1503e3d4184e6bafdd519"}, - {file = "aiohttp-3.12.15-cp312-cp312-musllinux_1_2_s390x.whl", hash = "sha256:56822ff5ddfd1b745534e658faba944012346184fbfe732e0d6134b744516eea"}, - {file = "aiohttp-3.12.15-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:b2acbbfff69019d9014508c4ba0401822e8bae5a5fdc3b6814285b71231b60f3"}, - {file = "aiohttp-3.12.15-cp312-cp312-win32.whl", hash = "sha256:d849b0901b50f2185874b9a232f38e26b9b3d4810095a7572eacea939132d4e1"}, - {file = "aiohttp-3.12.15-cp312-cp312-win_amd64.whl", hash = "sha256:b390ef5f62bb508a9d67cb3bba9b8356e23b3996da7062f1a57ce1a79d2b3d34"}, - {file = "aiohttp-3.12.15-cp313-cp313-macosx_10_13_universal2.whl", hash = "sha256:9f922ffd05034d439dde1c77a20461cf4a1b0831e6caa26151fe7aa8aaebc315"}, - {file = "aiohttp-3.12.15-cp313-cp313-macosx_10_13_x86_64.whl", hash = "sha256:2ee8a8ac39ce45f3e55663891d4b1d15598c157b4d494a4613e704c8b43112cd"}, - {file = "aiohttp-3.12.15-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:3eae49032c29d356b94eee45a3f39fdf4b0814b397638c2f718e96cfadf4c4e4"}, - {file = "aiohttp-3.12.15-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:b97752ff12cc12f46a9b20327104448042fce5c33a624f88c18f66f9368091c7"}, - {file = "aiohttp-3.12.15-cp313-cp313-manylinux_2_17_armv7l.manylinux2014_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:894261472691d6fe76ebb7fcf2e5870a2ac284c7406ddc95823c8598a1390f0d"}, - {file = "aiohttp-3.12.15-cp313-cp313-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:5fa5d9eb82ce98959fc1031c28198b431b4d9396894f385cb63f1e2f3f20ca6b"}, - {file = "aiohttp-3.12.15-cp313-cp313-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:f0fa751efb11a541f57db59c1dd821bec09031e01452b2b6217319b3a1f34f3d"}, - {file = "aiohttp-3.12.15-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:5346b93e62ab51ee2a9d68e8f73c7cf96ffb73568a23e683f931e52450e4148d"}, - {file = "aiohttp-3.12.15-cp313-cp313-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:049ec0360f939cd164ecbfd2873eaa432613d5e77d6b04535e3d1fbae5a9e645"}, - {file = "aiohttp-3.12.15-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:b52dcf013b57464b6d1e51b627adfd69a8053e84b7103a7cd49c030f9ca44461"}, - {file = "aiohttp-3.12.15-cp313-cp313-musllinux_1_2_armv7l.whl", hash = "sha256:9b2af240143dd2765e0fb661fd0361a1b469cab235039ea57663cda087250ea9"}, - {file = "aiohttp-3.12.15-cp313-cp313-musllinux_1_2_i686.whl", hash = "sha256:ac77f709a2cde2cc71257ab2d8c74dd157c67a0558a0d2799d5d571b4c63d44d"}, - {file = "aiohttp-3.12.15-cp313-cp313-musllinux_1_2_ppc64le.whl", hash = "sha256:47f6b962246f0a774fbd3b6b7be25d59b06fdb2f164cf2513097998fc6a29693"}, - {file = "aiohttp-3.12.15-cp313-cp313-musllinux_1_2_s390x.whl", hash = "sha256:760fb7db442f284996e39cf9915a94492e1896baac44f06ae551974907922b64"}, - {file = "aiohttp-3.12.15-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:ad702e57dc385cae679c39d318def49aef754455f237499d5b99bea4ef582e51"}, - {file = "aiohttp-3.12.15-cp313-cp313-win32.whl", hash = "sha256:f813c3e9032331024de2eb2e32a88d86afb69291fbc37a3a3ae81cc9917fb3d0"}, - {file = "aiohttp-3.12.15-cp313-cp313-win_amd64.whl", hash = "sha256:1a649001580bdb37c6fdb1bebbd7e3bc688e8ec2b5c6f52edbb664662b17dc84"}, - {file = "aiohttp-3.12.15-cp39-cp39-macosx_10_9_universal2.whl", hash = "sha256:691d203c2bdf4f4637792efbbcdcd157ae11e55eaeb5e9c360c1206fb03d4d98"}, - {file = "aiohttp-3.12.15-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:8e995e1abc4ed2a454c731385bf4082be06f875822adc4c6d9eaadf96e20d406"}, - {file = "aiohttp-3.12.15-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:bd44d5936ab3193c617bfd6c9a7d8d1085a8dc8c3f44d5f1dcf554d17d04cf7d"}, - {file = "aiohttp-3.12.15-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:46749be6e89cd78d6068cdf7da51dbcfa4321147ab8e4116ee6678d9a056a0cf"}, - {file = "aiohttp-3.12.15-cp39-cp39-manylinux_2_17_armv7l.manylinux2014_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:0c643f4d75adea39e92c0f01b3fb83d57abdec8c9279b3078b68a3a52b3933b6"}, - {file = "aiohttp-3.12.15-cp39-cp39-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:0a23918fedc05806966a2438489dcffccbdf83e921a1170773b6178d04ade142"}, - {file = "aiohttp-3.12.15-cp39-cp39-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:74bdd8c864b36c3673741023343565d95bfbd778ffe1eb4d412c135a28a8dc89"}, - {file = "aiohttp-3.12.15-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:0a146708808c9b7a988a4af3821379e379e0f0e5e466ca31a73dbdd0325b0263"}, - {file = "aiohttp-3.12.15-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:b7011a70b56facde58d6d26da4fec3280cc8e2a78c714c96b7a01a87930a9530"}, - {file = "aiohttp-3.12.15-cp39-cp39-musllinux_1_2_aarch64.whl", hash = "sha256:3bdd6e17e16e1dbd3db74d7f989e8af29c4d2e025f9828e6ef45fbdee158ec75"}, - {file = "aiohttp-3.12.15-cp39-cp39-musllinux_1_2_armv7l.whl", hash = "sha256:57d16590a351dfc914670bd72530fd78344b885a00b250e992faea565b7fdc05"}, - {file = "aiohttp-3.12.15-cp39-cp39-musllinux_1_2_i686.whl", hash = "sha256:bc9a0f6569ff990e0bbd75506c8d8fe7214c8f6579cca32f0546e54372a3bb54"}, - {file = "aiohttp-3.12.15-cp39-cp39-musllinux_1_2_ppc64le.whl", hash = "sha256:536ad7234747a37e50e7b6794ea868833d5220b49c92806ae2d7e8a9d6b5de02"}, - {file = "aiohttp-3.12.15-cp39-cp39-musllinux_1_2_s390x.whl", hash = "sha256:f0adb4177fa748072546fb650d9bd7398caaf0e15b370ed3317280b13f4083b0"}, - {file = "aiohttp-3.12.15-cp39-cp39-musllinux_1_2_x86_64.whl", hash = "sha256:14954a2988feae3987f1eb49c706bff39947605f4b6fa4027c1d75743723eb09"}, - {file = "aiohttp-3.12.15-cp39-cp39-win32.whl", hash = "sha256:b784d6ed757f27574dca1c336f968f4e81130b27595e458e69457e6878251f5d"}, - {file = "aiohttp-3.12.15-cp39-cp39-win_amd64.whl", hash = "sha256:86ceded4e78a992f835209e236617bffae649371c4a50d5e5a3987f237db84b8"}, - {file = "aiohttp-3.12.15.tar.gz", hash = "sha256:4fc61385e9c98d72fcdf47e6dd81833f47b2f77c114c29cd64a361be57a763a2"}, + {file = "aiohttp-3.13.3-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:d5a372fd5afd301b3a89582817fdcdb6c34124787c70dbcc616f259013e7eef7"}, + {file = "aiohttp-3.13.3-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:147e422fd1223005c22b4fe080f5d93ced44460f5f9c105406b753612b587821"}, + {file = "aiohttp-3.13.3-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:859bd3f2156e81dd01432f5849fc73e2243d4a487c4fd26609b1299534ee1845"}, + {file = "aiohttp-3.13.3-cp310-cp310-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:dca68018bf48c251ba17c72ed479f4dafe9dbd5a73707ad8d28a38d11f3d42af"}, + {file = "aiohttp-3.13.3-cp310-cp310-manylinux2014_armv7l.manylinux_2_17_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:fee0c6bc7db1de362252affec009707a17478a00ec69f797d23ca256e36d5940"}, + {file = "aiohttp-3.13.3-cp310-cp310-manylinux2014_ppc64le.manylinux_2_17_ppc64le.manylinux_2_28_ppc64le.whl", hash = "sha256:c048058117fd649334d81b4b526e94bde3ccaddb20463a815ced6ecbb7d11160"}, + {file = "aiohttp-3.13.3-cp310-cp310-manylinux2014_s390x.manylinux_2_17_s390x.manylinux_2_28_s390x.whl", hash = "sha256:215a685b6fbbfcf71dfe96e3eba7a6f58f10da1dfdf4889c7dd856abe430dca7"}, + {file = "aiohttp-3.13.3-cp310-cp310-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:de2c184bb1fe2cbd2cefba613e9db29a5ab559323f994b6737e370d3da0ac455"}, + {file = "aiohttp-3.13.3-cp310-cp310-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:75ca857eba4e20ce9f546cd59c7007b33906a4cd48f2ff6ccf1ccfc3b646f279"}, + {file = "aiohttp-3.13.3-cp310-cp310-musllinux_1_2_aarch64.whl", hash = "sha256:81e97251d9298386c2b7dbeb490d3d1badbdc69107fb8c9299dd04eb39bddc0e"}, + {file = "aiohttp-3.13.3-cp310-cp310-musllinux_1_2_armv7l.whl", hash = "sha256:c0e2d366af265797506f0283487223146af57815b388623f0357ef7eac9b209d"}, + {file = "aiohttp-3.13.3-cp310-cp310-musllinux_1_2_ppc64le.whl", hash = "sha256:4e239d501f73d6db1522599e14b9b321a7e3b1de66ce33d53a765d975e9f4808"}, + {file = "aiohttp-3.13.3-cp310-cp310-musllinux_1_2_riscv64.whl", hash = "sha256:0db318f7a6f065d84cb1e02662c526294450b314a02bd9e2a8e67f0d8564ce40"}, + {file = "aiohttp-3.13.3-cp310-cp310-musllinux_1_2_s390x.whl", hash = "sha256:bfc1cc2fe31a6026a8a88e4ecfb98d7f6b1fec150cfd708adbfd1d2f42257c29"}, + {file = "aiohttp-3.13.3-cp310-cp310-musllinux_1_2_x86_64.whl", hash = "sha256:af71fff7bac6bb7508956696dce8f6eec2bbb045eceb40343944b1ae62b5ef11"}, + {file = "aiohttp-3.13.3-cp310-cp310-win32.whl", hash = "sha256:37da61e244d1749798c151421602884db5270faf479cf0ef03af0ff68954c9dd"}, + {file = "aiohttp-3.13.3-cp310-cp310-win_amd64.whl", hash = "sha256:7e63f210bc1b57ef699035f2b4b6d9ce096b5914414a49b0997c839b2bd2223c"}, + {file = "aiohttp-3.13.3-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:5b6073099fb654e0a068ae678b10feff95c5cae95bbfcbfa7af669d361a8aa6b"}, + {file = "aiohttp-3.13.3-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:1cb93e166e6c28716c8c6aeb5f99dfb6d5ccf482d29fe9bf9a794110e6d0ab64"}, + {file = "aiohttp-3.13.3-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:28e027cf2f6b641693a09f631759b4d9ce9165099d2b5d92af9bd4e197690eea"}, + {file = "aiohttp-3.13.3-cp311-cp311-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:3b61b7169ababd7802f9568ed96142616a9118dd2be0d1866e920e77ec8fa92a"}, + {file = "aiohttp-3.13.3-cp311-cp311-manylinux2014_armv7l.manylinux_2_17_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:80dd4c21b0f6237676449c6baaa1039abae86b91636b6c91a7f8e61c87f89540"}, + {file = "aiohttp-3.13.3-cp311-cp311-manylinux2014_ppc64le.manylinux_2_17_ppc64le.manylinux_2_28_ppc64le.whl", hash = "sha256:65d2ccb7eabee90ce0503c17716fc77226be026dcc3e65cce859a30db715025b"}, + {file = "aiohttp-3.13.3-cp311-cp311-manylinux2014_s390x.manylinux_2_17_s390x.manylinux_2_28_s390x.whl", hash = "sha256:5b179331a481cb5529fca8b432d8d3c7001cb217513c94cd72d668d1248688a3"}, + {file = "aiohttp-3.13.3-cp311-cp311-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:9d4c940f02f49483b18b079d1c27ab948721852b281f8b015c058100e9421dd1"}, + {file = "aiohttp-3.13.3-cp311-cp311-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:f9444f105664c4ce47a2a7171a2418bce5b7bae45fb610f4e2c36045d85911d3"}, + {file = "aiohttp-3.13.3-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:694976222c711d1d00ba131904beb60534f93966562f64440d0c9d41b8cdb440"}, + {file = "aiohttp-3.13.3-cp311-cp311-musllinux_1_2_armv7l.whl", hash = "sha256:f33ed1a2bf1997a36661874b017f5c4b760f41266341af36febaf271d179f6d7"}, + {file = "aiohttp-3.13.3-cp311-cp311-musllinux_1_2_ppc64le.whl", hash = "sha256:e636b3c5f61da31a92bf0d91da83e58fdfa96f178ba682f11d24f31944cdd28c"}, + {file = "aiohttp-3.13.3-cp311-cp311-musllinux_1_2_riscv64.whl", hash = "sha256:5d2d94f1f5fcbe40838ac51a6ab5704a6f9ea42e72ceda48de5e6b898521da51"}, + {file = "aiohttp-3.13.3-cp311-cp311-musllinux_1_2_s390x.whl", hash = "sha256:2be0e9ccf23e8a94f6f0650ce06042cefc6ac703d0d7ab6c7a917289f2539ad4"}, + {file = "aiohttp-3.13.3-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:9af5e68ee47d6534d36791bbe9b646d2a7c7deb6fc24d7943628edfbb3581f29"}, + {file = "aiohttp-3.13.3-cp311-cp311-win32.whl", hash = "sha256:a2212ad43c0833a873d0fb3c63fa1bacedd4cf6af2fee62bf4b739ceec3ab239"}, + {file = "aiohttp-3.13.3-cp311-cp311-win_amd64.whl", hash = "sha256:642f752c3eb117b105acbd87e2c143de710987e09860d674e068c4c2c441034f"}, + {file = "aiohttp-3.13.3-cp312-cp312-macosx_10_13_universal2.whl", hash = "sha256:b903a4dfee7d347e2d87697d0713be59e0b87925be030c9178c5faa58ea58d5c"}, + {file = "aiohttp-3.13.3-cp312-cp312-macosx_10_13_x86_64.whl", hash = "sha256:a45530014d7a1e09f4a55f4f43097ba0fd155089372e105e4bff4ca76cb1b168"}, + {file = "aiohttp-3.13.3-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:27234ef6d85c914f9efeb77ff616dbf4ad2380be0cda40b4db086ffc7ddd1b7d"}, + {file = "aiohttp-3.13.3-cp312-cp312-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:d32764c6c9aafb7fb55366a224756387cd50bfa720f32b88e0e6fa45b27dcf29"}, + {file = "aiohttp-3.13.3-cp312-cp312-manylinux2014_armv7l.manylinux_2_17_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:b1a6102b4d3ebc07dad44fbf07b45bb600300f15b552ddf1851b5390202ea2e3"}, + {file = "aiohttp-3.13.3-cp312-cp312-manylinux2014_ppc64le.manylinux_2_17_ppc64le.manylinux_2_28_ppc64le.whl", hash = "sha256:c014c7ea7fb775dd015b2d3137378b7be0249a448a1612268b5a90c2d81de04d"}, + {file = "aiohttp-3.13.3-cp312-cp312-manylinux2014_s390x.manylinux_2_17_s390x.manylinux_2_28_s390x.whl", hash = "sha256:2b8d8ddba8f95ba17582226f80e2de99c7a7948e66490ef8d947e272a93e9463"}, + {file = "aiohttp-3.13.3-cp312-cp312-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:9ae8dd55c8e6c4257eae3a20fd2c8f41edaea5992ed67156642493b8daf3cecc"}, + {file = "aiohttp-3.13.3-cp312-cp312-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:01ad2529d4b5035578f5081606a465f3b814c542882804e2e8cda61adf5c71bf"}, + {file = "aiohttp-3.13.3-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:bb4f7475e359992b580559e008c598091c45b5088f28614e855e42d39c2f1033"}, + {file = "aiohttp-3.13.3-cp312-cp312-musllinux_1_2_armv7l.whl", hash = "sha256:c19b90316ad3b24c69cd78d5c9b4f3aa4497643685901185b65166293d36a00f"}, + {file = "aiohttp-3.13.3-cp312-cp312-musllinux_1_2_ppc64le.whl", hash = "sha256:96d604498a7c782cb15a51c406acaea70d8c027ee6b90c569baa6e7b93073679"}, + {file = "aiohttp-3.13.3-cp312-cp312-musllinux_1_2_riscv64.whl", hash = "sha256:084911a532763e9d3dd95adf78a78f4096cd5f58cdc18e6fdbc1b58417a45423"}, + {file = "aiohttp-3.13.3-cp312-cp312-musllinux_1_2_s390x.whl", hash = "sha256:7a4a94eb787e606d0a09404b9c38c113d3b099d508021faa615d70a0131907ce"}, + {file = "aiohttp-3.13.3-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:87797e645d9d8e222e04160ee32aa06bc5c163e8499f24db719e7852ec23093a"}, + {file = "aiohttp-3.13.3-cp312-cp312-win32.whl", hash = "sha256:b04be762396457bef43f3597c991e192ee7da460a4953d7e647ee4b1c28e7046"}, + {file = "aiohttp-3.13.3-cp312-cp312-win_amd64.whl", hash = "sha256:e3531d63d3bdfa7e3ac5e9b27b2dd7ec9df3206a98e0b3445fa906f233264c57"}, + {file = "aiohttp-3.13.3-cp313-cp313-macosx_10_13_universal2.whl", hash = "sha256:5dff64413671b0d3e7d5918ea490bdccb97a4ad29b3f311ed423200b2203e01c"}, + {file = "aiohttp-3.13.3-cp313-cp313-macosx_10_13_x86_64.whl", hash = "sha256:87b9aab6d6ed88235aa2970294f496ff1a1f9adcd724d800e9b952395a80ffd9"}, + {file = "aiohttp-3.13.3-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:425c126c0dc43861e22cb1c14ba4c8e45d09516d0a3ae0a3f7494b79f5f233a3"}, + {file = "aiohttp-3.13.3-cp313-cp313-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:7f9120f7093c2a32d9647abcaf21e6ad275b4fbec5b55969f978b1a97c7c86bf"}, + {file = "aiohttp-3.13.3-cp313-cp313-manylinux2014_armv7l.manylinux_2_17_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:697753042d57f4bf7122cab985bf15d0cef23c770864580f5af4f52023a56bd6"}, + {file = "aiohttp-3.13.3-cp313-cp313-manylinux2014_ppc64le.manylinux_2_17_ppc64le.manylinux_2_28_ppc64le.whl", hash = "sha256:6de499a1a44e7de70735d0b39f67c8f25eb3d91eb3103be99ca0fa882cdd987d"}, + {file = "aiohttp-3.13.3-cp313-cp313-manylinux2014_s390x.manylinux_2_17_s390x.manylinux_2_28_s390x.whl", hash = "sha256:37239e9f9a7ea9ac5bf6b92b0260b01f8a22281996da609206a84df860bc1261"}, + {file = "aiohttp-3.13.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:f76c1e3fe7d7c8afad7ed193f89a292e1999608170dcc9751a7462a87dfd5bc0"}, + {file = "aiohttp-3.13.3-cp313-cp313-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:fc290605db2a917f6e81b0e1e0796469871f5af381ce15c604a3c5c7e51cb730"}, + {file = "aiohttp-3.13.3-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:4021b51936308aeea0367b8f006dc999ca02bc118a0cc78c303f50a2ff6afb91"}, + {file = "aiohttp-3.13.3-cp313-cp313-musllinux_1_2_armv7l.whl", hash = "sha256:49a03727c1bba9a97d3e93c9f93ca03a57300f484b6e935463099841261195d3"}, + {file = "aiohttp-3.13.3-cp313-cp313-musllinux_1_2_ppc64le.whl", hash = "sha256:3d9908a48eb7416dc1f4524e69f1d32e5d90e3981e4e37eb0aa1cd18f9cfa2a4"}, + {file = "aiohttp-3.13.3-cp313-cp313-musllinux_1_2_riscv64.whl", hash = "sha256:2712039939ec963c237286113c68dbad80a82a4281543f3abf766d9d73228998"}, + {file = "aiohttp-3.13.3-cp313-cp313-musllinux_1_2_s390x.whl", hash = "sha256:7bfdc049127717581866fa4708791220970ce291c23e28ccf3922c700740fdc0"}, + {file = "aiohttp-3.13.3-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:8057c98e0c8472d8846b9c79f56766bcc57e3e8ac7bfd510482332366c56c591"}, + {file = "aiohttp-3.13.3-cp313-cp313-win32.whl", hash = "sha256:1449ceddcdbcf2e0446957863af03ebaaa03f94c090f945411b61269e2cb5daf"}, + {file = "aiohttp-3.13.3-cp313-cp313-win_amd64.whl", hash = "sha256:693781c45a4033d31d4187d2436f5ac701e7bbfe5df40d917736108c1cc7436e"}, + {file = "aiohttp-3.13.3-cp314-cp314-macosx_10_13_universal2.whl", hash = "sha256:ea37047c6b367fd4bd632bff8077449b8fa034b69e812a18e0132a00fae6e808"}, + {file = "aiohttp-3.13.3-cp314-cp314-macosx_10_13_x86_64.whl", hash = "sha256:6fc0e2337d1a4c3e6acafda6a78a39d4c14caea625124817420abceed36e2415"}, + {file = "aiohttp-3.13.3-cp314-cp314-macosx_11_0_arm64.whl", hash = "sha256:c685f2d80bb67ca8c3837823ad76196b3694b0159d232206d1e461d3d434666f"}, + {file = "aiohttp-3.13.3-cp314-cp314-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:48e377758516d262bde50c2584fc6c578af272559c409eecbdd2bae1601184d6"}, + {file = "aiohttp-3.13.3-cp314-cp314-manylinux2014_armv7l.manylinux_2_17_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:34749271508078b261c4abb1767d42b8d0c0cc9449c73a4df494777dc55f0687"}, + {file = "aiohttp-3.13.3-cp314-cp314-manylinux2014_ppc64le.manylinux_2_17_ppc64le.manylinux_2_28_ppc64le.whl", hash = "sha256:82611aeec80eb144416956ec85b6ca45a64d76429c1ed46ae1b5f86c6e0c9a26"}, + {file = "aiohttp-3.13.3-cp314-cp314-manylinux2014_s390x.manylinux_2_17_s390x.manylinux_2_28_s390x.whl", hash = "sha256:2fff83cfc93f18f215896e3a190e8e5cb413ce01553901aca925176e7568963a"}, + {file = "aiohttp-3.13.3-cp314-cp314-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:bbe7d4cecacb439e2e2a8a1a7b935c25b812af7a5fd26503a66dadf428e79ec1"}, + {file = "aiohttp-3.13.3-cp314-cp314-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:b928f30fe49574253644b1ca44b1b8adbd903aa0da4b9054a6c20fc7f4092a25"}, + {file = "aiohttp-3.13.3-cp314-cp314-musllinux_1_2_aarch64.whl", hash = "sha256:7b5e8fe4de30df199155baaf64f2fcd604f4c678ed20910db8e2c66dc4b11603"}, + {file = "aiohttp-3.13.3-cp314-cp314-musllinux_1_2_armv7l.whl", hash = "sha256:8542f41a62bcc58fc7f11cf7c90e0ec324ce44950003feb70640fc2a9092c32a"}, + {file = "aiohttp-3.13.3-cp314-cp314-musllinux_1_2_ppc64le.whl", hash = "sha256:5e1d8c8b8f1d91cd08d8f4a3c2b067bfca6ec043d3ff36de0f3a715feeedf926"}, + {file = "aiohttp-3.13.3-cp314-cp314-musllinux_1_2_riscv64.whl", hash = "sha256:90455115e5da1c3c51ab619ac57f877da8fd6d73c05aacd125c5ae9819582aba"}, + {file = "aiohttp-3.13.3-cp314-cp314-musllinux_1_2_s390x.whl", hash = "sha256:042e9e0bcb5fba81886c8b4fbb9a09d6b8a00245fd8d88e4d989c1f96c74164c"}, + {file = "aiohttp-3.13.3-cp314-cp314-musllinux_1_2_x86_64.whl", hash = "sha256:2eb752b102b12a76ca02dff751a801f028b4ffbbc478840b473597fc91a9ed43"}, + {file = "aiohttp-3.13.3-cp314-cp314-win32.whl", hash = "sha256:b556c85915d8efaed322bf1bdae9486aa0f3f764195a0fb6ee962e5c71ef5ce1"}, + {file = "aiohttp-3.13.3-cp314-cp314-win_amd64.whl", hash = "sha256:9bf9f7a65e7aa20dd764151fb3d616c81088f91f8df39c3893a536e279b4b984"}, + {file = "aiohttp-3.13.3-cp314-cp314t-macosx_10_13_universal2.whl", hash = "sha256:05861afbbec40650d8a07ea324367cb93e9e8cc7762e04dd4405df99fa65159c"}, + {file = "aiohttp-3.13.3-cp314-cp314t-macosx_10_13_x86_64.whl", hash = "sha256:2fc82186fadc4a8316768d61f3722c230e2c1dcab4200d52d2ebdf2482e47592"}, + {file = "aiohttp-3.13.3-cp314-cp314t-macosx_11_0_arm64.whl", hash = "sha256:0add0900ff220d1d5c5ebbf99ed88b0c1bbf87aa7e4262300ed1376a6b13414f"}, + {file = "aiohttp-3.13.3-cp314-cp314t-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:568f416a4072fbfae453dcf9a99194bbb8bdeab718e08ee13dfa2ba0e4bebf29"}, + {file = "aiohttp-3.13.3-cp314-cp314t-manylinux2014_armv7l.manylinux_2_17_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:add1da70de90a2569c5e15249ff76a631ccacfe198375eead4aadf3b8dc849dc"}, + {file = "aiohttp-3.13.3-cp314-cp314t-manylinux2014_ppc64le.manylinux_2_17_ppc64le.manylinux_2_28_ppc64le.whl", hash = "sha256:10b47b7ba335d2e9b1239fa571131a87e2d8ec96b333e68b2a305e7a98b0bae2"}, + {file = "aiohttp-3.13.3-cp314-cp314t-manylinux2014_s390x.manylinux_2_17_s390x.manylinux_2_28_s390x.whl", hash = "sha256:3dd4dce1c718e38081c8f35f323209d4c1df7d4db4bab1b5c88a6b4d12b74587"}, + {file = "aiohttp-3.13.3-cp314-cp314t-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:34bac00a67a812570d4a460447e1e9e06fae622946955f939051e7cc895cfab8"}, + {file = "aiohttp-3.13.3-cp314-cp314t-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:a19884d2ee70b06d9204b2727a7b9f983d0c684c650254679e716b0b77920632"}, + {file = "aiohttp-3.13.3-cp314-cp314t-musllinux_1_2_aarch64.whl", hash = "sha256:5f8ca7f2bb6ba8348a3614c7918cc4bb73268c5ac2a207576b7afea19d3d9f64"}, + {file = "aiohttp-3.13.3-cp314-cp314t-musllinux_1_2_armv7l.whl", hash = "sha256:b0d95340658b9d2f11d9697f59b3814a9d3bb4b7a7c20b131df4bcef464037c0"}, + {file = "aiohttp-3.13.3-cp314-cp314t-musllinux_1_2_ppc64le.whl", hash = "sha256:a1e53262fd202e4b40b70c3aff944a8155059beedc8a89bba9dc1f9ef06a1b56"}, + {file = "aiohttp-3.13.3-cp314-cp314t-musllinux_1_2_riscv64.whl", hash = "sha256:d60ac9663f44168038586cab2157e122e46bdef09e9368b37f2d82d354c23f72"}, + {file = "aiohttp-3.13.3-cp314-cp314t-musllinux_1_2_s390x.whl", hash = "sha256:90751b8eed69435bac9ff4e3d2f6b3af1f57e37ecb0fbeee59c0174c9e2d41df"}, + {file = "aiohttp-3.13.3-cp314-cp314t-musllinux_1_2_x86_64.whl", hash = "sha256:fc353029f176fd2b3ec6cfc71be166aba1936fe5d73dd1992ce289ca6647a9aa"}, + {file = "aiohttp-3.13.3-cp314-cp314t-win32.whl", hash = "sha256:2e41b18a58da1e474a057b3d35248d8320029f61d70a37629535b16a0c8f3767"}, + {file = "aiohttp-3.13.3-cp314-cp314t-win_amd64.whl", hash = "sha256:44531a36aa2264a1860089ffd4dce7baf875ee5a6079d5fb42e261c704ef7344"}, + {file = "aiohttp-3.13.3-cp39-cp39-macosx_10_9_universal2.whl", hash = "sha256:31a83ea4aead760dfcb6962efb1d861db48c34379f2ff72db9ddddd4cda9ea2e"}, + {file = "aiohttp-3.13.3-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:988a8c5e317544fdf0d39871559e67b6341065b87fceac641108c2096d5506b7"}, + {file = "aiohttp-3.13.3-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:9b174f267b5cfb9a7dba9ee6859cecd234e9a681841eb85068059bc867fb8f02"}, + {file = "aiohttp-3.13.3-cp39-cp39-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:947c26539750deeaee933b000fb6517cc770bbd064bad6033f1cff4803881e43"}, + {file = "aiohttp-3.13.3-cp39-cp39-manylinux2014_armv7l.manylinux_2_17_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:9ebf57d09e131f5323464bd347135a88622d1c0976e88ce15b670e7ad57e4bd6"}, + {file = "aiohttp-3.13.3-cp39-cp39-manylinux2014_ppc64le.manylinux_2_17_ppc64le.manylinux_2_28_ppc64le.whl", hash = "sha256:4ae5b5a0e1926e504c81c5b84353e7a5516d8778fbbff00429fe7b05bb25cbce"}, + {file = "aiohttp-3.13.3-cp39-cp39-manylinux2014_s390x.manylinux_2_17_s390x.manylinux_2_28_s390x.whl", hash = "sha256:2ba0eea45eb5cc3172dbfc497c066f19c41bac70963ea1a67d51fc92e4cf9a80"}, + {file = "aiohttp-3.13.3-cp39-cp39-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:bae5c2ed2eae26cc382020edad80d01f36cb8e746da40b292e68fec40421dc6a"}, + {file = "aiohttp-3.13.3-cp39-cp39-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:8a60e60746623925eab7d25823329941aee7242d559baa119ca2b253c88a7bd6"}, + {file = "aiohttp-3.13.3-cp39-cp39-musllinux_1_2_aarch64.whl", hash = "sha256:e50a2e1404f063427c9d027378472316201a2290959a295169bcf25992d04558"}, + {file = "aiohttp-3.13.3-cp39-cp39-musllinux_1_2_armv7l.whl", hash = "sha256:9a9dc347e5a3dc7dfdbc1f82da0ef29e388ddb2ed281bfce9dd8248a313e62b7"}, + {file = "aiohttp-3.13.3-cp39-cp39-musllinux_1_2_ppc64le.whl", hash = "sha256:b46020d11d23fe16551466c77823df9cc2f2c1e63cc965daf67fa5eec6ca1877"}, + {file = "aiohttp-3.13.3-cp39-cp39-musllinux_1_2_riscv64.whl", hash = "sha256:69c56fbc1993fa17043e24a546959c0178fe2b5782405ad4559e6c13975c15e3"}, + {file = "aiohttp-3.13.3-cp39-cp39-musllinux_1_2_s390x.whl", hash = "sha256:b99281b0704c103d4e11e72a76f1b543d4946fea7dd10767e7e1b5f00d4e5704"}, + {file = "aiohttp-3.13.3-cp39-cp39-musllinux_1_2_x86_64.whl", hash = "sha256:40c5e40ecc29ba010656c18052b877a1c28f84344825efa106705e835c28530f"}, + {file = "aiohttp-3.13.3-cp39-cp39-win32.whl", hash = "sha256:56339a36b9f1fc708260c76c87e593e2afb30d26de9ae1eb445b5e051b98a7a1"}, + {file = "aiohttp-3.13.3-cp39-cp39-win_amd64.whl", hash = "sha256:c6b8568a3bb5819a0ad087f16d40e5a3fb6099f39ea1d5625a3edc1e923fc538"}, + {file = "aiohttp-3.13.3.tar.gz", hash = "sha256:a949eee43d3782f2daae4f4a2819b2cb9b0c5d3b7f7a927067cc84dafdbb9f88"}, ] [package.dependencies] @@ -130,7 +164,7 @@ propcache = ">=0.2.0" yarl = ">=1.17.0,<2.0" [package.extras] -speedups = ["Brotli ; platform_python_implementation == \"CPython\"", "aiodns (>=3.3.0)", "brotlicffi ; platform_python_implementation != \"CPython\""] +speedups = ["Brotli (>=1.2) ; platform_python_implementation == \"CPython\"", "aiodns (>=3.3.0)", "backports.zstd ; platform_python_implementation == \"CPython\" and python_version < \"3.14\"", "brotlicffi (>=1.2) ; platform_python_implementation != \"CPython\""] [[package]] name = "aiohttp-retry" @@ -715,24 +749,24 @@ files = [ [[package]] name = "browser-use" -version = "0.11.2" +version = "0.11.13" description = "Make websites accessible for AI agents" optional = false python-versions = "<4.0,>=3.11" groups = ["main"] files = [ - {file = "browser_use-0.11.2-py3-none-any.whl", hash = "sha256:6ac57c0e2a495749fc83c1faee85001737567f8cd4301ebfcda2a886018a325b"}, - {file = "browser_use-0.11.2.tar.gz", hash = "sha256:543face2fd5662ee89526d2099a79e01468b51784cdcc85faa36a81fdae4aa68"}, + {file = "browser_use-0.11.13-py3-none-any.whl", hash = "sha256:f5232309213715e66e8f2079fb7097ac79a880728735968e4c7d41031ed15e83"}, + {file = "browser_use-0.11.13.tar.gz", hash = "sha256:c20d029f17c44add2047a72c836cb589b85e90a31a91cf3632a22a2de1928dfe"}, ] [package.dependencies] -aiohttp = "3.12.15" +aiohttp = ">=3.13.3" anthropic = ">=0.72.1,<1.0.0" anyio = ">=4.9.0" authlib = ">=1.6.0" browser-use-sdk = ">=2.0.12" bubus = ">=1.5.6" -cdp-use = ">=1.4.4" +cdp-use = ">=1.4.5" click = ">=8.1.8" cloudpickle = ">=3.1.1" google-api-core = ">=2.25.0" @@ -770,7 +804,7 @@ aws = ["boto3 (>=1.38.45)"] cli = ["textual (>=3.2.0)"] cli-oci = ["oci (>=2.126.4)", "textual (>=3.2.0)"] code = ["matplotlib (>=3.9.0)", "numpy (>=2.3.2)", "pandas (>=2.2.0)", "tabulate (>=0.9.0)"] -eval = ["anyio (>=4.9.0)", "datamodel-code-generator (>=0.26.0)", "lmnr[all] (==0.7.17)", "psutil (>=7.0.0)"] +eval = ["anyio (>=4.9.0)", "datamodel-code-generator (>=0.26.0)", "lmnr[all] (==0.7.42)", "psutil (>=7.0.0)"] examples = ["agentmail (==0.0.59)", "botocore (>=1.37.23)", "imgcat (>=0.6.0)", "langchain-openai (>=0.3.26)"] oci = ["oci (>=2.126.4)"] video = ["imageio[ffmpeg] (>=2.37.0)", "numpy (>=2.3.2)"] @@ -891,18 +925,19 @@ files = [ [[package]] name = "cdp-use" -version = "1.4.4" +version = "1.4.5" description = "Type safe generator/client library for CDP" optional = false python-versions = ">=3.11" groups = ["main"] files = [ - {file = "cdp_use-1.4.4-py3-none-any.whl", hash = "sha256:e37e80e067db2653d6fdf953d4ff9e5d80d75daa27b7c6d48c0261cccbef73e1"}, - {file = "cdp_use-1.4.4.tar.gz", hash = "sha256:330a848b517006eb9ad1dc468aa6434d913cf0c6918610760c36c3fdfdba0fab"}, + {file = "cdp_use-1.4.5-py3-none-any.whl", hash = "sha256:8f8e2435e3a20e4009d2974144192cf3c132f6c2971338e156198814d9b91ecb"}, + {file = "cdp_use-1.4.5.tar.gz", hash = "sha256:0da3a32df46336a03ff5a22bc6bc442cd7d2f2d50a118fd4856f29d37f6d26a0"}, ] [package.dependencies] httpx = ">=0.28.1" +typing-extensions = ">=4.12.2" websockets = ">=15.0.1" [[package]] @@ -14656,4 +14691,4 @@ third-party-runtimes = ["daytona", "e2b-code-interpreter", "modal", "runloop-api [metadata] lock-version = "2.1" python-versions = "^3.12,<3.14" -content-hash = "3976934d4a0d1759399dc90318e580ce68b7beb8a8b494c465ee29893e1a1c1e" +content-hash = "8238ef4e4687e246f55f9d524b0b1d81df7187abdec0fc9f1b121ae0a9e0caa0" diff --git a/pyproject.toml b/pyproject.toml index 54162a32c7..e11b3b9b1d 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -21,7 +21,7 @@ dynamic = [ "version" ] # Main dependencies (mirrors [tool.poetry.dependencies] for UV compatibility) dependencies = [ - "aiohttp>=3.9,!=3.11.13", + "aiohttp>=3.13.3", "anthropic[vertex]", "anyio==4.9", "asyncpg>=0.30", @@ -162,7 +162,7 @@ include = [ python = "^3.12,<3.14" litellm = ">=1.74.3, !=1.64.4, !=1.67.*" # avoid 1.64.4 (known bug) & 1.67.* (known bug #10272) openai = "2.8.0" # Pin due to litellm incompatibility with >=1.100.0 (BerriAI/litellm#13711) -aiohttp = ">=3.9.0,!=3.11.13" # Pin to avoid yanked version 3.11.13 +aiohttp = ">=3.13.3" # Pin to avoid CVE-2025-69223 (vulnerable versions < 3.13.3) google-genai = "*" # To use litellm with Gemini Pro API google-api-python-client = "^2.164.0" # For Google Sheets API google-auth-httplib2 = "*" # For Google Sheets authentication diff --git a/uv.lock b/uv.lock index 7b0dc7b4c6..993b868a7a 100644 --- a/uv.lock +++ b/uv.lock @@ -26,7 +26,7 @@ wheels = [ [[package]] name = "aiohttp" -version = "3.12.15" +version = "3.13.3" source = { registry = "https://pypi.org/simple" } dependencies = [ { name = "aiohappyeyeballs" }, @@ -37,42 +37,42 @@ dependencies = [ { name = "propcache" }, { name = "yarl" }, ] -sdist = { url = "https://files.pythonhosted.org/packages/9b/e7/d92a237d8802ca88483906c388f7c201bbe96cd80a165ffd0ac2f6a8d59f/aiohttp-3.12.15.tar.gz", hash = "sha256:4fc61385e9c98d72fcdf47e6dd81833f47b2f77c114c29cd64a361be57a763a2", size = 7823716, upload-time = "2025-07-29T05:52:32.215Z" } +sdist = { url = "https://files.pythonhosted.org/packages/50/42/32cf8e7704ceb4481406eb87161349abb46a57fee3f008ba9cb610968646/aiohttp-3.13.3.tar.gz", hash = "sha256:a949eee43d3782f2daae4f4a2819b2cb9b0c5d3b7f7a927067cc84dafdbb9f88", size = 7844556, upload-time = "2026-01-03T17:33:05.204Z" } wheels = [ - { url = "https://files.pythonhosted.org/packages/63/97/77cb2450d9b35f517d6cf506256bf4f5bda3f93a66b4ad64ba7fc917899c/aiohttp-3.12.15-cp312-cp312-macosx_10_13_universal2.whl", hash = "sha256:802d3868f5776e28f7bf69d349c26fc0efadb81676d0afa88ed00d98a26340b7", size = 702333, upload-time = "2025-07-29T05:50:46.507Z" }, - { url = "https://files.pythonhosted.org/packages/83/6d/0544e6b08b748682c30b9f65640d006e51f90763b41d7c546693bc22900d/aiohttp-3.12.15-cp312-cp312-macosx_10_13_x86_64.whl", hash = "sha256:f2800614cd560287be05e33a679638e586a2d7401f4ddf99e304d98878c29444", size = 476948, upload-time = "2025-07-29T05:50:48.067Z" }, - { url = "https://files.pythonhosted.org/packages/3a/1d/c8c40e611e5094330284b1aea8a4b02ca0858f8458614fa35754cab42b9c/aiohttp-3.12.15-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:8466151554b593909d30a0a125d638b4e5f3836e5aecde85b66b80ded1cb5b0d", size = 469787, upload-time = "2025-07-29T05:50:49.669Z" }, - { url = "https://files.pythonhosted.org/packages/38/7d/b76438e70319796bfff717f325d97ce2e9310f752a267bfdf5192ac6082b/aiohttp-3.12.15-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:2e5a495cb1be69dae4b08f35a6c4579c539e9b5706f606632102c0f855bcba7c", size = 1716590, upload-time = "2025-07-29T05:50:51.368Z" }, - { url = "https://files.pythonhosted.org/packages/79/b1/60370d70cdf8b269ee1444b390cbd72ce514f0d1cd1a715821c784d272c9/aiohttp-3.12.15-cp312-cp312-manylinux_2_17_armv7l.manylinux2014_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:6404dfc8cdde35c69aaa489bb3542fb86ef215fc70277c892be8af540e5e21c0", size = 1699241, upload-time = "2025-07-29T05:50:53.628Z" }, - { url = "https://files.pythonhosted.org/packages/a3/2b/4968a7b8792437ebc12186db31523f541943e99bda8f30335c482bea6879/aiohttp-3.12.15-cp312-cp312-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:3ead1c00f8521a5c9070fcb88f02967b1d8a0544e6d85c253f6968b785e1a2ab", size = 1754335, upload-time = "2025-07-29T05:50:55.394Z" }, - { url = "https://files.pythonhosted.org/packages/fb/c1/49524ed553f9a0bec1a11fac09e790f49ff669bcd14164f9fab608831c4d/aiohttp-3.12.15-cp312-cp312-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:6990ef617f14450bc6b34941dba4f12d5613cbf4e33805932f853fbd1cf18bfb", size = 1800491, upload-time = "2025-07-29T05:50:57.202Z" }, - { url = "https://files.pythonhosted.org/packages/de/5e/3bf5acea47a96a28c121b167f5ef659cf71208b19e52a88cdfa5c37f1fcc/aiohttp-3.12.15-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:fd736ed420f4db2b8148b52b46b88ed038d0354255f9a73196b7bbce3ea97545", size = 1719929, upload-time = "2025-07-29T05:50:59.192Z" }, - { url = "https://files.pythonhosted.org/packages/39/94/8ae30b806835bcd1cba799ba35347dee6961a11bd507db634516210e91d8/aiohttp-3.12.15-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:3c5092ce14361a73086b90c6efb3948ffa5be2f5b6fbcf52e8d8c8b8848bb97c", size = 1635733, upload-time = "2025-07-29T05:51:01.394Z" }, - { url = "https://files.pythonhosted.org/packages/7a/46/06cdef71dd03acd9da7f51ab3a9107318aee12ad38d273f654e4f981583a/aiohttp-3.12.15-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:aaa2234bb60c4dbf82893e934d8ee8dea30446f0647e024074237a56a08c01bd", size = 1696790, upload-time = "2025-07-29T05:51:03.657Z" }, - { url = "https://files.pythonhosted.org/packages/02/90/6b4cfaaf92ed98d0ec4d173e78b99b4b1a7551250be8937d9d67ecb356b4/aiohttp-3.12.15-cp312-cp312-musllinux_1_2_armv7l.whl", hash = "sha256:6d86a2fbdd14192e2f234a92d3b494dd4457e683ba07e5905a0b3ee25389ac9f", size = 1718245, upload-time = "2025-07-29T05:51:05.911Z" }, - { url = "https://files.pythonhosted.org/packages/2e/e6/2593751670fa06f080a846f37f112cbe6f873ba510d070136a6ed46117c6/aiohttp-3.12.15-cp312-cp312-musllinux_1_2_i686.whl", hash = "sha256:a041e7e2612041a6ddf1c6a33b883be6a421247c7afd47e885969ee4cc58bd8d", size = 1658899, upload-time = "2025-07-29T05:51:07.753Z" }, - { url = "https://files.pythonhosted.org/packages/8f/28/c15bacbdb8b8eb5bf39b10680d129ea7410b859e379b03190f02fa104ffd/aiohttp-3.12.15-cp312-cp312-musllinux_1_2_ppc64le.whl", hash = "sha256:5015082477abeafad7203757ae44299a610e89ee82a1503e3d4184e6bafdd519", size = 1738459, upload-time = "2025-07-29T05:51:09.56Z" }, - { url = "https://files.pythonhosted.org/packages/00/de/c269cbc4faa01fb10f143b1670633a8ddd5b2e1ffd0548f7aa49cb5c70e2/aiohttp-3.12.15-cp312-cp312-musllinux_1_2_s390x.whl", hash = "sha256:56822ff5ddfd1b745534e658faba944012346184fbfe732e0d6134b744516eea", size = 1766434, upload-time = "2025-07-29T05:51:11.423Z" }, - { url = "https://files.pythonhosted.org/packages/52/b0/4ff3abd81aa7d929b27d2e1403722a65fc87b763e3a97b3a2a494bfc63bc/aiohttp-3.12.15-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:b2acbbfff69019d9014508c4ba0401822e8bae5a5fdc3b6814285b71231b60f3", size = 1726045, upload-time = "2025-07-29T05:51:13.689Z" }, - { url = "https://files.pythonhosted.org/packages/71/16/949225a6a2dd6efcbd855fbd90cf476052e648fb011aa538e3b15b89a57a/aiohttp-3.12.15-cp312-cp312-win32.whl", hash = "sha256:d849b0901b50f2185874b9a232f38e26b9b3d4810095a7572eacea939132d4e1", size = 423591, upload-time = "2025-07-29T05:51:15.452Z" }, - { url = "https://files.pythonhosted.org/packages/2b/d8/fa65d2a349fe938b76d309db1a56a75c4fb8cc7b17a398b698488a939903/aiohttp-3.12.15-cp312-cp312-win_amd64.whl", hash = "sha256:b390ef5f62bb508a9d67cb3bba9b8356e23b3996da7062f1a57ce1a79d2b3d34", size = 450266, upload-time = "2025-07-29T05:51:17.239Z" }, - { url = "https://files.pythonhosted.org/packages/f2/33/918091abcf102e39d15aba2476ad9e7bd35ddb190dcdd43a854000d3da0d/aiohttp-3.12.15-cp313-cp313-macosx_10_13_universal2.whl", hash = "sha256:9f922ffd05034d439dde1c77a20461cf4a1b0831e6caa26151fe7aa8aaebc315", size = 696741, upload-time = "2025-07-29T05:51:19.021Z" }, - { url = "https://files.pythonhosted.org/packages/b5/2a/7495a81e39a998e400f3ecdd44a62107254803d1681d9189be5c2e4530cd/aiohttp-3.12.15-cp313-cp313-macosx_10_13_x86_64.whl", hash = "sha256:2ee8a8ac39ce45f3e55663891d4b1d15598c157b4d494a4613e704c8b43112cd", size = 474407, upload-time = "2025-07-29T05:51:21.165Z" }, - { url = "https://files.pythonhosted.org/packages/49/fc/a9576ab4be2dcbd0f73ee8675d16c707cfc12d5ee80ccf4015ba543480c9/aiohttp-3.12.15-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:3eae49032c29d356b94eee45a3f39fdf4b0814b397638c2f718e96cfadf4c4e4", size = 466703, upload-time = "2025-07-29T05:51:22.948Z" }, - { url = "https://files.pythonhosted.org/packages/09/2f/d4bcc8448cf536b2b54eed48f19682031ad182faa3a3fee54ebe5b156387/aiohttp-3.12.15-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:b97752ff12cc12f46a9b20327104448042fce5c33a624f88c18f66f9368091c7", size = 1705532, upload-time = "2025-07-29T05:51:25.211Z" }, - { url = "https://files.pythonhosted.org/packages/f1/f3/59406396083f8b489261e3c011aa8aee9df360a96ac8fa5c2e7e1b8f0466/aiohttp-3.12.15-cp313-cp313-manylinux_2_17_armv7l.manylinux2014_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:894261472691d6fe76ebb7fcf2e5870a2ac284c7406ddc95823c8598a1390f0d", size = 1686794, upload-time = "2025-07-29T05:51:27.145Z" }, - { url = "https://files.pythonhosted.org/packages/dc/71/164d194993a8d114ee5656c3b7ae9c12ceee7040d076bf7b32fb98a8c5c6/aiohttp-3.12.15-cp313-cp313-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:5fa5d9eb82ce98959fc1031c28198b431b4d9396894f385cb63f1e2f3f20ca6b", size = 1738865, upload-time = "2025-07-29T05:51:29.366Z" }, - { url = "https://files.pythonhosted.org/packages/1c/00/d198461b699188a93ead39cb458554d9f0f69879b95078dce416d3209b54/aiohttp-3.12.15-cp313-cp313-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:f0fa751efb11a541f57db59c1dd821bec09031e01452b2b6217319b3a1f34f3d", size = 1788238, upload-time = "2025-07-29T05:51:31.285Z" }, - { url = "https://files.pythonhosted.org/packages/85/b8/9e7175e1fa0ac8e56baa83bf3c214823ce250d0028955dfb23f43d5e61fd/aiohttp-3.12.15-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:5346b93e62ab51ee2a9d68e8f73c7cf96ffb73568a23e683f931e52450e4148d", size = 1710566, upload-time = "2025-07-29T05:51:33.219Z" }, - { url = "https://files.pythonhosted.org/packages/59/e4/16a8eac9df39b48ae102ec030fa9f726d3570732e46ba0c592aeeb507b93/aiohttp-3.12.15-cp313-cp313-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:049ec0360f939cd164ecbfd2873eaa432613d5e77d6b04535e3d1fbae5a9e645", size = 1624270, upload-time = "2025-07-29T05:51:35.195Z" }, - { url = "https://files.pythonhosted.org/packages/1f/f8/cd84dee7b6ace0740908fd0af170f9fab50c2a41ccbc3806aabcb1050141/aiohttp-3.12.15-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:b52dcf013b57464b6d1e51b627adfd69a8053e84b7103a7cd49c030f9ca44461", size = 1677294, upload-time = "2025-07-29T05:51:37.215Z" }, - { url = "https://files.pythonhosted.org/packages/ce/42/d0f1f85e50d401eccd12bf85c46ba84f947a84839c8a1c2c5f6e8ab1eb50/aiohttp-3.12.15-cp313-cp313-musllinux_1_2_armv7l.whl", hash = "sha256:9b2af240143dd2765e0fb661fd0361a1b469cab235039ea57663cda087250ea9", size = 1708958, upload-time = "2025-07-29T05:51:39.328Z" }, - { url = "https://files.pythonhosted.org/packages/d5/6b/f6fa6c5790fb602538483aa5a1b86fcbad66244997e5230d88f9412ef24c/aiohttp-3.12.15-cp313-cp313-musllinux_1_2_i686.whl", hash = "sha256:ac77f709a2cde2cc71257ab2d8c74dd157c67a0558a0d2799d5d571b4c63d44d", size = 1651553, upload-time = "2025-07-29T05:51:41.356Z" }, - { url = "https://files.pythonhosted.org/packages/04/36/a6d36ad545fa12e61d11d1932eef273928b0495e6a576eb2af04297fdd3c/aiohttp-3.12.15-cp313-cp313-musllinux_1_2_ppc64le.whl", hash = "sha256:47f6b962246f0a774fbd3b6b7be25d59b06fdb2f164cf2513097998fc6a29693", size = 1727688, upload-time = "2025-07-29T05:51:43.452Z" }, - { url = "https://files.pythonhosted.org/packages/aa/c8/f195e5e06608a97a4e52c5d41c7927301bf757a8e8bb5bbf8cef6c314961/aiohttp-3.12.15-cp313-cp313-musllinux_1_2_s390x.whl", hash = "sha256:760fb7db442f284996e39cf9915a94492e1896baac44f06ae551974907922b64", size = 1761157, upload-time = "2025-07-29T05:51:45.643Z" }, - { url = "https://files.pythonhosted.org/packages/05/6a/ea199e61b67f25ba688d3ce93f63b49b0a4e3b3d380f03971b4646412fc6/aiohttp-3.12.15-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:ad702e57dc385cae679c39d318def49aef754455f237499d5b99bea4ef582e51", size = 1710050, upload-time = "2025-07-29T05:51:48.203Z" }, - { url = "https://files.pythonhosted.org/packages/b4/2e/ffeb7f6256b33635c29dbed29a22a723ff2dd7401fff42ea60cf2060abfb/aiohttp-3.12.15-cp313-cp313-win32.whl", hash = "sha256:f813c3e9032331024de2eb2e32a88d86afb69291fbc37a3a3ae81cc9917fb3d0", size = 422647, upload-time = "2025-07-29T05:51:50.718Z" }, - { url = "https://files.pythonhosted.org/packages/1b/8e/78ee35774201f38d5e1ba079c9958f7629b1fd079459aea9467441dbfbf5/aiohttp-3.12.15-cp313-cp313-win_amd64.whl", hash = "sha256:1a649001580bdb37c6fdb1bebbd7e3bc688e8ec2b5c6f52edbb664662b17dc84", size = 449067, upload-time = "2025-07-29T05:51:52.549Z" }, + { url = "https://files.pythonhosted.org/packages/a0/be/4fc11f202955a69e0db803a12a062b8379c970c7c84f4882b6da17337cc1/aiohttp-3.13.3-cp312-cp312-macosx_10_13_universal2.whl", hash = "sha256:b903a4dfee7d347e2d87697d0713be59e0b87925be030c9178c5faa58ea58d5c", size = 739732, upload-time = "2026-01-03T17:30:14.23Z" }, + { url = "https://files.pythonhosted.org/packages/97/2c/621d5b851f94fa0bb7430d6089b3aa970a9d9b75196bc93bb624b0db237a/aiohttp-3.13.3-cp312-cp312-macosx_10_13_x86_64.whl", hash = "sha256:a45530014d7a1e09f4a55f4f43097ba0fd155089372e105e4bff4ca76cb1b168", size = 494293, upload-time = "2026-01-03T17:30:15.96Z" }, + { url = "https://files.pythonhosted.org/packages/5d/43/4be01406b78e1be8320bb8316dc9c42dbab553d281c40364e0f862d5661c/aiohttp-3.13.3-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:27234ef6d85c914f9efeb77ff616dbf4ad2380be0cda40b4db086ffc7ddd1b7d", size = 493533, upload-time = "2026-01-03T17:30:17.431Z" }, + { url = "https://files.pythonhosted.org/packages/8d/a8/5a35dc56a06a2c90d4742cbf35294396907027f80eea696637945a106f25/aiohttp-3.13.3-cp312-cp312-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:d32764c6c9aafb7fb55366a224756387cd50bfa720f32b88e0e6fa45b27dcf29", size = 1737839, upload-time = "2026-01-03T17:30:19.422Z" }, + { url = "https://files.pythonhosted.org/packages/bf/62/4b9eeb331da56530bf2e198a297e5303e1c1ebdceeb00fe9b568a65c5a0c/aiohttp-3.13.3-cp312-cp312-manylinux2014_armv7l.manylinux_2_17_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:b1a6102b4d3ebc07dad44fbf07b45bb600300f15b552ddf1851b5390202ea2e3", size = 1703932, upload-time = "2026-01-03T17:30:21.756Z" }, + { url = "https://files.pythonhosted.org/packages/7c/f6/af16887b5d419e6a367095994c0b1332d154f647e7dc2bd50e61876e8e3d/aiohttp-3.13.3-cp312-cp312-manylinux2014_ppc64le.manylinux_2_17_ppc64le.manylinux_2_28_ppc64le.whl", hash = "sha256:c014c7ea7fb775dd015b2d3137378b7be0249a448a1612268b5a90c2d81de04d", size = 1771906, upload-time = "2026-01-03T17:30:23.932Z" }, + { url = "https://files.pythonhosted.org/packages/ce/83/397c634b1bcc24292fa1e0c7822800f9f6569e32934bdeef09dae7992dfb/aiohttp-3.13.3-cp312-cp312-manylinux2014_s390x.manylinux_2_17_s390x.manylinux_2_28_s390x.whl", hash = "sha256:2b8d8ddba8f95ba17582226f80e2de99c7a7948e66490ef8d947e272a93e9463", size = 1871020, upload-time = "2026-01-03T17:30:26Z" }, + { url = "https://files.pythonhosted.org/packages/86/f6/a62cbbf13f0ac80a70f71b1672feba90fdb21fd7abd8dbf25c0105fb6fa3/aiohttp-3.13.3-cp312-cp312-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:9ae8dd55c8e6c4257eae3a20fd2c8f41edaea5992ed67156642493b8daf3cecc", size = 1755181, upload-time = "2026-01-03T17:30:27.554Z" }, + { url = "https://files.pythonhosted.org/packages/0a/87/20a35ad487efdd3fba93d5843efdfaa62d2f1479eaafa7453398a44faf13/aiohttp-3.13.3-cp312-cp312-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:01ad2529d4b5035578f5081606a465f3b814c542882804e2e8cda61adf5c71bf", size = 1561794, upload-time = "2026-01-03T17:30:29.254Z" }, + { url = "https://files.pythonhosted.org/packages/de/95/8fd69a66682012f6716e1bc09ef8a1a2a91922c5725cb904689f112309c4/aiohttp-3.13.3-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:bb4f7475e359992b580559e008c598091c45b5088f28614e855e42d39c2f1033", size = 1697900, upload-time = "2026-01-03T17:30:31.033Z" }, + { url = "https://files.pythonhosted.org/packages/e5/66/7b94b3b5ba70e955ff597672dad1691333080e37f50280178967aff68657/aiohttp-3.13.3-cp312-cp312-musllinux_1_2_armv7l.whl", hash = "sha256:c19b90316ad3b24c69cd78d5c9b4f3aa4497643685901185b65166293d36a00f", size = 1728239, upload-time = "2026-01-03T17:30:32.703Z" }, + { url = "https://files.pythonhosted.org/packages/47/71/6f72f77f9f7d74719692ab65a2a0252584bf8d5f301e2ecb4c0da734530a/aiohttp-3.13.3-cp312-cp312-musllinux_1_2_ppc64le.whl", hash = "sha256:96d604498a7c782cb15a51c406acaea70d8c027ee6b90c569baa6e7b93073679", size = 1740527, upload-time = "2026-01-03T17:30:34.695Z" }, + { url = "https://files.pythonhosted.org/packages/fa/b4/75ec16cbbd5c01bdaf4a05b19e103e78d7ce1ef7c80867eb0ace42ff4488/aiohttp-3.13.3-cp312-cp312-musllinux_1_2_riscv64.whl", hash = "sha256:084911a532763e9d3dd95adf78a78f4096cd5f58cdc18e6fdbc1b58417a45423", size = 1554489, upload-time = "2026-01-03T17:30:36.864Z" }, + { url = "https://files.pythonhosted.org/packages/52/8f/bc518c0eea29f8406dcf7ed1f96c9b48e3bc3995a96159b3fc11f9e08321/aiohttp-3.13.3-cp312-cp312-musllinux_1_2_s390x.whl", hash = "sha256:7a4a94eb787e606d0a09404b9c38c113d3b099d508021faa615d70a0131907ce", size = 1767852, upload-time = "2026-01-03T17:30:39.433Z" }, + { url = "https://files.pythonhosted.org/packages/9d/f2/a07a75173124f31f11ea6f863dc44e6f09afe2bca45dd4e64979490deab1/aiohttp-3.13.3-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:87797e645d9d8e222e04160ee32aa06bc5c163e8499f24db719e7852ec23093a", size = 1722379, upload-time = "2026-01-03T17:30:41.081Z" }, + { url = "https://files.pythonhosted.org/packages/3c/4a/1a3fee7c21350cac78e5c5cef711bac1b94feca07399f3d406972e2d8fcd/aiohttp-3.13.3-cp312-cp312-win32.whl", hash = "sha256:b04be762396457bef43f3597c991e192ee7da460a4953d7e647ee4b1c28e7046", size = 428253, upload-time = "2026-01-03T17:30:42.644Z" }, + { url = "https://files.pythonhosted.org/packages/d9/b7/76175c7cb4eb73d91ad63c34e29fc4f77c9386bba4a65b53ba8e05ee3c39/aiohttp-3.13.3-cp312-cp312-win_amd64.whl", hash = "sha256:e3531d63d3bdfa7e3ac5e9b27b2dd7ec9df3206a98e0b3445fa906f233264c57", size = 455407, upload-time = "2026-01-03T17:30:44.195Z" }, + { url = "https://files.pythonhosted.org/packages/97/8a/12ca489246ca1faaf5432844adbfce7ff2cc4997733e0af120869345643a/aiohttp-3.13.3-cp313-cp313-macosx_10_13_universal2.whl", hash = "sha256:5dff64413671b0d3e7d5918ea490bdccb97a4ad29b3f311ed423200b2203e01c", size = 734190, upload-time = "2026-01-03T17:30:45.832Z" }, + { url = "https://files.pythonhosted.org/packages/32/08/de43984c74ed1fca5c014808963cc83cb00d7bb06af228f132d33862ca76/aiohttp-3.13.3-cp313-cp313-macosx_10_13_x86_64.whl", hash = "sha256:87b9aab6d6ed88235aa2970294f496ff1a1f9adcd724d800e9b952395a80ffd9", size = 491783, upload-time = "2026-01-03T17:30:47.466Z" }, + { url = "https://files.pythonhosted.org/packages/17/f8/8dd2cf6112a5a76f81f81a5130c57ca829d101ad583ce57f889179accdda/aiohttp-3.13.3-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:425c126c0dc43861e22cb1c14ba4c8e45d09516d0a3ae0a3f7494b79f5f233a3", size = 490704, upload-time = "2026-01-03T17:30:49.373Z" }, + { url = "https://files.pythonhosted.org/packages/6d/40/a46b03ca03936f832bc7eaa47cfbb1ad012ba1be4790122ee4f4f8cba074/aiohttp-3.13.3-cp313-cp313-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:7f9120f7093c2a32d9647abcaf21e6ad275b4fbec5b55969f978b1a97c7c86bf", size = 1720652, upload-time = "2026-01-03T17:30:50.974Z" }, + { url = "https://files.pythonhosted.org/packages/f7/7e/917fe18e3607af92657e4285498f500dca797ff8c918bd7d90b05abf6c2a/aiohttp-3.13.3-cp313-cp313-manylinux2014_armv7l.manylinux_2_17_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:697753042d57f4bf7122cab985bf15d0cef23c770864580f5af4f52023a56bd6", size = 1692014, upload-time = "2026-01-03T17:30:52.729Z" }, + { url = "https://files.pythonhosted.org/packages/71/b6/cefa4cbc00d315d68973b671cf105b21a609c12b82d52e5d0c9ae61d2a09/aiohttp-3.13.3-cp313-cp313-manylinux2014_ppc64le.manylinux_2_17_ppc64le.manylinux_2_28_ppc64le.whl", hash = "sha256:6de499a1a44e7de70735d0b39f67c8f25eb3d91eb3103be99ca0fa882cdd987d", size = 1759777, upload-time = "2026-01-03T17:30:54.537Z" }, + { url = "https://files.pythonhosted.org/packages/fb/e3/e06ee07b45e59e6d81498b591fc589629be1553abb2a82ce33efe2a7b068/aiohttp-3.13.3-cp313-cp313-manylinux2014_s390x.manylinux_2_17_s390x.manylinux_2_28_s390x.whl", hash = "sha256:37239e9f9a7ea9ac5bf6b92b0260b01f8a22281996da609206a84df860bc1261", size = 1861276, upload-time = "2026-01-03T17:30:56.512Z" }, + { url = "https://files.pythonhosted.org/packages/7c/24/75d274228acf35ceeb2850b8ce04de9dd7355ff7a0b49d607ee60c29c518/aiohttp-3.13.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:f76c1e3fe7d7c8afad7ed193f89a292e1999608170dcc9751a7462a87dfd5bc0", size = 1743131, upload-time = "2026-01-03T17:30:58.256Z" }, + { url = "https://files.pythonhosted.org/packages/04/98/3d21dde21889b17ca2eea54fdcff21b27b93f45b7bb94ca029c31ab59dc3/aiohttp-3.13.3-cp313-cp313-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:fc290605db2a917f6e81b0e1e0796469871f5af381ce15c604a3c5c7e51cb730", size = 1556863, upload-time = "2026-01-03T17:31:00.445Z" }, + { url = "https://files.pythonhosted.org/packages/9e/84/da0c3ab1192eaf64782b03971ab4055b475d0db07b17eff925e8c93b3aa5/aiohttp-3.13.3-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:4021b51936308aeea0367b8f006dc999ca02bc118a0cc78c303f50a2ff6afb91", size = 1682793, upload-time = "2026-01-03T17:31:03.024Z" }, + { url = "https://files.pythonhosted.org/packages/ff/0f/5802ada182f575afa02cbd0ec5180d7e13a402afb7c2c03a9aa5e5d49060/aiohttp-3.13.3-cp313-cp313-musllinux_1_2_armv7l.whl", hash = "sha256:49a03727c1bba9a97d3e93c9f93ca03a57300f484b6e935463099841261195d3", size = 1716676, upload-time = "2026-01-03T17:31:04.842Z" }, + { url = "https://files.pythonhosted.org/packages/3f/8c/714d53bd8b5a4560667f7bbbb06b20c2382f9c7847d198370ec6526af39c/aiohttp-3.13.3-cp313-cp313-musllinux_1_2_ppc64le.whl", hash = "sha256:3d9908a48eb7416dc1f4524e69f1d32e5d90e3981e4e37eb0aa1cd18f9cfa2a4", size = 1733217, upload-time = "2026-01-03T17:31:06.868Z" }, + { url = "https://files.pythonhosted.org/packages/7d/79/e2176f46d2e963facea939f5be2d26368ce543622be6f00a12844d3c991f/aiohttp-3.13.3-cp313-cp313-musllinux_1_2_riscv64.whl", hash = "sha256:2712039939ec963c237286113c68dbad80a82a4281543f3abf766d9d73228998", size = 1552303, upload-time = "2026-01-03T17:31:08.958Z" }, + { url = "https://files.pythonhosted.org/packages/ab/6a/28ed4dea1759916090587d1fe57087b03e6c784a642b85ef48217b0277ae/aiohttp-3.13.3-cp313-cp313-musllinux_1_2_s390x.whl", hash = "sha256:7bfdc049127717581866fa4708791220970ce291c23e28ccf3922c700740fdc0", size = 1763673, upload-time = "2026-01-03T17:31:10.676Z" }, + { url = "https://files.pythonhosted.org/packages/e8/35/4a3daeb8b9fab49240d21c04d50732313295e4bd813a465d840236dd0ce1/aiohttp-3.13.3-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:8057c98e0c8472d8846b9c79f56766bcc57e3e8ac7bfd510482332366c56c591", size = 1721120, upload-time = "2026-01-03T17:31:12.575Z" }, + { url = "https://files.pythonhosted.org/packages/bc/9f/d643bb3c5fb99547323e635e251c609fbbc660d983144cfebec529e09264/aiohttp-3.13.3-cp313-cp313-win32.whl", hash = "sha256:1449ceddcdbcf2e0446957863af03ebaaa03f94c090f945411b61269e2cb5daf", size = 427383, upload-time = "2026-01-03T17:31:14.382Z" }, + { url = "https://files.pythonhosted.org/packages/4e/f1/ab0395f8a79933577cdd996dd2f9aa6014af9535f65dddcf88204682fe62/aiohttp-3.13.3-cp313-cp313-win_amd64.whl", hash = "sha256:693781c45a4033d31d4187d2436f5ac701e7bbfe5df40d917736108c1cc7436e", size = 453899, upload-time = "2026-01-03T17:31:15.958Z" }, ] [[package]] @@ -463,7 +463,7 @@ wheels = [ [[package]] name = "browser-use" -version = "0.11.2" +version = "0.11.13" source = { registry = "https://pypi.org/simple" } dependencies = [ { name = "aiohttp" }, @@ -504,9 +504,9 @@ dependencies = [ { name = "typing-extensions" }, { name = "uuid7" }, ] -sdist = { url = "https://files.pythonhosted.org/packages/77/42/aacaba1ee2599101ccb14fde3c4732d6e994d9d616b3a7b9c12f8ac5d5b4/browser_use-0.11.2.tar.gz", hash = "sha256:543face2fd5662ee89526d2099a79e01468b51784cdcc85faa36a81fdae4aa68", size = 501474, upload-time = "2025-12-16T22:07:49.749Z" } +sdist = { url = "https://files.pythonhosted.org/packages/9f/86/40464b112d01dfedf2433570a6537dea1656715bf8631d18a6eaa2dce28b/browser_use-0.11.13.tar.gz", hash = "sha256:c20d029f17c44add2047a72c836cb589b85e90a31a91cf3632a22a2de1928dfe", size = 628359, upload-time = "2026-02-25T05:20:10.662Z" } wheels = [ - { url = "https://files.pythonhosted.org/packages/3d/04/9d0b9ee9b176fe329d424bf4337982b021b264295aa2fb9a7aef885abd61/browser_use-0.11.2-py3-none-any.whl", hash = "sha256:6ac57c0e2a495749fc83c1faee85001737567f8cd4301ebfcda2a886018a325b", size = 599219, upload-time = "2025-12-16T22:07:48.39Z" }, + { url = "https://files.pythonhosted.org/packages/c6/ae/011c8a99708c82a2f8b75c5f24fb62541460fcb648050227db67d361bbe4/browser_use-0.11.13-py3-none-any.whl", hash = "sha256:f5232309213715e66e8f2079fb7097ac79a880728735968e4c7d41031ed15e83", size = 745686, upload-time = "2026-02-25T05:20:11.939Z" }, ] [[package]] @@ -602,15 +602,16 @@ wheels = [ [[package]] name = "cdp-use" -version = "1.4.4" +version = "1.4.5" source = { registry = "https://pypi.org/simple" } dependencies = [ { name = "httpx" }, + { name = "typing-extensions" }, { name = "websockets" }, ] -sdist = { url = "https://files.pythonhosted.org/packages/d6/48/5143e381a6e24f4cc7a678f1c9657ba3e3d0061b79175bb1db987850fb51/cdp_use-1.4.4.tar.gz", hash = "sha256:330a848b517006eb9ad1dc468aa6434d913cf0c6918610760c36c3fdfdba0fab", size = 185718, upload-time = "2025-11-13T01:54:59.045Z" } +sdist = { url = "https://files.pythonhosted.org/packages/f7/7a/c549417e8c5e4dface6d5d828cd7dc72502dcea33a99f5324abf5a853ce9/cdp_use-1.4.5.tar.gz", hash = "sha256:0da3a32df46336a03ff5a22bc6bc442cd7d2f2d50a118fd4856f29d37f6d26a0", size = 193961, upload-time = "2026-02-22T04:32:50.574Z" } wheels = [ - { url = "https://files.pythonhosted.org/packages/68/db/b97d06a6032d63808636f84b7d0dc0eb3bff79a61471ea8eab8a11a293f7/cdp_use-1.4.4-py3-none-any.whl", hash = "sha256:e37e80e067db2653d6fdf953d4ff9e5d80d75daa27b7c6d48c0261cccbef73e1", size = 340828, upload-time = "2025-11-13T01:54:57.599Z" }, + { url = "https://files.pythonhosted.org/packages/56/12/386d8c6bf0448c43674e24d6194c3b57d62e5361e90bca3d58108819ad32/cdp_use-1.4.5-py3-none-any.whl", hash = "sha256:8f8e2435e3a20e4009d2974144192cf3c132f6c2971338e156198814d9b91ecb", size = 350504, upload-time = "2026-02-22T04:32:49.22Z" }, ] [[package]] @@ -3747,7 +3748,7 @@ test = [ [package.metadata] requires-dist = [ - { name = "aiohttp", specifier = ">=3.9,!=3.11.13" }, + { name = "aiohttp", specifier = ">=3.13.3" }, { name = "anthropic", extras = ["vertex"] }, { name = "anyio", specifier = "==4.9" }, { name = "asyncpg", specifier = ">=0.30" }, From 222e8bd03d176c9699c08b3eb61288fca3cfa97f Mon Sep 17 00:00:00 2001 From: Rohit Malhotra Date: Tue, 3 Mar 2026 19:00:53 -0500 Subject: [PATCH 25/67] Fix linear-related mypy type errors and make Manager.start_job async (#13189) Co-authored-by: openhands --- enterprise/integrations/github/github_manager.py | 2 +- enterprise/integrations/gitlab/gitlab_manager.py | 2 +- enterprise/integrations/jira/jira_manager.py | 2 +- enterprise/integrations/jira_dc/jira_dc_manager.py | 2 +- enterprise/integrations/linear/linear_manager.py | 2 +- enterprise/integrations/linear/linear_view.py | 3 +++ enterprise/integrations/manager.py | 2 +- enterprise/integrations/slack/slack_manager.py | 2 +- enterprise/server/routes/integration/linear.py | 10 ++++++++++ 9 files changed, 20 insertions(+), 7 deletions(-) diff --git a/enterprise/integrations/github/github_manager.py b/enterprise/integrations/github/github_manager.py index 37b03a330d..e118a5848b 100644 --- a/enterprise/integrations/github/github_manager.py +++ b/enterprise/integrations/github/github_manager.py @@ -318,7 +318,7 @@ class GithubManager(Manager[GithubViewType]): logger.warning('Unsupported location') return - async def start_job(self, github_view: GithubViewType): + async def start_job(self, github_view: GithubViewType) -> None: """Kick off a job with openhands agent. 1. Get user credential diff --git a/enterprise/integrations/gitlab/gitlab_manager.py b/enterprise/integrations/gitlab/gitlab_manager.py index 9fbe5d46eb..c3641c6cc9 100644 --- a/enterprise/integrations/gitlab/gitlab_manager.py +++ b/enterprise/integrations/gitlab/gitlab_manager.py @@ -170,7 +170,7 @@ class GitlabManager(Manager[GitlabViewType]): f'[GitLab] Unsupported view type: {type(gitlab_view).__name__}' ) - async def start_job(self, gitlab_view: GitlabViewType): + async def start_job(self, gitlab_view: GitlabViewType) -> None: """ Start a job for the GitLab view. diff --git a/enterprise/integrations/jira/jira_manager.py b/enterprise/integrations/jira/jira_manager.py index 9223bcfa36..107acfff3d 100644 --- a/enterprise/integrations/jira/jira_manager.py +++ b/enterprise/integrations/jira/jira_manager.py @@ -257,7 +257,7 @@ class JiraManager(Manager[JiraViewInterface]): return jira_user, saas_user_auth - async def start_job(self, view: JiraViewInterface): + async def start_job(self, view: JiraViewInterface) -> None: """Start a Jira job/conversation.""" # Import here to prevent circular import from server.conversation_callback_processor.jira_callback_processor import ( diff --git a/enterprise/integrations/jira_dc/jira_dc_manager.py b/enterprise/integrations/jira_dc/jira_dc_manager.py index 5adc1fbc75..a5417ddb9a 100644 --- a/enterprise/integrations/jira_dc/jira_dc_manager.py +++ b/enterprise/integrations/jira_dc/jira_dc_manager.py @@ -353,7 +353,7 @@ class JiraDcManager(Manager[JiraDcViewInterface]): logger.error(f'[Jira DC] Error in is_job_requested: {str(e)}') return False - async def start_job(self, jira_dc_view: JiraDcViewInterface): + async def start_job(self, jira_dc_view: JiraDcViewInterface) -> None: """Start a Jira DC job/conversation.""" # Import here to prevent circular import from server.conversation_callback_processor.jira_dc_callback_processor import ( diff --git a/enterprise/integrations/linear/linear_manager.py b/enterprise/integrations/linear/linear_manager.py index 10f1b63c52..708963ab02 100644 --- a/enterprise/integrations/linear/linear_manager.py +++ b/enterprise/integrations/linear/linear_manager.py @@ -343,7 +343,7 @@ class LinearManager(Manager[LinearViewInterface]): logger.error(f'[Linear] Error in is_job_requested: {str(e)}') return False - async def start_job(self, linear_view: LinearViewInterface): + async def start_job(self, linear_view: LinearViewInterface) -> None: """Start a Linear job/conversation.""" # Import here to prevent circular import from server.conversation_callback_processor.linear_callback_processor import ( diff --git a/enterprise/integrations/linear/linear_view.py b/enterprise/integrations/linear/linear_view.py index 7f8282b705..dabe80cf60 100644 --- a/enterprise/integrations/linear/linear_view.py +++ b/enterprise/integrations/linear/linear_view.py @@ -152,6 +152,9 @@ class LinearExistingConversationView(LinearViewInterface): self.conversation_id, conversation_init_data, user_id ) + if agent_loop_info.event_store is None: + raise StartingConvoException('Event store not available') + final_agent_observation = get_final_agent_observation( agent_loop_info.event_store ) diff --git a/enterprise/integrations/manager.py b/enterprise/integrations/manager.py index 550b4ca5c1..880c252bdf 100644 --- a/enterprise/integrations/manager.py +++ b/enterprise/integrations/manager.py @@ -25,7 +25,7 @@ class Manager(ABC, Generic[ViewT]): raise NotImplementedError @abstractmethod - def start_job(self, view: ViewT) -> None: + async def start_job(self, view: ViewT) -> None: """Kick off a job with openhands agent. Args: diff --git a/enterprise/integrations/slack/slack_manager.py b/enterprise/integrations/slack/slack_manager.py index 27a892e8c4..17c57f7e6e 100644 --- a/enterprise/integrations/slack/slack_manager.py +++ b/enterprise/integrations/slack/slack_manager.py @@ -303,7 +303,7 @@ class SlackManager(Manager[SlackViewInterface]): return True - async def start_job(self, slack_view: SlackViewInterface): + async def start_job(self, slack_view: SlackViewInterface) -> None: # Importing here prevents circular import from server.conversation_callback_processor.slack_callback_processor import ( SlackCallbackProcessor, diff --git a/enterprise/server/routes/integration/linear.py b/enterprise/server/routes/integration/linear.py index 9d47c04b0c..2e23325398 100644 --- a/enterprise/server/routes/integration/linear.py +++ b/enterprise/server/routes/integration/linear.py @@ -523,6 +523,11 @@ async def get_current_workspace_link(request: Request): try: user_auth = cast(SaasUserAuth, await get_user_auth(request)) user_id = await user_auth.get_user_id() + if not user_id: + raise HTTPException( + status_code=status.HTTP_401_UNAUTHORIZED, + detail='User not authenticated', + ) user = await linear_manager.integration_store.get_user_by_active_workspace( user_id @@ -576,6 +581,11 @@ async def unlink_workspace(request: Request): try: user_auth = cast(SaasUserAuth, await get_user_auth(request)) user_id = await user_auth.get_user_id() + if not user_id: + raise HTTPException( + status_code=status.HTTP_401_UNAUTHORIZED, + detail='User not authenticated', + ) user = await linear_manager.integration_store.get_user_by_active_workspace( user_id From 8dac1095d73af2f3b8eeb0a77dccb0c2ee1ef8f2 Mon Sep 17 00:00:00 2001 From: Tim O'Farrell Date: Tue, 3 Mar 2026 17:51:53 -0700 Subject: [PATCH 26/67] Refactor user_store.py to use async database sessions (#13187) Co-authored-by: openhands --- enterprise/server/routes/api_keys.py | 8 +- enterprise/server/routes/auth.py | 2 +- enterprise/server/routes/billing.py | 4 +- enterprise/server/routes/integration/slack.py | 2 +- enterprise/server/routes/orgs.py | 2 +- enterprise/server/routes/user.py | 2 +- .../server/services/org_invitation_service.py | 6 +- .../server/services/org_member_service.py | 10 +- enterprise/storage/api_key_store.py | 6 +- enterprise/storage/lite_llm_manager.py | 2 +- enterprise/storage/org_service.py | 4 +- enterprise/storage/saas_conversation_store.py | 2 +- enterprise/storage/saas_secrets_store.py | 4 +- enterprise/storage/saas_settings_store.py | 2 +- enterprise/storage/user_store.py | 226 ++++++------------ .../tests/unit/server/routes/test_api_keys.py | 8 +- .../tests/unit/server/routes/test_orgs.py | 18 +- .../services/test_org_member_service.py | 51 ++-- enterprise/tests/unit/test_api_key_store.py | 8 +- enterprise/tests/unit/test_auth_routes.py | 50 ++-- enterprise/tests/unit/test_billing.py | 10 +- .../tests/unit/test_lite_llm_manager.py | 6 +- .../tests/unit/test_org_invitation_service.py | 8 +- enterprise/tests/unit/test_org_service.py | 17 +- .../unit/test_saas_conversation_store.py | 8 +- .../tests/unit/test_saas_secrets_store.py | 6 +- .../tests/unit/test_user_route_fallback.py | 4 +- enterprise/tests/unit/test_user_store.py | 69 +++--- 28 files changed, 235 insertions(+), 310 deletions(-) diff --git a/enterprise/server/routes/api_keys.py b/enterprise/server/routes/api_keys.py index 5b433aef98..1e3f8a0d51 100644 --- a/enterprise/server/routes/api_keys.py +++ b/enterprise/server/routes/api_keys.py @@ -17,7 +17,7 @@ from openhands.server.user_auth import get_user_id # Helper functions for BYOR API key management async def get_byor_key_from_db(user_id: str) -> str | None: """Get the BYOR key from the database for a user.""" - user = await UserStore.get_user_by_id_async(user_id) + user = await UserStore.get_user_by_id(user_id) if not user: return None @@ -36,7 +36,7 @@ async def get_byor_key_from_db(user_id: str) -> str | None: async def store_byor_key_in_db(user_id: str, key: str) -> None: """Store the BYOR key in the database for a user.""" - user = await UserStore.get_user_by_id_async(user_id) + user = await UserStore.get_user_by_id(user_id) if not user: return None @@ -55,7 +55,7 @@ async def store_byor_key_in_db(user_id: str, key: str) -> None: async def generate_byor_key(user_id: str) -> str | None: """Generate a new BYOR key for a user.""" try: - user = await UserStore.get_user_by_id_async(user_id) + user = await UserStore.get_user_by_id(user_id) if not user: return None current_org_id = str(user.current_org_id) @@ -98,7 +98,7 @@ async def delete_byor_key_from_litellm(user_id: str, byor_key: str) -> bool: """ try: # Get user to construct the key alias - user = await UserStore.get_user_by_id_async(user_id) + user = await UserStore.get_user_by_id(user_id) key_alias = None if user and user.current_org_id: key_alias = f'BYOR Key - user {user_id}, org {user.current_org_id}' diff --git a/enterprise/server/routes/auth.py b/enterprise/server/routes/auth.py index fa298f73e4..7c596cd558 100644 --- a/enterprise/server/routes/auth.py +++ b/enterprise/server/routes/auth.py @@ -204,7 +204,7 @@ async def keycloak_callback( email = user_info.email user_id = user_info.sub user_info_dict = user_info.model_dump(exclude_none=True) - user = await UserStore.get_user_by_id_async(user_id) + user = await UserStore.get_user_by_id(user_id) if not user: user = await UserStore.create_user(user_id, user_info_dict) else: diff --git a/enterprise/server/routes/billing.py b/enterprise/server/routes/billing.py index 942b843cb5..51e5ee3fb1 100644 --- a/enterprise/server/routes/billing.py +++ b/enterprise/server/routes/billing.py @@ -90,7 +90,7 @@ def calculate_credits(user_info: LiteLlmUserInfo) -> float: async def get_credits(user_id: str = Depends(get_user_id)) -> GetCreditsResponse: if not stripe_service.STRIPE_API_KEY: return GetCreditsResponse() - user = await UserStore.get_user_by_id_async(user_id) + user = await UserStore.get_user_by_id(user_id) if user is None: raise HTTPException(status.HTTP_404_NOT_FOUND, detail='User not found') user_team_info = await LiteLlmManager.get_user_team_info( @@ -248,7 +248,7 @@ async def success_callback(session_id: str, request: Request): ) raise HTTPException(status.HTTP_400_BAD_REQUEST) - user = await UserStore.get_user_by_id_async(billing_session.user_id) + user = await UserStore.get_user_by_id(billing_session.user_id) if user is None: raise HTTPException(status.HTTP_404_NOT_FOUND, detail='User not found') user_team_info = await LiteLlmManager.get_user_team_info( diff --git a/enterprise/server/routes/integration/slack.py b/enterprise/server/routes/integration/slack.py index 221c966eb1..dc98552bc3 100644 --- a/enterprise/server/routes/integration/slack.py +++ b/enterprise/server/routes/integration/slack.py @@ -197,7 +197,7 @@ async def keycloak_callback( user_info = await token_manager.get_user_info(keycloak_access_token) keycloak_user_id = user_info.sub - user = await UserStore.get_user_by_id_async(keycloak_user_id) + user = await UserStore.get_user_by_id(keycloak_user_id) if not user: return _html_response( title='Failed to authenticate.', diff --git a/enterprise/server/routes/orgs.py b/enterprise/server/routes/orgs.py index 8c1abb18ed..f67b1f45f2 100644 --- a/enterprise/server/routes/orgs.py +++ b/enterprise/server/routes/orgs.py @@ -99,7 +99,7 @@ async def list_user_orgs( try: # Fetch user to get current_org_id - user = await UserStore.get_user_by_id_async(user_id) + user = await UserStore.get_user_by_id(user_id) current_org_id = ( str(user.current_org_id) if user and user.current_org_id else None ) diff --git a/enterprise/server/routes/user.py b/enterprise/server/routes/user.py index b0e9a6de7b..908f96281b 100644 --- a/enterprise/server/routes/user.py +++ b/enterprise/server/routes/user.py @@ -115,7 +115,7 @@ async def saas_get_user( email = user_info.email sub = user_info.sub if sub: - db_user = await UserStore.get_user_by_id_async(sub) + db_user = await UserStore.get_user_by_id(sub) if db_user and db_user.email is not None: email = db_user.email diff --git a/enterprise/server/services/org_invitation_service.py b/enterprise/server/services/org_invitation_service.py index 3ef0d9d8fa..bae78f1a7b 100644 --- a/enterprise/server/services/org_invitation_service.py +++ b/enterprise/server/services/org_invitation_service.py @@ -106,7 +106,7 @@ class OrgInvitationService: raise ValueError(f'Invalid role: {role_name}') # Step 5: Check if user is already a member (by email) - existing_user = await UserStore.get_user_by_email_async(email) + existing_user = await UserStore.get_user_by_email(email) if existing_user: existing_member = await OrgMemberStore.get_org_member( org_id, existing_user.id @@ -127,7 +127,7 @@ class OrgInvitationService: # Step 7: Send invitation email try: # Get inviter info for the email - inviter_user = UserStore.get_user_by_id(str(inviter_member.user_id)) + inviter_user = await UserStore.get_user_by_id(str(inviter_member.user_id)) inviter_name = 'A team member' if inviter_user and inviter_user.email: inviter_name = inviter_user.email.split('@')[0] @@ -308,7 +308,7 @@ class OrgInvitationService: raise InvitationExpiredError('Invitation has expired') # Step 2.5: Verify user email matches invitation email - user = await UserStore.get_user_by_id_async(str(user_id)) + user = await UserStore.get_user_by_id(str(user_id)) if not user: raise InvitationInvalidError('User not found') diff --git a/enterprise/server/services/org_member_service.py b/enterprise/server/services/org_member_service.py index 7168d0954e..c20292b93e 100644 --- a/enterprise/server/services/org_member_service.py +++ b/enterprise/server/services/org_member_service.py @@ -56,7 +56,7 @@ class OrgMemberService: raise RoleNotFoundError(org_member.role_id) # Get user email - user = await UserStore.get_user_by_id_async(str(user_id)) + user = await UserStore.get_user_by_id(str(user_id)) email = user.email if user and user.email else '' return MeResponse.from_org_member(org_member, role, email) @@ -218,10 +218,10 @@ class OrgMemberService: return False, 'removal_failed' # Update user's current_org_id if it points to the org they were removed from - user = await UserStore.get_user_by_id_async(str(target_user_id)) + user = await UserStore.get_user_by_id(str(target_user_id)) if user and user.current_org_id == org_id: # Set current_org_id to personal workspace (org.id == user.id) - UserStore.update_current_org(str(target_user_id), target_user_id) + await UserStore.update_current_org(str(target_user_id), target_user_id) # If database removal succeeded, also remove from LiteLLM team try: @@ -308,7 +308,7 @@ class OrgMemberService: # If no role change requested, return current state if new_role_name is None: - user = await UserStore.get_user_by_id_async(str(target_user_id)) + user = await UserStore.get_user_by_id(str(target_user_id)) return OrgMemberResponse( user_id=str(target_membership.user_id), email=user.email if user else None, @@ -347,7 +347,7 @@ class OrgMemberService: raise MemberUpdateError('Failed to update member') # Get user email for response - user = await UserStore.get_user_by_id_async(str(target_user_id)) + user = await UserStore.get_user_by_id(str(target_user_id)) return OrgMemberResponse( user_id=str(updated_member.user_id), diff --git a/enterprise/storage/api_key_store.py b/enterprise/storage/api_key_store.py index c6a4cbd05d..d514b70693 100644 --- a/enterprise/storage/api_key_store.py +++ b/enterprise/storage/api_key_store.py @@ -37,7 +37,7 @@ class ApiKeyStore: The generated API key """ api_key = self.generate_api_key() - user = await UserStore.get_user_by_id_async(user_id) + user = await UserStore.get_user_by_id(user_id) if user is None: raise ValueError(f'User not found: {user_id}') org_id = user.current_org_id @@ -117,7 +117,7 @@ class ApiKeyStore: async def list_api_keys(self, user_id: str) -> list[ApiKey]: """List all API keys for a user.""" - user = await UserStore.get_user_by_id_async(user_id) + user = await UserStore.get_user_by_id(user_id) if user is None: raise ValueError(f'User not found: {user_id}') org_id = user.current_org_id @@ -132,7 +132,7 @@ class ApiKeyStore: return [key for key in keys if key.name != 'MCP_API_KEY'] async def retrieve_mcp_api_key(self, user_id: str) -> str | None: - user = await UserStore.get_user_by_id_async(user_id) + user = await UserStore.get_user_by_id(user_id) if user is None: raise ValueError(f'User not found: {user_id}') org_id = user.current_org_id diff --git a/enterprise/storage/lite_llm_manager.py b/enterprise/storage/lite_llm_manager.py index 8cf8b4e998..fc45fb2271 100644 --- a/enterprise/storage/lite_llm_manager.py +++ b/enterprise/storage/lite_llm_manager.py @@ -1171,7 +1171,7 @@ class LiteLlmManager: if LITE_LLM_API_KEY is None or LITE_LLM_API_URL is None: logger.warning('LiteLLM API configuration not found') return None - user = await UserStore.get_user_by_id_async(keycloak_user_id) + user = await UserStore.get_user_by_id(keycloak_user_id) if not user: return {} diff --git a/enterprise/storage/org_service.py b/enterprise/storage/org_service.py index a5108137dc..bc021c525b 100644 --- a/enterprise/storage/org_service.py +++ b/enterprise/storage/org_service.py @@ -875,7 +875,7 @@ class OrgService: Returns: bool: True if BYOR export is enabled, False otherwise """ - user = await UserStore.get_user_by_id_async(user_id) + user = await UserStore.get_user_by_id(user_id) if not user or not user.current_org_id: return False @@ -929,7 +929,7 @@ class OrgService: # Step 3: Update user's current_org_id try: - updated_user = UserStore.update_current_org(user_id, org_id) + updated_user = await UserStore.update_current_org(user_id, org_id) if not updated_user: raise OrgDatabaseError('User not found') diff --git a/enterprise/storage/saas_conversation_store.py b/enterprise/storage/saas_conversation_store.py index eec6961d02..b8ac843e13 100644 --- a/enterprise/storage/saas_conversation_store.py +++ b/enterprise/storage/saas_conversation_store.py @@ -236,6 +236,6 @@ class SaasConversationStore(ConversationStore): # user_id should not be None in SaaS, should we raise? # Use async version since callers now use asyncio.run_coroutine_threadsafe() # to dispatch to the main event loop where asyncpg connections work properly. - user = await UserStore.get_user_by_id_async(user_id) + user = await UserStore.get_user_by_id(user_id) org_id = user.current_org_id if user else None return SaasConversationStore(str(user_id), org_id, session_maker) diff --git a/enterprise/storage/saas_secrets_store.py b/enterprise/storage/saas_secrets_store.py index ccde502cc6..3b2820485b 100644 --- a/enterprise/storage/saas_secrets_store.py +++ b/enterprise/storage/saas_secrets_store.py @@ -24,7 +24,7 @@ class SaasSecretsStore(SecretsStore): async def load(self) -> Secrets | None: if not self.user_id: return None - user = await UserStore.get_user_by_id_async(self.user_id) + user = await UserStore.get_user_by_id(self.user_id) org_id = user.current_org_id if user else None async with a_session_maker() as session: @@ -52,7 +52,7 @@ class SaasSecretsStore(SecretsStore): return Secrets(custom_secrets=kwargs) # type: ignore[arg-type] async def store(self, item: Secrets): - user = await UserStore.get_user_by_id_async(self.user_id) + user = await UserStore.get_user_by_id(self.user_id) if user is None: raise ValueError(f'User not found: {self.user_id}') org_id = user.current_org_id diff --git a/enterprise/storage/saas_settings_store.py b/enterprise/storage/saas_settings_store.py index 3653f83574..bd43fa1a7a 100644 --- a/enterprise/storage/saas_settings_store.py +++ b/enterprise/storage/saas_settings_store.py @@ -68,7 +68,7 @@ class SaasSettingsStore(SettingsStore): return result.scalars().first() async def load(self) -> Settings | None: - user = await UserStore.get_user_by_id_async(self.user_id) + user = await UserStore.get_user_by_id(self.user_id) if not user: logger.error(f'User not found for ID {self.user_id}') return None diff --git a/enterprise/storage/user_store.py b/enterprise/storage/user_store.py index 8c20bd013c..4f55d8650c 100644 --- a/enterprise/storage/user_store.py +++ b/enterprise/storage/user_store.py @@ -16,8 +16,8 @@ from server.constants import ( ) from server.logger import logger from sqlalchemy import select, text -from sqlalchemy.orm import joinedload -from storage.database import a_session_maker, session_maker +from sqlalchemy.orm import selectinload +from storage.database import a_session_maker from storage.encrypt_utils import ( decrypt_legacy_model, decrypt_legacy_value, @@ -30,8 +30,6 @@ from storage.user import User from storage.user_settings import UserSettings from utils.identity import resolve_display_name -from openhands.utils.async_utils import GENERAL_TIMEOUT, call_async_from_sync - # The max possible time to wait for another process to finish creating a user before retrying _REDIS_CREATE_TIMEOUT_SECONDS = 30 # The delay to wait for another process to finish creating a user before trying to load again @@ -50,7 +48,7 @@ class UserStore: role_id: Optional[int] = None, ) -> User | None: """Create a new user.""" - with session_maker() as session: + async with a_session_maker() as session: # create personal org org = Org( id=uuid.UUID(user_id), @@ -105,9 +103,9 @@ class UserStore: **org_member_kwargs, ) session.add(org_member) - session.commit() - session.refresh(user) - user.org_members # load org_members + await session.commit() + await session.refresh(user) + await session.refresh(user, ['org_members']) # load org_members return user @staticmethod @@ -176,19 +174,17 @@ class UserStore: user_settings, ) decrypted_user_settings = UserSettings(**kwargs) - with session_maker() as session: + async with a_session_maker() as session: # Check if user has completed billing sessions to enable BYOR export from storage.billing_session import BillingSession - has_completed_billing = ( - session.query(BillingSession) - .filter( + result = await session.execute( + select(BillingSession).filter( BillingSession.user_id == user_id, BillingSession.status == 'completed', ) - .first() - is not None ) + has_completed_billing = result.scalars().first() is not None # create personal org org = Org( @@ -297,15 +293,15 @@ class UserStore: # Mark the old user_settings as migrated instead of deleting user_settings.already_migrated = True - session.merge(user_settings) - session.flush() + await session.merge(user_settings) + await session.flush() logger.debug( 'user_store:migrate_user:session_flush_complete', extra={'user_id': user_id}, ) # need to migrate conversation metadata - session.execute( + await session.execute( text(""" INSERT INTO conversation_metadata_saas (conversation_id, user_id, org_id) SELECT @@ -322,7 +318,7 @@ class UserStore: user_uuid = uuid.UUID(user_id) # Update stripe_customers - session.execute( + await session.execute( text( 'UPDATE stripe_customers SET org_id = :org_id WHERE keycloak_user_id = :user_id' ), @@ -330,7 +326,7 @@ class UserStore: ) # Update slack_users - session.execute( + await session.execute( text( 'UPDATE slack_users SET org_id = :org_id WHERE keycloak_user_id = :user_id' ), @@ -338,7 +334,7 @@ class UserStore: ) # Update slack_conversation - session.execute( + await session.execute( text( 'UPDATE slack_conversation SET org_id = :org_id WHERE keycloak_user_id = :user_id' ), @@ -346,13 +342,13 @@ class UserStore: ) # Update api_keys - session.execute( + await session.execute( text('UPDATE api_keys SET org_id = :org_id WHERE user_id = :user_id'), {'org_id': user_uuid, 'user_id': user_uuid}, ) # Update custom_secrets - session.execute( + await session.execute( text( 'UPDATE custom_secrets SET org_id = :org_id WHERE keycloak_user_id = :user_id' ), @@ -360,16 +356,16 @@ class UserStore: ) # Update billing_sessions - session.execute( + await session.execute( text( 'UPDATE billing_sessions SET org_id = :org_id WHERE user_id = :user_id' ), {'org_id': user_uuid, 'user_id': user_uuid}, ) - session.commit() - session.refresh(user) - user.org_members # load org_members + await session.commit() + await session.refresh(user) + await session.refresh(user, ['org_members']) # load org_members logger.debug( 'user_store:migrate_user:session_committed', extra={'user_id': user_id}, @@ -410,14 +406,14 @@ class UserStore: extra={'user_id': user_id}, ) - with session_maker() as session: + async with a_session_maker() as session: # Get the user and their org_member - user = ( - session.query(User) - .options(joinedload(User.org_members)) + result = await session.execute( + select(User) + .options(selectinload(User.org_members)) .filter(User.id == uuid.UUID(user_id)) - .first() ) + user = result.scalars().first() if not user: logger.warning( 'user_store:downgrade_user:user_not_found', @@ -426,7 +422,10 @@ class UserStore: return None # Get the user's personal org (org_id == user_id) - org = session.query(Org).filter(Org.id == uuid.UUID(user_id)).first() + result = await session.execute( + select(Org).filter(Org.id == uuid.UUID(user_id)) + ) + org = result.scalars().first() if not org: logger.warning( 'user_store:downgrade_user:org_not_found', @@ -435,9 +434,10 @@ class UserStore: return None # Get org_members for this org - should only be one for personal orgs - org_members = ( - session.query(OrgMember).filter(OrgMember.org_id == org.id).all() + result = await session.execute( + select(OrgMember).filter(OrgMember.org_id == org.id) ) + org_members = result.scalars().all() if len(org_members) != 1: logger.error( @@ -453,14 +453,13 @@ class UserStore: org_member = org_members[0] # Get the user_settings (for migrated users) - user_settings = ( - session.query(UserSettings) - .filter( + result = await session.execute( + select(UserSettings).filter( UserSettings.keycloak_user_id == user_id, UserSettings.already_migrated.is_(True), ) - .first() ) + user_settings = result.scalars().first() # For new sign-ups after migration, user_settings won't exist # Fall back to getting data from org_members @@ -491,7 +490,7 @@ class UserStore: 'user_store:downgrade_user:created_user_settings_from_org_member', extra={'user_id': user_id}, ) - session.flush() + await session.flush() # Call LiteLLM downgrade from storage.lite_llm_manager import LiteLlmManager @@ -531,7 +530,7 @@ class UserStore: # Step 3: Copy user_id from conversation_metadata_saas to conversation_metadata # This ensures any conversations created after migration have their user_id # preserved in the original table before we delete the saas entries - session.execute( + await session.execute( text(""" UPDATE conversation_metadata SET user_id = :user_id @@ -545,14 +544,14 @@ class UserStore: ) # Step 4: Delete conversation_metadata_saas entries - session.execute( + await session.execute( text('DELETE FROM conversation_metadata_saas WHERE user_id = :user_id'), {'user_id': user_uuid}, ) # Step 5: Reset org_id columns in related tables # Reset stripe_customers - session.execute( + await session.execute( text( 'UPDATE stripe_customers SET org_id = NULL WHERE org_id = :org_id' ), @@ -560,13 +559,13 @@ class UserStore: ) # Reset slack_users - session.execute( + await session.execute( text('UPDATE slack_users SET org_id = NULL WHERE org_id = :org_id'), {'org_id': user_uuid}, ) # Reset slack_conversation - session.execute( + await session.execute( text( 'UPDATE slack_conversation SET org_id = NULL WHERE org_id = :org_id' ), @@ -574,19 +573,19 @@ class UserStore: ) # Reset api_keys - session.execute( + await session.execute( text('UPDATE api_keys SET org_id = NULL WHERE org_id = :org_id'), {'org_id': user_uuid}, ) # Reset custom_secrets - session.execute( + await session.execute( text('UPDATE custom_secrets SET org_id = NULL WHERE org_id = :org_id'), {'org_id': user_uuid}, ) # Reset billing_sessions - session.execute( + await session.execute( text( 'UPDATE billing_sessions SET org_id = NULL WHERE org_id = :org_id' ), @@ -594,19 +593,19 @@ class UserStore: ) # Step 6: Delete org_member entries for this org - session.execute( + await session.execute( text('DELETE FROM org_member WHERE org_id = :org_id'), {'org_id': user_uuid}, ) # Step 7: Delete the user entry - session.execute( + await session.execute( text('DELETE FROM "user" WHERE id = :user_id'), {'user_id': user_uuid}, ) # Delete the org entry - session.execute( + await session.execute( text('DELETE FROM org WHERE id = :org_id'), {'org_id': user_uuid}, ) @@ -626,9 +625,9 @@ class UserStore: if value is not None and not _is_legacy_value_encrypted(value): setattr(user_settings, key, encrypt_legacy_value(value)) - session.merge(user_settings) + await session.merge(user_settings) - session.commit() + await session.commit() logger.info( 'user_store:downgrade_user:complete', @@ -637,88 +636,12 @@ class UserStore: return user_settings @staticmethod - def get_user_by_id(user_id: str) -> Optional[User]: - """Get user by Keycloak user ID (sync version). - - Note: This method uses call_async_from_sync internally which creates a new - event loop. If you're already in an async context, use get_user_by_id_async - instead to avoid event loop conflicts. - """ - with session_maker() as session: - user = ( - session.query(User) - .options(joinedload(User.org_members)) - .filter(User.id == uuid.UUID(user_id)) - .first() - ) - if user: - return user - - # Check if we need to migrate from user_settings - while not call_async_from_sync( - UserStore._acquire_user_creation_lock, GENERAL_TIMEOUT, user_id - ): - # The user is already being created in another thread / process - logger.info( - 'user_store:create_default_settings:waiting_for_lock', - extra={'user_id': user_id}, - ) - call_async_from_sync( - asyncio.sleep, GENERAL_TIMEOUT, _RETRY_LOAD_DELAY_SECONDS - ) - - try: - # Check for user again as migration could have happened while trying to get the lock. - user = ( - session.query(User) - .options(joinedload(User.org_members)) - .filter(User.id == uuid.UUID(user_id)) - .first() - ) - if user: - return user - - user_settings = ( - session.query(UserSettings) - .filter( - UserSettings.keycloak_user_id == user_id, - UserSettings.already_migrated.is_(False), - ) - .first() - ) - if user_settings: - token_manager = TokenManager() - user_info = call_async_from_sync( - token_manager.get_user_info_from_user_id, - GENERAL_TIMEOUT, - user_id, - ) - user = call_async_from_sync( - UserStore.migrate_user, - GENERAL_TIMEOUT, - user_id, - user_settings, - user_info, - ) - return user - else: - return None - finally: - call_async_from_sync( - UserStore._release_user_creation_lock, GENERAL_TIMEOUT, user_id - ) - - @staticmethod - async def get_user_by_id_async(user_id: str) -> Optional[User]: - """Get user by Keycloak user ID (async version). - - This is the preferred method when calling from an async context as it - avoids event loop conflicts that can occur with the sync version. - """ + async def get_user_by_id(user_id: str) -> Optional[User]: + """Get user by Keycloak user ID.""" async with a_session_maker() as session: result = await session.execute( select(User) - .options(joinedload(User.org_members)) + .options(selectinload(User.org_members)) .filter(User.id == uuid.UUID(user_id)) ) user = result.scalars().first() @@ -729,7 +652,7 @@ class UserStore: while not await UserStore._acquire_user_creation_lock(user_id): # The user is already being created in another thread / process logger.info( - 'user_store:get_user_by_id_async:waiting_for_lock', + 'user_store:create_default_settings:waiting_for_lock', extra={'user_id': user_id}, ) await asyncio.sleep(_RETRY_LOAD_DELAY_SECONDS) @@ -738,17 +661,13 @@ class UserStore: # Check for user again as migration could have happened while trying to get the lock. result = await session.execute( select(User) - .options(joinedload(User.org_members)) + .options(selectinload(User.org_members)) .filter(User.id == uuid.UUID(user_id)) ) user = result.scalars().first() if user: return user - logger.info( - 'user_store:get_user_by_id_async:start_migration', - extra={'user_id': user_id}, - ) result = await session.execute( select(UserSettings).filter( UserSettings.keycloak_user_id == user_id, @@ -759,10 +678,6 @@ class UserStore: if user_settings: token_manager = TokenManager() user_info = await token_manager.get_user_info_from_user_id(user_id) - logger.info( - 'user_store:get_user_by_id_async:calling_migrate_user', - extra={'user_id': user_id}, - ) user = await UserStore.migrate_user( user_id, user_settings, @@ -775,8 +690,8 @@ class UserStore: await UserStore._release_user_creation_lock(user_id) @staticmethod - async def get_user_by_email_async(email: str) -> Optional[User]: - """Get user by email address (async version). + async def get_user_by_email(email: str) -> Optional[User]: + """Get user by email address. This method looks up a user by their email address. Note that email addresses may not be unique across all users in rare cases. @@ -793,19 +708,20 @@ class UserStore: async with a_session_maker() as session: result = await session.execute( select(User) - .options(joinedload(User.org_members)) + .options(selectinload(User.org_members)) .filter(User.email == email.lower().strip()) ) return result.scalars().first() @staticmethod - def list_users() -> list[User]: + async def list_users() -> list[User]: """List all users.""" - with session_maker() as session: - return session.query(User).all() + async with a_session_maker() as session: + result = await session.execute(select(User)) + return list(result.scalars().all()) @staticmethod - def update_current_org(user_id: str, org_id: UUID) -> Optional[User]: + async def update_current_org(user_id: str, org_id: UUID) -> Optional[User]: """Update the user's current organization. Args: @@ -815,19 +731,17 @@ class UserStore: Returns: User: The updated user object, or None if user not found """ - with session_maker() as session: - user = ( - session.query(User) - .filter(User.id == uuid.UUID(user_id)) - .with_for_update() - .first() + async with a_session_maker() as session: + result = await session.execute( + select(User).filter(User.id == uuid.UUID(user_id)).with_for_update() ) + user = result.scalars().first() if not user: return None user.current_org_id = org_id - session.commit() - session.refresh(user) + await session.commit() + await session.refresh(user) return user @staticmethod diff --git a/enterprise/tests/unit/server/routes/test_api_keys.py b/enterprise/tests/unit/server/routes/test_api_keys.py index 734db4e692..57a9cb465d 100644 --- a/enterprise/tests/unit/server/routes/test_api_keys.py +++ b/enterprise/tests/unit/server/routes/test_api_keys.py @@ -374,7 +374,7 @@ class TestDeleteByorKeyFromLitellm: @pytest.mark.asyncio @patch('storage.lite_llm_manager.LiteLlmManager.delete_key') - @patch('storage.user_store.UserStore.get_user_by_id_async') + @patch('storage.user_store.UserStore.get_user_by_id') async def test_delete_constructs_alias_from_user( self, mock_get_user, mock_delete_key ): @@ -400,7 +400,7 @@ class TestDeleteByorKeyFromLitellm: @pytest.mark.asyncio @patch('storage.lite_llm_manager.LiteLlmManager.delete_key') - @patch('storage.user_store.UserStore.get_user_by_id_async') + @patch('storage.user_store.UserStore.get_user_by_id') async def test_delete_without_user_passes_no_alias( self, mock_get_user, mock_delete_key ): @@ -421,7 +421,7 @@ class TestDeleteByorKeyFromLitellm: @pytest.mark.asyncio @patch('storage.lite_llm_manager.LiteLlmManager.delete_key') - @patch('storage.user_store.UserStore.get_user_by_id_async') + @patch('storage.user_store.UserStore.get_user_by_id') async def test_delete_without_org_id_passes_no_alias( self, mock_get_user, mock_delete_key ): @@ -444,7 +444,7 @@ class TestDeleteByorKeyFromLitellm: @pytest.mark.asyncio @patch('storage.lite_llm_manager.LiteLlmManager.delete_key') - @patch('storage.user_store.UserStore.get_user_by_id_async') + @patch('storage.user_store.UserStore.get_user_by_id') async def test_delete_returns_false_on_exception( self, mock_get_user, mock_delete_key ): diff --git a/enterprise/tests/unit/server/routes/test_orgs.py b/enterprise/tests/unit/server/routes/test_orgs.py index 7aec94c847..069896b2cf 100644 --- a/enterprise/tests/unit/server/routes/test_orgs.py +++ b/enterprise/tests/unit/server/routes/test_orgs.py @@ -514,7 +514,7 @@ async def test_list_user_orgs_success(mock_app_list): with ( patch( - 'server.routes.orgs.UserStore.get_user_by_id_async', + 'server.routes.orgs.UserStore.get_user_by_id', AsyncMock(return_value=mock_user), ), patch( @@ -568,7 +568,7 @@ async def test_list_user_orgs_returns_current_org_id(mock_app_list): with ( patch( - 'server.routes.orgs.UserStore.get_user_by_id_async', + 'server.routes.orgs.UserStore.get_user_by_id', AsyncMock(return_value=mock_user), ), patch( @@ -613,7 +613,7 @@ async def test_list_user_orgs_with_pagination(mock_app_list): with ( patch( - 'server.routes.orgs.UserStore.get_user_by_id_async', + 'server.routes.orgs.UserStore.get_user_by_id', AsyncMock(return_value=mock_user), ), patch( @@ -648,7 +648,7 @@ async def test_list_user_orgs_empty(mock_app_list): with ( patch( - 'server.routes.orgs.UserStore.get_user_by_id_async', + 'server.routes.orgs.UserStore.get_user_by_id', AsyncMock(return_value=mock_user), ), patch( @@ -715,7 +715,7 @@ async def test_list_user_orgs_service_error(mock_app_list): with ( patch( - 'server.routes.orgs.UserStore.get_user_by_id_async', + 'server.routes.orgs.UserStore.get_user_by_id', AsyncMock(return_value=mock_user), ), patch( @@ -781,7 +781,7 @@ async def test_list_user_orgs_personal_org_identified(mock_app_list): with ( patch( - 'server.routes.orgs.UserStore.get_user_by_id_async', + 'server.routes.orgs.UserStore.get_user_by_id', AsyncMock(return_value=mock_user), ), patch( @@ -820,7 +820,7 @@ async def test_list_user_orgs_team_org_identified(mock_app_list): with ( patch( - 'server.routes.orgs.UserStore.get_user_by_id_async', + 'server.routes.orgs.UserStore.get_user_by_id', AsyncMock(return_value=mock_user), ), patch( @@ -869,7 +869,7 @@ async def test_list_user_orgs_mixed_personal_and_team(mock_app_list): with ( patch( - 'server.routes.orgs.UserStore.get_user_by_id_async', + 'server.routes.orgs.UserStore.get_user_by_id', AsyncMock(return_value=mock_user), ), patch( @@ -941,7 +941,7 @@ async def test_list_user_orgs_all_fields_present(mock_app_list): with ( patch( - 'server.routes.orgs.UserStore.get_user_by_id_async', + 'server.routes.orgs.UserStore.get_user_by_id', AsyncMock(return_value=mock_user), ), patch( diff --git a/enterprise/tests/unit/server/services/test_org_member_service.py b/enterprise/tests/unit/server/services/test_org_member_service.py index 001b958c03..440ecde4ba 100644 --- a/enterprise/tests/unit/server/services/test_org_member_service.py +++ b/enterprise/tests/unit/server/services/test_org_member_service.py @@ -718,7 +718,7 @@ class TestOrgMemberServiceRemoveOrgMember: new_callable=AsyncMock, ) as mock_remove, patch( - 'server.services.org_member_service.UserStore.get_user_by_id_async', + 'server.services.org_member_service.UserStore.get_user_by_id', new_callable=AsyncMock, ) as mock_get_user, ): @@ -767,7 +767,7 @@ class TestOrgMemberServiceRemoveOrgMember: new_callable=AsyncMock, ) as mock_remove, patch( - 'server.services.org_member_service.UserStore.get_user_by_id_async', + 'server.services.org_member_service.UserStore.get_user_by_id', new_callable=AsyncMock, ) as mock_get_user, ): @@ -815,7 +815,7 @@ class TestOrgMemberServiceRemoveOrgMember: new_callable=AsyncMock, ) as mock_remove, patch( - 'server.services.org_member_service.UserStore.get_user_by_id_async', + 'server.services.org_member_service.UserStore.get_user_by_id', new_callable=AsyncMock, ) as mock_get_user, ): @@ -967,7 +967,7 @@ class TestOrgMemberServiceRemoveOrgMember: new_callable=AsyncMock, ) as mock_remove, patch( - 'server.services.org_member_service.UserStore.get_user_by_id_async', + 'server.services.org_member_service.UserStore.get_user_by_id', new_callable=AsyncMock, ) as mock_get_user, patch( @@ -1149,7 +1149,7 @@ class TestOrgMemberServiceRemoveOrgMember: new_callable=AsyncMock, ) as mock_remove, patch( - 'server.services.org_member_service.UserStore.get_user_by_id_async', + 'server.services.org_member_service.UserStore.get_user_by_id', new_callable=AsyncMock, ) as mock_get_user, ): @@ -1251,11 +1251,12 @@ class TestOrgMemberServiceRemoveOrgMember: new_callable=AsyncMock, ) as mock_remove, patch( - 'server.services.org_member_service.UserStore.get_user_by_id_async', + 'server.services.org_member_service.UserStore.get_user_by_id', new_callable=AsyncMock, ) as mock_get_user, patch( - 'server.services.org_member_service.UserStore.update_current_org' + 'server.services.org_member_service.UserStore.update_current_org', + new_callable=AsyncMock, ) as mock_update_org, ): mock_get_member.side_effect = [ @@ -1274,7 +1275,9 @@ class TestOrgMemberServiceRemoveOrgMember: # Assert assert success is True assert error is None - mock_update_org.assert_called_once_with(str(target_user_id), target_user_id) + mock_update_org.assert_awaited_once_with( + str(target_user_id), target_user_id + ) @pytest.mark.asyncio async def test_remove_member_does_not_update_current_org_id_when_not_matching( @@ -1307,11 +1310,12 @@ class TestOrgMemberServiceRemoveOrgMember: new_callable=AsyncMock, ) as mock_remove, patch( - 'server.services.org_member_service.UserStore.get_user_by_id_async', + 'server.services.org_member_service.UserStore.get_user_by_id', new_callable=AsyncMock, ) as mock_get_user, patch( - 'server.services.org_member_service.UserStore.update_current_org' + 'server.services.org_member_service.UserStore.update_current_org', + new_callable=AsyncMock, ) as mock_update_org, ): mock_get_member.side_effect = [ @@ -1330,7 +1334,7 @@ class TestOrgMemberServiceRemoveOrgMember: # Assert assert success is True assert error is None - mock_update_org.assert_not_called() + mock_update_org.assert_not_awaited() @pytest.mark.asyncio async def test_remove_member_succeeds_when_user_not_found_after_removal( @@ -1359,11 +1363,12 @@ class TestOrgMemberServiceRemoveOrgMember: new_callable=AsyncMock, ) as mock_remove, patch( - 'server.services.org_member_service.UserStore.get_user_by_id_async', + 'server.services.org_member_service.UserStore.get_user_by_id', new_callable=AsyncMock, ) as mock_get_user, patch( - 'server.services.org_member_service.UserStore.update_current_org' + 'server.services.org_member_service.UserStore.update_current_org', + new_callable=AsyncMock, ) as mock_update_org, ): mock_get_member.side_effect = [ @@ -1382,7 +1387,7 @@ class TestOrgMemberServiceRemoveOrgMember: # Assert assert success is True assert error is None - mock_update_org.assert_not_called() + mock_update_org.assert_not_awaited() @pytest.mark.asyncio async def test_successful_removal_calls_litellm_remove_user_from_team( @@ -1411,7 +1416,7 @@ class TestOrgMemberServiceRemoveOrgMember: new_callable=AsyncMock, ) as mock_remove, patch( - 'server.services.org_member_service.UserStore.get_user_by_id_async', + 'server.services.org_member_service.UserStore.get_user_by_id', new_callable=AsyncMock, ) as mock_get_user, patch( @@ -1465,7 +1470,7 @@ class TestOrgMemberServiceRemoveOrgMember: new_callable=AsyncMock, ) as mock_remove, patch( - 'server.services.org_member_service.UserStore.get_user_by_id_async', + 'server.services.org_member_service.UserStore.get_user_by_id', new_callable=AsyncMock, ) as mock_get_user, patch( @@ -1632,7 +1637,7 @@ class TestOrgMemberServiceUpdateOrgMember: new_callable=AsyncMock, ) as mock_update, patch( - 'server.services.org_member_service.UserStore.get_user_by_id_async', + 'server.services.org_member_service.UserStore.get_user_by_id', new_callable=AsyncMock, ) as mock_get_user, ): @@ -1693,7 +1698,7 @@ class TestOrgMemberServiceUpdateOrgMember: new_callable=AsyncMock, ) as mock_update, patch( - 'server.services.org_member_service.UserStore.get_user_by_id_async', + 'server.services.org_member_service.UserStore.get_user_by_id', new_callable=AsyncMock, ) as mock_get_user, ): @@ -1752,7 +1757,7 @@ class TestOrgMemberServiceUpdateOrgMember: new_callable=AsyncMock, ) as mock_update, patch( - 'server.services.org_member_service.UserStore.get_user_by_id_async', + 'server.services.org_member_service.UserStore.get_user_by_id', new_callable=AsyncMock, ) as mock_get_user, ): @@ -1815,7 +1820,7 @@ class TestOrgMemberServiceUpdateOrgMember: new_callable=AsyncMock, ) as mock_update, patch( - 'server.services.org_member_service.UserStore.get_user_by_id_async', + 'server.services.org_member_service.UserStore.get_user_by_id', new_callable=AsyncMock, ) as mock_get_user, patch.object( @@ -2036,7 +2041,7 @@ class TestOrgMemberServiceUpdateOrgMember: new_callable=AsyncMock, ) as mock_get_role, patch( - 'server.services.org_member_service.UserStore.get_user_by_id_async', + 'server.services.org_member_service.UserStore.get_user_by_id', new_callable=AsyncMock, ) as mock_get_user, ): @@ -2253,7 +2258,7 @@ class TestOrgMemberServiceGetMe: new_callable=AsyncMock, ) as mock_get_role, patch( - 'server.services.org_member_service.UserStore.get_user_by_id_async', + 'server.services.org_member_service.UserStore.get_user_by_id', new_callable=AsyncMock, ) as mock_get_user, ): @@ -2340,7 +2345,7 @@ class TestOrgMemberServiceGetMe: new_callable=AsyncMock, ) as mock_get_role, patch( - 'server.services.org_member_service.UserStore.get_user_by_id_async', + 'server.services.org_member_service.UserStore.get_user_by_id', new_callable=AsyncMock, ) as mock_get_user, ): diff --git a/enterprise/tests/unit/test_api_key_store.py b/enterprise/tests/unit/test_api_key_store.py index fb163f978a..26f96d3f03 100644 --- a/enterprise/tests/unit/test_api_key_store.py +++ b/enterprise/tests/unit/test_api_key_store.py @@ -56,7 +56,7 @@ def test_generate_api_key(api_key_store): @pytest.mark.asyncio -@patch('storage.api_key_store.UserStore.get_user_by_id_async') +@patch('storage.api_key_store.UserStore.get_user_by_id') async def test_create_api_key( mock_get_user, api_key_store, async_session_maker, mock_user ): @@ -324,7 +324,7 @@ async def test_delete_api_key_by_id(api_key_store, async_session_maker): @pytest.mark.asyncio -@patch('storage.api_key_store.UserStore.get_user_by_id_async') +@patch('storage.api_key_store.UserStore.get_user_by_id') async def test_list_api_keys( mock_get_user, api_key_store, async_session_maker, mock_user ): @@ -377,7 +377,7 @@ async def test_list_api_keys( @pytest.mark.asyncio -@patch('storage.api_key_store.UserStore.get_user_by_id_async') +@patch('storage.api_key_store.UserStore.get_user_by_id') async def test_retrieve_mcp_api_key( mock_get_user, api_key_store, async_session_maker, mock_user ): @@ -416,7 +416,7 @@ async def test_retrieve_mcp_api_key( @pytest.mark.asyncio -@patch('storage.api_key_store.UserStore.get_user_by_id_async') +@patch('storage.api_key_store.UserStore.get_user_by_id') async def test_retrieve_mcp_api_key_not_found( mock_get_user, api_key_store, async_session_maker, mock_user ): diff --git a/enterprise/tests/unit/test_auth_routes.py b/enterprise/tests/unit/test_auth_routes.py index ce3d142ec4..0d1ed3760c 100644 --- a/enterprise/tests/unit/test_auth_routes.py +++ b/enterprise/tests/unit/test_auth_routes.py @@ -158,7 +158,7 @@ async def test_keycloak_callback_user_not_allowed( mock_user.id = 'test_user_id' mock_user.current_org_id = 'test_org_id' mock_user.accepted_tos = None - mock_user_store.get_user_by_id_async = AsyncMock(return_value=mock_user) + mock_user_store.get_user_by_id = AsyncMock(return_value=mock_user) mock_user_store.create_user = AsyncMock(return_value=mock_user) mock_user_store.migrate_user = AsyncMock(return_value=mock_user) mock_user_store.backfill_contact_name = AsyncMock() @@ -197,7 +197,7 @@ async def test_keycloak_callback_success_with_valid_offline_token( mock_user.accepted_tos = '2025-01-01' # Setup UserStore mocks - mock_user_store.get_user_by_id_async = AsyncMock(return_value=mock_user) + mock_user_store.get_user_by_id = AsyncMock(return_value=mock_user) mock_user_store.create_user = AsyncMock(return_value=mock_user) mock_user_store.migrate_user = AsyncMock(return_value=mock_user) mock_user_store.backfill_contact_name = AsyncMock() @@ -273,7 +273,7 @@ async def test_keycloak_callback_email_not_verified( mock_user = MagicMock() mock_user.id = 'test_user_id' mock_user.current_org_id = 'test_org_id' - mock_user_store.get_user_by_id_async = AsyncMock(return_value=mock_user) + mock_user_store.get_user_by_id = AsyncMock(return_value=mock_user) mock_user_store.create_user = AsyncMock(return_value=mock_user) mock_user_store.backfill_contact_name = AsyncMock() mock_user_store.backfill_user_email = AsyncMock() @@ -324,7 +324,7 @@ async def test_keycloak_callback_email_not_verified_missing_field( mock_user = MagicMock() mock_user.id = 'test_user_id' mock_user.current_org_id = 'test_org_id' - mock_user_store.get_user_by_id_async = AsyncMock(return_value=mock_user) + mock_user_store.get_user_by_id = AsyncMock(return_value=mock_user) mock_user_store.create_user = AsyncMock(return_value=mock_user) mock_user_store.backfill_contact_name = AsyncMock() mock_user_store.backfill_user_email = AsyncMock() @@ -368,7 +368,7 @@ async def test_keycloak_callback_success_without_offline_token( mock_user.accepted_tos = '2025-01-01' # Setup UserStore mocks - mock_user_store.get_user_by_id_async = AsyncMock(return_value=mock_user) + mock_user_store.get_user_by_id = AsyncMock(return_value=mock_user) mock_user_store.create_user = AsyncMock(return_value=mock_user) mock_user_store.migrate_user = AsyncMock(return_value=mock_user) mock_user_store.backfill_contact_name = AsyncMock() @@ -616,7 +616,7 @@ async def test_keycloak_callback_blocked_email_domain( mock_user = MagicMock() mock_user.id = 'test_user_id' mock_user.current_org_id = 'test_org_id' - mock_user_store.get_user_by_id_async = AsyncMock(return_value=mock_user) + mock_user_store.get_user_by_id = AsyncMock(return_value=mock_user) mock_user_store.create_user = AsyncMock(return_value=mock_user) mock_user_store.backfill_contact_name = AsyncMock() mock_user_store.backfill_user_email = AsyncMock() @@ -683,7 +683,7 @@ async def test_keycloak_callback_allowed_email_domain( mock_user.id = 'test_user_id' mock_user.current_org_id = 'test_org_id' mock_user.accepted_tos = '2025-01-01' - mock_user_store.get_user_by_id_async = AsyncMock(return_value=mock_user) + mock_user_store.get_user_by_id = AsyncMock(return_value=mock_user) mock_user_store.create_user = AsyncMock(return_value=mock_user) mock_user_store.backfill_contact_name = AsyncMock() mock_user_store.backfill_user_email = AsyncMock() @@ -750,7 +750,7 @@ async def test_keycloak_callback_domain_blocking_inactive( mock_user.id = 'test_user_id' mock_user.current_org_id = 'test_org_id' mock_user.accepted_tos = '2025-01-01' - mock_user_store.get_user_by_id_async = AsyncMock(return_value=mock_user) + mock_user_store.get_user_by_id = AsyncMock(return_value=mock_user) mock_user_store.create_user = AsyncMock(return_value=mock_user) mock_user_store.backfill_contact_name = AsyncMock() mock_user_store.backfill_user_email = AsyncMock() @@ -813,7 +813,7 @@ async def test_keycloak_callback_missing_email(mock_request, create_keycloak_use mock_user.id = 'test_user_id' mock_user.current_org_id = 'test_org_id' mock_user.accepted_tos = '2025-01-01' - mock_user_store.get_user_by_id_async = AsyncMock(return_value=mock_user) + mock_user_store.get_user_by_id = AsyncMock(return_value=mock_user) mock_user_store.create_user = AsyncMock(return_value=mock_user) mock_user_store.backfill_contact_name = AsyncMock() mock_user_store.backfill_user_email = AsyncMock() @@ -862,7 +862,7 @@ async def test_keycloak_callback_duplicate_email_detected( mock_user = MagicMock() mock_user.id = 'test_user_id' mock_user.current_org_id = 'test_org_id' - mock_user_store.get_user_by_id_async = AsyncMock(return_value=mock_user) + mock_user_store.get_user_by_id = AsyncMock(return_value=mock_user) mock_user_store.create_user = AsyncMock(return_value=mock_user) mock_user_store.backfill_contact_name = AsyncMock() mock_user_store.backfill_user_email = AsyncMock() @@ -910,7 +910,7 @@ async def test_keycloak_callback_duplicate_email_deletion_fails( mock_user = MagicMock() mock_user.id = 'test_user_id' mock_user.current_org_id = 'test_org_id' - mock_user_store.get_user_by_id_async = AsyncMock(return_value=mock_user) + mock_user_store.get_user_by_id = AsyncMock(return_value=mock_user) mock_user_store.create_user = AsyncMock(return_value=mock_user) mock_user_store.backfill_contact_name = AsyncMock() mock_user_store.backfill_user_email = AsyncMock() @@ -971,7 +971,7 @@ async def test_keycloak_callback_duplicate_check_exception( mock_user.id = 'test_user_id' mock_user.current_org_id = 'test_org_id' mock_user.accepted_tos = '2025-01-01' - mock_user_store.get_user_by_id_async = AsyncMock(return_value=mock_user) + mock_user_store.get_user_by_id = AsyncMock(return_value=mock_user) mock_user_store.create_user = AsyncMock(return_value=mock_user) mock_user_store.backfill_contact_name = AsyncMock() mock_user_store.backfill_user_email = AsyncMock() @@ -1032,7 +1032,7 @@ async def test_keycloak_callback_no_duplicate_email( mock_user.id = 'test_user_id' mock_user.current_org_id = 'test_org_id' mock_user.accepted_tos = '2025-01-01' - mock_user_store.get_user_by_id_async = AsyncMock(return_value=mock_user) + mock_user_store.get_user_by_id = AsyncMock(return_value=mock_user) mock_user_store.create_user = AsyncMock(return_value=mock_user) mock_user_store.backfill_contact_name = AsyncMock() mock_user_store.backfill_user_email = AsyncMock() @@ -1096,7 +1096,7 @@ async def test_keycloak_callback_no_email_in_user_info( mock_user.id = 'test_user_id' mock_user.current_org_id = 'test_org_id' mock_user.accepted_tos = '2025-01-01' - mock_user_store.get_user_by_id_async = AsyncMock(return_value=mock_user) + mock_user_store.get_user_by_id = AsyncMock(return_value=mock_user) mock_user_store.create_user = AsyncMock(return_value=mock_user) mock_user_store.backfill_contact_name = AsyncMock() mock_user_store.backfill_user_email = AsyncMock() @@ -1254,7 +1254,7 @@ class TestKeycloakCallbackRecaptcha: mock_user.id = 'test_user_id' mock_user.current_org_id = 'test_org_id' mock_user.accepted_tos = '2025-01-01' - mock_user_store.get_user_by_id_async = AsyncMock(return_value=mock_user) + mock_user_store.get_user_by_id = AsyncMock(return_value=mock_user) mock_user_store.create_user = AsyncMock(return_value=mock_user) mock_user_store.backfill_contact_name = AsyncMock() mock_user_store.backfill_user_email = AsyncMock() @@ -1322,7 +1322,7 @@ class TestKeycloakCallbackRecaptcha: mock_user = MagicMock() mock_user.id = 'test_user_id' mock_user.current_org_id = 'test_org_id' - mock_user_store.get_user_by_id_async = AsyncMock(return_value=mock_user) + mock_user_store.get_user_by_id = AsyncMock(return_value=mock_user) mock_user_store.create_user = AsyncMock(return_value=mock_user) mock_user_store.backfill_contact_name = AsyncMock() mock_user_store.backfill_user_email = AsyncMock() @@ -1408,7 +1408,7 @@ class TestKeycloakCallbackRecaptcha: mock_user.id = 'test_user_id' mock_user.current_org_id = 'test_org_id' mock_user.accepted_tos = '2025-01-01' - mock_user_store.get_user_by_id_async = AsyncMock(return_value=mock_user) + mock_user_store.get_user_by_id = AsyncMock(return_value=mock_user) mock_user_store.create_user = AsyncMock(return_value=mock_user) mock_user_store.backfill_contact_name = AsyncMock() mock_user_store.backfill_user_email = AsyncMock() @@ -1497,7 +1497,7 @@ class TestKeycloakCallbackRecaptcha: mock_user.id = 'test_user_id' mock_user.current_org_id = 'test_org_id' mock_user.accepted_tos = '2025-01-01' - mock_user_store.get_user_by_id_async = AsyncMock(return_value=mock_user) + mock_user_store.get_user_by_id = AsyncMock(return_value=mock_user) mock_user_store.create_user = AsyncMock(return_value=mock_user) mock_user_store.backfill_contact_name = AsyncMock() mock_user_store.backfill_user_email = AsyncMock() @@ -1585,7 +1585,7 @@ class TestKeycloakCallbackRecaptcha: mock_user.id = 'test_user_id' mock_user.current_org_id = 'test_org_id' mock_user.accepted_tos = '2025-01-01' - mock_user_store.get_user_by_id_async = AsyncMock(return_value=mock_user) + mock_user_store.get_user_by_id = AsyncMock(return_value=mock_user) mock_user_store.create_user = AsyncMock(return_value=mock_user) mock_user_store.backfill_contact_name = AsyncMock() mock_user_store.backfill_user_email = AsyncMock() @@ -1670,7 +1670,7 @@ class TestKeycloakCallbackRecaptcha: mock_user.id = 'test_user_id' mock_user.current_org_id = 'test_org_id' mock_user.accepted_tos = '2025-01-01' - mock_user_store.get_user_by_id_async = AsyncMock(return_value=mock_user) + mock_user_store.get_user_by_id = AsyncMock(return_value=mock_user) mock_user_store.create_user = AsyncMock(return_value=mock_user) mock_user_store.backfill_contact_name = AsyncMock() mock_user_store.backfill_user_email = AsyncMock() @@ -1752,7 +1752,7 @@ class TestKeycloakCallbackRecaptcha: mock_user.id = 'test_user_id' mock_user.current_org_id = 'test_org_id' mock_user.accepted_tos = '2025-01-01' - mock_user_store.get_user_by_id_async = AsyncMock(return_value=mock_user) + mock_user_store.get_user_by_id = AsyncMock(return_value=mock_user) mock_user_store.create_user = AsyncMock(return_value=mock_user) mock_user_store.backfill_contact_name = AsyncMock() mock_user_store.backfill_user_email = AsyncMock() @@ -1822,7 +1822,7 @@ class TestKeycloakCallbackRecaptcha: mock_user.id = 'test_user_id' mock_user.current_org_id = 'test_org_id' mock_user.accepted_tos = '2025-01-01' - mock_user_store.get_user_by_id_async = AsyncMock(return_value=mock_user) + mock_user_store.get_user_by_id = AsyncMock(return_value=mock_user) mock_user_store.create_user = AsyncMock(return_value=mock_user) mock_user_store.backfill_contact_name = AsyncMock() mock_user_store.backfill_user_email = AsyncMock() @@ -1896,7 +1896,7 @@ class TestKeycloakCallbackRecaptcha: mock_user.id = 'test_user_id' mock_user.current_org_id = 'test_org_id' mock_user.accepted_tos = '2025-01-01' - mock_user_store.get_user_by_id_async = AsyncMock(return_value=mock_user) + mock_user_store.get_user_by_id = AsyncMock(return_value=mock_user) mock_user_store.create_user = AsyncMock(return_value=mock_user) mock_user_store.backfill_contact_name = AsyncMock() mock_user_store.backfill_user_email = AsyncMock() @@ -1970,7 +1970,7 @@ class TestKeycloakCallbackRecaptcha: mock_user = MagicMock() mock_user.id = 'test_user_id' mock_user.current_org_id = 'test_org_id' - mock_user_store.get_user_by_id_async = AsyncMock(return_value=mock_user) + mock_user_store.get_user_by_id = AsyncMock(return_value=mock_user) mock_user_store.create_user = AsyncMock(return_value=mock_user) mock_user_store.backfill_contact_name = AsyncMock() mock_user_store.backfill_user_email = AsyncMock() @@ -2020,7 +2020,7 @@ async def test_keycloak_callback_calls_backfill_user_email_for_existing_user( mock_user.current_org_id = 'test_org_id' mock_user.accepted_tos = '2025-01-01' - mock_user_store.get_user_by_id_async = AsyncMock(return_value=mock_user) + mock_user_store.get_user_by_id = AsyncMock(return_value=mock_user) mock_user_store.create_user = AsyncMock(return_value=mock_user) mock_user_store.backfill_contact_name = AsyncMock() mock_user_store.backfill_user_email = AsyncMock() diff --git a/enterprise/tests/unit/test_billing.py b/enterprise/tests/unit/test_billing.py index b419faed36..995e277acd 100644 --- a/enterprise/tests/unit/test_billing.py +++ b/enterprise/tests/unit/test_billing.py @@ -103,7 +103,7 @@ async def test_get_credits_lite_llm_error(): with ( patch('integrations.stripe_service.STRIPE_API_KEY', 'mock_key'), patch( - 'storage.user_store.UserStore.get_user_by_id_async', + 'storage.user_store.UserStore.get_user_by_id', new_callable=AsyncMock, return_value=MagicMock(current_org_id='mock_org_id'), ), @@ -135,7 +135,7 @@ async def test_get_credits_success(): patch('integrations.stripe_service.STRIPE_API_KEY', 'mock_key'), patch('httpx.AsyncClient', return_value=mock_client), patch( - 'storage.user_store.UserStore.get_user_by_id_async', + 'storage.user_store.UserStore.get_user_by_id', new_callable=AsyncMock, return_value=MagicMock(current_org_id='mock_org_id'), ), @@ -338,7 +338,7 @@ async def test_success_callback_success(async_session_maker, test_org, test_user patch('server.routes.billing.a_session_maker', async_session_maker), patch('stripe.checkout.Session.retrieve') as mock_stripe_retrieve, patch( - 'storage.user_store.UserStore.get_user_by_id_async', + 'storage.user_store.UserStore.get_user_by_id', new_callable=AsyncMock, return_value=MagicMock(current_org_id=test_org.id), ), @@ -410,7 +410,7 @@ async def test_success_callback_lite_llm_error( patch('server.routes.billing.a_session_maker', async_session_maker), patch('stripe.checkout.Session.retrieve') as mock_stripe_retrieve, patch( - 'storage.user_store.UserStore.get_user_by_id_async', + 'storage.user_store.UserStore.get_user_by_id', new_callable=AsyncMock, return_value=MagicMock(current_org_id=test_org.id), ), @@ -464,7 +464,7 @@ async def test_success_callback_lite_llm_update_budget_error_rollback( patch('server.routes.billing.a_session_maker', async_session_maker), patch('stripe.checkout.Session.retrieve') as mock_stripe_retrieve, patch( - 'storage.user_store.UserStore.get_user_by_id_async', + 'storage.user_store.UserStore.get_user_by_id', new_callable=AsyncMock, return_value=MagicMock(current_org_id=test_org.id), ), diff --git a/enterprise/tests/unit/test_lite_llm_manager.py b/enterprise/tests/unit/test_lite_llm_manager.py index cac0b37e23..9b1f53a6b0 100644 --- a/enterprise/tests/unit/test_lite_llm_manager.py +++ b/enterprise/tests/unit/test_lite_llm_manager.py @@ -1100,9 +1100,7 @@ class TestLiteLlmManager: mock_org_member.org_id = 'test-ord-id' mock_org_member.llm_api_key = 'test-api-key' mock_user.org_members = [mock_org_member] - mock_user_store.get_user_by_id_async = AsyncMock( - return_value=mock_user - ) + mock_user_store.get_user_by_id = AsyncMock(return_value=mock_user) result = await LiteLlmManager._get_key_info( mock_http_client, 'test-ord-id', 'test-user-id' @@ -1118,7 +1116,7 @@ class TestLiteLlmManager: with patch('storage.lite_llm_manager.LITE_LLM_API_KEY', 'test-key'): with patch('storage.lite_llm_manager.LITE_LLM_API_URL', 'http://test.com'): with patch('storage.user_store.UserStore') as mock_user_store: - mock_user_store.get_user_by_id_async = AsyncMock(return_value=None) + mock_user_store.get_user_by_id = AsyncMock(return_value=None) result = await LiteLlmManager._get_key_info( mock_http_client, 'test-ord-id', 'test-user-id' diff --git a/enterprise/tests/unit/test_org_invitation_service.py b/enterprise/tests/unit/test_org_invitation_service.py index 5f797dedde..487243327e 100644 --- a/enterprise/tests/unit/test_org_invitation_service.py +++ b/enterprise/tests/unit/test_org_invitation_service.py @@ -70,7 +70,7 @@ class TestAcceptInvitationEmailValidation: 'server.services.org_invitation_service.OrgInvitationStore.is_token_expired' ) as mock_is_expired, patch( - 'server.services.org_invitation_service.UserStore.get_user_by_id_async', + 'server.services.org_invitation_service.UserStore.get_user_by_id', new_callable=AsyncMock, ) as mock_get_user, ): @@ -106,7 +106,7 @@ class TestAcceptInvitationEmailValidation: 'server.services.org_invitation_service.OrgInvitationStore.is_token_expired' ) as mock_is_expired, patch( - 'server.services.org_invitation_service.UserStore.get_user_by_id_async', + 'server.services.org_invitation_service.UserStore.get_user_by_id', new_callable=AsyncMock, ) as mock_get_user, patch( @@ -174,7 +174,7 @@ class TestAcceptInvitationEmailValidation: 'server.services.org_invitation_service.OrgInvitationStore.is_token_expired' ) as mock_is_expired, patch( - 'server.services.org_invitation_service.UserStore.get_user_by_id_async', + 'server.services.org_invitation_service.UserStore.get_user_by_id', new_callable=AsyncMock, ) as mock_get_user, patch( @@ -220,7 +220,7 @@ class TestAcceptInvitationEmailValidation: 'server.services.org_invitation_service.OrgInvitationStore.is_token_expired' ) as mock_is_expired, patch( - 'server.services.org_invitation_service.UserStore.get_user_by_id_async', + 'server.services.org_invitation_service.UserStore.get_user_by_id', new_callable=AsyncMock, ) as mock_get_user, patch( diff --git a/enterprise/tests/unit/test_org_service.py b/enterprise/tests/unit/test_org_service.py index 94edcbff3f..0ddd225f5e 100644 --- a/enterprise/tests/unit/test_org_service.py +++ b/enterprise/tests/unit/test_org_service.py @@ -1870,7 +1870,7 @@ async def test_check_byor_export_enabled_returns_true_when_enabled(): with ( patch( - 'storage.org_service.UserStore.get_user_by_id_async', + 'storage.org_service.UserStore.get_user_by_id', AsyncMock(return_value=mock_user), ), patch( @@ -1905,7 +1905,7 @@ async def test_check_byor_export_enabled_returns_false_when_disabled(): with ( patch( - 'storage.org_service.UserStore.get_user_by_id_async', + 'storage.org_service.UserStore.get_user_by_id', AsyncMock(return_value=mock_user), ), patch( @@ -1932,7 +1932,7 @@ async def test_check_byor_export_enabled_returns_false_when_user_not_found(): user_id = 'nonexistent-user' with patch( - 'storage.org_service.UserStore.get_user_by_id_async', + 'storage.org_service.UserStore.get_user_by_id', AsyncMock(return_value=None), ): # Act @@ -1956,7 +1956,7 @@ async def test_check_byor_export_enabled_returns_false_when_no_current_org(): mock_user.current_org_id = None with patch( - 'storage.org_service.UserStore.get_user_by_id_async', + 'storage.org_service.UserStore.get_user_by_id', AsyncMock(return_value=mock_user), ): # Act @@ -1982,7 +1982,7 @@ async def test_check_byor_export_enabled_returns_false_when_org_not_found(): with ( patch( - 'storage.org_service.UserStore.get_user_by_id_async', + 'storage.org_service.UserStore.get_user_by_id', AsyncMock(return_value=mock_user), ), patch( @@ -2025,6 +2025,7 @@ async def test_switch_org_success(): patch('storage.org_service.OrgService.is_org_member', return_value=True), patch( 'storage.org_service.UserStore.update_current_org', + new_callable=AsyncMock, return_value=mock_updated_user, ), ): @@ -2116,7 +2117,11 @@ async def test_switch_org_user_not_found(): return_value=mock_org, ), patch('storage.org_service.OrgService.is_org_member', return_value=True), - patch('storage.org_service.UserStore.update_current_org', return_value=None), + patch( + 'storage.org_service.UserStore.update_current_org', + new_callable=AsyncMock, + return_value=None, + ), ): # Act & Assert with pytest.raises(OrgDatabaseError) as exc_info: diff --git a/enterprise/tests/unit/test_saas_conversation_store.py b/enterprise/tests/unit/test_saas_conversation_store.py index 4d59c1227f..6492be3f7f 100644 --- a/enterprise/tests/unit/test_saas_conversation_store.py +++ b/enterprise/tests/unit/test_saas_conversation_store.py @@ -169,14 +169,14 @@ async def test_exists(session_maker): class TestGetInstance: """Tests for SaasConversationStore.get_instance method. - The get_instance method uses async UserStore.get_user_by_id_async because + The get_instance method uses async UserStore.get_user_by_id because callers now use asyncio.run_coroutine_threadsafe() to dispatch to the main event loop where asyncpg connections work properly. """ @pytest.mark.asyncio async def test_get_instance_uses_async_get_user_by_id(self): - """Verify get_instance calls the async get_user_by_id_async for proper event loop handling.""" + """Verify get_instance calls the async get_user_by_id for proper event loop handling.""" # Arrange user_id = '5594c7b6-f959-4b81-92e9-b09c206f5081' mock_user = MagicMock(spec=User) @@ -184,7 +184,7 @@ class TestGetInstance: mock_config = MagicMock(spec=OpenHandsConfig) with patch( - 'storage.saas_conversation_store.UserStore.get_user_by_id_async', + 'storage.saas_conversation_store.UserStore.get_user_by_id', AsyncMock(return_value=mock_user), ) as mock_async_get_user, patch( 'storage.saas_conversation_store.session_maker' @@ -205,7 +205,7 @@ class TestGetInstance: mock_config = MagicMock(spec=OpenHandsConfig) with patch( - 'storage.saas_conversation_store.UserStore.get_user_by_id_async', + 'storage.saas_conversation_store.UserStore.get_user_by_id', AsyncMock(return_value=None), ), patch('storage.saas_conversation_store.session_maker'): # Act diff --git a/enterprise/tests/unit/test_saas_secrets_store.py b/enterprise/tests/unit/test_saas_secrets_store.py index 5cd42cfb71..f9a560d11c 100644 --- a/enterprise/tests/unit/test_saas_secrets_store.py +++ b/enterprise/tests/unit/test_saas_secrets_store.py @@ -44,7 +44,7 @@ def secrets_store(async_session_maker, mock_config): class TestSaasSecretsStore: @pytest.mark.asyncio @patch( - 'storage.saas_secrets_store.UserStore.get_user_by_id_async', + 'storage.saas_secrets_store.UserStore.get_user_by_id', new_callable=AsyncMock, ) async def test_store_and_load(self, mock_get_user, secrets_store, mock_user): @@ -84,7 +84,7 @@ class TestSaasSecretsStore: @pytest.mark.asyncio @patch( - 'storage.saas_secrets_store.UserStore.get_user_by_id_async', + 'storage.saas_secrets_store.UserStore.get_user_by_id', new_callable=AsyncMock, ) async def test_encryption_decryption(self, mock_get_user, secrets_store, mock_user): @@ -186,7 +186,7 @@ class TestSaasSecretsStore: @pytest.mark.asyncio @patch( - 'storage.saas_secrets_store.UserStore.get_user_by_id_async', + 'storage.saas_secrets_store.UserStore.get_user_by_id', new_callable=AsyncMock, ) async def test_update_existing_secrets( diff --git a/enterprise/tests/unit/test_user_route_fallback.py b/enterprise/tests/unit/test_user_route_fallback.py index 23ae43dd7b..cb43301f80 100644 --- a/enterprise/tests/unit/test_user_route_fallback.py +++ b/enterprise/tests/unit/test_user_route_fallback.py @@ -35,9 +35,9 @@ def mock_check_idp(): @pytest.fixture def mock_user_store(): - """Mock UserStore.get_user_by_id_async to return None by default.""" + """Mock UserStore.get_user_by_id to return None by default.""" with patch( - 'server.routes.user.UserStore.get_user_by_id_async', + 'server.routes.user.UserStore.get_user_by_id', new_callable=AsyncMock, return_value=None, ) as mock_fn: diff --git a/enterprise/tests/unit/test_user_store.py b/enterprise/tests/unit/test_user_store.py index 32bfacb1e9..6a2ecb41ac 100644 --- a/enterprise/tests/unit/test_user_store.py +++ b/enterprise/tests/unit/test_user_store.py @@ -101,11 +101,11 @@ async def test_create_default_settings_with_litellm(mock_litellm_api): assert settings.llm_base_url == 'http://test.url' -# --- Tests for get_user_by_id_async --- +# --- Tests for get_user_by_id --- @pytest.mark.asyncio -async def test_get_user_by_id_async_existing_user(async_session_maker): +async def test_get_user_by_id_existing_user(async_session_maker): """Test retrieving an existing user by ID.""" user_id = uuid.uuid4() org_id = uuid.uuid4() @@ -120,7 +120,7 @@ async def test_get_user_by_id_async_existing_user(async_session_maker): # Test retrieval with patched session maker with patch('storage.user_store.a_session_maker', async_session_maker): - result = await UserStore.get_user_by_id_async(str(user_id)) + result = await UserStore.get_user_by_id(str(user_id)) assert result is not None assert result.id == user_id @@ -128,8 +128,8 @@ async def test_get_user_by_id_async_existing_user(async_session_maker): @pytest.mark.asyncio -async def test_get_user_by_id_async_user_not_found(async_session_maker): - """Test that get_user_by_id_async returns None for non-existent user.""" +async def test_get_user_by_id_user_not_found(async_session_maker): + """Test that get_user_by_id returns None for non-existent user.""" non_existent_id = str(uuid.uuid4()) with patch('storage.user_store.a_session_maker', async_session_maker): @@ -138,16 +138,16 @@ async def test_get_user_by_id_async_user_not_found(async_session_maker): patch.object(UserStore, '_acquire_user_creation_lock', return_value=True), patch.object(UserStore, '_release_user_creation_lock', return_value=True), ): - result = await UserStore.get_user_by_id_async(non_existent_id) + result = await UserStore.get_user_by_id(non_existent_id) assert result is None -# --- Tests for get_user_by_email_async --- +# --- Tests for get_user_by_email --- @pytest.mark.asyncio -async def test_get_user_by_email_async_existing_user(async_session_maker): +async def test_get_user_by_email_existing_user(async_session_maker): """Test retrieving a user by email.""" user_id = uuid.uuid4() org_id = uuid.uuid4() @@ -163,7 +163,7 @@ async def test_get_user_by_email_async_existing_user(async_session_maker): # Test retrieval with patch('storage.user_store.a_session_maker', async_session_maker): - result = await UserStore.get_user_by_email_async(email) + result = await UserStore.get_user_by_email(email) assert result is not None assert result.id == user_id @@ -171,28 +171,28 @@ async def test_get_user_by_email_async_existing_user(async_session_maker): @pytest.mark.asyncio -async def test_get_user_by_email_async_not_found(async_session_maker): - """Test that get_user_by_email_async returns None for non-existent email.""" +async def test_get_user_by_email_not_found(async_session_maker): + """Test that get_user_by_email returns None for non-existent email.""" with patch('storage.user_store.a_session_maker', async_session_maker): - result = await UserStore.get_user_by_email_async('nonexistent@example.com') + result = await UserStore.get_user_by_email('nonexistent@example.com') assert result is None @pytest.mark.asyncio -async def test_get_user_by_email_async_empty_email(async_session_maker): - """Test that get_user_by_email_async returns None for empty email.""" +async def test_get_user_by_email_empty_email(async_session_maker): + """Test that get_user_by_email returns None for empty email.""" with patch('storage.user_store.a_session_maker', async_session_maker): - result = await UserStore.get_user_by_email_async('') + result = await UserStore.get_user_by_email('') assert result is None @pytest.mark.asyncio -async def test_get_user_by_email_async_none_email(async_session_maker): - """Test that get_user_by_email_async returns None for None email.""" +async def test_get_user_by_email_none_email(async_session_maker): + """Test that get_user_by_email returns None for None email.""" with patch('storage.user_store.a_session_maker', async_session_maker): - result = await UserStore.get_user_by_email_async(None) + result = await UserStore.get_user_by_email(None) assert result is None @@ -543,47 +543,50 @@ async def test_backfill_contact_name_no_real_name(async_session_maker): assert org.contact_name == 'jdoe' -# --- Tests for update_current_org (sync) --- +# --- Tests for update_current_org --- -def test_update_current_org_success(session_maker): +@pytest.mark.asyncio +async def test_update_current_org_success(async_session_maker): """Test updating a user's current organization.""" user_id = uuid.uuid4() initial_org_id = uuid.uuid4() new_org_id = uuid.uuid4() # Create test data - with session_maker() as session: + async with async_session_maker() as session: org1 = Org(id=initial_org_id, name='org1') org2 = Org(id=new_org_id, name='org2') session.add_all([org1, org2]) user = User(id=user_id, current_org_id=initial_org_id) session.add(user) - session.commit() + await session.commit() # Update current org - with patch('storage.user_store.session_maker', session_maker): - result = UserStore.update_current_org(str(user_id), new_org_id) + with patch('storage.user_store.a_session_maker', async_session_maker): + result = await UserStore.update_current_org(str(user_id), new_org_id) assert result is not None assert result.current_org_id == new_org_id -def test_update_current_org_user_not_found(session_maker): +@pytest.mark.asyncio +async def test_update_current_org_user_not_found(async_session_maker): """Test that update_current_org returns None for non-existent user.""" user_id = str(uuid.uuid4()) org_id = uuid.uuid4() - with patch('storage.user_store.session_maker', session_maker): - result = UserStore.update_current_org(user_id, org_id) + with patch('storage.user_store.a_session_maker', async_session_maker): + result = await UserStore.update_current_org(user_id, org_id) assert result is None -# --- Tests for list_users (sync) --- +# --- Tests for list_users --- -def test_list_users(session_maker): +@pytest.mark.asyncio +async def test_list_users(async_session_maker): """Test listing all users.""" user_id1 = uuid.uuid4() user_id2 = uuid.uuid4() @@ -591,18 +594,18 @@ def test_list_users(session_maker): org_id2 = uuid.uuid4() # Create test data - with session_maker() as session: + async with async_session_maker() as session: org1 = Org(id=org_id1, name='org1') org2 = Org(id=org_id2, name='org2') session.add_all([org1, org2]) user1 = User(id=user_id1, current_org_id=org_id1) user2 = User(id=user_id2, current_org_id=org_id2) session.add_all([user1, user2]) - session.commit() + await session.commit() # List users - with patch('storage.user_store.session_maker', session_maker): - users = UserStore.list_users() + with patch('storage.user_store.a_session_maker', async_session_maker): + users = await UserStore.list_users() assert len(users) >= 2 user_ids = [user.id for user in users] From 1fb28604e68831c6a6c9f321fa8c3381eda6a432 Mon Sep 17 00:00:00 2001 From: Rohit Malhotra Date: Wed, 4 Mar 2026 10:04:27 -0500 Subject: [PATCH 27/67] Fix mypy type errors in server/services and storage/org_service (#13190) Co-authored-by: openhands --- enterprise/server/services/org_app_settings_service.py | 7 +++++++ enterprise/server/services/org_invitation_service.py | 10 +++++++++- enterprise/storage/org_service.py | 9 +++++---- enterprise/tests/unit/test_org_invitation_service.py | 9 +++++++-- 4 files changed, 28 insertions(+), 7 deletions(-) diff --git a/enterprise/server/services/org_app_settings_service.py b/enterprise/server/services/org_app_settings_service.py index d98ce4e05c..f535c775b3 100644 --- a/enterprise/server/services/org_app_settings_service.py +++ b/enterprise/server/services/org_app_settings_service.py @@ -17,6 +17,7 @@ from server.routes.org_models import ( ) from storage.org_app_settings_store import OrgAppSettingsStore +from openhands.app_server.errors import AuthError from openhands.app_server.services.injector import Injector, InjectorState from openhands.app_server.user.user_context import UserContext from openhands.core.logger import openhands_logger as logger @@ -39,8 +40,11 @@ class OrgAppSettingsService: Raises: OrgNotFoundError: If current organization is not found + AuthError: If user is not authenticated """ user_id = await self.user_context.get_user_id() + if not user_id: + raise AuthError('User not authenticated') logger.info( 'Getting organization app settings', @@ -72,8 +76,11 @@ class OrgAppSettingsService: Raises: OrgNotFoundError: If current organization is not found + AuthError: If user is not authenticated """ user_id = await self.user_context.get_user_id() + if not user_id: + raise AuthError('User not authenticated') logger.info( 'Updating organization app settings', diff --git a/enterprise/server/services/org_invitation_service.py b/enterprise/server/services/org_invitation_service.py index bae78f1a7b..5c4edcd1e4 100644 --- a/enterprise/server/services/org_invitation_service.py +++ b/enterprise/server/services/org_invitation_service.py @@ -373,11 +373,16 @@ class OrgInvitationService: org_member_kwargs.pop('llm_model', None) org_member_kwargs.pop('llm_base_url', None) + # Get the llm_api_key as string (it's SecretStr | None in Settings) + llm_api_key = ( + settings.llm_api_key.get_secret_value() if settings.llm_api_key else '' + ) + await OrgMemberStore.add_user_to_org( org_id=invitation.org_id, user_id=user_id, role_id=invitation.role_id, - llm_api_key=settings.llm_api_key, + llm_api_key=llm_api_key, status='active', ) @@ -388,6 +393,9 @@ class OrgInvitationService: accepted_by_user_id=user_id, ) + if not updated_invitation: + raise InvitationInvalidError('Failed to update invitation status') + logger.info( 'Organization invitation accepted', extra={ diff --git a/enterprise/storage/org_service.py b/enterprise/storage/org_service.py index bc021c525b..1f5b26a2d4 100644 --- a/enterprise/storage/org_service.py +++ b/enterprise/storage/org_service.py @@ -25,6 +25,7 @@ from storage.role_store import RoleStore from storage.user_store import UserStore from openhands.core.logger import openhands_logger as logger +from openhands.storage.data_models.settings import Settings class OrgService: @@ -46,7 +47,7 @@ class OrgService: raise OrgNameExistsError(name) @staticmethod - async def create_litellm_integration(org_id: UUID, user_id: str) -> dict: + async def create_litellm_integration(org_id: UUID, user_id: str) -> Settings: """ Create LiteLLM team integration for the organization. @@ -55,7 +56,7 @@ class OrgService: user_id: User ID who will own the organization Returns: - dict: LiteLLM settings object + Settings: LiteLLM settings object Raises: LiteLLMIntegrationError: If LiteLLM integration fails @@ -116,7 +117,7 @@ class OrgService: ) @staticmethod - def apply_litellm_settings_to_org(org: Org, settings: dict) -> None: + def apply_litellm_settings_to_org(org: Org, settings: Settings) -> None: """ Apply LiteLLM settings to organization entity. @@ -150,7 +151,7 @@ class OrgService: org_id: UUID, user_id: str, role_id: int, - settings: dict, + settings: Settings, ) -> OrgMember: """ Create an organization member entity. diff --git a/enterprise/tests/unit/test_org_invitation_service.py b/enterprise/tests/unit/test_org_invitation_service.py index 487243327e..c12b50f8e7 100644 --- a/enterprise/tests/unit/test_org_invitation_service.py +++ b/enterprise/tests/unit/test_org_invitation_service.py @@ -4,6 +4,7 @@ from unittest.mock import AsyncMock, MagicMock, patch from uuid import UUID import pytest +from pydantic import SecretStr from server.routes.org_invitation_models import ( EmailMismatchError, ) @@ -141,7 +142,9 @@ class TestAcceptInvitationEmailValidation: mock_token_manager_class.return_value = mock_token_manager mock_get_member.return_value = None # Not already a member - mock_create_litellm.return_value = MagicMock(llm_api_key='test-key') + mock_settings = MagicMock() + mock_settings.llm_api_key = SecretStr('test-key') + mock_create_litellm.return_value = mock_settings mock_update_status.return_value = mock_invitation # Act - should not raise error because Keycloak email matches @@ -244,7 +247,9 @@ class TestAcceptInvitationEmailValidation: mock_is_expired.return_value = False mock_get_user.return_value = mock_user mock_get_member.return_value = None - mock_create_litellm.return_value = MagicMock(llm_api_key='test-key') + mock_settings = MagicMock() + mock_settings.llm_api_key = SecretStr('test-key') + mock_create_litellm.return_value = mock_settings mock_update_status.return_value = mock_invitation # Act - should not raise error because emails match case-insensitively From baae3780e51318ae602cb2b376cacb07a1daad08 Mon Sep 17 00:00:00 2001 From: Rohit Malhotra Date: Wed, 4 Mar 2026 10:04:36 -0500 Subject: [PATCH 28/67] Fix mypy type errors in enterprise/integrations/github/ (#13191) Co-authored-by: openhands --- .../integrations/github/data_collector.py | 12 +++--- .../integrations/github/github_service.py | 38 ++++++++++++++++--- enterprise/integrations/github/github_view.py | 2 +- 3 files changed, 38 insertions(+), 14 deletions(-) diff --git a/enterprise/integrations/github/data_collector.py b/enterprise/integrations/github/data_collector.py index d0844b814e..6d24399ddb 100644 --- a/enterprise/integrations/github/data_collector.py +++ b/enterprise/integrations/github/data_collector.py @@ -116,10 +116,8 @@ class GitHubDataCollector: return suffix - def _get_installation_access_token(self, installation_id: str) -> str: - token_data = self.github_integration.get_access_token( - installation_id # type: ignore[arg-type] - ) + def _get_installation_access_token(self, installation_id: int) -> str: + token_data = self.github_integration.get_access_token(installation_id) return token_data.token def _check_openhands_author(self, name, login) -> bool: @@ -134,7 +132,7 @@ class GitHubDataCollector: ) def _get_issue_comments( - self, installation_id: str, repo_name: str, issue_number: int, conversation_id + self, installation_id: int, repo_name: str, issue_number: int, conversation_id ) -> list[dict[str, Any]]: """ Retrieve all comments from an issue until a comment with conversation_id is found @@ -234,7 +232,7 @@ class GitHubDataCollector: f'[Github]: Saved issue #{issue_number} for {github_view.full_repo_name}' ) - def _get_pr_commits(self, installation_id: str, repo_name: str, pr_number: int): + def _get_pr_commits(self, installation_id: int, repo_name: str, pr_number: int): commits = [] installation_token = self._get_installation_access_token(installation_id) with Github(auth=Auth.Token(installation_token)) as github_client: @@ -431,7 +429,7 @@ class GitHubDataCollector: - Num openhands review comments """ pr_number = openhands_pr.pr_number - installation_id = openhands_pr.installation_id + installation_id = int(openhands_pr.installation_id) repo_id = openhands_pr.repo_id # Get installation token and create Github client diff --git a/enterprise/integrations/github/github_service.py b/enterprise/integrations/github/github_service.py index 4ea9e41626..6d1fb929a4 100644 --- a/enterprise/integrations/github/github_service.py +++ b/enterprise/integrations/github/github_service.py @@ -122,13 +122,37 @@ class SaaSGitHubService(GitHubService): raise Exception(f'No node_id found for repository {repo_id}') return node_id + async def _get_external_auth_id(self) -> str | None: + """Get or fetch external_auth_id from Keycloak token if not already set.""" + if self.external_auth_id: + return self.external_auth_id + + if self.external_auth_token: + try: + user_info = await self.token_manager.get_user_info( + self.external_auth_token.get_secret_value() + ) + self.external_auth_id = user_info.sub + logger.info( + f'Determined external_auth_id from Keycloak token: {self.external_auth_id}' + ) + return self.external_auth_id + except Exception as e: + logger.warning( + f'Could not determine external_auth_id from token: {e}', + exc_info=True, + ) + return None + async def get_paginated_repos(self, page, per_page, sort, installation_id): repositories = await super().get_paginated_repos( page, per_page, sort, installation_id ) - asyncio.create_task( - store_repositories_in_db(repositories, self.external_auth_id) - ) + external_auth_id = await self._get_external_auth_id() + if external_auth_id: + asyncio.create_task( + store_repositories_in_db(repositories, external_auth_id) + ) return repositories async def get_all_repositories( @@ -136,8 +160,10 @@ class SaaSGitHubService(GitHubService): ) -> list[Repository]: repositories = await super().get_all_repositories(sort, app_mode) # Schedule the background task without awaiting it - asyncio.create_task( - store_repositories_in_db(repositories, self.external_auth_id) - ) + external_auth_id = await self._get_external_auth_id() + if external_auth_id: + asyncio.create_task( + store_repositories_in_db(repositories, external_auth_id) + ) # Return repositories immediately return repositories diff --git a/enterprise/integrations/github/github_view.py b/enterprise/integrations/github/github_view.py index e8d6e525b3..97ad8a9b98 100644 --- a/enterprise/integrations/github/github_view.py +++ b/enterprise/integrations/github/github_view.py @@ -733,7 +733,7 @@ class GithubFactory: @staticmethod async def create_github_view_from_payload( message: Message, keycloak_user_id: str - ) -> ResolverViewInterface: + ) -> GithubViewType: """Create the appropriate class (GithubIssue or GithubPRComment) based on the payload. Also return metadata about the event (e.g., action type). """ From f01c8dd955b69620724ec81b096a29489af2103c Mon Sep 17 00:00:00 2001 From: Engel Nyst Date: Wed, 4 Mar 2026 16:21:08 +0100 Subject: [PATCH 29/67] V1 resolver: move PR/issue context into initial user message (#12983) Co-authored-by: openhands --- enterprise/integrations/github/github_view.py | 70 +++++- ...est_github_view_v1_initial_user_message.py | 218 ++++++++++++++++++ .../github/issue_comment_initial_message.j2 | 31 +++ .../github/pr_update_initial_message.j2 | 41 ++++ 4 files changed, 355 insertions(+), 5 deletions(-) create mode 100644 enterprise/tests/unit/integrations/github/test_github_view_v1_initial_user_message.py create mode 100644 openhands/integrations/templates/resolver/github/issue_comment_initial_message.j2 create mode 100644 openhands/integrations/templates/resolver/github/pr_update_initial_message.j2 diff --git a/enterprise/integrations/github/github_view.py b/enterprise/integrations/github/github_view.py index 97ad8a9b98..91d125b30d 100644 --- a/enterprise/integrations/github/github_view.py +++ b/enterprise/integrations/github/github_view.py @@ -231,6 +231,29 @@ class GithubIssue(ResolverViewInterface): conversation_instructions=conversation_instructions, ) + async def _get_v1_initial_user_message(self, jinja_env: Environment) -> str: + """Build the initial user message for V1 resolver conversations. + + For "issue opened" events (no specific comment body), we can simply + concatenate the user prompt and the rendered issue context. + + Subclasses that represent comment-driven events (issue comments, PR review + comments, inline review comments) override this method to control ordering + (e.g., context first, then the triggering comment, then previous comments). + """ + + user_instructions, conversation_instructions = await self._get_instructions( + jinja_env + ) + + parts: list[str] = [] + if user_instructions.strip(): + parts.append(user_instructions.strip()) + if conversation_instructions.strip(): + parts.append(conversation_instructions.strip()) + + return '\n\n'.join(parts) + async def _create_v1_conversation( self, jinja_env: Environment, @@ -240,13 +263,11 @@ class GithubIssue(ResolverViewInterface): """Create conversation using the new V1 app conversation system.""" logger.info('[GitHub V1]: Creating V1 conversation') - user_instructions, conversation_instructions = await self._get_instructions( - jinja_env - ) + initial_user_text = await self._get_v1_initial_user_message(jinja_env) # Create the initial message request initial_message = SendMessageRequest( - role='user', content=[TextContent(text=user_instructions)] + role='user', content=[TextContent(text=initial_user_text)] ) # Create the GitHub V1 callback processor @@ -258,7 +279,9 @@ class GithubIssue(ResolverViewInterface): # Create the V1 conversation start request with the callback processor start_request = AppConversationStartRequest( conversation_id=UUID(conversation_metadata.conversation_id), - system_message_suffix=conversation_instructions, + # NOTE: Resolver instructions are intended to be lower priority than the + # system prompt, so we inject them into the initial user message. + system_message_suffix=None, initial_message=initial_message, selected_repository=self.full_repo_name, selected_branch=self._get_branch_name(), @@ -329,6 +352,17 @@ class GithubIssueComment(GithubIssue): return user_instructions, conversation_instructions + async def _get_v1_initial_user_message(self, jinja_env: Environment) -> str: + await self._load_resolver_context() + template = jinja_env.get_template('issue_comment_initial_message.j2') + return template.render( + issue_number=self.issue_number, + issue_title=self.title, + issue_body=self.description, + issue_comment=self.comment_body, + previous_comments=self.previous_comments, + ).strip() + @dataclass class GithubPRComment(GithubIssueComment): @@ -355,6 +389,18 @@ class GithubPRComment(GithubIssueComment): return user_instructions, conversation_instructions + async def _get_v1_initial_user_message(self, jinja_env: Environment) -> str: + await self._load_resolver_context() + template = jinja_env.get_template('pr_update_initial_message.j2') + return template.render( + pr_number=self.issue_number, + branch_name=self.branch_name, + pr_title=self.title, + pr_body=self.description, + pr_comment=self.comment_body, + comments=self.previous_comments, + ).strip() + @dataclass class GithubInlinePRComment(GithubPRComment): @@ -401,6 +447,20 @@ class GithubInlinePRComment(GithubPRComment): return user_instructions, conversation_instructions + async def _get_v1_initial_user_message(self, jinja_env: Environment) -> str: + await self._load_resolver_context() + template = jinja_env.get_template('pr_update_initial_message.j2') + return template.render( + pr_number=self.issue_number, + branch_name=self.branch_name, + pr_title=self.title, + pr_body=self.description, + file_location=self.file_location, + line_number=self.line_number, + pr_comment=self.comment_body, + comments=self.previous_comments, + ).strip() + def _create_github_v1_callback_processor(self): """Create a V1 callback processor for GitHub integration.""" from integrations.github.github_v1_callback_processor import ( diff --git a/enterprise/tests/unit/integrations/github/test_github_view_v1_initial_user_message.py b/enterprise/tests/unit/integrations/github/test_github_view_v1_initial_user_message.py new file mode 100644 index 0000000000..64a9f64388 --- /dev/null +++ b/enterprise/tests/unit/integrations/github/test_github_view_v1_initial_user_message.py @@ -0,0 +1,218 @@ +from __future__ import annotations + +from contextlib import asynccontextmanager +from pathlib import Path +from unittest.mock import AsyncMock, MagicMock, patch +from uuid import uuid4 + +import pytest +from integrations.github.github_view import ( + GithubInlinePRComment, + GithubIssueComment, + GithubPRComment, +) +from integrations.types import UserData +from jinja2 import Environment, FileSystemLoader + +from openhands.app_server.app_conversation.app_conversation_models import ( + AppConversationStartTaskStatus, +) +from openhands.storage.data_models.conversation_metadata import ConversationMetadata + + +@pytest.fixture +def jinja_env() -> Environment: + repo_root = Path(__file__).resolve().parents[5] + return Environment( + loader=FileSystemLoader( + str(repo_root / 'openhands/integrations/templates/resolver/github') + ) + ) + + +@asynccontextmanager +async def _fake_app_conversation_service_ctx(fake_service): + yield fake_service + + +class _FakeAppConversationService: + def __init__(self): + self.requests = [] + + async def start_app_conversation(self, request): + self.requests.append(request) + yield MagicMock(status=AppConversationStartTaskStatus.READY, detail=None) + + +def _build_conversation_metadata() -> ConversationMetadata: + return ConversationMetadata( + conversation_id=str(uuid4()), + selected_repository='test-owner/test-repo', + ) + + +def _build_user_data() -> UserData: + return UserData(user_id=1, username='test-user', keycloak_user_id='kc-user') + + +@pytest.mark.asyncio +class TestGithubViewV1InitialUserMessage: + @patch('integrations.github.github_view.get_app_conversation_service') + async def test_issue_comment_v1_injects_context_into_initial_user_message( + self, + mock_get_app_conversation_service, + jinja_env, + ): + view = GithubIssueComment( + installation_id=123, + issue_number=42, + full_repo_name='test-owner/test-repo', + is_public_repo=False, + user_info=_build_user_data(), + raw_payload=MagicMock(), + conversation_id='conv', + uuid=None, + should_extract=False, + send_summary_instruction=False, + title='ignored', + description='ignored', + previous_comments=[], + v1_enabled=True, + comment_body='please fix this', + comment_id=999, + ) + + async def _load_context(): + view.title = 'Issue title' + view.description = 'Issue body' + view.previous_comments = [MagicMock(author='alice', body='old comment 1')] + + view._load_resolver_context = AsyncMock(side_effect=_load_context) # type: ignore[method-assign] + + fake_service = _FakeAppConversationService() + mock_get_app_conversation_service.return_value = ( + _fake_app_conversation_service_ctx(fake_service) + ) + + await view._create_v1_conversation( + jinja_env=jinja_env, + saas_user_auth=MagicMock(), + conversation_metadata=_build_conversation_metadata(), + ) + + assert len(fake_service.requests) == 1 + req = fake_service.requests[0] + assert req.system_message_suffix is None + + text = req.initial_message.content[0].text + assert 'Issue title' in text + assert 'Issue body' in text + assert 'please fix this' in text + assert 'old comment 1' in text + + @patch('integrations.github.github_view.get_app_conversation_service') + async def test_pr_comment_v1_injects_context_and_comment_into_initial_user_message( + self, + mock_get_app_conversation_service, + jinja_env, + ): + view = GithubPRComment( + installation_id=123, + issue_number=7, + full_repo_name='test-owner/test-repo', + is_public_repo=False, + user_info=_build_user_data(), + raw_payload=MagicMock(), + conversation_id='conv', + uuid=None, + should_extract=False, + send_summary_instruction=False, + title='ignored', + description='ignored', + previous_comments=[], + v1_enabled=True, + comment_body='nit: rename variable', + comment_id=1001, + branch_name='feature-branch', + ) + + async def _load_context(): + view.title = 'PR title' + view.description = 'PR body' + view.previous_comments = [ + MagicMock(author='bob', created_at='2026-01-01', body='old thread') + ] + + view._load_resolver_context = AsyncMock(side_effect=_load_context) # type: ignore[method-assign] + + fake_service = _FakeAppConversationService() + mock_get_app_conversation_service.return_value = ( + _fake_app_conversation_service_ctx(fake_service) + ) + + await view._create_v1_conversation( + jinja_env=jinja_env, + saas_user_auth=MagicMock(), + conversation_metadata=_build_conversation_metadata(), + ) + + assert len(fake_service.requests) == 1 + req = fake_service.requests[0] + assert req.system_message_suffix is None + + text = req.initial_message.content[0].text + assert 'feature-branch' in text + assert 'PR title' in text + assert 'PR body' in text + assert 'nit: rename variable' in text + assert 'old thread' in text + + @patch('integrations.github.github_view.get_app_conversation_service') + async def test_inline_pr_comment_v1_includes_file_context( + self, mock_get_service, jinja_env + ): + view = GithubInlinePRComment( + installation_id=123, + issue_number=7, + full_repo_name='test-owner/test-repo', + is_public_repo=False, + user_info=_build_user_data(), + raw_payload=MagicMock(), + conversation_id='conv', + uuid=None, + should_extract=False, + send_summary_instruction=False, + title='ignored', + description='ignored', + previous_comments=[], + v1_enabled=True, + comment_body='please add a null check', + comment_id=1002, + branch_name='feature-branch', + file_location='src/app.py', + line_number=123, + comment_node_id='node', + ) + + async def _load_context(): + view.title = 'PR title' + view.description = 'PR body' + view.previous_comments = [] + + view._load_resolver_context = AsyncMock(side_effect=_load_context) # type: ignore[method-assign] + + fake_service = _FakeAppConversationService() + mock_get_service.return_value = _fake_app_conversation_service_ctx(fake_service) + + await view._create_v1_conversation( + jinja_env=jinja_env, + saas_user_auth=MagicMock(), + conversation_metadata=_build_conversation_metadata(), + ) + + req = fake_service.requests[0] + assert req.system_message_suffix is None + text = req.initial_message.content[0].text + assert 'src/app.py' in text + assert '123' in text + assert 'please add a null check' in text diff --git a/openhands/integrations/templates/resolver/github/issue_comment_initial_message.j2 b/openhands/integrations/templates/resolver/github/issue_comment_initial_message.j2 new file mode 100644 index 0000000000..69b321aca4 --- /dev/null +++ b/openhands/integrations/templates/resolver/github/issue_comment_initial_message.j2 @@ -0,0 +1,31 @@ +You are requested to fix issue #{{ issue_number }}: "{{ issue_title }}" in a repository. +A comment on the issue has been addressed to you. + +# Issue Body +{{ issue_body }} + +# Comment +{{ issue_comment }} + +{% if previous_comments %} +# Previous Comments +For reference, here are the previous comments on the issue: + +{% for comment in previous_comments %} +- @{{ comment.author }} said: +{{ comment.body }} +{% if not loop.last %} + +{% endif %} +{% endfor %} +{% endif %} + +# Guidelines + +1. Review the task carefully. +2. For all changes to actual application code (e.g. in Python or Javascript), add an appropriate test to the testing directory to make sure that the issue has been fixed +3. Run the tests, and if they pass you are done! +4. You do NOT need to write new tests if there are only changes to documentation or configuration files. + +# Final Checklist +Re-read the issue title, body, and comments and make sure that you have successfully implemented all requirements. diff --git a/openhands/integrations/templates/resolver/github/pr_update_initial_message.j2 b/openhands/integrations/templates/resolver/github/pr_update_initial_message.j2 new file mode 100644 index 0000000000..5582c8ce8f --- /dev/null +++ b/openhands/integrations/templates/resolver/github/pr_update_initial_message.j2 @@ -0,0 +1,41 @@ +You are checked out to branch {{ branch_name }}, which has an open PR #{{ pr_number }}: "{{ pr_title }}". +A comment on the PR has been addressed to you. + +# PR Description +{{ pr_body }} + +{% if file_location %} +# Comment location +The comment is in the file `{{ file_location }}` on line #{{ line_number }}. +{% endif %} + +# Comment +{{ pr_comment }} + +{% if comments %} +# Previous Comments +You may find these other comments relevant: +{% for comment in comments %} +- @{{ comment.author }} said at {{ comment.created_at }}: +{{ comment.body }} +{% if not loop.last %} + +{% endif %} +{% endfor %} +{% endif %} + +# Steps to Handle the Comment + +## Understand the PR Context +Use the $GITHUB_TOKEN and GitHub API to: + 1. Retrieve the diff against the base branch (typically main) to understand the changes + 2. Fetch the PR body and the linked issue for context + +## Process the Comment +If it's a question, answer it. + +If it requests a code update: + 1. Modify the code accordingly in the current branch + 2. Commit your changes with a clear commit message + 3. Verify if the branch is on a fork, and make sure the remote is correct + 4. Push the changes to GitHub to update the PR. From a11435b06182c7addf4c56118c028a0d5bf341b5 Mon Sep 17 00:00:00 2001 From: Juan Michelini Date: Wed, 4 Mar 2026 12:40:15 -0300 Subject: [PATCH 30/67] Add GLM-4.7 model support to frontend (#13202) Co-authored-by: openhands --- frontend/src/utils/verified-models.ts | 2 ++ openhands/llm/model_features.py | 6 ++++++ openhands/utils/llm.py | 1 + 3 files changed, 9 insertions(+) diff --git a/frontend/src/utils/verified-models.ts b/frontend/src/utils/verified-models.ts index d9e57b5fcb..2a6ffc69f4 100644 --- a/frontend/src/utils/verified-models.ts +++ b/frontend/src/utils/verified-models.ts @@ -20,6 +20,7 @@ export const VERIFIED_MODELS = [ "devstral-medium-2512", "kimi-k2-0711-preview", "qwen3-coder-480b", + "glm-4.7", ]; // LiteLLM does not return OpenAI models with the provider, so we list them here to set them ourselves for consistency @@ -63,6 +64,7 @@ export const VERIFIED_OPENHANDS_MODELS = [ "devstral-medium-2512", "kimi-k2-0711-preview", "qwen3-coder-480b", + "glm-4.7", ]; // Default model for OpenHands provider diff --git a/openhands/llm/model_features.py b/openhands/llm/model_features.py index 96386026a4..8538f27456 100644 --- a/openhands/llm/model_features.py +++ b/openhands/llm/model_features.py @@ -97,6 +97,8 @@ FUNCTION_CALLING_PATTERNS: list[str] = [ 'qwen3-coder-480b-a35b-instruct', 'deepseek-chat', 'grok-code-fast-1', + # GLM series - verified via official docs and litellm config + 'glm-4*', ] REASONING_EFFORT_PATTERNS: list[str] = [ @@ -116,6 +118,8 @@ REASONING_EFFORT_PATTERNS: list[str] = [ 'deepseek-r1-0528*', 'claude-sonnet-4-5*', 'claude-haiku-4-5*', + # GLM series - verified via litellm config + 'glm-4*', ] PROMPT_CACHE_PATTERNS: list[str] = [ @@ -129,6 +133,8 @@ PROMPT_CACHE_PATTERNS: list[str] = [ 'claude-3-opus-20240229', 'claude-sonnet-4*', 'claude-opus-4*', + # GLM series - verified via litellm config + 'glm-4*', ] SUPPORTS_STOP_WORDS_FALSE_PATTERNS: list[str] = [ diff --git a/openhands/utils/llm.py b/openhands/utils/llm.py index 40c47e2769..d5498fc766 100644 --- a/openhands/utils/llm.py +++ b/openhands/utils/llm.py @@ -26,6 +26,7 @@ OPENHANDS_MODELS = [ 'openhands/devstral-medium-2512', 'openhands/kimi-k2-0711-preview', 'openhands/qwen3-coder-480b', + 'openhands/glm-4.7', ] CLARIFAI_MODELS = [ From b86b2f16afb9e0c20025bb44aeffd0d8373393fd Mon Sep 17 00:00:00 2001 From: Rohit Malhotra Date: Wed, 4 Mar 2026 11:06:26 -0500 Subject: [PATCH 31/67] Fix mypy type errors in enterprise/server/routes/billing.py and api_keys.py (#13196) Co-authored-by: openhands --- enterprise/server/routes/api_keys.py | 4 ++-- enterprise/server/routes/billing.py | 10 ++++++++++ 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/enterprise/server/routes/api_keys.py b/enterprise/server/routes/api_keys.py index 1e3f8a0d51..a543d333e3 100644 --- a/enterprise/server/routes/api_keys.py +++ b/enterprise/server/routes/api_keys.py @@ -22,7 +22,7 @@ async def get_byor_key_from_db(user_id: str) -> str | None: return None current_org_id = user.current_org_id - current_org_member: OrgMember = None + current_org_member: OrgMember | None = None for org_member in user.org_members: if org_member.org_id == current_org_id: current_org_member = org_member @@ -41,7 +41,7 @@ async def store_byor_key_in_db(user_id: str, key: str) -> None: return None current_org_id = user.current_org_id - current_org_member: OrgMember = None + current_org_member: OrgMember | None = None for org_member in user.org_members: if org_member.org_id == current_org_id: current_org_member = org_member diff --git a/enterprise/server/routes/billing.py b/enterprise/server/routes/billing.py index 51e5ee3fb1..cf8b72b689 100644 --- a/enterprise/server/routes/billing.py +++ b/enterprise/server/routes/billing.py @@ -146,6 +146,11 @@ async def create_customer_setup_session( ) -> CreateBillingSessionResponse: await validate_billing_enabled() customer_info = await stripe_service.find_or_create_customer_by_user_id(user_id) + if not customer_info: + raise HTTPException( + status_code=status.HTTP_400_BAD_REQUEST, + detail='Could not find or create customer for user', + ) base_url = _get_base_url(request) checkout_session = await stripe.checkout.Session.create_async( customer=customer_info['customer_id'], @@ -167,6 +172,11 @@ async def create_checkout_session( await validate_billing_enabled() base_url = _get_base_url(request) customer_info = await stripe_service.find_or_create_customer_by_user_id(user_id) + if not customer_info: + raise HTTPException( + status_code=status.HTTP_400_BAD_REQUEST, + detail='Could not find or create customer for user', + ) checkout_session = await stripe.checkout.Session.create_async( customer=customer_info['customer_id'], line_items=[ From b8db9ecd53e9275cd8d75cf14a42ef2268b47d73 Mon Sep 17 00:00:00 2001 From: Rohit Malhotra Date: Wed, 4 Mar 2026 11:13:16 -0500 Subject: [PATCH 32/67] Fix mypy type errors in enterprise GitLab integration (#13205) Co-authored-by: openhands --- .../gitlab/gitlab_v1_callback_processor.py | 8 ++------ enterprise/integrations/gitlab/gitlab_view.py | 6 +++++- .../server/routes/integration/gitlab.py | 4 ++-- .../test_gitlab_v1_callback_processor.py | 20 +++++++++---------- 4 files changed, 19 insertions(+), 19 deletions(-) diff --git a/enterprise/integrations/gitlab/gitlab_v1_callback_processor.py b/enterprise/integrations/gitlab/gitlab_v1_callback_processor.py index fcb3c24cb2..8fb6521d98 100644 --- a/enterprise/integrations/gitlab/gitlab_v1_callback_processor.py +++ b/enterprise/integrations/gitlab/gitlab_v1_callback_processor.py @@ -107,19 +107,15 @@ class GitlabV1CallbackProcessor(EventCallbackProcessor): # Import here to avoid circular imports from integrations.gitlab.gitlab_service import SaaSGitLabService - from openhands.integrations.gitlab.gitlab_service import GitLabServiceImpl - keycloak_user_id = self.gitlab_view_data.get('keycloak_user_id') if not keycloak_user_id: raise RuntimeError('Missing keycloak user ID for GitLab') - gitlab_service: SaaSGitLabService = GitLabServiceImpl( - external_auth_id=keycloak_user_id - ) + gitlab_service = SaaSGitLabService(external_auth_id=keycloak_user_id) project_id = self.gitlab_view_data['project_id'] issue_number = self.gitlab_view_data['issue_number'] - discussion_id = self.gitlab_view_data.get('discussion_id') + discussion_id = self.gitlab_view_data['discussion_id'] is_mr = self.gitlab_view_data.get('is_mr', False) if is_mr: diff --git a/enterprise/integrations/gitlab/gitlab_view.py b/enterprise/integrations/gitlab/gitlab_view.py index 8bb0f22868..4b71940640 100644 --- a/enterprise/integrations/gitlab/gitlab_view.py +++ b/enterprise/integrations/gitlab/gitlab_view.py @@ -461,7 +461,11 @@ class GitlabFactory: ) # Check v1_enabled at construction time - this is the source of truth - v1_enabled = await is_v1_enabled_for_gitlab_resolver(keycloak_user_id) + v1_enabled = ( + await is_v1_enabled_for_gitlab_resolver(keycloak_user_id) + if keycloak_user_id + else False + ) logger.info( f'[GitLab V1]: User flag found for {keycloak_user_id} is {v1_enabled}' ) diff --git a/enterprise/server/routes/integration/gitlab.py b/enterprise/server/routes/integration/gitlab.py index 2b6cbe6fd5..a1e001bdc8 100644 --- a/enterprise/server/routes/integration/gitlab.py +++ b/enterprise/server/routes/integration/gitlab.py @@ -69,13 +69,13 @@ async def verify_gitlab_signature( raise HTTPException(status_code=403, detail='Required payload headers missing!') if IS_LOCAL_DEPLOYMENT: - webhook_secret = 'localdeploymentwebhooktesttoken' + webhook_secret: str | None = 'localdeploymentwebhooktesttoken' else: webhook_secret = await webhook_store.get_webhook_secret( webhook_uuid=webhook_uuid, user_id=user_id ) - if header_webhook_secret != webhook_secret: + if not webhook_secret or header_webhook_secret != webhook_secret: raise HTTPException(status_code=403, detail="Request signatures didn't match!") diff --git a/enterprise/tests/unit/integrations/gitlab/test_gitlab_v1_callback_processor.py b/enterprise/tests/unit/integrations/gitlab/test_gitlab_v1_callback_processor.py index edc50f1477..252d208e08 100644 --- a/enterprise/tests/unit/integrations/gitlab/test_gitlab_v1_callback_processor.py +++ b/enterprise/tests/unit/integrations/gitlab/test_gitlab_v1_callback_processor.py @@ -199,10 +199,10 @@ class TestGitlabV1CallbackProcessor: @patch('openhands.app_server.config.get_sandbox_service') @patch('openhands.app_server.config.get_httpx_client') @patch('integrations.gitlab.gitlab_v1_callback_processor.get_summary_instruction') - @patch('openhands.integrations.gitlab.gitlab_service.GitLabServiceImpl') + @patch('integrations.gitlab.gitlab_service.SaaSGitLabService') async def test_successful_callback_execution_issue( self, - mock_gitlab_service_impl, + mock_saas_gitlab_service_cls, mock_get_summary_instruction, mock_get_httpx_client, mock_get_sandbox_service, @@ -228,7 +228,7 @@ class TestGitlabV1CallbackProcessor: # GitLab service mock mock_gitlab_service = AsyncMock() - mock_gitlab_service_impl.return_value = mock_gitlab_service + mock_saas_gitlab_service_cls.return_value = mock_gitlab_service result = await gitlab_callback_processor( conversation_id=conversation_id, @@ -245,7 +245,7 @@ class TestGitlabV1CallbackProcessor: assert gitlab_callback_processor.should_request_summary is False # Verify GitLab service was called correctly for issue - mock_gitlab_service_impl.assert_called_once_with( + mock_saas_gitlab_service_cls.assert_called_once_with( external_auth_id='test_keycloak_user' ) mock_gitlab_service.reply_to_issue.assert_called_once_with( @@ -265,10 +265,10 @@ class TestGitlabV1CallbackProcessor: @patch('openhands.app_server.config.get_sandbox_service') @patch('openhands.app_server.config.get_httpx_client') @patch('integrations.gitlab.gitlab_v1_callback_processor.get_summary_instruction') - @patch('openhands.integrations.gitlab.gitlab_service.GitLabServiceImpl') + @patch('integrations.gitlab.gitlab_service.SaaSGitLabService') async def test_successful_callback_execution_mr( self, - mock_gitlab_service_impl, + mock_saas_gitlab_service_cls, mock_get_summary_instruction, mock_get_httpx_client, mock_get_sandbox_service, @@ -293,7 +293,7 @@ class TestGitlabV1CallbackProcessor: # GitLab service mock mock_gitlab_service = AsyncMock() - mock_gitlab_service_impl.return_value = mock_gitlab_service + mock_saas_gitlab_service_cls.return_value = mock_gitlab_service result = await gitlab_callback_processor_mr( conversation_id=conversation_id, @@ -326,10 +326,10 @@ class TestGitlabV1CallbackProcessor: @patch('openhands.app_server.config.get_sandbox_service') @patch('openhands.app_server.config.get_httpx_client') @patch('integrations.gitlab.gitlab_v1_callback_processor.get_summary_instruction') - @patch('openhands.integrations.gitlab.gitlab_service.GitLabServiceImpl') + @patch('integrations.gitlab.gitlab_service.SaaSGitLabService') async def test_exception_handling_posts_error_to_gitlab( self, - mock_gitlab_service_impl, + mock_saas_gitlab_service_cls, mock_get_summary_instruction, mock_get_httpx_client, mock_get_sandbox_service, @@ -355,7 +355,7 @@ class TestGitlabV1CallbackProcessor: # GitLab service mock mock_gitlab_service = AsyncMock() - mock_gitlab_service_impl.return_value = mock_gitlab_service + mock_saas_gitlab_service_cls.return_value = mock_gitlab_service result = await gitlab_callback_processor( conversation_id=conversation_id, From ab02c73c7cd2c1fbcab6012f8a8674d6c3492b1e Mon Sep 17 00:00:00 2001 From: Rohit Malhotra Date: Wed, 4 Mar 2026 13:17:21 -0500 Subject: [PATCH 33/67] Fix mypy type errors in enterprise/storage/ (#13204) Co-authored-by: openhands --- enterprise/server/routes/api_keys.py | 25 +++++-------- enterprise/storage/lite_llm_manager.py | 20 +++++------ enterprise/storage/offline_token_store.py | 6 ++-- enterprise/storage/saas_conversation_store.py | 7 ++-- enterprise/storage/saas_secrets_store.py | 4 +-- enterprise/storage/saas_settings_store.py | 36 +++++++++++-------- enterprise/storage/user_store.py | 27 +++++++------- .../tests/unit/test_lite_llm_manager.py | 11 +++--- 8 files changed, 68 insertions(+), 68 deletions(-) diff --git a/enterprise/server/routes/api_keys.py b/enterprise/server/routes/api_keys.py index a543d333e3..d5f30f87cf 100644 --- a/enterprise/server/routes/api_keys.py +++ b/enterprise/server/routes/api_keys.py @@ -66,22 +66,15 @@ async def generate_byor_key(user_id: str) -> str | None: {'type': 'byor'}, ) - if key: - logger.info( - 'Successfully generated new BYOR key', - extra={ - 'user_id': user_id, - 'key_length': len(key) if key else 0, - 'key_prefix': key[:10] + '...' if key and len(key) > 10 else key, - }, - ) - return key - else: - logger.error( - 'Failed to generate BYOR LLM API key - no key in response', - extra={'user_id': user_id}, - ) - return None + logger.info( + 'Successfully generated new BYOR key', + extra={ + 'user_id': user_id, + 'key_length': len(key), + 'key_prefix': key[:10] + '...' if len(key) > 10 else key, + }, + ) + return key except Exception as e: logger.exception( 'Error generating BYOR key', diff --git a/enterprise/storage/lite_llm_manager.py b/enterprise/storage/lite_llm_manager.py index fc45fb2271..49af669359 100644 --- a/enterprise/storage/lite_llm_manager.py +++ b/enterprise/storage/lite_llm_manager.py @@ -316,14 +316,13 @@ class LiteLlmManager: get_openhands_cloud_key_alias(keycloak_user_id, org_id), None, ) - if new_key: - logger.info( - 'LiteLlmManager:migrate_lite_llm_entries:generated_new_key', - extra={'org_id': org_id, 'user_id': keycloak_user_id}, - ) - # Update user_settings with the new key so it gets stored in org_member - user_settings.llm_api_key = SecretStr(new_key) - user_settings.llm_api_key_for_byor = SecretStr(new_key) + logger.info( + 'LiteLlmManager:migrate_lite_llm_entries:generated_new_key', + extra={'org_id': org_id, 'user_id': keycloak_user_id}, + ) + # Update user_settings with the new key so it gets stored in org_member + user_settings.llm_api_key = SecretStr(new_key) + user_settings.llm_api_key_for_byor = SecretStr(new_key) logger.info( 'LiteLlmManager:migrate_lite_llm_entries:complete', @@ -1051,10 +1050,9 @@ class LiteLlmManager: team_id: str | None, key_alias: str | None, metadata: dict | None, - ) -> str | None: + ) -> str: if LITE_LLM_API_KEY is None or LITE_LLM_API_URL is None: - logger.warning('LiteLLM API configuration not found') - return None + raise ValueError('LiteLLM API configuration not found') json_data: dict[str, Any] = { 'user_id': keycloak_user_id, 'models': [], diff --git a/enterprise/storage/offline_token_store.py b/enterprise/storage/offline_token_store.py index 5fa09fa985..28101d4e24 100644 --- a/enterprise/storage/offline_token_store.py +++ b/enterprise/storage/offline_token_store.py @@ -51,10 +51,10 @@ class OfflineTokenStore: @classmethod async def get_instance( - cls, config: OpenHandsConfig, user_id: str + cls, + config: OpenHandsConfig, + user_id: str, # type: ignore[override] ) -> OfflineTokenStore: """Get an instance of the OfflineTokenStore.""" logger.debug(f'offline_token_store.get_instance::{user_id}') - if user_id: - user_id = str(user_id) return OfflineTokenStore(user_id, config) diff --git a/enterprise/storage/saas_conversation_store.py b/enterprise/storage/saas_conversation_store.py index b8ac843e13..1c9580969e 100644 --- a/enterprise/storage/saas_conversation_store.py +++ b/enterprise/storage/saas_conversation_store.py @@ -231,11 +231,12 @@ class SaasConversationStore(ConversationStore): @classmethod async def get_instance( - cls, config: OpenHandsConfig, user_id: str | None + cls, + config: OpenHandsConfig, + user_id: str, # type: ignore[override] ) -> ConversationStore: - # user_id should not be None in SaaS, should we raise? # Use async version since callers now use asyncio.run_coroutine_threadsafe() # to dispatch to the main event loop where asyncpg connections work properly. user = await UserStore.get_user_by_id(user_id) org_id = user.current_org_id if user else None - return SaasConversationStore(str(user_id), org_id, session_maker) + return SaasConversationStore(user_id, org_id, session_maker) diff --git a/enterprise/storage/saas_secrets_store.py b/enterprise/storage/saas_secrets_store.py index 3b2820485b..aede6df419 100644 --- a/enterprise/storage/saas_secrets_store.py +++ b/enterprise/storage/saas_secrets_store.py @@ -133,9 +133,7 @@ class SaasSecretsStore(SecretsStore): async def get_instance( cls, config: OpenHandsConfig, - user_id: str | None, + user_id: str, # type: ignore[override] ) -> SaasSecretsStore: - if not user_id: - raise Exception('SaasSecretsStore cannot be constructed with no user_id') logger.debug(f'saas_secrets_store.get_instance::{user_id}') return SaasSecretsStore(user_id, config) diff --git a/enterprise/storage/saas_settings_store.py b/enterprise/storage/saas_settings_store.py index bd43fa1a7a..b2fa3cff26 100644 --- a/enterprise/storage/saas_settings_store.py +++ b/enterprise/storage/saas_settings_store.py @@ -8,6 +8,7 @@ from dataclasses import dataclass from cryptography.fernet import Fernet from pydantic import SecretStr +from server.auth.token_manager import TokenManager from server.constants import LITE_LLM_API_URL from server.logger import logger from sqlalchemy import select @@ -74,7 +75,7 @@ class SaasSettingsStore(SettingsStore): return None org_id = user.current_org_id - org_member: OrgMember = None + org_member: OrgMember | None = None for om in user.org_members: if om.org_id == org_id: org_member = om @@ -138,14 +139,26 @@ class SaasSettingsStore(SettingsStore): self.user_id, new_session ) if user_settings: - user = await UserStore.migrate_user(self.user_id, user_settings) + token_manager = TokenManager() + user_info = await token_manager.get_user_info_from_user_id( + self.user_id + ) + if not user_info: + logger.error(f'User info not found for ID {self.user_id}') + return None + user = await UserStore.migrate_user( + self.user_id, user_settings, user_info + ) + if not user: + logger.error(f'Failed to migrate user {self.user_id}') + return None else: logger.error(f'User not found for ID {self.user_id}') return None org_id = user.current_org_id - org_member: OrgMember = None + org_member: OrgMember | None = None for om in user.org_members: if om.org_id == org_id: org_member = om @@ -246,7 +259,6 @@ class SaasSettingsStore(SettingsStore): org_id, openhands_type=openhands_type, ): - generated_key = None if openhands_type: generated_key = await LiteLlmManager.generate_key( self.user_id, @@ -265,14 +277,8 @@ class SaasSettingsStore(SettingsStore): None, ) - if generated_key: - item.llm_api_key = SecretStr(generated_key) - logger.info( - 'saas_settings_store:store:generated_openhands_key', - extra={'user_id': self.user_id}, - ) - else: - logger.warning( - 'saas_settings_store:store:failed_to_generate_openhands_key', - extra={'user_id': self.user_id}, - ) + item.llm_api_key = SecretStr(generated_key) + logger.info( + 'saas_settings_store:store:generated_openhands_key', + extra={'user_id': self.user_id}, + ) diff --git a/enterprise/storage/user_store.py b/enterprise/storage/user_store.py index 4f55d8650c..f5d1c9d27a 100644 --- a/enterprise/storage/user_store.py +++ b/enterprise/storage/user_store.py @@ -1,6 +1,4 @@ -""" -Store class for managing users. -""" +"""Store class for managing users.""" import asyncio import uuid @@ -160,10 +158,7 @@ class UserStore: user_id: str, user_settings: UserSettings, user_info: dict, - ) -> User: - if not user_id or not user_settings: - return None - + ) -> User | None: kwargs = decrypt_legacy_model( [ 'llm_api_key', @@ -374,8 +369,7 @@ class UserStore: @staticmethod async def downgrade_user(user_id: str) -> UserSettings | None: - """ - This method can be removed once orgs is established - probably after Feb 15 2026 + """This method can be removed once orgs is established - probably after Feb 15 2026 Downgrade a migrated user back to the pre-migration state. This reverses the migrate_user operation: @@ -678,6 +672,12 @@ class UserStore: if user_settings: token_manager = TokenManager() user_info = await token_manager.get_user_info_from_user_id(user_id) + if not user_info: + logger.warning( + 'user_store:get_user_by_id:failed_to_get_user_info', + extra={'user_id': user_id}, + ) + return None user = await UserStore.migrate_user( user_id, user_settings, @@ -889,12 +889,14 @@ class UserStore: from openhands.storage.data_models.settings import Settings - settings = Settings(language='en', enable_proactive_conversation_starters=True) + default_settings = Settings( + language='en', enable_proactive_conversation_starters=True + ) from storage.lite_llm_manager import LiteLlmManager settings = await LiteLlmManager.create_entries( - org_id, user_id, settings, create_user + org_id, user_id, default_settings, create_user ) if not settings: logger.info( @@ -1017,8 +1019,7 @@ class UserStore: def _has_custom_settings( user_settings: UserSettings, old_user_version: int | None ) -> bool: - """ - Check if user has custom LLM settings that should be preserved. + """Check if user has custom LLM settings that should be preserved. Returns True if user customized either model or base_url. Args: diff --git a/enterprise/tests/unit/test_lite_llm_manager.py b/enterprise/tests/unit/test_lite_llm_manager.py index 9b1f53a6b0..04ca2347fc 100644 --- a/enterprise/tests/unit/test_lite_llm_manager.py +++ b/enterprise/tests/unit/test_lite_llm_manager.py @@ -1353,9 +1353,13 @@ class TestLiteLlmManager: result1 = await LiteLlmManager._get_team(mock_client, 'team_id') result2 = await LiteLlmManager._get_user(mock_client, 'user_id') - result3 = await LiteLlmManager._generate_key( - mock_client, 'user_id', 'team_id', 'alias', {} - ) + # _generate_key raises ValueError when config is missing + with pytest.raises( + ValueError, match='LiteLLM API configuration not found' + ): + await LiteLlmManager._generate_key( + mock_client, 'user_id', 'team_id', 'alias', {} + ) result4 = await LiteLlmManager._get_user_team_info( mock_client, 'user_id', 'team_id' ) @@ -1366,7 +1370,6 @@ class TestLiteLlmManager: # Methods that return None when config is missing assert result1 is None assert result2 is None - assert result3 is None assert result4 is None assert result5 is None From 3bf019b045be183a6d3f6e290e2f80f43db2f95a Mon Sep 17 00:00:00 2001 From: Rohit Malhotra Date: Wed, 4 Mar 2026 13:19:01 -0500 Subject: [PATCH 34/67] Fix mypy type errors in enterprise/server/auth and clustered_conversation_manager (#13210) Co-authored-by: openhands --- enterprise/server/auth/saas_user_auth.py | 8 +++----- enterprise/server/clustered_conversation_manager.py | 3 +++ 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/enterprise/server/auth/saas_user_auth.py b/enterprise/server/auth/saas_user_auth.py index 8064c70cbd..216486b493 100644 --- a/enterprise/server/auth/saas_user_auth.py +++ b/enterprise/server/auth/saas_user_auth.py @@ -119,13 +119,12 @@ class SaasUserAuth(UserAuth): self._settings = settings return settings - async def get_secrets_store(self): + async def get_secrets_store(self) -> SaasSecretsStore: logger.debug('saas_user_auth_get_secrets_store') secrets_store = self.secrets_store if secrets_store: return secrets_store - user_id = await self.get_user_id() - secrets_store = SaasSecretsStore(user_id, get_config()) + secrets_store = SaasSecretsStore(self.user_id, get_config()) self.secrets_store = secrets_store return secrets_store @@ -211,8 +210,7 @@ class SaasUserAuth(UserAuth): settings_store = self.settings_store if settings_store: return settings_store - user_id = await self.get_user_id() - settings_store = SaasSettingsStore(user_id, get_config()) + settings_store = SaasSettingsStore(self.user_id, get_config()) self.settings_store = settings_store return settings_store diff --git a/enterprise/server/clustered_conversation_manager.py b/enterprise/server/clustered_conversation_manager.py index b8b6e04b63..ee10e37246 100644 --- a/enterprise/server/clustered_conversation_manager.py +++ b/enterprise/server/clustered_conversation_manager.py @@ -749,6 +749,9 @@ class ClusteredConversationManager(StandaloneConversationManager): config = load_openhands_config() settings_store = await SaasSettingsStore.get_instance(config, user_id) settings = await settings_store.load() + if not settings: + logger.error(f'Failed to load settings for user {user_id}') + return await self.maybe_start_agent_loop(conversation_id, settings, user_id) async def _start_agent_loop( From 30245dedef7c7db23dc6942fedea7e848bf6ed26 Mon Sep 17 00:00:00 2001 From: Rohit Malhotra Date: Wed, 4 Mar 2026 13:19:48 -0500 Subject: [PATCH 35/67] Fix mypy type errors in enterprise/integrations/github/github_manager.py (#13208) Co-authored-by: openhands --- .../integrations/github/github_manager.py | 17 ++++++----------- 1 file changed, 6 insertions(+), 11 deletions(-) diff --git a/enterprise/integrations/github/github_manager.py b/enterprise/integrations/github/github_manager.py index e118a5848b..ae482f617b 100644 --- a/enterprise/integrations/github/github_manager.py +++ b/enterprise/integrations/github/github_manager.py @@ -68,11 +68,8 @@ class GithubManager(Manager[GithubViewType]): return f'{owner}/{repo_name}' - def _get_installation_access_token(self, installation_id: str) -> str: - # get_access_token is typed to only accept int, but it can handle str. - token_data = self.github_integration.get_access_token( - installation_id # type: ignore[arg-type] - ) + def _get_installation_access_token(self, installation_id: int) -> str: + token_data = self.github_integration.get_access_token(installation_id) return token_data.token def _add_reaction( @@ -282,14 +279,14 @@ class GithubManager(Manager[GithubViewType]): self._add_reaction(github_view, 'eyes', installation_token) await self.start_job(github_view) - async def send_message(self, message: str, github_view: ResolverViewInterface): + async def send_message(self, message: str, github_view: GithubViewType): """Send a message to GitHub. Args: message: The message content to send (plain text string) github_view: The GitHub view object containing issue/PR/comment info """ - installation_token = self.token_manager.load_org_token( + installation_token = await self.token_manager.load_org_token( github_view.installation_id ) if not installation_token: @@ -304,10 +301,8 @@ class GithubManager(Manager[GithubViewType]): comment_id=github_view.comment_id, body=message ) - elif ( - isinstance(github_view, GithubPRComment) - or isinstance(github_view, GithubIssueComment) - or isinstance(github_view, GithubIssue) + elif isinstance( + github_view, (GithubPRComment, GithubIssueComment, GithubIssue) ): with Github(auth=Auth.Token(installation_token)) as github_client: repo = github_client.get_repo(github_view.full_repo_name) From 6e9e906946cdc61e6d28a2520372ff67606a528d Mon Sep 17 00:00:00 2001 From: Rohit Malhotra Date: Wed, 4 Mar 2026 13:20:25 -0500 Subject: [PATCH 36/67] Remove dead test code for non-existent update_common_room_signal function (#13211) Co-authored-by: openhands --- enterprise/sync/test_common_room_sync.py | 76 ------------------------ 1 file changed, 76 deletions(-) diff --git a/enterprise/sync/test_common_room_sync.py b/enterprise/sync/test_common_room_sync.py index d000f8da34..3670ddf286 100755 --- a/enterprise/sync/test_common_room_sync.py +++ b/enterprise/sync/test_common_room_sync.py @@ -7,17 +7,13 @@ without making any API calls to Common Room or database connections. """ import os - -# Import the module to test import sys import unittest from unittest.mock import MagicMock, patch sys.path.append(os.path.dirname(os.path.dirname(os.path.abspath(__file__)))) from sync.common_room_sync import ( - CommonRoomAPIError, retry_with_backoff, - update_common_room_signal, ) @@ -50,78 +46,6 @@ class TestCommonRoomSync(unittest.TestCase): # Check that the function returned the expected result self.assertEqual(result, 'success') - @patch('sync.common_room_sync.requests.post') - @patch('sync.common_room_sync.COMMON_ROOM_API_KEY', 'test_api_key') - @patch( - 'sync.common_room_sync.COMMON_ROOM_DESTINATION_SOURCE_ID', - 'test_source_id', - ) - def test_update_common_room_signal(self, mock_post): - """Test the update_common_room_signal function.""" - # Mock successful API responses - mock_user_response = MagicMock() - mock_user_response.status_code = 200 - mock_user_response.json.return_value = {'id': 'user123'} - - mock_activity_response = MagicMock() - mock_activity_response.status_code = 200 - mock_activity_response.json.return_value = {'id': 'activity123'} - - mock_post.side_effect = [mock_user_response, mock_activity_response] - - # Call the function - result = update_common_room_signal( - user_id='user123', - email='user@example.com', - github_username='user123', - conversation_count=5, - ) - - # Check that the function made the expected API calls - self.assertEqual(mock_post.call_count, 2) - - # Check the first call (user creation) - args1, kwargs1 = mock_post.call_args_list[0] - self.assertIn('/source/test_source_id/user', args1[0]) - self.assertEqual(kwargs1['headers']['Authorization'], 'Bearer test_api_key') - self.assertEqual(kwargs1['json']['id'], 'user123') - self.assertEqual(kwargs1['json']['email'], 'user@example.com') - - # Check the second call (activity creation) - args2, kwargs2 = mock_post.call_args_list[1] - self.assertIn('/source/test_source_id/activity', args2[0]) - self.assertEqual(kwargs2['headers']['Authorization'], 'Bearer test_api_key') - self.assertEqual(kwargs2['json']['user']['id'], 'user123') - self.assertEqual( - kwargs2['json']['content']['value'], 'User has created 5 conversations' - ) - - # Check the return value - self.assertEqual(result, {'id': 'activity123'}) - - @patch('sync.common_room_sync.requests.post') - @patch('sync.common_room_sync.COMMON_ROOM_API_KEY', 'test_api_key') - @patch( - 'sync.common_room_sync.COMMON_ROOM_DESTINATION_SOURCE_ID', - 'test_source_id', - ) - def test_update_common_room_signal_error(self, mock_post): - """Test error handling in update_common_room_signal function.""" - # Mock failed API response - mock_response = MagicMock() - mock_response.status_code = 400 - mock_response.text = 'Bad Request' - mock_post.return_value = mock_response - - # Call the function and check that it raises the expected exception - with self.assertRaises(CommonRoomAPIError): - update_common_room_signal( - user_id='user123', - email='user@example.com', - github_username='user123', - conversation_count=5, - ) - if __name__ == '__main__': unittest.main() From 6f8bf24226363b6d0e8545977af914491f6f0c6d Mon Sep 17 00:00:00 2001 From: Hiep Le <69354317+hieptl@users.noreply.github.com> Date: Thu, 5 Mar 2026 01:24:06 +0700 Subject: [PATCH 37/67] feat: hide the users, billing, and integration pages for self-hosted customers (#13199) --- .../chat/expandable-message.test.tsx | 3 + .../features/payment/payment-form.test.tsx | 3 + .../features/sidebar/sidebar.test.tsx | 3 + frontend/__tests__/helpers/mock-config.ts | 3 + .../hooks/use-settings-nav-items.test.tsx | 183 +++++++ frontend/__tests__/routes/_oh.test.tsx | 12 + .../__tests__/routes/git-settings.test.tsx | 6 + .../__tests__/routes/home-screen.test.tsx | 3 + .../__tests__/routes/llm-settings.test.tsx | 3 + frontend/__tests__/routes/login.test.tsx | 12 + .../routes/root-layout-refetch.test.tsx | 3 + .../__tests__/routes/root-layout.test.tsx | 3 + .../routes/settings-with-payment.test.tsx | 9 + frontend/__tests__/routes/settings.test.tsx | 490 +++++++++++++++++- .../src/api/option-service/option.types.ts | 3 + frontend/src/hooks/use-settings-nav-items.ts | 7 +- frontend/src/mocks/settings-handlers.ts | 3 + frontend/src/routes/settings.tsx | 81 ++- .../default_web_client_config_injector.py | 8 +- .../web_client/web_client_models.py | 3 + 20 files changed, 808 insertions(+), 33 deletions(-) diff --git a/frontend/__tests__/components/chat/expandable-message.test.tsx b/frontend/__tests__/components/chat/expandable-message.test.tsx index fcabd84d94..d55e926450 100644 --- a/frontend/__tests__/components/chat/expandable-message.test.tsx +++ b/frontend/__tests__/components/chat/expandable-message.test.tsx @@ -122,6 +122,9 @@ describe("ExpandableMessage", () => { enable_jira: false, enable_jira_dc: false, enable_linear: false, + hide_users_page: false, + hide_billing_page: false, + hide_integrations_page: false, }, }); const RouterStub = createRoutesStub([ diff --git a/frontend/__tests__/components/features/payment/payment-form.test.tsx b/frontend/__tests__/components/features/payment/payment-form.test.tsx index 7b54876d2c..48979d3c52 100644 --- a/frontend/__tests__/components/features/payment/payment-form.test.tsx +++ b/frontend/__tests__/components/features/payment/payment-form.test.tsx @@ -38,6 +38,9 @@ describe("PaymentForm", () => { enable_jira: false, enable_jira_dc: false, enable_linear: false, + hide_users_page: false, + hide_billing_page: false, + hide_integrations_page: false, }, }); }); diff --git a/frontend/__tests__/components/features/sidebar/sidebar.test.tsx b/frontend/__tests__/components/features/sidebar/sidebar.test.tsx index daacfe02e2..b83abbfeae 100644 --- a/frontend/__tests__/components/features/sidebar/sidebar.test.tsx +++ b/frontend/__tests__/components/features/sidebar/sidebar.test.tsx @@ -27,6 +27,9 @@ const createMockConfig = ( enable_jira: false, enable_jira_dc: false, enable_linear: false, + hide_users_page: false, + hide_billing_page: false, + hide_integrations_page: false, ...featureFlagOverrides, }, providers_configured: [], diff --git a/frontend/__tests__/helpers/mock-config.ts b/frontend/__tests__/helpers/mock-config.ts index fa0b03b96d..36141a4773 100644 --- a/frontend/__tests__/helpers/mock-config.ts +++ b/frontend/__tests__/helpers/mock-config.ts @@ -15,6 +15,9 @@ export const createMockWebClientConfig = ( enable_jira: false, enable_jira_dc: false, enable_linear: false, + hide_users_page: false, + hide_billing_page: false, + hide_integrations_page: false, ...overrides.feature_flags, }, providers_configured: [], diff --git a/frontend/__tests__/hooks/use-settings-nav-items.test.tsx b/frontend/__tests__/hooks/use-settings-nav-items.test.tsx index a5bf00d14f..43205ff9d5 100644 --- a/frontend/__tests__/hooks/use-settings-nav-items.test.tsx +++ b/frontend/__tests__/hooks/use-settings-nav-items.test.tsx @@ -4,6 +4,7 @@ import { describe, it, expect, vi, beforeEach } from "vitest"; import { SAAS_NAV_ITEMS, OSS_NAV_ITEMS } from "#/constants/settings-nav"; import OptionService from "#/api/option-service/option-service.api"; import { useSettingsNavItems } from "#/hooks/use-settings-nav-items"; +import { WebClientFeatureFlags } from "#/api/option-service/option.types"; const queryClient = new QueryClient(); const wrapper = ({ children }: { children: React.ReactNode }) => ( @@ -17,6 +18,26 @@ const mockConfig = (appMode: "saas" | "oss", hideLlmSettings = false) => { } as Awaited>); }; +const mockConfigWithFeatureFlags = ( + appMode: "saas" | "oss", + featureFlags: Partial, +) => { + vi.spyOn(OptionService, "getConfig").mockResolvedValue({ + app_mode: appMode, + feature_flags: { + enable_billing: false, + hide_llm_settings: false, + enable_jira: false, + enable_jira_dc: false, + enable_linear: false, + hide_users_page: false, + hide_billing_page: false, + hide_integrations_page: false, + ...featureFlags, + }, + } as Awaited>); +}; + describe("useSettingsNavItems", () => { beforeEach(() => { queryClient.clear(); @@ -50,4 +71,166 @@ describe("useSettingsNavItems", () => { ).toBeUndefined(); }); }); + + describe("hide page feature flags", () => { + it("should filter out '/settings/user' when hide_users_page is true", async () => { + mockConfigWithFeatureFlags("saas", { hide_users_page: true }); + const { result } = renderHook(() => useSettingsNavItems(), { wrapper }); + + await waitFor(() => { + expect( + result.current.find((item) => item.to === "/settings/user"), + ).toBeUndefined(); + // Other pages should still be present + expect( + result.current.find((item) => item.to === "/settings/integrations"), + ).toBeDefined(); + expect( + result.current.find((item) => item.to === "/settings/billing"), + ).toBeDefined(); + }); + }); + + it("should filter out '/settings/billing' when hide_billing_page is true", async () => { + mockConfigWithFeatureFlags("saas", { hide_billing_page: true }); + const { result } = renderHook(() => useSettingsNavItems(), { wrapper }); + + await waitFor(() => { + expect( + result.current.find((item) => item.to === "/settings/billing"), + ).toBeUndefined(); + // Other pages should still be present + expect( + result.current.find((item) => item.to === "/settings/user"), + ).toBeDefined(); + expect( + result.current.find((item) => item.to === "/settings/integrations"), + ).toBeDefined(); + }); + }); + + it("should filter out '/settings/integrations' when hide_integrations_page is true", async () => { + mockConfigWithFeatureFlags("saas", { hide_integrations_page: true }); + const { result } = renderHook(() => useSettingsNavItems(), { wrapper }); + + await waitFor(() => { + expect( + result.current.find((item) => item.to === "/settings/integrations"), + ).toBeUndefined(); + // Other pages should still be present + expect( + result.current.find((item) => item.to === "/settings/user"), + ).toBeDefined(); + expect( + result.current.find((item) => item.to === "/settings/billing"), + ).toBeDefined(); + }); + }); + + it("should filter out multiple pages when multiple flags are true", async () => { + mockConfigWithFeatureFlags("saas", { + hide_users_page: true, + hide_billing_page: true, + hide_integrations_page: true, + }); + const { result } = renderHook(() => useSettingsNavItems(), { wrapper }); + + await waitFor(() => { + expect( + result.current.find((item) => item.to === "/settings/user"), + ).toBeUndefined(); + expect( + result.current.find((item) => item.to === "/settings/billing"), + ).toBeUndefined(); + expect( + result.current.find((item) => item.to === "/settings/integrations"), + ).toBeUndefined(); + // Non-hidden pages should still be present + expect( + result.current.find((item) => item.to === "/settings"), + ).toBeDefined(); + expect( + result.current.find((item) => item.to === "/settings/app"), + ).toBeDefined(); + expect( + result.current.find((item) => item.to === "/settings/secrets"), + ).toBeDefined(); + expect( + result.current.find((item) => item.to === "/settings/mcp"), + ).toBeDefined(); + }); + }); + + it("should keep all pages visible when no hide flags are set", async () => { + mockConfigWithFeatureFlags("saas", {}); + const { result } = renderHook(() => useSettingsNavItems(), { wrapper }); + + await waitFor(() => { + // All SAAS pages should be present + expect( + result.current.find((item) => item.to === "/settings/user"), + ).toBeDefined(); + expect( + result.current.find((item) => item.to === "/settings/billing"), + ).toBeDefined(); + expect( + result.current.find((item) => item.to === "/settings/integrations"), + ).toBeDefined(); + expect( + result.current.find((item) => item.to === "/settings"), + ).toBeDefined(); + expect( + result.current.find((item) => item.to === "/settings/app"), + ).toBeDefined(); + }); + }); + + it("should filter out '/settings/integrations' in OSS mode when hide_integrations_page is true", async () => { + mockConfigWithFeatureFlags("oss", { hide_integrations_page: true }); + const { result } = renderHook(() => useSettingsNavItems(), { wrapper }); + + await waitFor(() => { + expect( + result.current.find((item) => item.to === "/settings/integrations"), + ).toBeUndefined(); + // Other OSS pages should still be present + expect( + result.current.find((item) => item.to === "/settings"), + ).toBeDefined(); + expect( + result.current.find((item) => item.to === "/settings/mcp"), + ).toBeDefined(); + expect( + result.current.find((item) => item.to === "/settings/app"), + ).toBeDefined(); + }); + }); + + it("should filter out both LLM and integrations when both flags are true in OSS mode", async () => { + mockConfigWithFeatureFlags("oss", { + hide_llm_settings: true, + hide_integrations_page: true, + }); + const { result } = renderHook(() => useSettingsNavItems(), { wrapper }); + + await waitFor(() => { + expect( + result.current.find((item) => item.to === "/settings"), + ).toBeUndefined(); + expect( + result.current.find((item) => item.to === "/settings/integrations"), + ).toBeUndefined(); + // Other OSS pages should still be present + expect( + result.current.find((item) => item.to === "/settings/mcp"), + ).toBeDefined(); + expect( + result.current.find((item) => item.to === "/settings/app"), + ).toBeDefined(); + expect( + result.current.find((item) => item.to === "/settings/secrets"), + ).toBeDefined(); + }); + }); + }); }); diff --git a/frontend/__tests__/routes/_oh.test.tsx b/frontend/__tests__/routes/_oh.test.tsx index 6d441012d9..c12f278356 100644 --- a/frontend/__tests__/routes/_oh.test.tsx +++ b/frontend/__tests__/routes/_oh.test.tsx @@ -22,6 +22,9 @@ describe("frontend/routes/_oh", () => { enable_jira: false, enable_jira_dc: false, enable_linear: false, + hide_users_page: false, + hide_billing_page: false, + hide_integrations_page: false, }; return { @@ -139,6 +142,9 @@ describe("frontend/routes/_oh", () => { enable_jira: false, enable_jira_dc: false, enable_linear: false, + hide_users_page: false, + hide_billing_page: false, + hide_integrations_page: false, }, }); @@ -177,6 +183,9 @@ describe("frontend/routes/_oh", () => { enable_jira: false, enable_jira_dc: false, enable_linear: false, + hide_users_page: false, + hide_billing_page: false, + hide_integrations_page: false, }, }); useConfigMock.mockReturnValue({ @@ -265,6 +274,9 @@ describe("frontend/routes/_oh", () => { enable_jira: false, enable_jira_dc: false, enable_linear: false, + hide_users_page: false, + hide_billing_page: false, + hide_integrations_page: false, }, }); useConfigMock.mockReturnValue({ diff --git a/frontend/__tests__/routes/git-settings.test.tsx b/frontend/__tests__/routes/git-settings.test.tsx index 2f903aa3a2..0766790579 100644 --- a/frontend/__tests__/routes/git-settings.test.tsx +++ b/frontend/__tests__/routes/git-settings.test.tsx @@ -24,6 +24,9 @@ const VALID_OSS_CONFIG: WebClientConfig = { enable_jira: false, enable_jira_dc: false, enable_linear: false, + hide_users_page: false, + hide_billing_page: false, + hide_integrations_page: false, }, providers_configured: [], maintenance_start_time: null, @@ -44,6 +47,9 @@ const VALID_SAAS_CONFIG: WebClientConfig = { enable_jira: false, enable_jira_dc: false, enable_linear: false, + hide_users_page: false, + hide_billing_page: false, + hide_integrations_page: false, }, providers_configured: [], maintenance_start_time: null, diff --git a/frontend/__tests__/routes/home-screen.test.tsx b/frontend/__tests__/routes/home-screen.test.tsx index b3f037989f..df672c6343 100644 --- a/frontend/__tests__/routes/home-screen.test.tsx +++ b/frontend/__tests__/routes/home-screen.test.tsx @@ -21,6 +21,9 @@ const { DEFAULT_FEATURE_FLAGS, useIsAuthedMock, useConfigMock } = vi.hoisted( enable_jira: false, enable_jira_dc: false, enable_linear: false, + hide_users_page: false, + hide_billing_page: false, + hide_integrations_page: false, }; return { diff --git a/frontend/__tests__/routes/llm-settings.test.tsx b/frontend/__tests__/routes/llm-settings.test.tsx index 77ac4122c9..82d2085fe8 100644 --- a/frontend/__tests__/routes/llm-settings.test.tsx +++ b/frontend/__tests__/routes/llm-settings.test.tsx @@ -1020,6 +1020,9 @@ describe("View persistence after saving advanced settings", () => { enable_jira: false, enable_jira_dc: false, enable_linear: false, + hide_users_page: false, + hide_billing_page: false, + hide_integrations_page: false, }, }); diff --git a/frontend/__tests__/routes/login.test.tsx b/frontend/__tests__/routes/login.test.tsx index 2b63a8c98e..35751a591e 100644 --- a/frontend/__tests__/routes/login.test.tsx +++ b/frontend/__tests__/routes/login.test.tsx @@ -115,6 +115,9 @@ describe("LoginPage", () => { enable_jira: false, enable_jira_dc: false, enable_linear: false, + hide_users_page: false, + hide_billing_page: false, + hide_integrations_page: false, }, }); @@ -179,6 +182,9 @@ describe("LoginPage", () => { enable_jira: false, enable_jira_dc: false, enable_linear: false, + hide_users_page: false, + hide_billing_page: false, + hide_integrations_page: false, }, }); @@ -215,6 +221,9 @@ describe("LoginPage", () => { enable_jira: false, enable_jira_dc: false, enable_linear: false, + hide_users_page: false, + hide_billing_page: false, + hide_integrations_page: false, }, }); @@ -349,6 +358,9 @@ describe("LoginPage", () => { enable_jira: false, enable_jira_dc: false, enable_linear: false, + hide_users_page: false, + hide_billing_page: false, + hide_integrations_page: false, }, }); diff --git a/frontend/__tests__/routes/root-layout-refetch.test.tsx b/frontend/__tests__/routes/root-layout-refetch.test.tsx index 3ab626d66e..cfbc640275 100644 --- a/frontend/__tests__/routes/root-layout-refetch.test.tsx +++ b/frontend/__tests__/routes/root-layout-refetch.test.tsx @@ -26,6 +26,9 @@ const DEFAULT_FEATURE_FLAGS = { enable_jira: false, enable_jira_dc: false, enable_linear: false, + hide_users_page: false, + hide_billing_page: false, + hide_integrations_page: false, }; const RouterStub = createRoutesStub([ diff --git a/frontend/__tests__/routes/root-layout.test.tsx b/frontend/__tests__/routes/root-layout.test.tsx index 107841c71d..0183553534 100644 --- a/frontend/__tests__/routes/root-layout.test.tsx +++ b/frontend/__tests__/routes/root-layout.test.tsx @@ -181,6 +181,9 @@ describe("MainApp", () => { enable_jira: false, enable_jira_dc: false, enable_linear: false, + hide_users_page: false, + hide_billing_page: false, + hide_integrations_page: false, }, }); diff --git a/frontend/__tests__/routes/settings-with-payment.test.tsx b/frontend/__tests__/routes/settings-with-payment.test.tsx index cec3a0a67c..0131b86d43 100644 --- a/frontend/__tests__/routes/settings-with-payment.test.tsx +++ b/frontend/__tests__/routes/settings-with-payment.test.tsx @@ -73,6 +73,9 @@ describe("Settings Billing", () => { enable_jira: false, enable_jira_dc: false, enable_linear: false, + hide_users_page: false, + hide_billing_page: false, + hide_integrations_page: false, }, }, isLoading: false, @@ -128,6 +131,9 @@ describe("Settings Billing", () => { enable_jira: false, enable_jira_dc: false, enable_linear: false, + hide_users_page: false, + hide_billing_page: false, + hide_integrations_page: false, }, }, isLoading: false, @@ -152,6 +158,9 @@ describe("Settings Billing", () => { enable_jira: false, enable_jira_dc: false, enable_linear: false, + hide_users_page: false, + hide_billing_page: false, + hide_integrations_page: false, }, }, isLoading: false, diff --git a/frontend/__tests__/routes/settings.test.tsx b/frontend/__tests__/routes/settings.test.tsx index ec2cf0974c..c39f389c3c 100644 --- a/frontend/__tests__/routes/settings.test.tsx +++ b/frontend/__tests__/routes/settings.test.tsx @@ -1,9 +1,30 @@ import { render, screen, within } from "@testing-library/react"; import { createRoutesStub } from "react-router"; -import { describe, expect, it, vi } from "vitest"; +import { beforeEach, describe, expect, it, vi } from "vitest"; import { QueryClientProvider } from "@tanstack/react-query"; -import SettingsScreen, { clientLoader } from "#/routes/settings"; +import SettingsScreen, { + clientLoader, + getFirstAvailablePath, +} from "#/routes/settings"; import OptionService from "#/api/option-service/option-service.api"; +import { WebClientFeatureFlags } from "#/api/option-service/option.types"; + +// Module-level mocks using vi.hoisted +const { handleLogoutMock, mockQueryClient } = vi.hoisted(() => ({ + handleLogoutMock: vi.fn(), + mockQueryClient: (() => { + const { QueryClient } = require("@tanstack/react-query"); + return new QueryClient(); + })(), +})); + +vi.mock("#/hooks/use-app-logout", () => ({ + useAppLogout: vi.fn().mockReturnValue({ handleLogout: handleLogoutMock }), +})); + +vi.mock("#/query-client-config", () => ({ + queryClient: mockQueryClient, +})); // Mock the i18next hook vi.mock("react-i18next", async () => { @@ -22,7 +43,9 @@ vi.mock("react-i18next", async () => { SETTINGS$NAV_SECRETS: "Secrets", SETTINGS$NAV_MCP: "MCP", SETTINGS$NAV_USER: "User", + SETTINGS$NAV_BILLING: "Billing", SETTINGS$TITLE: "Settings", + COMMON$LANGUAGE_MODEL_LLM: "LLM", }; return translations[key] || key; }, @@ -34,22 +57,6 @@ vi.mock("react-i18next", async () => { }); describe("Settings Screen", () => { - const { handleLogoutMock, mockQueryClient } = vi.hoisted(() => ({ - handleLogoutMock: vi.fn(), - mockQueryClient: (() => { - const { QueryClient } = require("@tanstack/react-query"); - return new QueryClient(); - })(), - })); - - vi.mock("#/hooks/use-app-logout", () => ({ - useAppLogout: vi.fn().mockReturnValue({ handleLogout: handleLogoutMock }), - })); - - vi.mock("#/query-client-config", () => ({ - queryClient: mockQueryClient, - })); - const RouterStub = createRoutesStub([ { Component: SettingsScreen, @@ -192,4 +199,451 @@ describe("Settings Screen", () => { }); it.todo("should not be able to access oss-only routes in saas mode"); + + describe("hide page feature flags", () => { + it("should hide users page in navbar when hide_users_page is true", async () => { + const saasConfig = { + app_mode: "saas", + feature_flags: { + enable_billing: false, + hide_llm_settings: false, + enable_jira: false, + enable_jira_dc: false, + enable_linear: false, + hide_users_page: true, + hide_billing_page: false, + hide_integrations_page: false, + }, + }; + + mockQueryClient.clear(); + mockQueryClient.setQueryData(["web-client-config"], saasConfig); + + renderSettingsScreen(); + + const navbar = await screen.findByTestId("settings-navbar"); + expect( + within(navbar).queryByText("User", { exact: false }), + ).not.toBeInTheDocument(); + // Other pages should still be visible + expect( + within(navbar).getByText("Integrations", { exact: false }), + ).toBeInTheDocument(); + expect( + within(navbar).getByText("Billing", { exact: false }), + ).toBeInTheDocument(); + }); + + it("should hide billing page in navbar when hide_billing_page is true", async () => { + const saasConfig = { + app_mode: "saas", + feature_flags: { + enable_billing: false, + hide_llm_settings: false, + enable_jira: false, + enable_jira_dc: false, + enable_linear: false, + hide_users_page: false, + hide_billing_page: true, + hide_integrations_page: false, + }, + }; + + mockQueryClient.clear(); + mockQueryClient.setQueryData(["web-client-config"], saasConfig); + + renderSettingsScreen(); + + const navbar = await screen.findByTestId("settings-navbar"); + expect( + within(navbar).queryByText("Billing", { exact: false }), + ).not.toBeInTheDocument(); + // Other pages should still be visible + expect( + within(navbar).getByText("User", { exact: false }), + ).toBeInTheDocument(); + expect( + within(navbar).getByText("Integrations", { exact: false }), + ).toBeInTheDocument(); + }); + + it("should hide integrations page in navbar when hide_integrations_page is true", async () => { + const saasConfig = { + app_mode: "saas", + feature_flags: { + enable_billing: false, + hide_llm_settings: false, + enable_jira: false, + enable_jira_dc: false, + enable_linear: false, + hide_users_page: false, + hide_billing_page: false, + hide_integrations_page: true, + }, + }; + + mockQueryClient.clear(); + mockQueryClient.setQueryData(["web-client-config"], saasConfig); + + renderSettingsScreen(); + + const navbar = await screen.findByTestId("settings-navbar"); + expect( + within(navbar).queryByText("Integrations", { exact: false }), + ).not.toBeInTheDocument(); + // Other pages should still be visible + expect( + within(navbar).getByText("User", { exact: false }), + ).toBeInTheDocument(); + expect( + within(navbar).getByText("Billing", { exact: false }), + ).toBeInTheDocument(); + }); + + it("should hide multiple pages when multiple flags are true", async () => { + const saasConfig = { + app_mode: "saas", + feature_flags: { + enable_billing: false, + hide_llm_settings: false, + enable_jira: false, + enable_jira_dc: false, + enable_linear: false, + hide_users_page: true, + hide_billing_page: true, + hide_integrations_page: true, + }, + }; + + mockQueryClient.clear(); + mockQueryClient.setQueryData(["web-client-config"], saasConfig); + + renderSettingsScreen(); + + const navbar = await screen.findByTestId("settings-navbar"); + expect( + within(navbar).queryByText("User", { exact: false }), + ).not.toBeInTheDocument(); + expect( + within(navbar).queryByText("Billing", { exact: false }), + ).not.toBeInTheDocument(); + expect( + within(navbar).queryByText("Integrations", { exact: false }), + ).not.toBeInTheDocument(); + // Other pages should still be visible + expect( + within(navbar).getByText("Application", { exact: false }), + ).toBeInTheDocument(); + expect( + within(navbar).getByText("LLM", { exact: false }), + ).toBeInTheDocument(); + }); + + it("should hide integrations page in OSS mode when hide_integrations_page is true", async () => { + const ossConfig = { + app_mode: "oss", + feature_flags: { + enable_billing: false, + hide_llm_settings: false, + enable_jira: false, + enable_jira_dc: false, + enable_linear: false, + hide_users_page: false, + hide_billing_page: false, + hide_integrations_page: true, + }, + }; + + mockQueryClient.clear(); + mockQueryClient.setQueryData(["web-client-config"], ossConfig); + + renderSettingsScreen(); + + const navbar = await screen.findByTestId("settings-navbar"); + expect( + within(navbar).queryByText("Integrations", { exact: false }), + ).not.toBeInTheDocument(); + // Other OSS pages should still be visible + expect( + within(navbar).getByText("LLM", { exact: false }), + ).toBeInTheDocument(); + expect( + within(navbar).getByText("Application", { exact: false }), + ).toBeInTheDocument(); + }); + }); +}); + +describe("getFirstAvailablePath", () => { + const baseFeatureFlags: WebClientFeatureFlags = { + enable_billing: false, + hide_llm_settings: false, + enable_jira: false, + enable_jira_dc: false, + enable_linear: false, + hide_users_page: false, + hide_billing_page: false, + hide_integrations_page: false, + }; + + describe("SaaS mode", () => { + it("should return /settings/user when no pages are hidden", () => { + const result = getFirstAvailablePath(true, baseFeatureFlags); + expect(result).toBe("/settings/user"); + }); + + it("should return /settings/integrations when users page is hidden", () => { + const flags = { ...baseFeatureFlags, hide_users_page: true }; + const result = getFirstAvailablePath(true, flags); + expect(result).toBe("/settings/integrations"); + }); + + it("should return /settings/app when users and integrations are hidden", () => { + const flags = { + ...baseFeatureFlags, + hide_users_page: true, + hide_integrations_page: true, + }; + const result = getFirstAvailablePath(true, flags); + expect(result).toBe("/settings/app"); + }); + + it("should return /settings/app when users, integrations, and LLM settings are hidden", () => { + const flags = { + ...baseFeatureFlags, + hide_users_page: true, + hide_integrations_page: true, + hide_llm_settings: true, + }; + const result = getFirstAvailablePath(true, flags); + expect(result).toBe("/settings/app"); + }); + + it("should return /settings/app when users, integrations, LLM, and billing are hidden", () => { + const flags = { + ...baseFeatureFlags, + hide_users_page: true, + hide_integrations_page: true, + hide_llm_settings: true, + hide_billing_page: true, + }; + // /settings/app is never hidden, so it should return that + const result = getFirstAvailablePath(true, flags); + expect(result).toBe("/settings/app"); + }); + + it("should handle undefined feature flags", () => { + const result = getFirstAvailablePath(true, undefined); + expect(result).toBe("/settings/user"); + }); + }); + + describe("OSS mode", () => { + it("should return /settings when no pages are hidden", () => { + const result = getFirstAvailablePath(false, baseFeatureFlags); + expect(result).toBe("/settings"); + }); + + it("should return /settings/mcp when LLM settings is hidden", () => { + const flags = { ...baseFeatureFlags, hide_llm_settings: true }; + const result = getFirstAvailablePath(false, flags); + expect(result).toBe("/settings/mcp"); + }); + + it("should return /settings/mcp when LLM settings and integrations are hidden", () => { + const flags = { + ...baseFeatureFlags, + hide_llm_settings: true, + hide_integrations_page: true, + }; + const result = getFirstAvailablePath(false, flags); + expect(result).toBe("/settings/mcp"); + }); + + it("should handle undefined feature flags", () => { + const result = getFirstAvailablePath(false, undefined); + expect(result).toBe("/settings"); + }); + }); +}); + +describe("clientLoader redirect behavior", () => { + const createMockRequest = (pathname: string) => ({ + request: new Request(`http://localhost${pathname}`), + }); + + beforeEach(() => { + mockQueryClient.clear(); + }); + + it("should redirect from /settings/user to first available page when hide_users_page is true", async () => { + const config = { + app_mode: "saas", + feature_flags: { + enable_billing: false, + hide_llm_settings: false, + enable_jira: false, + enable_jira_dc: false, + enable_linear: false, + hide_users_page: true, + hide_billing_page: false, + hide_integrations_page: false, + }, + }; + mockQueryClient.setQueryData(["web-client-config"], config); + + const result = await clientLoader( + createMockRequest("/settings/user") as any, + ); + + expect(result).toBeDefined(); + expect(result?.status).toBe(302); + expect(result?.headers.get("Location")).toBe("/settings/integrations"); + }); + + it("should redirect from /settings/billing to first available page when hide_billing_page is true", async () => { + const config = { + app_mode: "saas", + feature_flags: { + enable_billing: false, + hide_llm_settings: false, + enable_jira: false, + enable_jira_dc: false, + enable_linear: false, + hide_users_page: false, + hide_billing_page: true, + hide_integrations_page: false, + }, + }; + mockQueryClient.setQueryData(["web-client-config"], config); + + const result = await clientLoader( + createMockRequest("/settings/billing") as any, + ); + + expect(result).toBeDefined(); + expect(result?.status).toBe(302); + expect(result?.headers.get("Location")).toBe("/settings/user"); + }); + + it("should redirect from /settings/integrations to first available page when hide_integrations_page is true", async () => { + const config = { + app_mode: "saas", + feature_flags: { + enable_billing: false, + hide_llm_settings: false, + enable_jira: false, + enable_jira_dc: false, + enable_linear: false, + hide_users_page: false, + hide_billing_page: false, + hide_integrations_page: true, + }, + }; + mockQueryClient.setQueryData(["web-client-config"], config); + + const result = await clientLoader( + createMockRequest("/settings/integrations") as any, + ); + + expect(result).toBeDefined(); + expect(result?.status).toBe(302); + expect(result?.headers.get("Location")).toBe("/settings/user"); + }); + + it("should redirect from /settings to /settings/app when LLM, users, and integrations are all hidden", async () => { + const config = { + app_mode: "saas", + feature_flags: { + enable_billing: false, + hide_llm_settings: true, + enable_jira: false, + enable_jira_dc: false, + enable_linear: false, + hide_users_page: true, + hide_billing_page: false, + hide_integrations_page: true, + }, + }; + mockQueryClient.setQueryData(["web-client-config"], config); + + const result = await clientLoader(createMockRequest("/settings") as any); + + expect(result).toBeDefined(); + expect(result?.status).toBe(302); + expect(result?.headers.get("Location")).toBe("/settings/app"); + }); + + it("should redirect from /settings to /settings/mcp in OSS mode when LLM settings is hidden", async () => { + const config = { + app_mode: "oss", + feature_flags: { + enable_billing: false, + hide_llm_settings: true, + enable_jira: false, + enable_jira_dc: false, + enable_linear: false, + hide_users_page: false, + hide_billing_page: false, + hide_integrations_page: false, + }, + }; + mockQueryClient.setQueryData(["web-client-config"], config); + + const result = await clientLoader(createMockRequest("/settings") as any); + + expect(result).toBeDefined(); + expect(result?.status).toBe(302); + expect(result?.headers.get("Location")).toBe("/settings/mcp"); + }); + + it("should not redirect when accessing a non-hidden page", async () => { + const config = { + app_mode: "saas", + feature_flags: { + enable_billing: false, + hide_llm_settings: false, + enable_jira: false, + enable_jira_dc: false, + enable_linear: false, + hide_users_page: true, + hide_billing_page: true, + hide_integrations_page: true, + }, + }; + mockQueryClient.setQueryData(["web-client-config"], config); + + // /settings/app is never hidden + const result = await clientLoader( + createMockRequest("/settings/app") as any, + ); + + expect(result).toBeNull(); + }); + + it("should redirect from /settings/integrations in OSS mode when hide_integrations_page is true", async () => { + const config = { + app_mode: "oss", + feature_flags: { + enable_billing: false, + hide_llm_settings: false, + enable_jira: false, + enable_jira_dc: false, + enable_linear: false, + hide_users_page: false, + hide_billing_page: false, + hide_integrations_page: true, + }, + }; + mockQueryClient.setQueryData(["web-client-config"], config); + + const result = await clientLoader( + createMockRequest("/settings/integrations") as any, + ); + + expect(result).toBeDefined(); + expect(result?.status).toBe(302); + // In OSS mode, first available is /settings (LLM) + expect(result?.headers.get("Location")).toBe("/settings"); + }); }); diff --git a/frontend/src/api/option-service/option.types.ts b/frontend/src/api/option-service/option.types.ts index e0d01bb212..45fcdb2586 100644 --- a/frontend/src/api/option-service/option.types.ts +++ b/frontend/src/api/option-service/option.types.ts @@ -6,6 +6,9 @@ export interface WebClientFeatureFlags { enable_jira: boolean; enable_jira_dc: boolean; enable_linear: boolean; + hide_users_page: boolean; + hide_billing_page: boolean; + hide_integrations_page: boolean; } export interface WebClientConfig { diff --git a/frontend/src/hooks/use-settings-nav-items.ts b/frontend/src/hooks/use-settings-nav-items.ts index a0a0d02503..fa0187251d 100644 --- a/frontend/src/hooks/use-settings-nav-items.ts +++ b/frontend/src/hooks/use-settings-nav-items.ts @@ -1,15 +1,14 @@ import { useConfig } from "#/hooks/query/use-config"; import { SAAS_NAV_ITEMS, OSS_NAV_ITEMS } from "#/constants/settings-nav"; +import { isSettingsPageHidden } from "#/routes/settings"; export function useSettingsNavItems() { const { data: config } = useConfig(); - const shouldHideLlmSettings = !!config?.feature_flags?.hide_llm_settings; const isSaasMode = config?.app_mode === "saas"; + const featureFlags = config?.feature_flags; const items = isSaasMode ? SAAS_NAV_ITEMS : OSS_NAV_ITEMS; - return shouldHideLlmSettings - ? items.filter((item) => item.to !== "/settings") - : items; + return items.filter((item) => !isSettingsPageHidden(item.to, featureFlags)); } diff --git a/frontend/src/mocks/settings-handlers.ts b/frontend/src/mocks/settings-handlers.ts index 1b9b34e841..e33a781c1d 100644 --- a/frontend/src/mocks/settings-handlers.ts +++ b/frontend/src/mocks/settings-handlers.ts @@ -78,6 +78,9 @@ export const SETTINGS_HANDLERS = [ enable_jira: false, enable_jira_dc: false, enable_linear: false, + hide_users_page: false, + hide_billing_page: false, + hide_integrations_page: false, }, providers_configured: [], maintenance_start_time: null, diff --git a/frontend/src/routes/settings.tsx b/frontend/src/routes/settings.tsx index 8ccad39907..b617e43549 100644 --- a/frontend/src/routes/settings.tsx +++ b/frontend/src/routes/settings.tsx @@ -4,7 +4,10 @@ import { useTranslation } from "react-i18next"; import { Route } from "./+types/settings"; import OptionService from "#/api/option-service/option-service.api"; import { queryClient } from "#/query-client-config"; -import { WebClientConfig } from "#/api/option-service/option.types"; +import { + WebClientConfig, + WebClientFeatureFlags, +} from "#/api/option-service/option.types"; import { SettingsLayout } from "#/components/features/settings/settings-layout"; import { Typography } from "#/ui/typography"; import { useSettingsNavItems } from "#/hooks/use-settings-nav-items"; @@ -16,6 +19,62 @@ const SAAS_ONLY_PATHS = [ "/settings/api-keys", ]; +/** + * Checks if a settings page should be hidden based on feature flags. + * Used by both the route loader and navigation hook to keep logic in sync. + */ +export function isSettingsPageHidden( + path: string, + featureFlags: WebClientFeatureFlags | undefined, +): boolean { + if (featureFlags?.hide_llm_settings && path === "/settings") return true; + if (featureFlags?.hide_users_page && path === "/settings/user") return true; + if (featureFlags?.hide_billing_page && path === "/settings/billing") + return true; + if (featureFlags?.hide_integrations_page && path === "/settings/integrations") + return true; + return false; +} + +/** + * Find the first available settings page that is not hidden. + * Returns null if no page is available (shouldn't happen in practice). + */ +export function getFirstAvailablePath( + isSaas: boolean, + featureFlags: WebClientFeatureFlags | undefined, +): string | null { + const saasFallbackOrder = [ + { path: "/settings/user", hidden: !!featureFlags?.hide_users_page }, + { + path: "/settings/integrations", + hidden: !!featureFlags?.hide_integrations_page, + }, + { path: "/settings/app", hidden: false }, + { path: "/settings", hidden: !!featureFlags?.hide_llm_settings }, + { path: "/settings/billing", hidden: !!featureFlags?.hide_billing_page }, + { path: "/settings/secrets", hidden: false }, + { path: "/settings/api-keys", hidden: false }, + { path: "/settings/mcp", hidden: false }, + ]; + + const ossFallbackOrder = [ + { path: "/settings", hidden: !!featureFlags?.hide_llm_settings }, + { path: "/settings/mcp", hidden: false }, + { + path: "/settings/integrations", + hidden: !!featureFlags?.hide_integrations_page, + }, + { path: "/settings/app", hidden: false }, + { path: "/settings/secrets", hidden: false }, + ]; + + const fallbackOrder = isSaas ? saasFallbackOrder : ossFallbackOrder; + const firstAvailable = fallbackOrder.find((item) => !item.hidden); + + return firstAvailable?.path ?? null; +} + export const clientLoader = async ({ request }: Route.ClientLoaderArgs) => { const url = new URL(request.url); const { pathname } = url; @@ -27,15 +86,19 @@ export const clientLoader = async ({ request }: Route.ClientLoaderArgs) => { } const isSaas = config?.app_mode === "saas"; + const featureFlags = config?.feature_flags; - if (!isSaas && SAAS_ONLY_PATHS.includes(pathname)) { - // if in OSS mode, do not allow access to saas-only paths - return redirect("/settings"); - } - // If LLM settings are hidden and user tries to access the LLM settings page - if (config?.feature_flags?.hide_llm_settings && pathname === "/settings") { - // Redirect to the first available settings page - return isSaas ? redirect("/settings/user") : redirect("/settings/mcp"); + // Check if current page should be hidden and redirect to first available page + const isHiddenPage = + (!isSaas && SAAS_ONLY_PATHS.includes(pathname)) || + isSettingsPageHidden(pathname, featureFlags); + + if (isHiddenPage) { + const fallbackPath = getFirstAvailablePath(isSaas, featureFlags); + if (fallbackPath && fallbackPath !== pathname) { + return redirect(fallbackPath); + } + // If no fallback available or same as current, stay on current page } return null; diff --git a/openhands/app_server/web_client/default_web_client_config_injector.py b/openhands/app_server/web_client/default_web_client_config_injector.py index 6a5982d47c..fe91d9fae0 100644 --- a/openhands/app_server/web_client/default_web_client_config_injector.py +++ b/openhands/app_server/web_client/default_web_client_config_injector.py @@ -95,8 +95,9 @@ def _get_feature_flags() -> WebClientFeatureFlags: """Get feature flags from environment variables. Reads ENABLE_BILLING, HIDE_LLM_SETTINGS, ENABLE_JIRA, ENABLE_JIRA_DC, - and ENABLE_LINEAR from environment. Each flag is True only if the - corresponding env var is exactly 'true', otherwise False. + ENABLE_LINEAR, HIDE_USERS_PAGE, HIDE_BILLING_PAGE, and HIDE_INTEGRATIONS_PAGE + from environment. Each flag is True only if the corresponding env var is + exactly 'true', otherwise False. """ return WebClientFeatureFlags( enable_billing=os.getenv('ENABLE_BILLING', 'false') == 'true', @@ -104,6 +105,9 @@ def _get_feature_flags() -> WebClientFeatureFlags: enable_jira=os.getenv('ENABLE_JIRA', 'false') == 'true', enable_jira_dc=os.getenv('ENABLE_JIRA_DC', 'false') == 'true', enable_linear=os.getenv('ENABLE_LINEAR', 'false') == 'true', + hide_users_page=os.getenv('HIDE_USERS_PAGE', 'false') == 'true', + hide_billing_page=os.getenv('HIDE_BILLING_PAGE', 'false') == 'true', + hide_integrations_page=os.getenv('HIDE_INTEGRATIONS_PAGE', 'false') == 'true', ) diff --git a/openhands/app_server/web_client/web_client_models.py b/openhands/app_server/web_client/web_client_models.py index f6d176f4f9..a42a397a9e 100644 --- a/openhands/app_server/web_client/web_client_models.py +++ b/openhands/app_server/web_client/web_client_models.py @@ -13,6 +13,9 @@ class WebClientFeatureFlags(BaseModel): enable_jira: bool = False enable_jira_dc: bool = False enable_linear: bool = False + hide_users_page: bool = False + hide_billing_page: bool = False + hide_integrations_page: bool = False class WebClientConfig(DiscriminatedUnionMixin): From 039e208167a7e9102dc3d416828d1b4eebee6810 Mon Sep 17 00:00:00 2001 From: Rohit Malhotra Date: Wed, 4 Mar 2026 13:43:46 -0500 Subject: [PATCH 38/67] Fix enterprise mypy type checking to catch type mismatches (#13140) Co-authored-by: openhands --- .../dev_config/python/.pre-commit-config.yaml | 6 ++++-- enterprise/dev_config/python/mypy.ini | 1 - .../integrations/github/github_manager.py | 5 ++++- .../server/routes/org_invitation_models.py | 4 ++-- enterprise/server/routes/org_invitations.py | 5 ++++- enterprise/server/routes/orgs.py | 18 ++++++++++++++---- 6 files changed, 28 insertions(+), 11 deletions(-) diff --git a/enterprise/dev_config/python/.pre-commit-config.yaml b/enterprise/dev_config/python/.pre-commit-config.yaml index e2a2564455..c0925363a4 100644 --- a/enterprise/dev_config/python/.pre-commit-config.yaml +++ b/enterprise/dev_config/python/.pre-commit-config.yaml @@ -50,8 +50,10 @@ repos: - ./ - stripe==11.5.0 - pygithub==2.6.1 - # To see gaps add `--html-report mypy-report/` - entry: mypy --config-file enterprise/dev_config/python/mypy.ini enterprise/ + # Use -p (package) to avoid dual module name conflict when using MYPYPATH + # MYPYPATH=enterprise allows resolving bare imports like "from integrations.xxx" + # Note: tests package excluded to avoid conflict with core openhands tests + entry: bash -c 'MYPYPATH=enterprise mypy --config-file enterprise/dev_config/python/mypy.ini -p integrations -p server -p storage -p sync -p experiments' always_run: true pass_filenames: false files: ^enterprise/ diff --git a/enterprise/dev_config/python/mypy.ini b/enterprise/dev_config/python/mypy.ini index c6c1dfc365..f7dc2002a3 100644 --- a/enterprise/dev_config/python/mypy.ini +++ b/enterprise/dev_config/python/mypy.ini @@ -2,7 +2,6 @@ warn_unused_configs = True ignore_missing_imports = True check_untyped_defs = True -explicit_package_bases = True warn_unreachable = True warn_redundant_casts = True no_implicit_optional = True diff --git a/enterprise/integrations/github/github_manager.py b/enterprise/integrations/github/github_manager.py index ae482f617b..6e653571cb 100644 --- a/enterprise/integrations/github/github_manager.py +++ b/enterprise/integrations/github/github_manager.py @@ -310,7 +310,10 @@ class GithubManager(Manager[GithubViewType]): issue.create_comment(message) else: - logger.warning('Unsupported location') + # Catch any new types added to GithubViewType that aren't handled above + logger.warning( # type: ignore[unreachable] + f'Unsupported github_view type: {type(github_view).__name__}' + ) return async def start_job(self, github_view: GithubViewType) -> None: diff --git a/enterprise/server/routes/org_invitation_models.py b/enterprise/server/routes/org_invitation_models.py index 3852959a68..0c04c6de06 100644 --- a/enterprise/server/routes/org_invitation_models.py +++ b/enterprise/server/routes/org_invitation_models.py @@ -76,7 +76,7 @@ class InvitationResponse(BaseModel): inviter_email: str | None = None @classmethod - def from_invitation( + async def from_invitation( cls, invitation: OrgInvitation, inviter_email: str | None = None, @@ -94,7 +94,7 @@ class InvitationResponse(BaseModel): if invitation.role: role_name = invitation.role.name elif invitation.role_id: - role = RoleStore.get_role_by_id(invitation.role_id) + role = await RoleStore.get_role_by_id(invitation.role_id) role_name = role.name if role else '' return cls( diff --git a/enterprise/server/routes/org_invitations.py b/enterprise/server/routes/org_invitations.py index 3349d600ac..771b78e91f 100644 --- a/enterprise/server/routes/org_invitations.py +++ b/enterprise/server/routes/org_invitations.py @@ -91,8 +91,11 @@ async def create_invitation( }, ) + successful_responses = [ + await InvitationResponse.from_invitation(inv) for inv in successful + ] return BatchInvitationResponse( - successful=[InvitationResponse.from_invitation(inv) for inv in successful], + successful=successful_responses, failed=[ InvitationFailure(email=email, error=error) for email, error in failed ], diff --git a/enterprise/server/routes/orgs.py b/enterprise/server/routes/orgs.py index f67b1f45f2..a39f959864 100644 --- a/enterprise/server/routes/orgs.py +++ b/enterprise/server/routes/orgs.py @@ -781,7 +781,7 @@ async def get_org_members( ) if not success: - error_map = { + error_map: dict[str | None, tuple[int, str]] = { 'not_a_member': ( status.HTTP_403_FORBIDDEN, 'You are not a member of this organization', @@ -790,9 +790,14 @@ async def get_org_members( status.HTTP_400_BAD_REQUEST, 'Invalid page_id format', ), + None: ( + status.HTTP_500_INTERNAL_SERVER_ERROR, + 'An error occurred', + ), } status_code, detail = error_map.get( - error_code, (status.HTTP_500_INTERNAL_SERVER_ERROR, 'An error occurred') + error_code, + (status.HTTP_500_INTERNAL_SERVER_ERROR, 'An error occurred'), ) raise HTTPException(status_code=status_code, detail=detail) @@ -900,7 +905,7 @@ async def remove_org_member( ) if not success: - error_map = { + error_map: dict[str | None, tuple[int, str]] = { 'not_a_member': ( status.HTTP_403_FORBIDDEN, 'You are not a member of this organization', @@ -925,9 +930,14 @@ async def remove_org_member( status.HTTP_500_INTERNAL_SERVER_ERROR, 'Failed to remove member', ), + None: ( + status.HTTP_500_INTERNAL_SERVER_ERROR, + 'An error occurred', + ), } status_code, detail = error_map.get( - error, (status.HTTP_500_INTERNAL_SERVER_ERROR, 'An error occurred') + error, + (status.HTTP_500_INTERNAL_SERVER_ERROR, 'An error occurred'), ) raise HTTPException(status_code=status_code, detail=detail) From eeac9f14a3ce5447ba27be86d7bd9b680aa06c8d Mon Sep 17 00:00:00 2001 From: Hiep Le <69354317+hieptl@users.noreply.github.com> Date: Thu, 5 Mar 2026 01:52:33 +0700 Subject: [PATCH 39/67] fix(backend): allow deleting an organization after recent changes (#13200) --- enterprise/storage/org_store.py | 8 ++++---- enterprise/tests/unit/test_org_store.py | 3 +++ 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/enterprise/storage/org_store.py b/enterprise/storage/org_store.py index 76ec3fed35..3332024a1c 100644 --- a/enterprise/storage/org_store.py +++ b/enterprise/storage/org_store.py @@ -292,7 +292,7 @@ class OrgStore: text(""" DELETE FROM app_conversation_start_task WHERE app_conversation_id IN ( - SELECT conversation_id FROM conversation_metadata_saas WHERE org_id = :org_id + SELECT conversation_id::uuid FROM conversation_metadata_saas WHERE org_id = :org_id ) """), {'org_id': str(org_id)}, @@ -352,13 +352,13 @@ class OrgStore: # Batch update: reassign current_org_id to an alternative org for all affected users await session.execute( text(""" - UPDATE user + UPDATE "user" SET current_org_id = ( SELECT om.org_id FROM org_member om - WHERE om.user_id = user.id AND om.org_id != :org_id + WHERE om.user_id = "user".id AND om.org_id != :org_id LIMIT 1 ) - WHERE user.current_org_id = :org_id + WHERE "user".current_org_id = :org_id """), {'org_id': str(org_id)}, ) diff --git a/enterprise/tests/unit/test_org_store.py b/enterprise/tests/unit/test_org_store.py index 2ef7619f33..7bada3b7b1 100644 --- a/enterprise/tests/unit/test_org_store.py +++ b/enterprise/tests/unit/test_org_store.py @@ -444,6 +444,9 @@ async def test_persist_org_with_owner_with_multiple_fields( @pytest.mark.asyncio +@pytest.mark.skip( + reason='Uses PostgreSQL-specific ::uuid cast syntax not supported by SQLite' +) async def test_delete_org_cascade_success(async_session_maker, mock_litellm_api): """ GIVEN: Valid organization with associated data From 518fb2ee2434cfb5f2a77294621928d4b415bccd Mon Sep 17 00:00:00 2001 From: Hiep Le <69354317+hieptl@users.noreply.github.com> Date: Thu, 5 Mar 2026 02:03:47 +0700 Subject: [PATCH 40/67] fix(frontend): hide add team members button when anonymous analytics is disabled (#13209) --- .../account-settings-context-menu.test.tsx | 17 ++++++++++++++++- .../account-settings-context-menu.tsx | 6 +++++- 2 files changed, 21 insertions(+), 2 deletions(-) diff --git a/frontend/__tests__/components/context-menu/account-settings-context-menu.test.tsx b/frontend/__tests__/components/context-menu/account-settings-context-menu.test.tsx index c0a9264fe5..cc009e894d 100644 --- a/frontend/__tests__/components/context-menu/account-settings-context-menu.test.tsx +++ b/frontend/__tests__/components/context-menu/account-settings-context-menu.test.tsx @@ -44,8 +44,9 @@ describe("AccountSettingsContextMenu", () => { return renderWithProviders({ui}); }; - const renderWithSaasConfig = (ui: React.ReactElement) => { + const renderWithSaasConfig = (ui: React.ReactElement, options?: { analyticsConsent?: boolean }) => { queryClient.setQueryData(["web-client-config"], createMockWebClientConfig({ app_mode: "saas" })); + queryClient.setQueryData(["settings"], { user_consents_to_analytics: options?.analyticsConsent ?? true }); return render( {ui} @@ -181,6 +182,20 @@ describe("AccountSettingsContextMenu", () => { expect(screen.queryByText("SETTINGS$NAV_ADD_TEAM_MEMBERS")).not.toBeInTheDocument(); }); + it("should not show Add Team Members button when analytics consent is disabled", () => { + vi.mocked(posthog.useFeatureFlagEnabled).mockReturnValue(true); + renderWithSaasConfig( + , + { analyticsConsent: false }, + ); + + expect(screen.queryByTestId("add-team-members-button")).not.toBeInTheDocument(); + expect(screen.queryByText("SETTINGS$NAV_ADD_TEAM_MEMBERS")).not.toBeInTheDocument(); + }); + it("should call tracking function and onClose when Add Team Members button is clicked", async () => { vi.mocked(posthog.useFeatureFlagEnabled).mockReturnValue(true); renderWithSaasConfig( diff --git a/frontend/src/components/features/context-menu/account-settings-context-menu.tsx b/frontend/src/components/features/context-menu/account-settings-context-menu.tsx index 6dddd52620..cdc18521cb 100644 --- a/frontend/src/components/features/context-menu/account-settings-context-menu.tsx +++ b/frontend/src/components/features/context-menu/account-settings-context-menu.tsx @@ -12,6 +12,7 @@ import DocumentIcon from "#/icons/document.svg?react"; import PlusIcon from "#/icons/plus.svg?react"; import { useSettingsNavItems } from "#/hooks/use-settings-nav-items"; import { useConfig } from "#/hooks/query/use-config"; +import { useSettings } from "#/hooks/query/use-settings"; import { useTracking } from "#/hooks/use-tracking"; interface AccountSettingsContextMenuProps { @@ -27,6 +28,7 @@ export function AccountSettingsContextMenu({ const { t } = useTranslation(); const { trackAddTeamMembersButtonClick } = useTracking(); const { data: config } = useConfig(); + const { data: settings } = useSettings(); const isAddTeamMemberEnabled = useFeatureFlagEnabled( "exp_add_team_member_button", ); @@ -34,7 +36,9 @@ export function AccountSettingsContextMenu({ const items = useSettingsNavItems(); const isSaasMode = config?.app_mode === "saas"; - const showAddTeamMembers = isSaasMode && isAddTeamMemberEnabled; + const hasAnalyticsConsent = settings?.user_consents_to_analytics === true; + const showAddTeamMembers = + isSaasMode && isAddTeamMemberEnabled && hasAnalyticsConsent; const navItems = items.map((item) => ({ ...item, From c32934ed2fc3ff0666240ccc82bd95aefdb78990 Mon Sep 17 00:00:00 2001 From: Rohit Malhotra Date: Wed, 4 Mar 2026 15:25:46 -0500 Subject: [PATCH 41/67] Improve budget exceeded error handling in V1 callback processors (#13219) Co-authored-by: openhands --- .../github/github_v1_callback_processor.py | 44 ++++----- .../gitlab/gitlab_v1_callback_processor.py | 30 +++--- .../slack/slack_v1_callback_processor.py | 32 +++---- enterprise/integrations/v1_utils.py | 77 ++++++++++++++++ .../test_github_v1_callback_processor.py | 91 +++++++++++++++++++ .../test_gitlab_v1_callback_processor.py | 69 ++++++++++++++ .../slack/test_slack_v1_callback_processor.py | 86 ++++++++++++++++++ 7 files changed, 368 insertions(+), 61 deletions(-) diff --git a/enterprise/integrations/github/github_v1_callback_processor.py b/enterprise/integrations/github/github_v1_callback_processor.py index 7dc82da54e..541cb27377 100644 --- a/enterprise/integrations/github/github_v1_callback_processor.py +++ b/enterprise/integrations/github/github_v1_callback_processor.py @@ -4,7 +4,8 @@ from uuid import UUID import httpx from github import Auth, Github, GithubIntegration -from integrations.utils import CONVERSATION_URL, get_summary_instruction +from integrations.utils import get_summary_instruction +from integrations.v1_utils import handle_callback_error from pydantic import Field from server.auth.constants import GITHUB_APP_CLIENT_ID, GITHUB_APP_PRIVATE_KEY @@ -42,7 +43,6 @@ class GithubV1CallbackProcessor(EventCallbackProcessor): event: Event, ) -> EventCallbackResult | None: """Process events for GitHub V1 integration.""" - # Only handle ConversationStateUpdateEvent if not isinstance(event, ConversationStateUpdateEvent): return None @@ -78,25 +78,20 @@ class GithubV1CallbackProcessor(EventCallbackProcessor): detail=summary, ) except Exception as e: - _logger.exception('[GitHub V1] Error processing callback: %s', e) - - # Only try to post error to GitHub if we have basic requirements - try: - # Check if we have installation ID and credentials before posting - if ( - self.github_view_data.get('installation_id') - and GITHUB_APP_CLIENT_ID - and GITHUB_APP_PRIVATE_KEY - ): - await self._post_summary_to_github( - f'OpenHands encountered an error: **{str(e)}**.\n\n' - f'[See the conversation]({CONVERSATION_URL.format(conversation_id)})' - 'for more information.' - ) - except Exception as post_error: - _logger.warning( - '[GitHub V1] Failed to post error message to GitHub: %s', post_error - ) + # Check if we have installation ID and credentials before posting + can_post_error = bool( + self.github_view_data.get('installation_id') + and GITHUB_APP_CLIENT_ID + and GITHUB_APP_PRIVATE_KEY + ) + await handle_callback_error( + error=e, + conversation_id=conversation_id, + service_name='GitHub', + service_logger=_logger, + can_post_error=can_post_error, + post_error_func=self._post_summary_to_github, + ) return EventCallbackResult( status=EventCallbackResultStatus.ERROR, @@ -167,8 +162,8 @@ class GithubV1CallbackProcessor(EventCallbackProcessor): send_message_request = AskAgentRequest(question=message_content) url = ( - f'{agent_server_url.rstrip("/")}' - f'/api/conversations/{conversation_id}/ask_agent' + f"{agent_server_url.rstrip('/')}" + f"/api/conversations/{conversation_id}/ask_agent" ) headers = {'X-Session-API-Key': session_api_key} payload = send_message_request.model_dump() @@ -230,8 +225,7 @@ class GithubV1CallbackProcessor(EventCallbackProcessor): # ------------------------------------------------------------------------- async def _request_summary(self, conversation_id: UUID) -> str: - """ - Ask the agent to produce a summary of its work and return the agent response. + """Ask the agent to produce a summary of its work and return the agent response. NOTE: This method now returns a string (the agent server's response text) and raises exceptions on errors. The wrapping into EventCallbackResult diff --git a/enterprise/integrations/gitlab/gitlab_v1_callback_processor.py b/enterprise/integrations/gitlab/gitlab_v1_callback_processor.py index 8fb6521d98..2fe4d6fc72 100644 --- a/enterprise/integrations/gitlab/gitlab_v1_callback_processor.py +++ b/enterprise/integrations/gitlab/gitlab_v1_callback_processor.py @@ -3,7 +3,8 @@ from typing import Any from uuid import UUID import httpx -from integrations.utils import CONVERSATION_URL, get_summary_instruction +from integrations.utils import get_summary_instruction +from integrations.v1_utils import handle_callback_error from pydantic import Field from openhands.agent_server.models import AskAgentRequest, AskAgentResponse @@ -75,20 +76,15 @@ class GitlabV1CallbackProcessor(EventCallbackProcessor): detail=summary, ) except Exception as e: - _logger.exception('[GitLab V1] Error processing callback: %s', e) - - # Only try to post error to GitLab if we have basic requirements - try: - if self.gitlab_view_data.get('keycloak_user_id'): - await self._post_summary_to_gitlab( - f'OpenHands encountered an error: **{str(e)}**.\n\n' - f'[See the conversation]({CONVERSATION_URL.format(conversation_id)}) ' - 'for more information.' - ) - except Exception as post_error: - _logger.warning( - '[GitLab V1] Failed to post error message to GitLab: %s', post_error - ) + can_post_error = bool(self.gitlab_view_data.get('keycloak_user_id')) + await handle_callback_error( + error=e, + conversation_id=conversation_id, + service_name='GitLab', + service_logger=_logger, + can_post_error=can_post_error, + post_error_func=self._post_summary_to_gitlab, + ) return EventCallbackResult( status=EventCallbackResultStatus.ERROR, @@ -149,8 +145,8 @@ class GitlabV1CallbackProcessor(EventCallbackProcessor): send_message_request = AskAgentRequest(question=message_content) url = ( - f'{agent_server_url.rstrip("/")}' - f'/api/conversations/{conversation_id}/ask_agent' + f"{agent_server_url.rstrip('/')}" + f"/api/conversations/{conversation_id}/ask_agent" ) headers = {'X-Session-API-Key': session_api_key} payload = send_message_request.model_dump() diff --git a/enterprise/integrations/slack/slack_v1_callback_processor.py b/enterprise/integrations/slack/slack_v1_callback_processor.py index e5724b1df5..25b94b7872 100644 --- a/enterprise/integrations/slack/slack_v1_callback_processor.py +++ b/enterprise/integrations/slack/slack_v1_callback_processor.py @@ -2,7 +2,8 @@ import logging from uuid import UUID import httpx -from integrations.utils import CONVERSATION_URL, get_summary_instruction +from integrations.utils import get_summary_instruction +from integrations.v1_utils import handle_callback_error from pydantic import Field from slack_sdk import WebClient from storage.slack_team_store import SlackTeamStore @@ -39,7 +40,6 @@ class SlackV1CallbackProcessor(EventCallbackProcessor): event: Event, ) -> EventCallbackResult | None: """Process events for Slack V1 integration.""" - # Only handle ConversationStateUpdateEvent if not isinstance(event, ConversationStateUpdateEvent): return None @@ -62,19 +62,14 @@ class SlackV1CallbackProcessor(EventCallbackProcessor): detail=summary, ) except Exception as e: - _logger.exception('[Slack V1] Error processing callback: %s', e) - - # Only try to post error to Slack if we have basic requirements - try: - await self._post_summary_to_slack( - f'OpenHands encountered an error: **{str(e)}**.\n\n' - f'[See the conversation]({CONVERSATION_URL.format(conversation_id)})' - 'for more information.' - ) - except Exception as post_error: - _logger.warning( - '[Slack V1] Failed to post error message to Slack: %s', post_error - ) + await handle_callback_error( + error=e, + conversation_id=conversation_id, + service_name='Slack', + service_logger=_logger, + can_post_error=True, # Slack always attempts to post errors + post_error_func=self._post_summary_to_slack, + ) return EventCallbackResult( status=EventCallbackResultStatus.ERROR, @@ -149,8 +144,8 @@ class SlackV1CallbackProcessor(EventCallbackProcessor): send_message_request = AskAgentRequest(question=message_content) url = ( - f'{agent_server_url.rstrip("/")}' - f'/api/conversations/{conversation_id}/ask_agent' + f"{agent_server_url.rstrip('/')}" + f"/api/conversations/{conversation_id}/ask_agent" ) headers = {'X-Session-API-Key': session_api_key} payload = send_message_request.model_dump() @@ -212,8 +207,7 @@ class SlackV1CallbackProcessor(EventCallbackProcessor): # ------------------------------------------------------------------------- async def _request_summary(self, conversation_id: UUID) -> str: - """ - Ask the agent to produce a summary of its work and return the agent response. + """Ask the agent to produce a summary of its work and return the agent response. NOTE: This method now returns a string (the agent server's response text) and raises exceptions on errors. The wrapping into EventCallbackResult diff --git a/enterprise/integrations/v1_utils.py b/enterprise/integrations/v1_utils.py index 78953e4e93..1b42fdd567 100644 --- a/enterprise/integrations/v1_utils.py +++ b/enterprise/integrations/v1_utils.py @@ -1,3 +1,8 @@ +import logging +from typing import Callable, Coroutine +from uuid import UUID + +from integrations.utils import CONVERSATION_URL from pydantic import SecretStr from server.auth.saas_user_auth import SaasUserAuth from server.auth.token_manager import TokenManager @@ -6,6 +11,78 @@ from openhands.core.logger import openhands_logger as logger from openhands.server.user_auth.user_auth import UserAuth +def is_budget_exceeded_error(error_message: str) -> bool: + """Check if an error message indicates a budget exceeded condition. + + This is used to downgrade error logs to info logs for budget exceeded errors + since they are expected cost control behavior rather than unexpected errors. + """ + lower_message = error_message.lower() + return 'budget' in lower_message and 'exceeded' in lower_message + + +BUDGET_EXCEEDED_USER_MESSAGE = 'LLM budget has been exceeded, please re-fill.' + + +async def handle_callback_error( + error: Exception, + conversation_id: UUID, + service_name: str, + service_logger: logging.Logger, + can_post_error: bool, + post_error_func: Callable[[str], Coroutine], +) -> None: + """Handle callback processing errors with appropriate logging and user messages. + + This centralizes the error handling logic for V1 callback processors to: + - Log budget exceeded errors at INFO level (expected cost control behavior) + - Log other errors at EXCEPTION level + - Post user-friendly error messages to the integration platform + + Args: + error: The exception that occurred + conversation_id: The conversation ID for logging and linking + service_name: The service name for log messages (e.g., "GitHub", "GitLab", "Slack") + service_logger: The logger instance to use for logging + can_post_error: Whether the prerequisites are met to post an error message + post_error_func: Async function to post the error message to the platform + """ + error_str = str(error) + budget_exceeded = is_budget_exceeded_error(error_str) + + # Log appropriately based on error type + if budget_exceeded: + service_logger.info( + '[%s V1] Budget exceeded for conversation %s: %s', + service_name, + conversation_id, + error, + ) + else: + service_logger.exception( + '[%s V1] Error processing callback: %s', service_name, error + ) + + # Try to post error message to the platform + if can_post_error: + try: + error_detail = ( + BUDGET_EXCEEDED_USER_MESSAGE if budget_exceeded else error_str + ) + await post_error_func( + f'OpenHands encountered an error: **{error_detail}**\n\n' + f'[See the conversation]({CONVERSATION_URL.format(conversation_id)}) ' + 'for more information.' + ) + except Exception as post_error: + service_logger.warning( + '[%s V1] Failed to post error message to %s: %s', + service_name, + service_name, + post_error, + ) + + async def get_saas_user_auth( keycloak_user_id: str, token_manager: TokenManager ) -> UserAuth: diff --git a/enterprise/tests/unit/integrations/github/test_github_v1_callback_processor.py b/enterprise/tests/unit/integrations/github/test_github_v1_callback_processor.py index 1205feaba6..36ada82fe8 100644 --- a/enterprise/tests/unit/integrations/github/test_github_v1_callback_processor.py +++ b/enterprise/tests/unit/integrations/github/test_github_v1_callback_processor.py @@ -809,3 +809,94 @@ class TestGithubV1CallbackProcessor: ) assert f'conversations/{conversation_id}' in error_comment assert 'for more information.' in error_comment + + @patch( + 'integrations.github.github_v1_callback_processor.GITHUB_APP_CLIENT_ID', + 'test_client_id', + ) + @patch( + 'integrations.github.github_v1_callback_processor.GITHUB_APP_PRIVATE_KEY', + 'test_private_key', + ) + @patch('integrations.github.github_v1_callback_processor.get_summary_instruction') + @patch('openhands.app_server.config.get_httpx_client') + @patch('openhands.app_server.config.get_sandbox_service') + @patch('openhands.app_server.config.get_app_conversation_info_service') + @patch('integrations.github.github_v1_callback_processor._logger') + async def test_budget_exceeded_error_logs_info_and_sends_friendly_message( + self, + mock_logger, + mock_get_app_conversation_info_service, + mock_get_sandbox_service, + mock_get_httpx_client, + mock_get_summary_instruction, + github_callback_processor, + conversation_state_update_event, + event_callback, + mock_app_conversation_info, + mock_sandbox_info, + ): + """Test that budget exceeded errors are logged at INFO level and user gets friendly message.""" + conversation_id = uuid4() + + mock_httpx_client = await _setup_happy_path_services( + mock_get_app_conversation_info_service, + mock_get_sandbox_service, + mock_get_httpx_client, + mock_app_conversation_info, + mock_sandbox_info, + ) + # Simulate a budget exceeded error from the agent server + budget_error_msg = ( + 'HTTP 500 error: {"detail":"Internal Server Error",' + '"exception":"litellm.BadRequestError: Litellm_proxyException - ' + 'Budget has been exceeded! Current cost: 12.65, Max budget: 12.62"}' + ) + mock_httpx_client.post.side_effect = Exception(budget_error_msg) + mock_get_summary_instruction.return_value = 'Please provide a summary' + + with ( + patch( + 'integrations.github.github_v1_callback_processor.GithubIntegration' + ) as mock_github_integration, + patch( + 'integrations.github.github_v1_callback_processor.Github' + ) as mock_github, + ): + mock_integration = MagicMock() + mock_github_integration.return_value = mock_integration + mock_integration.get_access_token.return_value.token = 'test_token' + + mock_gh = MagicMock() + mock_github.return_value.__enter__.return_value = mock_gh + mock_repo = MagicMock() + mock_issue = MagicMock() + mock_repo.get_issue.return_value = mock_issue + mock_gh.get_repo.return_value = mock_repo + + result = await github_callback_processor( + conversation_id=conversation_id, + callback=event_callback, + event=conversation_state_update_event, + ) + + assert result is not None + assert result.status == EventCallbackResultStatus.ERROR + + # Verify exception was NOT called (budget exceeded uses info instead) + mock_logger.exception.assert_not_called() + + # Verify budget exceeded info log was called + info_calls = [str(call) for call in mock_logger.info.call_args_list] + budget_log_found = any('Budget exceeded' in call for call in info_calls) + assert budget_log_found, f'Expected budget exceeded log, got: {info_calls}' + + # Verify user-friendly message was posted to GitHub + mock_issue.create_comment.assert_called_once() + call_args = mock_issue.create_comment.call_args + posted_comment = call_args[1].get('body') or call_args[0][0] + assert 'OpenHands encountered an error' in posted_comment + assert 'LLM budget has been exceeded' in posted_comment + assert 'please re-fill' in posted_comment + # Should NOT contain the raw error message + assert 'litellm.BadRequestError' not in posted_comment diff --git a/enterprise/tests/unit/integrations/gitlab/test_gitlab_v1_callback_processor.py b/enterprise/tests/unit/integrations/gitlab/test_gitlab_v1_callback_processor.py index 252d208e08..43fab5d862 100644 --- a/enterprise/tests/unit/integrations/gitlab/test_gitlab_v1_callback_processor.py +++ b/enterprise/tests/unit/integrations/gitlab/test_gitlab_v1_callback_processor.py @@ -374,3 +374,72 @@ class TestGitlabV1CallbackProcessor: assert 'OpenHands encountered an error' in error_comment assert 'Simulated agent server error' in error_comment assert f'conversations/{conversation_id}' in error_comment + + @patch('openhands.app_server.config.get_app_conversation_info_service') + @patch('openhands.app_server.config.get_sandbox_service') + @patch('openhands.app_server.config.get_httpx_client') + @patch('integrations.gitlab.gitlab_v1_callback_processor.get_summary_instruction') + @patch('integrations.gitlab.gitlab_service.SaaSGitLabService') + @patch('integrations.gitlab.gitlab_v1_callback_processor._logger') + async def test_budget_exceeded_error_logs_info_and_sends_friendly_message( + self, + mock_logger, + mock_saas_gitlab_service_cls, + mock_get_summary_instruction, + mock_get_httpx_client, + mock_get_sandbox_service, + mock_get_app_conversation_info_service, + gitlab_callback_processor, + conversation_state_update_event, + event_callback, + mock_app_conversation_info, + mock_sandbox_info, + ): + """Test that budget exceeded errors are logged at INFO level and user gets friendly message.""" + conversation_id = uuid4() + + mock_httpx_client = await _setup_happy_path_services( + mock_get_app_conversation_info_service, + mock_get_sandbox_service, + mock_get_httpx_client, + mock_app_conversation_info, + mock_sandbox_info, + ) + # Simulate a budget exceeded error from the agent server + budget_error_msg = ( + 'HTTP 500 error: {"detail":"Internal Server Error",' + '"exception":"litellm.BadRequestError: Litellm_proxyException - ' + 'Budget has been exceeded! Current cost: 12.65, Max budget: 12.62"}' + ) + mock_httpx_client.post.side_effect = Exception(budget_error_msg) + mock_get_summary_instruction.return_value = 'Please provide a summary' + + mock_gitlab_service = AsyncMock() + mock_saas_gitlab_service_cls.return_value = mock_gitlab_service + + result = await gitlab_callback_processor( + conversation_id=conversation_id, + callback=event_callback, + event=conversation_state_update_event, + ) + + assert result is not None + assert result.status == EventCallbackResultStatus.ERROR + + # Verify exception was NOT called (budget exceeded uses info instead) + mock_logger.exception.assert_not_called() + + # Verify budget exceeded info log was called + info_calls = [str(call) for call in mock_logger.info.call_args_list] + budget_log_found = any('Budget exceeded' in call for call in info_calls) + assert budget_log_found, f'Expected budget exceeded log, got: {info_calls}' + + # Verify user-friendly message was posted to GitLab + mock_gitlab_service.reply_to_issue.assert_called_once() + call_args = mock_gitlab_service.reply_to_issue.call_args + posted_comment = call_args[0][3] # 4th positional arg is the body + assert 'OpenHands encountered an error' in posted_comment + assert 'LLM budget has been exceeded' in posted_comment + assert 'please re-fill' in posted_comment + # Should NOT contain the raw error message + assert 'litellm.BadRequestError' not in posted_comment diff --git a/enterprise/tests/unit/integrations/slack/test_slack_v1_callback_processor.py b/enterprise/tests/unit/integrations/slack/test_slack_v1_callback_processor.py index e72e89233e..209507c64b 100644 --- a/enterprise/tests/unit/integrations/slack/test_slack_v1_callback_processor.py +++ b/enterprise/tests/unit/integrations/slack/test_slack_v1_callback_processor.py @@ -429,3 +429,89 @@ class TestSlackV1CallbackProcessor: assert result is not None assert result.status == EventCallbackResultStatus.ERROR assert expected_error_fragment in result.detail + + @patch('storage.slack_team_store.SlackTeamStore.get_instance') + @patch('openhands.app_server.config.get_httpx_client') + @patch('openhands.app_server.config.get_sandbox_service') + @patch('openhands.app_server.config.get_app_conversation_info_service') + @patch('integrations.slack.slack_v1_callback_processor.get_summary_instruction') + @patch('integrations.slack.slack_v1_callback_processor._logger') + @patch('integrations.slack.slack_v1_callback_processor.WebClient') + async def test_budget_exceeded_error_logs_info_and_sends_friendly_message( + self, + mock_web_client_cls, + mock_logger, + mock_get_summary_instruction, + mock_get_app_conversation_info_service, + mock_get_sandbox_service, + mock_get_httpx_client, + mock_slack_team_store, + slack_callback_processor, + finish_event, + event_callback, + mock_app_conversation_info, + mock_sandbox_info, + ): + """Test that budget exceeded errors are logged at INFO level and user gets friendly message.""" + conversation_id = uuid4() + + # Mock SlackTeamStore + mock_store = MagicMock() + mock_store.get_team_bot_token = AsyncMock(return_value='xoxb-test-token') + mock_slack_team_store.return_value = mock_store + + mock_get_summary_instruction.return_value = 'Please provide a summary' + + # Mock services + mock_app_conversation_info_service = AsyncMock() + mock_app_conversation_info_service.get_app_conversation_info.return_value = ( + mock_app_conversation_info + ) + mock_get_app_conversation_info_service.return_value.__aenter__.return_value = ( + mock_app_conversation_info_service + ) + + mock_sandbox_service = AsyncMock() + mock_sandbox_service.get_sandbox.return_value = mock_sandbox_info + mock_get_sandbox_service.return_value.__aenter__.return_value = ( + mock_sandbox_service + ) + + # Simulate a budget exceeded error from the agent server + budget_error_msg = ( + 'HTTP 500 error: {"detail":"Internal Server Error",' + '"exception":"litellm.BadRequestError: Litellm_proxyException - ' + 'Budget has been exceeded! Current cost: 12.65, Max budget: 12.62"}' + ) + mock_httpx_client = AsyncMock() + mock_httpx_client.post.side_effect = Exception(budget_error_msg) + mock_get_httpx_client.return_value.__aenter__.return_value = mock_httpx_client + + # Mock Slack WebClient + mock_slack_client = MagicMock() + mock_web_client_cls.return_value = mock_slack_client + + result = await slack_callback_processor( + conversation_id, event_callback, finish_event + ) + + assert result is not None + assert result.status == EventCallbackResultStatus.ERROR + + # Verify exception was NOT called (budget exceeded uses info instead) + mock_logger.exception.assert_not_called() + + # Verify budget exceeded info log was called + info_calls = [str(call) for call in mock_logger.info.call_args_list] + budget_log_found = any('Budget exceeded' in call for call in info_calls) + assert budget_log_found, f'Expected budget exceeded log, got: {info_calls}' + + # Verify user-friendly message was posted to Slack + mock_slack_client.chat_postMessage.assert_called_once() + call_kwargs = mock_slack_client.chat_postMessage.call_args[1] + posted_message = call_kwargs.get('text', '') + assert 'OpenHands encountered an error' in posted_message + assert 'LLM budget has been exceeded' in posted_message + assert 'please re-fill' in posted_message + # Should NOT contain the raw error message + assert 'litellm.BadRequestError' not in posted_message From 3e15b849a35e1bf2cbcacad9dbfc9f9198e94719 Mon Sep 17 00:00:00 2001 From: Rohit Malhotra Date: Wed, 4 Mar 2026 15:26:21 -0500 Subject: [PATCH 42/67] Downgrade solvability disabled log from warning to info (#13216) Co-authored-by: openhands --- .../integrations/github/github_manager.py | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/enterprise/integrations/github/github_manager.py b/enterprise/integrations/github/github_manager.py index 6e653571cb..387dd29a56 100644 --- a/enterprise/integrations/github/github_manager.py +++ b/enterprise/integrations/github/github_manager.py @@ -20,6 +20,7 @@ from integrations.models import ( from integrations.types import ResolverViewInterface from integrations.utils import ( CONVERSATION_URL, + ENABLE_SOLVABILITY_ANALYSIS, HOST_URL, OPENHANDS_RESOLVER_TEMPLATES_DIR, get_session_expired_message, @@ -370,19 +371,19 @@ class GithubManager(Manager[GithubViewType]): # 3. Once the conversation is started, its base cost will include the report's spend as well which allows us to control max budget per resolver task convo_metadata = await github_view.initialize_new_conversation() solvability_summary = None - try: - if user_token: + if not ENABLE_SOLVABILITY_ANALYSIS: + logger.info( + '[Github]: Solvability report feature is disabled, skipping' + ) + else: + try: solvability_summary = await summarize_issue_solvability( github_view, user_token ) - else: + except Exception as e: logger.warning( - '[Github]: No user token available for solvability analysis' + f'[Github]: Error summarizing issue solvability: {str(e)}' ) - except Exception as e: - logger.warning( - f'[Github]: Error summarizing issue solvability: {str(e)}' - ) saas_user_auth = await get_saas_user_auth( github_view.user_info.keycloak_user_id, self.token_manager From 15e9435b3521ff7475691bd827abfb1f0d7a8934 Mon Sep 17 00:00:00 2001 From: Tim O'Farrell Date: Wed, 4 Mar 2026 13:41:18 -0700 Subject: [PATCH 43/67] Remove ExperimentManager concept from codebase (#13215) Co-authored-by: openhands --- .../dev_config/python/.pre-commit-config.yaml | 2 +- enterprise/experiments/__init__.py | 0 enterprise/experiments/constants.py | 47 ---- enterprise/experiments/experiment_manager.py | 99 ------- .../_001_litellm_default_model_experiment.py | 107 ------- .../_002_system_prompt_experiment.py | 181 ------------ .../_003_llm_claude4_vs_gpt5_experiment.py | 137 --------- .../_004_condenser_max_step_experiment.py | 232 --------------- .../experiment_versions/__init__.py | 25 -- enterprise/pyproject.toml | 1 - enterprise/server/routes/event_webhook.py | 4 - .../saas_nested_conversation_manager.py | 28 -- enterprise/storage/__init__.py | 2 - enterprise/storage/experiment_assignment.py | 41 --- .../storage/experiment_assignment_store.py | 52 ---- enterprise/tests/unit/experiments/__init__.py | 1 - .../test_saas_experiment_manager.py | 149 ---------- .../live_status_app_conversation_service.py | 11 +- openhands/experiments/experiment_manager.py | 72 ----- .../docker_nested_conversation_manager.py | 7 +- .../server/routes/manage_conversations.py | 28 -- .../server/services/conversation_service.py | 11 +- openhands/server/session/session.py | 7 - openhands/storage/locations.py | 4 - scripts/update_openapi.py | 3 +- ...st_live_status_app_conversation_service.py | 145 +++------- tests/unit/experiments/__init__.py | 0 .../experiments/test_experiment_manager.py | 264 ------------------ 28 files changed, 42 insertions(+), 1618 deletions(-) delete mode 100644 enterprise/experiments/__init__.py delete mode 100644 enterprise/experiments/constants.py delete mode 100644 enterprise/experiments/experiment_manager.py delete mode 100644 enterprise/experiments/experiment_versions/_001_litellm_default_model_experiment.py delete mode 100644 enterprise/experiments/experiment_versions/_002_system_prompt_experiment.py delete mode 100644 enterprise/experiments/experiment_versions/_003_llm_claude4_vs_gpt5_experiment.py delete mode 100644 enterprise/experiments/experiment_versions/_004_condenser_max_step_experiment.py delete mode 100644 enterprise/experiments/experiment_versions/__init__.py delete mode 100644 enterprise/storage/experiment_assignment.py delete mode 100644 enterprise/storage/experiment_assignment_store.py delete mode 100644 enterprise/tests/unit/experiments/__init__.py delete mode 100644 enterprise/tests/unit/experiments/test_saas_experiment_manager.py delete mode 100644 openhands/experiments/experiment_manager.py delete mode 100644 tests/unit/experiments/__init__.py delete mode 100644 tests/unit/experiments/test_experiment_manager.py diff --git a/enterprise/dev_config/python/.pre-commit-config.yaml b/enterprise/dev_config/python/.pre-commit-config.yaml index c0925363a4..231832386d 100644 --- a/enterprise/dev_config/python/.pre-commit-config.yaml +++ b/enterprise/dev_config/python/.pre-commit-config.yaml @@ -53,7 +53,7 @@ repos: # Use -p (package) to avoid dual module name conflict when using MYPYPATH # MYPYPATH=enterprise allows resolving bare imports like "from integrations.xxx" # Note: tests package excluded to avoid conflict with core openhands tests - entry: bash -c 'MYPYPATH=enterprise mypy --config-file enterprise/dev_config/python/mypy.ini -p integrations -p server -p storage -p sync -p experiments' + entry: bash -c 'MYPYPATH=enterprise mypy --config-file enterprise/dev_config/python/mypy.ini -p integrations -p server -p storage -p sync' always_run: true pass_filenames: false files: ^enterprise/ diff --git a/enterprise/experiments/__init__.py b/enterprise/experiments/__init__.py deleted file mode 100644 index e69de29bb2..0000000000 diff --git a/enterprise/experiments/constants.py b/enterprise/experiments/constants.py deleted file mode 100644 index b9eba97be7..0000000000 --- a/enterprise/experiments/constants.py +++ /dev/null @@ -1,47 +0,0 @@ -import os - -import posthog - -from openhands.core.logger import openhands_logger as logger - -# Initialize PostHog -posthog.api_key = os.environ.get('POSTHOG_CLIENT_KEY', 'phc_placeholder') -posthog.host = os.environ.get('POSTHOG_HOST', 'https://us.i.posthog.com') - -# Log PostHog configuration with masked API key for security -api_key = posthog.api_key -if api_key and len(api_key) > 8: - masked_key = f'{api_key[:4]}...{api_key[-4:]}' -else: - masked_key = 'not_set_or_too_short' -logger.info('posthog_configuration', extra={'posthog_api_key_masked': masked_key}) - -# Global toggle for the experiment manager -ENABLE_EXPERIMENT_MANAGER = ( - os.environ.get('ENABLE_EXPERIMENT_MANAGER', 'false').lower() == 'true' -) - -# Get the current experiment type from environment variable -# If None, no experiment is running -EXPERIMENT_LITELLM_DEFAULT_MODEL_EXPERIMENT = os.environ.get( - 'EXPERIMENT_LITELLM_DEFAULT_MODEL_EXPERIMENT', '' -) -# System prompt experiment toggle -EXPERIMENT_SYSTEM_PROMPT_EXPERIMENT = os.environ.get( - 'EXPERIMENT_SYSTEM_PROMPT_EXPERIMENT', '' -) - -EXPERIMENT_CLAUDE4_VS_GPT5 = os.environ.get('EXPERIMENT_CLAUDE4_VS_GPT5', '') - -EXPERIMENT_CONDENSER_MAX_STEP = os.environ.get('EXPERIMENT_CONDENSER_MAX_STEP', '') - -logger.info( - 'experiment_manager:run_conversation_variant_test:experiment_config', - extra={ - 'enable_experiment_manager': ENABLE_EXPERIMENT_MANAGER, - 'experiment_litellm_default_model_experiment': EXPERIMENT_LITELLM_DEFAULT_MODEL_EXPERIMENT, - 'experiment_system_prompt_experiment': EXPERIMENT_SYSTEM_PROMPT_EXPERIMENT, - 'experiment_claude4_vs_gpt5_experiment': EXPERIMENT_CLAUDE4_VS_GPT5, - 'experiment_condenser_max_step': EXPERIMENT_CONDENSER_MAX_STEP, - }, -) diff --git a/enterprise/experiments/experiment_manager.py b/enterprise/experiments/experiment_manager.py deleted file mode 100644 index 2a37e7449e..0000000000 --- a/enterprise/experiments/experiment_manager.py +++ /dev/null @@ -1,99 +0,0 @@ -from uuid import UUID - -from experiments.constants import ( - ENABLE_EXPERIMENT_MANAGER, - EXPERIMENT_SYSTEM_PROMPT_EXPERIMENT, -) -from experiments.experiment_versions import ( - handle_system_prompt_experiment, -) - -from openhands.core.config.openhands_config import OpenHandsConfig -from openhands.core.logger import openhands_logger as logger -from openhands.experiments.experiment_manager import ExperimentManager -from openhands.sdk import Agent -from openhands.server.session.conversation_init_data import ConversationInitData - - -class SaaSExperimentManager(ExperimentManager): - @staticmethod - def run_agent_variant_tests__v1( - user_id: str | None, conversation_id: UUID, agent: Agent - ) -> Agent: - if not ENABLE_EXPERIMENT_MANAGER: - logger.info( - 'experiment_manager:run_conversation_variant_test:skipped', - extra={'reason': 'experiment_manager_disabled'}, - ) - return agent - - if EXPERIMENT_SYSTEM_PROMPT_EXPERIMENT: - # Skip experiment for planning agents which require their specialized prompt - if agent.system_prompt_filename != 'system_prompt_planning.j2': - agent = agent.model_copy( - update={'system_prompt_filename': 'system_prompt_long_horizon.j2'} - ) - - return agent - - @staticmethod - def run_conversation_variant_test( - user_id, conversation_id, conversation_settings - ) -> ConversationInitData: - """ - Run conversation variant test and potentially modify the conversation settings - based on the PostHog feature flags. - - Args: - user_id: The user ID - conversation_id: The conversation ID - conversation_settings: The conversation settings that may include convo_id and llm_model - - Returns: - The modified conversation settings - """ - logger.debug( - 'experiment_manager:run_conversation_variant_test:started', - extra={'user_id': user_id, 'conversation_id': conversation_id}, - ) - - return conversation_settings - - @staticmethod - def run_config_variant_test( - user_id: str | None, conversation_id: str, config: OpenHandsConfig - ) -> OpenHandsConfig: - """ - Run agent config variant test and potentially modify the OpenHands config - based on the current experiment type and PostHog feature flags. - - Args: - user_id: The user ID - conversation_id: The conversation ID - config: The OpenHands configuration - - Returns: - The modified OpenHands configuration - """ - logger.info( - 'experiment_manager:run_config_variant_test:started', - extra={'user_id': user_id}, - ) - - # Skip all experiment processing if the experiment manager is disabled - if not ENABLE_EXPERIMENT_MANAGER: - logger.info( - 'experiment_manager:run_config_variant_test:skipped', - extra={'reason': 'experiment_manager_disabled'}, - ) - return config - - # Pass the entire OpenHands config to the system prompt experiment - # Let the experiment handler directly modify the config as needed - modified_config = handle_system_prompt_experiment( - user_id, conversation_id, config - ) - - # Condenser max step experiment is applied via conversation variant test, - # not config variant test. Return modified config from system prompt only. - return modified_config diff --git a/enterprise/experiments/experiment_versions/_001_litellm_default_model_experiment.py b/enterprise/experiments/experiment_versions/_001_litellm_default_model_experiment.py deleted file mode 100644 index 7524df1e76..0000000000 --- a/enterprise/experiments/experiment_versions/_001_litellm_default_model_experiment.py +++ /dev/null @@ -1,107 +0,0 @@ -""" -LiteLLM model experiment handler. - -This module contains the handler for the LiteLLM model experiment. -""" - -import posthog -from experiments.constants import EXPERIMENT_LITELLM_DEFAULT_MODEL_EXPERIMENT -from server.constants import ( - IS_FEATURE_ENV, - build_litellm_proxy_model_path, - get_default_litellm_model, -) - -from openhands.core.logger import openhands_logger as logger - - -def handle_litellm_default_model_experiment( - user_id, conversation_id, conversation_settings -): - """ - Handle the LiteLLM model experiment. - - Args: - user_id: The user ID - conversation_id: The conversation ID - conversation_settings: The conversation settings - - Returns: - Modified conversation settings - """ - # No-op if the specific experiment is not enabled - if not EXPERIMENT_LITELLM_DEFAULT_MODEL_EXPERIMENT: - logger.info( - 'experiment_manager:ab_testing:skipped', - extra={ - 'convo_id': conversation_id, - 'reason': 'experiment_not_enabled', - 'experiment': EXPERIMENT_LITELLM_DEFAULT_MODEL_EXPERIMENT, - }, - ) - return conversation_settings - - # Use experiment name as the flag key - try: - enabled_variant = posthog.get_feature_flag( - EXPERIMENT_LITELLM_DEFAULT_MODEL_EXPERIMENT, conversation_id - ) - except Exception as e: - logger.error( - 'experiment_manager:get_feature_flag:failed', - extra={ - 'convo_id': conversation_id, - 'experiment': EXPERIMENT_LITELLM_DEFAULT_MODEL_EXPERIMENT, - 'error': str(e), - }, - ) - return conversation_settings - - # Log the experiment event - # If this is a feature environment, add "FEATURE_" prefix to user_id for PostHog - posthog_user_id = f'FEATURE_{user_id}' if IS_FEATURE_ENV else user_id - - try: - posthog.capture( - distinct_id=posthog_user_id, - event='model_set', - properties={ - 'conversation_id': conversation_id, - 'variant': enabled_variant, - 'original_user_id': user_id, - 'is_feature_env': IS_FEATURE_ENV, - }, - ) - except Exception as e: - logger.error( - 'experiment_manager:posthog_capture:failed', - extra={ - 'convo_id': conversation_id, - 'experiment': EXPERIMENT_LITELLM_DEFAULT_MODEL_EXPERIMENT, - 'error': str(e), - }, - ) - # Continue execution as this is not critical - - logger.info( - 'posthog_capture', - extra={ - 'event': 'model_set', - 'posthog_user_id': posthog_user_id, - 'is_feature_env': IS_FEATURE_ENV, - 'conversation_id': conversation_id, - 'variant': enabled_variant, - }, - ) - - # Set the model based on the feature flag variant - if enabled_variant == 'claude37': - # Use the shared utility to construct the LiteLLM proxy model path - model = build_litellm_proxy_model_path('claude-3-7-sonnet-20250219') - # Update the conversation settings with the selected model - conversation_settings.llm_model = model - else: - # Update the conversation settings with the default model for the current version - conversation_settings.llm_model = get_default_litellm_model() - - return conversation_settings diff --git a/enterprise/experiments/experiment_versions/_002_system_prompt_experiment.py b/enterprise/experiments/experiment_versions/_002_system_prompt_experiment.py deleted file mode 100644 index ef489c4ee4..0000000000 --- a/enterprise/experiments/experiment_versions/_002_system_prompt_experiment.py +++ /dev/null @@ -1,181 +0,0 @@ -""" -System prompt experiment handler. - -This module contains the handler for the system prompt experiment that uses -the PostHog variant as the system prompt filename. -""" - -import copy - -import posthog -from experiments.constants import EXPERIMENT_SYSTEM_PROMPT_EXPERIMENT -from server.constants import IS_FEATURE_ENV -from storage.experiment_assignment_store import ExperimentAssignmentStore - -from openhands.core.config.openhands_config import OpenHandsConfig -from openhands.core.logger import openhands_logger as logger - - -def _get_system_prompt_variant(user_id, conversation_id): - """ - Get the system prompt variant for the experiment. - - Args: - user_id: The user ID - conversation_id: The conversation ID - - Returns: - str or None: The PostHog variant name or None if experiment is not enabled or error occurs - """ - # No-op if the specific experiment is not enabled - if not EXPERIMENT_SYSTEM_PROMPT_EXPERIMENT: - logger.info( - 'experiment_manager_002:ab_testing:skipped', - extra={ - 'convo_id': conversation_id, - 'reason': 'experiment_not_enabled', - 'experiment': EXPERIMENT_SYSTEM_PROMPT_EXPERIMENT, - }, - ) - return None - - # Use experiment name as the flag key - try: - enabled_variant = posthog.get_feature_flag( - EXPERIMENT_SYSTEM_PROMPT_EXPERIMENT, conversation_id - ) - except Exception as e: - logger.error( - 'experiment_manager:get_feature_flag:failed', - extra={ - 'convo_id': conversation_id, - 'experiment': EXPERIMENT_SYSTEM_PROMPT_EXPERIMENT, - 'error': str(e), - }, - ) - return None - - # Store the experiment assignment in the database - try: - experiment_store = ExperimentAssignmentStore() - experiment_store.update_experiment_variant( - conversation_id=conversation_id, - experiment_name='system_prompt_experiment', - variant=enabled_variant, - ) - except Exception as e: - logger.error( - 'experiment_manager:store_assignment:failed', - extra={ - 'convo_id': conversation_id, - 'experiment': EXPERIMENT_SYSTEM_PROMPT_EXPERIMENT, - 'variant': enabled_variant, - 'error': str(e), - }, - ) - # Fail the experiment if we cannot track the splits - results would not be explainable - return None - - # Log the experiment event - # If this is a feature environment, add "FEATURE_" prefix to user_id for PostHog - posthog_user_id = f'FEATURE_{user_id}' if IS_FEATURE_ENV else user_id - - try: - posthog.capture( - distinct_id=posthog_user_id, - event='system_prompt_set', - properties={ - 'conversation_id': conversation_id, - 'variant': enabled_variant, - 'original_user_id': user_id, - 'is_feature_env': IS_FEATURE_ENV, - }, - ) - except Exception as e: - logger.error( - 'experiment_manager:posthog_capture:failed', - extra={ - 'convo_id': conversation_id, - 'experiment': EXPERIMENT_SYSTEM_PROMPT_EXPERIMENT, - 'error': str(e), - }, - ) - # Continue execution as this is not critical - - logger.info( - 'posthog_capture', - extra={ - 'event': 'system_prompt_set', - 'posthog_user_id': posthog_user_id, - 'is_feature_env': IS_FEATURE_ENV, - 'conversation_id': conversation_id, - 'variant': enabled_variant, - }, - ) - - return enabled_variant - - -def handle_system_prompt_experiment( - user_id, conversation_id, config: OpenHandsConfig -) -> OpenHandsConfig: - """ - Handle the system prompt experiment for OpenHands config. - - Args: - user_id: The user ID - conversation_id: The conversation ID - config: The OpenHands configuration - - Returns: - Modified OpenHands configuration - """ - enabled_variant = _get_system_prompt_variant(user_id, conversation_id) - - # If variant is None, experiment is not enabled or there was an error - if enabled_variant is None: - return config - - # Deep copy the config to avoid modifying the original - modified_config = copy.deepcopy(config) - - # Set the system prompt filename based on the variant - if enabled_variant == 'control': - # Use the long-horizon system prompt for the control variant - agent_config = modified_config.get_agent_config(modified_config.default_agent) - agent_config.system_prompt_filename = 'system_prompt_long_horizon.j2' - agent_config.enable_plan_mode = True - elif enabled_variant == 'interactive': - modified_config.get_agent_config( - modified_config.default_agent - ).system_prompt_filename = 'system_prompt_interactive.j2' - elif enabled_variant == 'no_tools': - modified_config.get_agent_config( - modified_config.default_agent - ).system_prompt_filename = 'system_prompt.j2' - else: - logger.error( - 'system_prompt_experiment:unknown_variant', - extra={ - 'user_id': user_id, - 'convo_id': conversation_id, - 'variant': enabled_variant, - 'reason': 'no explicit mapping; returning original config', - }, - ) - return config - - # Log which prompt is being used - logger.info( - 'system_prompt_experiment:prompt_selected', - extra={ - 'user_id': user_id, - 'convo_id': conversation_id, - 'system_prompt_filename': modified_config.get_agent_config( - modified_config.default_agent - ).system_prompt_filename, - 'variant': enabled_variant, - }, - ) - - return modified_config diff --git a/enterprise/experiments/experiment_versions/_003_llm_claude4_vs_gpt5_experiment.py b/enterprise/experiments/experiment_versions/_003_llm_claude4_vs_gpt5_experiment.py deleted file mode 100644 index 8eb41ff042..0000000000 --- a/enterprise/experiments/experiment_versions/_003_llm_claude4_vs_gpt5_experiment.py +++ /dev/null @@ -1,137 +0,0 @@ -""" -LiteLLM model experiment handler. - -This module contains the handler for the LiteLLM model experiment. -""" - -import posthog -from experiments.constants import EXPERIMENT_CLAUDE4_VS_GPT5 -from server.constants import ( - IS_FEATURE_ENV, - build_litellm_proxy_model_path, - get_default_litellm_model, -) -from storage.experiment_assignment_store import ExperimentAssignmentStore - -from openhands.core.logger import openhands_logger as logger -from openhands.server.session.conversation_init_data import ConversationInitData - - -def _get_model_variant(user_id: str | None, conversation_id: str) -> str | None: - if not EXPERIMENT_CLAUDE4_VS_GPT5: - logger.info( - 'experiment_manager:ab_testing:skipped', - extra={ - 'convo_id': conversation_id, - 'reason': 'experiment_not_enabled', - 'experiment': EXPERIMENT_CLAUDE4_VS_GPT5, - }, - ) - return None - - try: - enabled_variant = posthog.get_feature_flag( - EXPERIMENT_CLAUDE4_VS_GPT5, conversation_id - ) - except Exception as e: - logger.error( - 'experiment_manager:get_feature_flag:failed', - extra={ - 'convo_id': conversation_id, - 'experiment': EXPERIMENT_CLAUDE4_VS_GPT5, - 'error': str(e), - }, - ) - return None - - # Store the experiment assignment in the database - try: - experiment_store = ExperimentAssignmentStore() - experiment_store.update_experiment_variant( - conversation_id=conversation_id, - experiment_name='claude4_vs_gpt5_experiment', - variant=enabled_variant, - ) - except Exception as e: - logger.error( - 'experiment_manager:store_assignment:failed', - extra={ - 'convo_id': conversation_id, - 'experiment': EXPERIMENT_CLAUDE4_VS_GPT5, - 'variant': enabled_variant, - 'error': str(e), - }, - ) - # Fail the experiment if we cannot track the splits - results would not be explainable - return None - - # Log the experiment event - # If this is a feature environment, add "FEATURE_" prefix to user_id for PostHog - posthog_user_id = f'FEATURE_{user_id}' if IS_FEATURE_ENV else user_id - - try: - posthog.capture( - distinct_id=posthog_user_id, - event='claude4_or_gpt5_set', - properties={ - 'conversation_id': conversation_id, - 'variant': enabled_variant, - 'original_user_id': user_id, - 'is_feature_env': IS_FEATURE_ENV, - }, - ) - except Exception as e: - logger.error( - 'experiment_manager:posthog_capture:failed', - extra={ - 'convo_id': conversation_id, - 'experiment': EXPERIMENT_CLAUDE4_VS_GPT5, - 'error': str(e), - }, - ) - # Continue execution as this is not critical - - logger.info( - 'posthog_capture', - extra={ - 'event': 'claude4_or_gpt5_set', - 'posthog_user_id': posthog_user_id, - 'is_feature_env': IS_FEATURE_ENV, - 'conversation_id': conversation_id, - 'variant': enabled_variant, - }, - ) - - return enabled_variant - - -def handle_claude4_vs_gpt5_experiment( - user_id: str | None, - conversation_id: str, - conversation_settings: ConversationInitData, -) -> ConversationInitData: - """ - Handle the LiteLLM model experiment. - - Args: - user_id: The user ID - conversation_id: The conversation ID - conversation_settings: The conversation settings - - Returns: - Modified conversation settings - """ - - enabled_variant = _get_model_variant(user_id, conversation_id) - - if not enabled_variant: - return conversation_settings - - # Set the model based on the feature flag variant - if enabled_variant == 'gpt5': - model = build_litellm_proxy_model_path('gpt-5-2025-08-07') - conversation_settings.llm_model = model - else: - conversation_settings.llm_model = get_default_litellm_model() - - return conversation_settings diff --git a/enterprise/experiments/experiment_versions/_004_condenser_max_step_experiment.py b/enterprise/experiments/experiment_versions/_004_condenser_max_step_experiment.py deleted file mode 100644 index 5b5818cb1d..0000000000 --- a/enterprise/experiments/experiment_versions/_004_condenser_max_step_experiment.py +++ /dev/null @@ -1,232 +0,0 @@ -""" -Condenser max step experiment handler. - -This module contains the handler for the condenser max step experiment that tests -different max_size values for the condenser configuration. -""" - -from uuid import UUID - -import posthog -from experiments.constants import EXPERIMENT_CONDENSER_MAX_STEP -from server.constants import IS_FEATURE_ENV -from storage.experiment_assignment_store import ExperimentAssignmentStore - -from openhands.core.logger import openhands_logger as logger -from openhands.sdk import Agent -from openhands.sdk.context.condenser import ( - LLMSummarizingCondenser, -) -from openhands.server.session.conversation_init_data import ConversationInitData - - -def _get_condenser_max_step_variant(user_id, conversation_id): - """ - Get the condenser max step variant for the experiment. - - Args: - user_id: The user ID - conversation_id: The conversation ID - - Returns: - str or None: The PostHog variant name or None if experiment is not enabled or error occurs - """ - # No-op if the specific experiment is not enabled - if not EXPERIMENT_CONDENSER_MAX_STEP: - logger.info( - 'experiment_manager_004:ab_testing:skipped', - extra={ - 'convo_id': conversation_id, - 'reason': 'experiment_not_enabled', - 'experiment': EXPERIMENT_CONDENSER_MAX_STEP, - }, - ) - return None - - # Use experiment name as the flag key - try: - enabled_variant = posthog.get_feature_flag( - EXPERIMENT_CONDENSER_MAX_STEP, conversation_id - ) - except Exception as e: - logger.error( - 'experiment_manager:get_feature_flag:failed', - extra={ - 'convo_id': conversation_id, - 'experiment': EXPERIMENT_CONDENSER_MAX_STEP, - 'error': str(e), - }, - ) - return None - - # Store the experiment assignment in the database - try: - experiment_store = ExperimentAssignmentStore() - experiment_store.update_experiment_variant( - conversation_id=conversation_id, - experiment_name='condenser_max_step_experiment', - variant=enabled_variant, - ) - except Exception as e: - logger.error( - 'experiment_manager:store_assignment:failed', - extra={ - 'convo_id': conversation_id, - 'experiment': EXPERIMENT_CONDENSER_MAX_STEP, - 'variant': enabled_variant, - 'error': str(e), - }, - ) - # Fail the experiment if we cannot track the splits - results would not be explainable - return None - - # Log the experiment event - # If this is a feature environment, add "FEATURE_" prefix to user_id for PostHog - posthog_user_id = f'FEATURE_{user_id}' if IS_FEATURE_ENV else user_id - - try: - posthog.capture( - distinct_id=posthog_user_id, - event='condenser_max_step_set', - properties={ - 'conversation_id': conversation_id, - 'variant': enabled_variant, - 'original_user_id': user_id, - 'is_feature_env': IS_FEATURE_ENV, - }, - ) - except Exception as e: - logger.error( - 'experiment_manager:posthog_capture:failed', - extra={ - 'convo_id': conversation_id, - 'experiment': EXPERIMENT_CONDENSER_MAX_STEP, - 'error': str(e), - }, - ) - # Continue execution as this is not critical - - logger.info( - 'posthog_capture', - extra={ - 'event': 'condenser_max_step_set', - 'posthog_user_id': posthog_user_id, - 'is_feature_env': IS_FEATURE_ENV, - 'conversation_id': conversation_id, - 'variant': enabled_variant, - }, - ) - - return enabled_variant - - -def handle_condenser_max_step_experiment( - user_id: str | None, - conversation_id: str, - conversation_settings: ConversationInitData, -) -> ConversationInitData: - """ - Handle the condenser max step experiment for conversation settings. - - We should not modify persistent user settings. Instead, apply the experiment - variant to the conversation's in-memory settings object for this session only. - - Variants: - - control -> condenser_max_size = 120 - - treatment -> condenser_max_size = 80 - - Returns the (potentially) modified conversation_settings. - """ - - enabled_variant = _get_condenser_max_step_variant(user_id, conversation_id) - - if enabled_variant is None: - return conversation_settings - - if enabled_variant == 'control': - condenser_max_size = 120 - elif enabled_variant == 'treatment': - condenser_max_size = 80 - else: - logger.error( - 'condenser_max_step_experiment:unknown_variant', - extra={ - 'user_id': user_id, - 'convo_id': conversation_id, - 'variant': enabled_variant, - 'reason': 'unknown variant; returning original conversation settings', - }, - ) - return conversation_settings - - try: - # Apply the variant to this conversation only; do not persist to DB. - # Not all OpenHands versions expose `condenser_max_size` on settings. - if hasattr(conversation_settings, 'condenser_max_size'): - conversation_settings.condenser_max_size = condenser_max_size - logger.info( - 'condenser_max_step_experiment:conversation_settings_applied', - extra={ - 'user_id': user_id, - 'convo_id': conversation_id, - 'variant': enabled_variant, - 'condenser_max_size': condenser_max_size, - }, - ) - else: - logger.warning( - 'condenser_max_step_experiment:field_missing_on_settings', - extra={ - 'user_id': user_id, - 'convo_id': conversation_id, - 'variant': enabled_variant, - 'reason': 'condenser_max_size not present on ConversationInitData', - }, - ) - except Exception as e: - logger.error( - 'condenser_max_step_experiment:apply_failed', - extra={ - 'user_id': user_id, - 'convo_id': conversation_id, - 'variant': enabled_variant, - 'error': str(e), - }, - ) - return conversation_settings - - return conversation_settings - - -def handle_condenser_max_step_experiment__v1( - user_id: str | None, - conversation_id: UUID, - agent: Agent, -) -> Agent: - enabled_variant = _get_condenser_max_step_variant(user_id, str(conversation_id)) - - if enabled_variant is None: - return agent - - if enabled_variant == 'control': - condenser_max_size = 120 - elif enabled_variant == 'treatment': - condenser_max_size = 80 - else: - logger.error( - 'condenser_max_step_experiment:unknown_variant', - extra={ - 'user_id': user_id, - 'convo_id': conversation_id, - 'variant': enabled_variant, - 'reason': 'unknown variant; returning original conversation settings', - }, - ) - return agent - - condenser_llm = agent.llm.model_copy(update={'usage_id': 'condenser'}) - condenser = LLMSummarizingCondenser( - llm=condenser_llm, max_size=condenser_max_size, keep_first=4 - ) - - return agent.model_copy(update={'condenser': condenser}) diff --git a/enterprise/experiments/experiment_versions/__init__.py b/enterprise/experiments/experiment_versions/__init__.py deleted file mode 100644 index 76da1fbd3b..0000000000 --- a/enterprise/experiments/experiment_versions/__init__.py +++ /dev/null @@ -1,25 +0,0 @@ -""" -Experiment versions package. - -This package contains handlers for different experiment versions. -""" - -from experiments.experiment_versions._001_litellm_default_model_experiment import ( - handle_litellm_default_model_experiment, -) -from experiments.experiment_versions._002_system_prompt_experiment import ( - handle_system_prompt_experiment, -) -from experiments.experiment_versions._003_llm_claude4_vs_gpt5_experiment import ( - handle_claude4_vs_gpt5_experiment, -) -from experiments.experiment_versions._004_condenser_max_step_experiment import ( - handle_condenser_max_step_experiment, -) - -__all__ = [ - 'handle_litellm_default_model_experiment', - 'handle_system_prompt_experiment', - 'handle_claude4_vs_gpt5_experiment', - 'handle_condenser_max_step_experiment', -] diff --git a/enterprise/pyproject.toml b/enterprise/pyproject.toml index 25607ba315..ef1840a8e4 100644 --- a/enterprise/pyproject.toml +++ b/enterprise/pyproject.toml @@ -17,7 +17,6 @@ packages = [ { include = "storage" }, { include = "sync" }, { include = "integrations" }, - { include = "experiments" }, ] [tool.poetry.dependencies] diff --git a/enterprise/server/routes/event_webhook.py b/enterprise/server/routes/event_webhook.py index c308358f67..8c48d0a69f 100644 --- a/enterprise/server/routes/event_webhook.py +++ b/enterprise/server/routes/event_webhook.py @@ -129,10 +129,6 @@ async def _process_batch_operations_background( # No action required continue - if subpath == 'exp_config.json': - # No action required - continue - # Log unhandled paths for future implementation logger.warning( 'unknown_path_in_batch_webhook', diff --git a/enterprise/server/saas_nested_conversation_manager.py b/enterprise/server/saas_nested_conversation_manager.py index be5f787b10..5c8f8aa235 100644 --- a/enterprise/server/saas_nested_conversation_manager.py +++ b/enterprise/server/saas_nested_conversation_manager.py @@ -391,39 +391,11 @@ class SaasNestedConversationManager(ConversationManager): await self._setup_nested_settings(client, api_url, settings) await self._setup_provider_tokens(client, api_url, settings) await self._setup_custom_secrets(client, api_url, settings.custom_secrets) # type: ignore - await self._setup_experiment_config(client, api_url, sid, user_id) await self._create_nested_conversation( client, api_url, sid, user_id, settings, initial_user_msg, replay_json ) await self._wait_for_conversation_ready(client, api_url, sid) - async def _setup_experiment_config( - self, client: httpx.AsyncClient, api_url: str, sid: str, user_id: str - ): - # Prevent circular import - from openhands.experiments.experiment_manager import ( - ExperimentConfig, - ExperimentManagerImpl, - ) - - config: OpenHandsConfig = ExperimentManagerImpl.run_config_variant_test( - user_id, sid, self.config - ) - - experiment_config = ExperimentConfig( - config={ - 'system_prompt_filename': config.get_agent_config( - config.default_agent - ).system_prompt_filename - } - ) - - response = await client.post( - f'{api_url}/api/conversations/{sid}/exp-config', - json=experiment_config.model_dump(), - ) - response.raise_for_status() - async def _setup_nested_settings( self, client: httpx.AsyncClient, api_url: str, settings: Settings ) -> None: diff --git a/enterprise/storage/__init__.py b/enterprise/storage/__init__.py index 5a9ef9838c..c427ec9222 100644 --- a/enterprise/storage/__init__.py +++ b/enterprise/storage/__init__.py @@ -4,7 +4,6 @@ from storage.billing_session import BillingSession from storage.billing_session_type import BillingSessionType from storage.conversation_callback import CallbackStatus, ConversationCallback from storage.conversation_work import ConversationWork -from storage.experiment_assignment import ExperimentAssignment from storage.feedback import ConversationFeedback, Feedback from storage.github_app_installation import GithubAppInstallation from storage.gitlab_webhook import GitlabWebhook, WebhookStatus @@ -50,7 +49,6 @@ __all__ = [ 'ConversationFeedback', 'StoredConversationMetadataSaas', 'ConversationWork', - 'ExperimentAssignment', 'Feedback', 'GithubAppInstallation', 'GitlabWebhook', diff --git a/enterprise/storage/experiment_assignment.py b/enterprise/storage/experiment_assignment.py deleted file mode 100644 index f648fa8a03..0000000000 --- a/enterprise/storage/experiment_assignment.py +++ /dev/null @@ -1,41 +0,0 @@ -""" -Database model for experiment assignments. - -This model tracks which experiments a conversation is assigned to and what variant -they received from PostHog feature flags. -""" - -import uuid -from datetime import UTC, datetime - -from sqlalchemy import Column, DateTime, String, UniqueConstraint -from storage.base import Base - - -class ExperimentAssignment(Base): # type: ignore - __tablename__ = 'experiment_assignments' - - id = Column(String, primary_key=True, default=lambda: str(uuid.uuid4())) - conversation_id = Column(String, nullable=True, index=True) - experiment_name = Column(String, nullable=False) - variant = Column(String, nullable=False) - - created_at = Column( - DateTime(timezone=True), - default=lambda: datetime.now(UTC), # type: ignore[attr-defined] - nullable=False, - ) - updated_at = Column( - DateTime(timezone=True), - default=lambda: datetime.now(UTC), # type: ignore[attr-defined] - onupdate=lambda: datetime.now(UTC), # type: ignore[attr-defined] - nullable=False, - ) - - __table_args__ = ( - UniqueConstraint( - 'conversation_id', - 'experiment_name', - name='uq_experiment_assignments_conversation_experiment', - ), - ) diff --git a/enterprise/storage/experiment_assignment_store.py b/enterprise/storage/experiment_assignment_store.py deleted file mode 100644 index 283315e13f..0000000000 --- a/enterprise/storage/experiment_assignment_store.py +++ /dev/null @@ -1,52 +0,0 @@ -""" -Store for managing experiment assignments. - -This store handles creating and updating experiment assignments for conversations. -""" - -from sqlalchemy.dialects.postgresql import insert -from storage.database import session_maker -from storage.experiment_assignment import ExperimentAssignment - -from openhands.core.logger import openhands_logger as logger - - -class ExperimentAssignmentStore: - """Store for managing experiment assignments.""" - - def update_experiment_variant( - self, - conversation_id: str, - experiment_name: str, - variant: str, - ) -> None: - """ - Update the variant for a specific experiment. - - Args: - conversation_id: The conversation ID - experiment_name: The name of the experiment - variant: The variant assigned - """ - with session_maker() as session: - # Use PostgreSQL's INSERT ... ON CONFLICT DO NOTHING to handle unique constraint - stmt = insert(ExperimentAssignment).values( - conversation_id=conversation_id, - experiment_name=experiment_name, - variant=variant, - ) - stmt = stmt.on_conflict_do_nothing( - constraint='uq_experiment_assignments_conversation_experiment' - ) - - session.execute(stmt) - session.commit() - - logger.info( - 'experiment_assignment_store:upserted_variant', - extra={ - 'conversation_id': conversation_id, - 'experiment_name': experiment_name, - 'variant': variant, - }, - ) diff --git a/enterprise/tests/unit/experiments/__init__.py b/enterprise/tests/unit/experiments/__init__.py deleted file mode 100644 index 50b9db5067..0000000000 --- a/enterprise/tests/unit/experiments/__init__.py +++ /dev/null @@ -1 +0,0 @@ -"""Unit tests for experiments module.""" diff --git a/enterprise/tests/unit/experiments/test_saas_experiment_manager.py b/enterprise/tests/unit/experiments/test_saas_experiment_manager.py deleted file mode 100644 index 25883fd31c..0000000000 --- a/enterprise/tests/unit/experiments/test_saas_experiment_manager.py +++ /dev/null @@ -1,149 +0,0 @@ -# tests/test_condenser_max_step_experiment_v1.py - -from unittest.mock import patch -from uuid import uuid4 - -from experiments.experiment_manager import SaaSExperimentManager - -# SUT imports (update the module path if needed) -from experiments.experiment_versions._004_condenser_max_step_experiment import ( - handle_condenser_max_step_experiment__v1, -) -from pydantic import SecretStr - -from openhands.sdk import LLM, Agent -from openhands.sdk.context.condenser import LLMSummarizingCondenser - - -def make_agent() -> Agent: - """Build a minimal valid Agent.""" - llm = LLM( - usage_id='primary-llm', - model='provider/model', - api_key=SecretStr('sk-test'), - ) - return Agent(llm=llm) - - -def _patch_variant(monkeypatch, return_value): - """Patch the internal variant getter to return a specific value.""" - monkeypatch.setattr( - 'experiments.experiment_versions._004_condenser_max_step_experiment._get_condenser_max_step_variant', - lambda user_id, conv_id: return_value, - raising=True, - ) - - -def test_control_variant_sets_condenser_with_max_size_120(monkeypatch): - _patch_variant(monkeypatch, 'control') - agent = make_agent() - conv_id = uuid4() - - result = handle_condenser_max_step_experiment__v1('user-1', conv_id, agent) - - # Should be a new Agent instance with a condenser installed - assert result is not agent - assert isinstance(result.condenser, LLMSummarizingCondenser) - - # The condenser should have its own LLM (usage_id overridden to "condenser") - assert result.condenser.llm.usage_id == 'condenser' - # The original agent LLM remains unchanged - assert agent.llm.usage_id == 'primary-llm' - - # Control: max_size = 120, keep_first = 4 - assert result.condenser.max_size == 120 - assert result.condenser.keep_first == 4 - - -def test_treatment_variant_sets_condenser_with_max_size_80(monkeypatch): - _patch_variant(monkeypatch, 'treatment') - agent = make_agent() - conv_id = uuid4() - - result = handle_condenser_max_step_experiment__v1('user-2', conv_id, agent) - - assert result is not agent - assert isinstance(result.condenser, LLMSummarizingCondenser) - assert result.condenser.llm.usage_id == 'condenser' - assert result.condenser.max_size == 80 - assert result.condenser.keep_first == 4 - - -def test_none_variant_returns_original_agent_without_changes(monkeypatch): - _patch_variant(monkeypatch, None) - agent = make_agent() - conv_id = uuid4() - - result = handle_condenser_max_step_experiment__v1('user-3', conv_id, agent) - - # No changes—same instance and no condenser attribute added - assert result is agent - assert getattr(result, 'condenser', None) is None - - -def test_unknown_variant_returns_original_agent_without_changes(monkeypatch): - _patch_variant(monkeypatch, 'weird-variant') - agent = make_agent() - conv_id = uuid4() - - result = handle_condenser_max_step_experiment__v1('user-4', conv_id, agent) - - assert result is agent - assert getattr(result, 'condenser', None) is None - - -@patch('experiments.experiment_manager.ENABLE_EXPERIMENT_MANAGER', False) -def test_run_agent_variant_tests_v1_noop_when_manager_disabled(): - """If ENABLE_EXPERIMENT_MANAGER is False, the method returns the exact same agent and does not call the handler.""" - agent = make_agent() - conv_id = uuid4() - - result = SaaSExperimentManager.run_agent_variant_tests__v1( - user_id='user-123', - conversation_id=conv_id, - agent=agent, - ) - - # Same object returned (no copy) - assert result is agent - - -@patch('experiments.experiment_manager.ENABLE_EXPERIMENT_MANAGER', True) -@patch('experiments.experiment_manager.EXPERIMENT_SYSTEM_PROMPT_EXPERIMENT', True) -def test_run_agent_variant_tests_v1_calls_handler_and_sets_system_prompt(monkeypatch): - """When enabled, it should call the condenser experiment handler and set the long-horizon system prompt.""" - agent = make_agent() - conv_id = uuid4() - - _patch_variant(monkeypatch, 'treatment') - - result: Agent = SaaSExperimentManager.run_agent_variant_tests__v1( - user_id='user-abc', - conversation_id=conv_id, - agent=agent, - ) - - # Should be a different instance than the original (copied after handler runs) - assert result is not agent - assert result.system_prompt_filename == 'system_prompt_long_horizon.j2' - - -@patch('experiments.experiment_manager.ENABLE_EXPERIMENT_MANAGER', True) -@patch('experiments.experiment_manager.EXPERIMENT_SYSTEM_PROMPT_EXPERIMENT', True) -def test_run_agent_variant_tests_v1_preserves_planning_agent_system_prompt(): - """Planning agents should retain their specialized system prompt and not be overwritten by the experiment.""" - # Arrange - planning_agent = make_agent().model_copy( - update={'system_prompt_filename': 'system_prompt_planning.j2'} - ) - conv_id = uuid4() - - # Act - result: Agent = SaaSExperimentManager.run_agent_variant_tests__v1( - user_id='user-planning', - conversation_id=conv_id, - agent=planning_agent, - ) - - # Assert - assert result.system_prompt_filename == 'system_prompt_planning.j2' diff --git a/openhands/app_server/app_conversation/live_status_app_conversation_service.py b/openhands/app_server/app_conversation/live_status_app_conversation_service.py index 32cb6b607b..b4ca372c16 100644 --- a/openhands/app_server/app_conversation/live_status_app_conversation_service.py +++ b/openhands/app_server/app_conversation/live_status_app_conversation_service.py @@ -77,7 +77,6 @@ from openhands.app_server.utils.llm_metadata import ( get_llm_metadata, should_set_litellm_extra_body, ) -from openhands.experiments.experiment_manager import ExperimentManagerImpl from openhands.integrations.provider import ProviderType from openhands.integrations.service_types import SuggestedTask from openhands.sdk import Agent, AgentContext, LocalWorkspace @@ -1140,7 +1139,7 @@ class LiveStatusAppConversationService(AppConversationServiceBase): working_dir: str, plugins: list[PluginSpec] | None = None, ) -> StartConversationRequest: - """Finalize the conversation request with experiment variants and skills. + """Finalize the conversation request with skills and metadata. Args: agent: The configured agent @@ -1161,13 +1160,7 @@ class LiveStatusAppConversationService(AppConversationServiceBase): # Generate conversation ID if not provided conversation_id = conversation_id or uuid4() - # Apply experiment variants - agent = ExperimentManagerImpl.run_agent_variant_tests__v1( - user.id, conversation_id, agent - ) - # Update agent's LLM with litellm_extra_body metadata for tracing - # This is done after experiment variants to ensure the final LLM config is used agent = self._update_agent_with_llm_metadata(agent, conversation_id, user.id) # Load and merge skills if remote workspace is available @@ -1230,7 +1223,7 @@ class LiveStatusAppConversationService(AppConversationServiceBase): 1. Setting up git provider secrets 2. Configuring LLM and MCP settings 3. Creating an agent with appropriate context - 4. Finalizing the request with skills and experiment variants + 4. Finalizing the request with skills and metadata 5. Passing plugins to the agent server for remote plugin loading """ user = await self.user_context.get_user_info() diff --git a/openhands/experiments/experiment_manager.py b/openhands/experiments/experiment_manager.py deleted file mode 100644 index 013aa16bef..0000000000 --- a/openhands/experiments/experiment_manager.py +++ /dev/null @@ -1,72 +0,0 @@ -import os -from uuid import UUID - -from pydantic import BaseModel - -from openhands.core.config.openhands_config import OpenHandsConfig -from openhands.core.logger import openhands_logger as logger -from openhands.sdk import Agent -from openhands.server.session.conversation_init_data import ConversationInitData -from openhands.server.shared import file_store -from openhands.storage.locations import get_experiment_config_filename -from openhands.utils.import_utils import get_impl - - -class ExperimentConfig(BaseModel): - config: dict[str, str] | None = None - - -def load_experiment_config(conversation_id: str) -> ExperimentConfig | None: - try: - file_path = get_experiment_config_filename(conversation_id) - exp_config = file_store.read(file_path) - return ExperimentConfig.model_validate_json(exp_config) - - except FileNotFoundError: - pass - except Exception as e: - logger.warning(f'Failed to load experiment config: {e}') - - return None - - -class ExperimentManager: - @staticmethod - def run_agent_variant_tests__v1( - user_id: str | None, conversation_id: UUID, agent: Agent - ) -> Agent: - return agent - - @staticmethod - def run_conversation_variant_test( - user_id: str | None, - conversation_id: str, - conversation_settings: ConversationInitData, - ) -> ConversationInitData: - return conversation_settings - - @staticmethod - def run_config_variant_test( - user_id: str | None, conversation_id: str, config: OpenHandsConfig - ) -> OpenHandsConfig: - exp_config = load_experiment_config(conversation_id) - if exp_config and exp_config.config: - agent_cfg = config.get_agent_config(config.default_agent) - try: - for attr, value in exp_config.config.items(): - if hasattr(agent_cfg, attr): - logger.info( - f'Set attrib {attr} to {value} for {conversation_id}' - ) - setattr(agent_cfg, attr, value) - except Exception as e: - logger.warning(f'Error processing exp config: {e}') - - return config - - -experiment_manager_cls = os.environ.get( - 'OPENHANDS_EXPERIMENT_MANAGER_CLS', - 'openhands.experiments.experiment_manager.ExperimentManager', -) -ExperimentManagerImpl = get_impl(ExperimentManager, experiment_manager_cls) diff --git a/openhands/server/conversation_manager/docker_nested_conversation_manager.py b/openhands/server/conversation_manager/docker_nested_conversation_manager.py index 425c9cb8a5..aa8feb477c 100644 --- a/openhands/server/conversation_manager/docker_nested_conversation_manager.py +++ b/openhands/server/conversation_manager/docker_nested_conversation_manager.py @@ -28,7 +28,6 @@ from openhands.core.logger import openhands_logger as logger from openhands.events.action import MessageAction from openhands.events.nested_event_store import NestedEventStore from openhands.events.stream import EventStream -from openhands.experiments.experiment_manager import ExperimentManagerImpl from openhands.integrations.provider import PROVIDER_TOKEN_TYPE, ProviderHandler from openhands.runtime import get_runtime_cls from openhands.runtime.impl.docker.docker_runtime import DockerRuntime @@ -551,12 +550,8 @@ class DockerNestedConversationManager(ConversationManager): # This session is created here only because it is the easiest way to get a runtime, which # is the easiest way to create the needed docker container - config: OpenHandsConfig = ExperimentManagerImpl.run_config_variant_test( - user_id, sid, self.config - ) - llm_registry, conversation_stats, config = ( - create_registry_and_conversation_stats(config, sid, user_id, settings) + create_registry_and_conversation_stats(self.config, sid, user_id, settings) ) session = Session( diff --git a/openhands/server/routes/manage_conversations.py b/openhands/server/routes/manage_conversations.py index eb9d359885..547ca6e252 100644 --- a/openhands/server/routes/manage_conversations.py +++ b/openhands/server/routes/manage_conversations.py @@ -60,7 +60,6 @@ from openhands.events.observation import ( AgentStateChangedObservation, NullObservation, ) -from openhands.experiments.experiment_manager import ExperimentConfig from openhands.integrations.provider import ( PROVIDER_TOKEN_TYPE, ProviderHandler, @@ -109,7 +108,6 @@ from openhands.storage.data_models.conversation_metadata import ( from openhands.storage.data_models.conversation_status import ConversationStatus from openhands.storage.data_models.secrets import Secrets from openhands.storage.data_models.settings import Settings -from openhands.storage.locations import get_experiment_config_filename from openhands.storage.settings.settings_store import SettingsStore from openhands.utils.async_utils import wait_all from openhands.utils.conversation_summary import get_default_conversation_title @@ -1240,32 +1238,6 @@ async def update_conversation( ) -@app.post('/conversations/{conversation_id}/exp-config') -def add_experiment_config_for_conversation( - exp_config: ExperimentConfig, - conversation_id: str = Depends(validate_conversation_id), -) -> bool: - exp_config_filepath = get_experiment_config_filename(conversation_id) - exists = False - try: - file_store.read(exp_config_filepath) - exists = True - except FileNotFoundError: - pass - - # Don't modify again if it already exists - if exists: - return False - - try: - file_store.write(exp_config_filepath, exp_config.model_dump_json()) - except Exception as e: - logger.info(f'Failed to write experiment config for {conversation_id}: {e}') - return True - - return False - - def _parse_combined_page_id(page_id: str | None) -> tuple[str | None, str | None]: """Parse combined page_id to extract separate V0 and V1 page_ids. diff --git a/openhands/server/services/conversation_service.py b/openhands/server/services/conversation_service.py index d37d26fbd8..bddf160c1f 100644 --- a/openhands/server/services/conversation_service.py +++ b/openhands/server/services/conversation_service.py @@ -13,7 +13,6 @@ from typing import Any from openhands.core.config.mcp_config import MCPConfig from openhands.core.logger import openhands_logger as logger from openhands.events.action.message import MessageAction -from openhands.experiments.experiment_manager import ExperimentManagerImpl from openhands.integrations.provider import ( CUSTOM_SECRETS_TYPE, PROVIDER_TOKEN_TYPE, @@ -142,10 +141,6 @@ async def start_conversation( conversation_init_data = ConversationInitData(**session_init_args) - conversation_init_data = ExperimentManagerImpl.run_conversation_variant_test( - user_id, conversation_id, conversation_init_data - ) - logger.info( f'Starting agent loop for conversation {conversation_id}', extra={'user_id': user_id, 'session_id': conversation_id}, @@ -281,8 +276,4 @@ async def setup_init_conversation_settings( if user_secrets: session_init_args['custom_secrets'] = user_secrets.custom_secrets - conversation_init_data = ConversationInitData(**session_init_args) - # We should recreate the same experiment conditions when restarting a conversation - return ExperimentManagerImpl.run_conversation_variant_test( - user_id, conversation_id, conversation_init_data - ) + return ConversationInitData(**session_init_args) diff --git a/openhands/server/session/session.py b/openhands/server/session/session.py index e55618993e..c8cb92bd74 100644 --- a/openhands/server/session/session.py +++ b/openhands/server/session/session.py @@ -108,13 +108,6 @@ class WebSession: EventStreamSubscriber.SERVER, self.on_event, self.sid ) self.config = config - - # Lazy import to avoid circular dependency - from openhands.experiments.experiment_manager import ExperimentManagerImpl - - self.config = ExperimentManagerImpl.run_config_variant_test( - user_id, sid, self.config - ) self.loop = asyncio.get_event_loop() self.user_id = user_id diff --git a/openhands/storage/locations.py b/openhands/storage/locations.py index 58883fccb2..0b1ec72c1d 100644 --- a/openhands/storage/locations.py +++ b/openhands/storage/locations.py @@ -36,7 +36,3 @@ def get_conversation_llm_registry_filename(sid: str, user_id: str | None = None) def get_conversation_stats_filename(sid: str, user_id: str | None = None) -> str: return f'{get_conversation_dir(sid, user_id)}conversation_stats.pkl' - - -def get_experiment_config_filename(sid: str, user_id: str | None = None) -> str: - return f'{get_conversation_dir(sid, user_id)}exp_config.json' diff --git a/scripts/update_openapi.py b/scripts/update_openapi.py index 0336924f11..5f58b35ece 100755 --- a/scripts/update_openapi.py +++ b/scripts/update_openapi.py @@ -129,9 +129,8 @@ def generate_openapi_spec(): """Generate the OpenAPI specification from the FastAPI app.""" spec = app.openapi() - # Explicitly exclude certain endpoints that are operational, experimental, or UI-only convenience + # Explicitly exclude certain endpoints that are operational or UI-only convenience excluded_endpoints = [ - '/api/conversations/{conversation_id}/exp-config', # Internal experimentation endpoint '/server_info', # Operational/system diagnostics '/api/conversations/{conversation_id}/vscode-url', # UI/runtime convenience '/api/conversations/{conversation_id}/web-hosts', # UI/runtime convenience diff --git a/tests/unit/app_server/test_live_status_app_conversation_service.py b/tests/unit/app_server/test_live_status_app_conversation_service.py index e374d45146..b203c240f9 100644 --- a/tests/unit/app_server/test_live_status_app_conversation_service.py +++ b/tests/unit/app_server/test_live_status_app_conversation_service.py @@ -1032,27 +1032,17 @@ class TestLiveStatusAppConversationService: assert agent_context.system_message_suffix is None @pytest.mark.asyncio - @patch( - 'openhands.app_server.app_conversation.live_status_app_conversation_service.ExperimentManagerImpl' - ) - async def test_finalize_conversation_request_with_skills( - self, mock_experiment_manager - ): + async def test_finalize_conversation_request_with_skills(self): """Test _finalize_conversation_request with skills loading.""" - # Arrange - mock_agent = Mock(spec=Agent) - # Create mock LLM with required attributes for _update_agent_with_llm_metadata mock_llm = Mock(spec=LLM) mock_llm.model = 'gpt-4' # Non-openhands model, so no metadata update mock_llm.usage_id = 'agent' - mock_updated_agent = Mock(spec=Agent) - mock_updated_agent.llm = mock_llm - mock_updated_agent.condenser = None # No condenser - mock_experiment_manager.run_agent_variant_tests__v1.return_value = ( - mock_updated_agent - ) + # Arrange + mock_agent = Mock(spec=Agent) + mock_agent.llm = mock_llm + mock_agent.condenser = None # No condenser conversation_id = uuid4() workspace = LocalWorkspace(working_dir='/test') @@ -1061,9 +1051,7 @@ class TestLiveStatusAppConversationService: remote_workspace = Mock(spec=AsyncRemoteWorkspace) # Mock the skills loading method - self.service._load_skills_and_update_agent = AsyncMock( - return_value=mock_updated_agent - ) + self.service._load_skills_and_update_agent = AsyncMock(return_value=mock_agent) # Act result = await self.service._finalize_conversation_request( @@ -1082,44 +1070,24 @@ class TestLiveStatusAppConversationService: # Assert assert isinstance(result, StartConversationRequest) assert result.conversation_id == conversation_id - assert result.agent == mock_updated_agent assert result.workspace == workspace assert result.initial_message == initial_message assert result.secrets == secrets - mock_experiment_manager.run_agent_variant_tests__v1.assert_called_once_with( - self.mock_user.id, conversation_id, mock_agent - ) - self.service._load_skills_and_update_agent.assert_called_once_with( - self.mock_sandbox, - mock_updated_agent, - remote_workspace, - 'test_repo', - '/test/dir', - ) + self.service._load_skills_and_update_agent.assert_called_once() @pytest.mark.asyncio - @patch( - 'openhands.app_server.app_conversation.live_status_app_conversation_service.ExperimentManagerImpl' - ) - async def test_finalize_conversation_request_without_skills( - self, mock_experiment_manager - ): + async def test_finalize_conversation_request_without_skills(self): """Test _finalize_conversation_request without remote workspace (no skills).""" - # Arrange - mock_agent = Mock(spec=Agent) - # Create mock LLM with required attributes for _update_agent_with_llm_metadata mock_llm = Mock(spec=LLM) mock_llm.model = 'gpt-4' # Non-openhands model, so no metadata update mock_llm.usage_id = 'agent' - mock_updated_agent = Mock(spec=Agent) - mock_updated_agent.llm = mock_llm - mock_updated_agent.condenser = None # No condenser - mock_experiment_manager.run_agent_variant_tests__v1.return_value = ( - mock_updated_agent - ) + # Arrange + mock_agent = Mock(spec=Agent) + mock_agent.llm = mock_llm + mock_agent.condenser = None # No condenser workspace = LocalWorkspace(working_dir='/test') secrets = {'test': StaticSecret(value='secret')} @@ -1141,31 +1109,18 @@ class TestLiveStatusAppConversationService: # Assert assert isinstance(result, StartConversationRequest) assert isinstance(result.conversation_id, UUID) - assert result.agent == mock_updated_agent - mock_experiment_manager.run_agent_variant_tests__v1.assert_called_once() @pytest.mark.asyncio - @patch( - 'openhands.app_server.app_conversation.live_status_app_conversation_service.ExperimentManagerImpl' - ) - async def test_finalize_conversation_request_skills_loading_fails( - self, mock_experiment_manager - ): + async def test_finalize_conversation_request_skills_loading_fails(self): """Test _finalize_conversation_request when skills loading fails.""" - # Arrange - mock_agent = Mock(spec=Agent) - # Create mock LLM with required attributes for _update_agent_with_llm_metadata mock_llm = Mock(spec=LLM) mock_llm.model = 'gpt-4' # Non-openhands model, so no metadata update mock_llm.usage_id = 'agent' - mock_updated_agent = Mock(spec=Agent) - mock_updated_agent.llm = mock_llm - mock_updated_agent.condenser = None # No condenser - mock_experiment_manager.run_agent_variant_tests__v1.return_value = ( - mock_updated_agent - ) + mock_agent = Mock(spec=Agent) + mock_agent.llm = mock_llm + mock_agent.condenser = None # No condenser workspace = LocalWorkspace(working_dir='/test') secrets = {'test': StaticSecret(value='secret')} @@ -1195,9 +1150,6 @@ class TestLiveStatusAppConversationService: # Assert assert isinstance(result, StartConversationRequest) - assert ( - result.agent == mock_updated_agent - ) # Should still use the experiment-modified agent mock_logger.warning.assert_called_once() @pytest.mark.asyncio @@ -2266,12 +2218,7 @@ class TestPluginHandling: assert 'key2: value2' in text @pytest.mark.asyncio - @patch( - 'openhands.app_server.app_conversation.live_status_app_conversation_service.ExperimentManagerImpl' - ) - async def test_finalize_conversation_request_with_plugins( - self, mock_experiment_manager - ): + async def test_finalize_conversation_request_with_plugins(self): """Test _finalize_conversation_request passes plugins list to StartConversationRequest.""" from openhands.app_server.app_conversation.app_conversation_models import ( PluginSpec, @@ -2282,13 +2229,13 @@ class TestPluginHandling: mock_llm = Mock(spec=LLM) mock_llm.model = 'gpt-4' mock_llm.usage_id = 'agent' + mock_agent.llm = mock_llm + mock_agent.condenser = None mock_updated_agent = Mock(spec=Agent) mock_updated_agent.llm = mock_llm mock_updated_agent.condenser = None - mock_experiment_manager.run_agent_variant_tests__v1.return_value = ( - mock_updated_agent - ) + mock_agent.model_copy = Mock(return_value=mock_updated_agent) workspace = LocalWorkspace(working_dir='/test') secrets = {'test': StaticSecret(value='secret')} @@ -2330,25 +2277,20 @@ class TestPluginHandling: assert '- api_key: test123' in result.initial_message.content[0].text @pytest.mark.asyncio - @patch( - 'openhands.app_server.app_conversation.live_status_app_conversation_service.ExperimentManagerImpl' - ) - async def test_finalize_conversation_request_without_plugins( - self, mock_experiment_manager - ): + async def test_finalize_conversation_request_without_plugins(self): """Test _finalize_conversation_request without plugins sets plugins to None.""" # Arrange mock_agent = Mock(spec=Agent) mock_llm = Mock(spec=LLM) mock_llm.model = 'gpt-4' mock_llm.usage_id = 'agent' + mock_agent.llm = mock_llm + mock_agent.condenser = None mock_updated_agent = Mock(spec=Agent) mock_updated_agent.llm = mock_llm mock_updated_agent.condenser = None - mock_experiment_manager.run_agent_variant_tests__v1.return_value = ( - mock_updated_agent - ) + mock_agent.model_copy = Mock(return_value=mock_updated_agent) workspace = LocalWorkspace(working_dir='/test') secrets = {} @@ -2373,12 +2315,7 @@ class TestPluginHandling: assert result.plugins is None @pytest.mark.asyncio - @patch( - 'openhands.app_server.app_conversation.live_status_app_conversation_service.ExperimentManagerImpl' - ) - async def test_finalize_conversation_request_plugin_without_ref( - self, mock_experiment_manager - ): + async def test_finalize_conversation_request_plugin_without_ref(self): """Test _finalize_conversation_request with plugin that has no ref.""" from openhands.app_server.app_conversation.app_conversation_models import ( PluginSpec, @@ -2389,13 +2326,13 @@ class TestPluginHandling: mock_llm = Mock(spec=LLM) mock_llm.model = 'gpt-4' mock_llm.usage_id = 'agent' + mock_agent.llm = mock_llm + mock_agent.condenser = None mock_updated_agent = Mock(spec=Agent) mock_updated_agent.llm = mock_llm mock_updated_agent.condenser = None - mock_experiment_manager.run_agent_variant_tests__v1.return_value = ( - mock_updated_agent - ) + mock_agent.model_copy = Mock(return_value=mock_updated_agent) workspace = LocalWorkspace(working_dir='/test') secrets = {} @@ -2428,12 +2365,7 @@ class TestPluginHandling: assert result.initial_message is None @pytest.mark.asyncio - @patch( - 'openhands.app_server.app_conversation.live_status_app_conversation_service.ExperimentManagerImpl' - ) - async def test_finalize_conversation_request_plugin_with_repo_path( - self, mock_experiment_manager - ): + async def test_finalize_conversation_request_plugin_with_repo_path(self): """Test _finalize_conversation_request passes repo_path to PluginSource.""" from openhands.app_server.app_conversation.app_conversation_models import ( PluginSpec, @@ -2444,13 +2376,13 @@ class TestPluginHandling: mock_llm = Mock(spec=LLM) mock_llm.model = 'gpt-4' mock_llm.usage_id = 'agent' + mock_agent.llm = mock_llm + mock_agent.condenser = None mock_updated_agent = Mock(spec=Agent) mock_updated_agent.llm = mock_llm mock_updated_agent.condenser = None - mock_experiment_manager.run_agent_variant_tests__v1.return_value = ( - mock_updated_agent - ) + mock_agent.model_copy = Mock(return_value=mock_updated_agent) workspace = LocalWorkspace(working_dir='/test') secrets = {} @@ -2488,12 +2420,7 @@ class TestPluginHandling: assert result.plugins[0].repo_path == 'plugins/city-weather' @pytest.mark.asyncio - @patch( - 'openhands.app_server.app_conversation.live_status_app_conversation_service.ExperimentManagerImpl' - ) - async def test_finalize_conversation_request_multiple_plugins( - self, mock_experiment_manager - ): + async def test_finalize_conversation_request_multiple_plugins(self): """Test _finalize_conversation_request with multiple plugins.""" from openhands.app_server.app_conversation.app_conversation_models import ( PluginSpec, @@ -2504,13 +2431,13 @@ class TestPluginHandling: mock_llm = Mock(spec=LLM) mock_llm.model = 'gpt-4' mock_llm.usage_id = 'agent' + mock_agent.llm = mock_llm + mock_agent.condenser = None mock_updated_agent = Mock(spec=Agent) mock_updated_agent.llm = mock_llm mock_updated_agent.condenser = None - mock_experiment_manager.run_agent_variant_tests__v1.return_value = ( - mock_updated_agent - ) + mock_agent.model_copy = Mock(return_value=mock_updated_agent) workspace = LocalWorkspace(working_dir='/test') secrets = {} diff --git a/tests/unit/experiments/__init__.py b/tests/unit/experiments/__init__.py deleted file mode 100644 index e69de29bb2..0000000000 diff --git a/tests/unit/experiments/test_experiment_manager.py b/tests/unit/experiments/test_experiment_manager.py deleted file mode 100644 index 6a9d5e4a32..0000000000 --- a/tests/unit/experiments/test_experiment_manager.py +++ /dev/null @@ -1,264 +0,0 @@ -"""Unit tests for ExperimentManager class, focusing on the v1 agent method.""" - -from types import SimpleNamespace -from unittest.mock import Mock, patch -from uuid import UUID, uuid4 - -import pytest - -from openhands.app_server.app_conversation.live_status_app_conversation_service import ( - LiveStatusAppConversationService, -) -from openhands.app_server.sandbox.sandbox_models import SandboxInfo, SandboxStatus -from openhands.experiments.experiment_manager import ExperimentManager -from openhands.sdk import Agent -from openhands.sdk.llm import LLM - - -class TestExperimentManager: - """Test cases for ExperimentManager class.""" - - def setup_method(self): - """Set up test fixtures.""" - self.user_id = 'test_user_123' - self.conversation_id = uuid4() - - # Create a mock LLM - self.mock_llm = Mock(spec=LLM) - self.mock_llm.model = 'gpt-4' - self.mock_llm.usage_id = 'agent' - - # Create a mock Agent - self.mock_agent = Mock(spec=Agent) - self.mock_agent.llm = self.mock_llm - self.mock_agent.system_prompt_filename = 'default_system_prompt.j2' - self.mock_agent.model_copy = Mock(return_value=self.mock_agent) - - def test_run_agent_variant_tests__v1_returns_agent_unchanged(self): - """Test that the base ExperimentManager returns the agent unchanged.""" - result = ExperimentManager.run_agent_variant_tests__v1( - self.user_id, self.conversation_id, self.mock_agent - ) - - assert result is self.mock_agent - assert result == self.mock_agent - - def test_run_agent_variant_tests__v1_with_none_user_id(self): - """Test that the method works with None user_id.""" - # Act - result = ExperimentManager.run_agent_variant_tests__v1( - None, self.conversation_id, self.mock_agent - ) - - # Assert - assert result is self.mock_agent - - def test_run_agent_variant_tests__v1_with_different_conversation_ids(self): - """Test that the method works with different conversation IDs.""" - conversation_id_1 = uuid4() - conversation_id_2 = uuid4() - - # Act - result_1 = ExperimentManager.run_agent_variant_tests__v1( - self.user_id, conversation_id_1, self.mock_agent - ) - result_2 = ExperimentManager.run_agent_variant_tests__v1( - self.user_id, conversation_id_2, self.mock_agent - ) - - # Assert - assert result_1 is self.mock_agent - assert result_2 is self.mock_agent - - -class TestExperimentManagerIntegration: - """Integration tests for ExperimentManager with start_app_conversation.""" - - def setup_method(self): - """Set up test fixtures.""" - self.user_id = 'test_user_123' - self.conversation_id = uuid4() - - # Create a mock LLM - self.mock_llm = Mock(spec=LLM) - self.mock_llm.model = 'gpt-4' - self.mock_llm.usage_id = 'agent' - - # Create a mock Agent - self.mock_agent = Mock(spec=Agent) - self.mock_agent.llm = self.mock_llm - self.mock_agent.system_prompt_filename = 'default_system_prompt.j2' - self.mock_agent.model_copy = Mock(return_value=self.mock_agent) - - @patch('openhands.experiments.experiment_manager.ExperimentManagerImpl') - def test_start_app_conversation_calls_experiment_manager_v1( - self, mock_experiment_manager_impl - ): - """Test that start_app_conversation calls the experiment manager v1 method with correct parameters.""" - # Arrange - mock_experiment_manager_impl.run_agent_variant_tests__v1.return_value = ( - self.mock_agent - ) - - # Create a mock service instance - mock_service = Mock(spec=LiveStatusAppConversationService) - - # Mock the _build_start_conversation_request_for_user method to simulate the call - with patch.object(mock_service, '_build_start_conversation_request_for_user'): - # Simulate the part of the code that calls the experiment manager - from uuid import uuid4 - - conversation_id = uuid4() - - # This simulates the call that happens in the actual service - result_agent = mock_experiment_manager_impl.run_agent_variant_tests__v1( - self.user_id, conversation_id, self.mock_agent - ) - - # Assert - mock_experiment_manager_impl.run_agent_variant_tests__v1.assert_called_once_with( - self.user_id, conversation_id, self.mock_agent - ) - assert result_agent == self.mock_agent - - @pytest.mark.asyncio - async def test_experiment_manager_called_with_correct_parameters_in_context__noop_pass_through( - self, - ): - """ - Test that ExperimentManagerImpl.run_agent_variant_tests__v1 is called with correct parameters - and returns the same agent instance (no copy/mutation) when building a StartConversationRequest. - """ - # --- Arrange: fixed UUID to assert call parameters deterministically - fixed_conversation_id = UUID('00000000-0000-0000-0000-000000000001') - - # Create a stable Agent (and LLM) we can identity-check later - mock_llm = Mock(spec=LLM) - mock_llm.model = 'gpt-4' - mock_llm.usage_id = 'agent' - - mock_agent = Mock(spec=Agent) - mock_agent.llm = mock_llm - mock_agent.condenser = None # No condenser for this test - mock_agent.system_prompt_filename = 'default_system_prompt.j2' - mock_agent.model_copy = Mock(return_value=mock_agent) - - # Minimal, real-ish user context used by the service - class DummyUserContext: - async def get_user_info(self): - # confirmation_mode=False -> NeverConfirm() - return SimpleNamespace( - id='test_user_123', - llm_model='gpt-4', - llm_base_url=None, - llm_api_key=None, - confirmation_mode=False, - condenser_max_size=None, - security_analyzer=None, - ) - - async def get_secrets(self): - return {} - - async def get_latest_token(self, provider): - return None - - async def get_user_id(self): - return 'test_user_123' - - user_context = DummyUserContext() - - # The service requires a lot of deps, but for this test we won't exercise them. - app_conversation_info_service = Mock() - app_conversation_start_task_service = Mock() - event_callback_service = Mock() - sandbox_service = Mock() - sandbox_spec_service = Mock() - jwt_service = Mock() - httpx_client = Mock() - - event_service = Mock() - - service = LiveStatusAppConversationService( - init_git_in_empty_workspace=False, - user_context=user_context, - app_conversation_info_service=app_conversation_info_service, - app_conversation_start_task_service=app_conversation_start_task_service, - event_callback_service=event_callback_service, - event_service=event_service, - sandbox_service=sandbox_service, - sandbox_spec_service=sandbox_spec_service, - jwt_service=jwt_service, - sandbox_startup_timeout=30, - sandbox_startup_poll_frequency=1, - httpx_client=httpx_client, - web_url=None, - openhands_provider_base_url=None, - access_token_hard_timeout=None, - ) - - sandbox = SandboxInfo( - id='mock-sandbox-id', - created_by_user_id='mock-user-id', - sandbox_spec_id='mock-sandbox-spec-id', - status=SandboxStatus.RUNNING, - session_api_key='mock-session-api-key', - ) - - # Patch the pieces invoked by the service - with ( - patch.object( - service, - '_setup_secrets_for_git_providers', - return_value={}, - ), - patch.object( - service, - '_configure_llm_and_mcp', - return_value=(mock_llm, {}), - ), - patch.object( - service, - '_create_agent_with_context', - return_value=mock_agent, - ), - patch.object( - service, - '_load_skills_and_update_agent', - return_value=mock_agent, - ), - patch( - 'openhands.app_server.app_conversation.live_status_app_conversation_service.uuid4', - return_value=fixed_conversation_id, - ), - patch( - 'openhands.app_server.app_conversation.live_status_app_conversation_service.ExperimentManagerImpl' - ) as mock_experiment_manager, - ): - # Configure the experiment manager mock to return the same agent - mock_experiment_manager.run_agent_variant_tests__v1.return_value = ( - mock_agent - ) - - # --- Act: build the start request - start_req = await service._build_start_conversation_request_for_user( - sandbox=sandbox, - initial_message=None, - system_message_suffix=None, # No additional system message suffix - git_provider=None, # Keep secrets path simple - working_dir='/tmp/project', # Arbitrary path - ) - - # --- Assert: verify experiment manager was called with correct parameters - mock_experiment_manager.run_agent_variant_tests__v1.assert_called_once_with( - 'test_user_123', # user_id - fixed_conversation_id, # conversation_id - mock_agent, # agent (after model_copy with agent_context) - ) - - # The agent in the StartConversationRequest is the *same* object returned by experiment manager - assert start_req.agent is mock_agent - - # No tweaks to agent fields by the experiment manager (noop) - assert start_req.agent.llm is mock_llm - assert start_req.agent.system_prompt_filename == 'default_system_prompt.j2' From bf769d17447aba684ee7aa13f607bcd7d21e9eef Mon Sep 17 00:00:00 2001 From: Rohit Malhotra Date: Wed, 4 Mar 2026 15:50:37 -0500 Subject: [PATCH 44/67] Handle deleted GitHub issues (410 error) gracefully (#13217) Co-authored-by: openhands --- .../github/github_v1_callback_processor.py | 33 ++++++++++++------- .../test_github_v1_callback_processor.py | 28 ++++++++++++++++ 2 files changed, 50 insertions(+), 11 deletions(-) diff --git a/enterprise/integrations/github/github_v1_callback_processor.py b/enterprise/integrations/github/github_v1_callback_processor.py index 541cb27377..42e68027ca 100644 --- a/enterprise/integrations/github/github_v1_callback_processor.py +++ b/enterprise/integrations/github/github_v1_callback_processor.py @@ -3,7 +3,7 @@ from typing import Any from uuid import UUID import httpx -from github import Auth, Github, GithubIntegration +from github import Auth, Github, GithubException, GithubIntegration from integrations.utils import get_summary_instruction from integrations.v1_utils import handle_callback_error from pydantic import Field @@ -132,19 +132,30 @@ class GithubV1CallbackProcessor(EventCallbackProcessor): full_repo_name = self.github_view_data['full_repo_name'] issue_number = self.github_view_data['issue_number'] - if self.inline_pr_comment: + try: + if self.inline_pr_comment: + with Github(auth=Auth.Token(installation_token)) as github_client: + repo = github_client.get_repo(full_repo_name) + pr = repo.get_pull(issue_number) + pr.create_review_comment_reply( + comment_id=self.github_view_data.get('comment_id', ''), + body=summary, + ) + return + with Github(auth=Auth.Token(installation_token)) as github_client: repo = github_client.get_repo(full_repo_name) - pr = repo.get_pull(issue_number) - pr.create_review_comment_reply( - comment_id=self.github_view_data.get('comment_id', ''), body=summary + issue = repo.get_issue(number=issue_number) + issue.create_comment(summary) + except GithubException as e: + if e.status == 410: + _logger.info( + '[GitHub V1] Issue/PR %s#%s was deleted, skipping summary post', + full_repo_name, + issue_number, ) - return - - with Github(auth=Auth.Token(installation_token)) as github_client: - repo = github_client.get_repo(full_repo_name) - issue = repo.get_issue(number=issue_number) - issue.create_comment(summary) + else: + raise # ------------------------------------------------------------------------- # Agent / sandbox helpers diff --git a/enterprise/tests/unit/integrations/github/test_github_v1_callback_processor.py b/enterprise/tests/unit/integrations/github/test_github_v1_callback_processor.py index 36ada82fe8..4e8e500318 100644 --- a/enterprise/tests/unit/integrations/github/test_github_v1_callback_processor.py +++ b/enterprise/tests/unit/integrations/github/test_github_v1_callback_processor.py @@ -15,6 +15,7 @@ from uuid import uuid4 import httpx import pytest +from github import GithubException from integrations.github.github_v1_callback_processor import ( GithubV1CallbackProcessor, ) @@ -734,6 +735,33 @@ class TestGithubV1CallbackProcessor: with pytest.raises(RuntimeError, match='Missing GitHub credentials'): await github_callback_processor._post_summary_to_github('Test summary') + @patch('integrations.github.github_v1_callback_processor.Auth') + @patch('integrations.github.github_v1_callback_processor.Github') + async def test_post_summary_to_github_deleted_issue_does_not_raise( + self, mock_github, mock_auth, github_callback_processor + ): + """Test that 410 errors (deleted issues) are handled gracefully without raising.""" + mock_github_client = MagicMock() + mock_repo = MagicMock() + mock_repo.get_issue.side_effect = GithubException( + status=410, + data={'message': 'This issue was deleted'}, + headers={}, + ) + mock_github_client.get_repo.return_value = mock_repo + mock_github.return_value.__enter__.return_value = mock_github_client + + mock_token_auth = MagicMock() + mock_auth.Token.return_value = mock_token_auth + + with patch.object( + github_callback_processor, + '_get_installation_access_token', + return_value='test_token', + ): + # Should not raise - 410 errors are handled gracefully + await github_callback_processor._post_summary_to_github('Test summary') + @patch( 'integrations.github.github_v1_callback_processor.GITHUB_APP_CLIENT_ID', 'test_client_id', From a1f73bb4c6af38ece4b4242c4c33d22ef00689cb Mon Sep 17 00:00:00 2001 From: Juan Michelini Date: Wed, 4 Mar 2026 21:13:30 -0300 Subject: [PATCH 45/67] Add Claude-Sonnet-4-6 model support to frontend (#13224) Co-authored-by: openhands --- frontend/src/utils/verified-models.ts | 2 ++ openhands/llm/model_features.py | 1 + openhands/utils/llm.py | 1 + 3 files changed, 4 insertions(+) diff --git a/frontend/src/utils/verified-models.ts b/frontend/src/utils/verified-models.ts index 2a6ffc69f4..64bc996f3d 100644 --- a/frontend/src/utils/verified-models.ts +++ b/frontend/src/utils/verified-models.ts @@ -10,6 +10,7 @@ export const VERIFIED_PROVIDERS = [ export const VERIFIED_MODELS = [ "claude-opus-4-6", "claude-opus-4-5-20251101", + "claude-sonnet-4-6", "claude-sonnet-4-5-20250929", "gpt-5.2-codex", "gpt-5.2", @@ -55,6 +56,7 @@ export const VERIFIED_MISTRAL_MODELS = ["devstral-medium-2512"]; export const VERIFIED_OPENHANDS_MODELS = [ "claude-opus-4-6", "claude-opus-4-5-20251101", + "claude-sonnet-4-6", "claude-sonnet-4-5-20250929", "gpt-5.2-codex", "gpt-5.2", diff --git a/openhands/llm/model_features.py b/openhands/llm/model_features.py index 8538f27456..17efdc18b2 100644 --- a/openhands/llm/model_features.py +++ b/openhands/llm/model_features.py @@ -117,6 +117,7 @@ REASONING_EFFORT_PATTERNS: list[str] = [ # DeepSeek reasoning family 'deepseek-r1-0528*', 'claude-sonnet-4-5*', + 'claude-sonnet-4-6*', 'claude-haiku-4-5*', # GLM series - verified via litellm config 'glm-4*', diff --git a/openhands/utils/llm.py b/openhands/utils/llm.py index d5498fc766..3a72ae4ef3 100644 --- a/openhands/utils/llm.py +++ b/openhands/utils/llm.py @@ -16,6 +16,7 @@ from openhands.llm import bedrock OPENHANDS_MODELS = [ 'openhands/claude-opus-4-6', 'openhands/claude-opus-4-5-20251101', + 'openhands/claude-sonnet-4-6', 'openhands/claude-sonnet-4-5-20250929', 'openhands/gpt-5.2-codex', 'openhands/gpt-5.2', From 039e966dade7f0f6843ed29da5bf04d9314d1d32 Mon Sep 17 00:00:00 2001 From: aivong-openhands Date: Thu, 5 Mar 2026 07:42:24 -0600 Subject: [PATCH 46/67] update mcp to 1.25.0 in uv lock (#13231) --- uv.lock | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/uv.lock b/uv.lock index 993b868a7a..dc78555d6f 100644 --- a/uv.lock +++ b/uv.lock @@ -3070,7 +3070,7 @@ wheels = [ [[package]] name = "mcp" -version = "1.16.0" +version = "1.25.0" source = { registry = "https://pypi.org/simple" } dependencies = [ { name = "anyio" }, @@ -3079,15 +3079,18 @@ dependencies = [ { name = "jsonschema" }, { name = "pydantic" }, { name = "pydantic-settings" }, + { name = "pyjwt", extra = ["crypto"] }, { name = "python-multipart" }, { name = "pywin32", marker = "sys_platform == 'win32'" }, { name = "sse-starlette" }, { name = "starlette" }, + { name = "typing-extensions" }, + { name = "typing-inspection" }, { name = "uvicorn", marker = "sys_platform != 'emscripten'" }, ] -sdist = { url = "https://files.pythonhosted.org/packages/3d/a1/b1f328da3b153683d2ec34f849b4b6eac2790fb240e3aef06ff2fab3df9d/mcp-1.16.0.tar.gz", hash = "sha256:39b8ca25460c578ee2cdad33feeea122694cfdf73eef58bee76c42f6ef0589df", size = 472918, upload-time = "2025-10-02T16:58:20.631Z" } +sdist = { url = "https://files.pythonhosted.org/packages/d5/2d/649d80a0ecf6a1f82632ca44bec21c0461a9d9fc8934d38cb5b319f2db5e/mcp-1.25.0.tar.gz", hash = "sha256:56310361ebf0364e2d438e5b45f7668cbb124e158bb358333cd06e49e83a6802", size = 605387, upload-time = "2025-12-19T10:19:56.000Z" } wheels = [ - { url = "https://files.pythonhosted.org/packages/c9/0e/7cebc88e17daf94ebe28c95633af595ccb2864dc2ee7abd75542d98495cc/mcp-1.16.0-py3-none-any.whl", hash = "sha256:ec917be9a5d31b09ba331e1768aa576e0af45470d657a0319996a20a57d7d633", size = 167266, upload-time = "2025-10-02T16:58:19.039Z" }, + { url = "https://files.pythonhosted.org/packages/e2/fc/6dc7659c2ae5ddf280477011f4213a74f806862856b796ef08f028e664bf/mcp-1.25.0-py3-none-any.whl", hash = "sha256:b37c38144a666add0862614cc79ec276e97d72aa8ca26d622818d4e278b9721a", size = 233076, upload-time = "2025-12-19T10:19:55.000Z" }, ] [[package]] From 6751bba939530122646fc00627d3b02c99a019c4 Mon Sep 17 00:00:00 2001 From: Juan Michelini Date: Thu, 5 Mar 2026 11:44:33 -0300 Subject: [PATCH 47/67] Add GLM-5 model support to frontend (#13213) Co-authored-by: openhands Co-authored-by: OpenHands Bot --- frontend/src/utils/verified-models.ts | 2 ++ openhands/llm/model_features.py | 3 +++ openhands/utils/llm.py | 1 + 3 files changed, 6 insertions(+) diff --git a/frontend/src/utils/verified-models.ts b/frontend/src/utils/verified-models.ts index 64bc996f3d..b540cf46a3 100644 --- a/frontend/src/utils/verified-models.ts +++ b/frontend/src/utils/verified-models.ts @@ -22,6 +22,7 @@ export const VERIFIED_MODELS = [ "kimi-k2-0711-preview", "qwen3-coder-480b", "glm-4.7", + "glm-5", ]; // LiteLLM does not return OpenAI models with the provider, so we list them here to set them ourselves for consistency @@ -67,6 +68,7 @@ export const VERIFIED_OPENHANDS_MODELS = [ "kimi-k2-0711-preview", "qwen3-coder-480b", "glm-4.7", + "glm-5", ]; // Default model for OpenHands provider diff --git a/openhands/llm/model_features.py b/openhands/llm/model_features.py index 17efdc18b2..5b37720196 100644 --- a/openhands/llm/model_features.py +++ b/openhands/llm/model_features.py @@ -99,6 +99,7 @@ FUNCTION_CALLING_PATTERNS: list[str] = [ 'grok-code-fast-1', # GLM series - verified via official docs and litellm config 'glm-4*', + 'glm-5*', ] REASONING_EFFORT_PATTERNS: list[str] = [ @@ -121,6 +122,7 @@ REASONING_EFFORT_PATTERNS: list[str] = [ 'claude-haiku-4-5*', # GLM series - verified via litellm config 'glm-4*', + 'glm-5*', ] PROMPT_CACHE_PATTERNS: list[str] = [ @@ -136,6 +138,7 @@ PROMPT_CACHE_PATTERNS: list[str] = [ 'claude-opus-4*', # GLM series - verified via litellm config 'glm-4*', + 'glm-5*', ] SUPPORTS_STOP_WORDS_FALSE_PATTERNS: list[str] = [ diff --git a/openhands/utils/llm.py b/openhands/utils/llm.py index 3a72ae4ef3..6c71e753ef 100644 --- a/openhands/utils/llm.py +++ b/openhands/utils/llm.py @@ -28,6 +28,7 @@ OPENHANDS_MODELS = [ 'openhands/kimi-k2-0711-preview', 'openhands/qwen3-coder-480b', 'openhands/glm-4.7', + 'openhands/glm-5', ] CLARIFAI_MODELS = [ From e78d7de0c07465e65abc656cf71d475ccd95d1ae Mon Sep 17 00:00:00 2001 From: layla <111667698+04cb@users.noreply.github.com> Date: Thu, 5 Mar 2026 22:47:11 +0800 Subject: [PATCH 48/67] Fix dark background in chat status row hiding message content (#13236) --- frontend/src/components/features/chat/chat-interface.tsx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/frontend/src/components/features/chat/chat-interface.tsx b/frontend/src/components/features/chat/chat-interface.tsx index 85a9435678..b7980133a7 100644 --- a/frontend/src/components/features/chat/chat-interface.tsx +++ b/frontend/src/components/features/chat/chat-interface.tsx @@ -295,7 +295,7 @@ export function ChatInterface() { )} -
+
From 42b0a89366a5b9a2b244de6c63d3b65e17984455 Mon Sep 17 00:00:00 2001 From: aivong-openhands Date: Thu, 5 Mar 2026 08:56:47 -0600 Subject: [PATCH 49/67] Fix CVE-2026-28802: Update authlib to 1.6.7 (#13229) Co-authored-by: OpenHands CVE Fix Bot --- enterprise/poetry.lock | 7 ++++--- poetry.lock | 8 ++++---- pyproject.toml | 2 ++ uv.lock | 8 +++++--- 4 files changed, 15 insertions(+), 10 deletions(-) diff --git a/enterprise/poetry.lock b/enterprise/poetry.lock index a59c4f1b50..8ad94113f7 100644 --- a/enterprise/poetry.lock +++ b/enterprise/poetry.lock @@ -569,14 +569,14 @@ files = [ [[package]] name = "authlib" -version = "1.6.6" +version = "1.6.7" description = "The ultimate Python library in building OAuth and OpenID Connect servers and clients." optional = false python-versions = ">=3.9" groups = ["main"] files = [ - {file = "authlib-1.6.6-py2.py3-none-any.whl", hash = "sha256:7d9e9bc535c13974313a87f53e8430eb6ea3d1cf6ae4f6efcd793f2e949143fd"}, - {file = "authlib-1.6.6.tar.gz", hash = "sha256:45770e8e056d0f283451d9996fbb59b70d45722b45d854d58f32878d0a40c38e"}, + {file = "authlib-1.6.7-py2.py3-none-any.whl", hash = "sha256:c637340d9a02789d2efa1d003a7437d10d3e565237bcb5fcbc6c134c7b95bab0"}, + {file = "authlib-1.6.7.tar.gz", hash = "sha256:dbf10100011d1e1b34048c9d120e83f13b35d69a826ae762b93d2fb5aafc337b"}, ] [package.dependencies] @@ -6149,6 +6149,7 @@ aiohttp = ">=3.13.3" anthropic = {version = "*", extras = ["vertex"]} anyio = "4.9" asyncpg = ">=0.30" +authlib = ">=1.6.7" bashlex = ">=0.18" boto3 = "*" browsergym-core = "0.13.3" diff --git a/poetry.lock b/poetry.lock index 912f2d6d3d..2f0264dd48 100644 --- a/poetry.lock +++ b/poetry.lock @@ -573,14 +573,14 @@ files = [ [[package]] name = "authlib" -version = "1.6.6" +version = "1.6.7" description = "The ultimate Python library in building OAuth and OpenID Connect servers and clients." optional = false python-versions = ">=3.9" groups = ["main"] files = [ - {file = "authlib-1.6.6-py2.py3-none-any.whl", hash = "sha256:7d9e9bc535c13974313a87f53e8430eb6ea3d1cf6ae4f6efcd793f2e949143fd"}, - {file = "authlib-1.6.6.tar.gz", hash = "sha256:45770e8e056d0f283451d9996fbb59b70d45722b45d854d58f32878d0a40c38e"}, + {file = "authlib-1.6.7-py2.py3-none-any.whl", hash = "sha256:c637340d9a02789d2efa1d003a7437d10d3e565237bcb5fcbc6c134c7b95bab0"}, + {file = "authlib-1.6.7.tar.gz", hash = "sha256:dbf10100011d1e1b34048c9d120e83f13b35d69a826ae762b93d2fb5aafc337b"}, ] [package.dependencies] @@ -14691,4 +14691,4 @@ third-party-runtimes = ["daytona", "e2b-code-interpreter", "modal", "runloop-api [metadata] lock-version = "2.1" python-versions = "^3.12,<3.14" -content-hash = "8238ef4e4687e246f55f9d524b0b1d81df7187abdec0fc9f1b121ae0a9e0caa0" +content-hash = "b0265f1398ff1f6bf64c89cbad01185241238df3930a212264a6a3033de7aac6" diff --git a/pyproject.toml b/pyproject.toml index e11b3b9b1d..b88c8b705f 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -25,6 +25,7 @@ dependencies = [ "anthropic[vertex]", "anyio==4.9", "asyncpg>=0.30", + "authlib>=1.6.7", "bashlex>=0.18", "boto3", "browsergym-core==0.13.3", @@ -160,6 +161,7 @@ include = [ [tool.poetry.dependencies] python = "^3.12,<3.14" +authlib = ">=1.6.7" # Pinned to fix CVE-2026-28802 litellm = ">=1.74.3, !=1.64.4, !=1.67.*" # avoid 1.64.4 (known bug) & 1.67.* (known bug #10272) openai = "2.8.0" # Pin due to litellm incompatibility with >=1.100.0 (BerriAI/litellm#13711) aiohttp = ">=3.13.3" # Pin to avoid CVE-2025-69223 (vulnerable versions < 3.13.3) diff --git a/uv.lock b/uv.lock index dc78555d6f..d7e4632a33 100644 --- a/uv.lock +++ b/uv.lock @@ -336,14 +336,14 @@ wheels = [ [[package]] name = "authlib" -version = "1.6.6" +version = "1.6.7" source = { registry = "https://pypi.org/simple" } dependencies = [ { name = "cryptography" }, ] -sdist = { url = "https://files.pythonhosted.org/packages/bb/9b/b1661026ff24bc641b76b78c5222d614776b0c085bcfdac9bd15a1cb4b35/authlib-1.6.6.tar.gz", hash = "sha256:45770e8e056d0f283451d9996fbb59b70d45722b45d854d58f32878d0a40c38e", size = 164894, upload-time = "2025-12-12T08:01:41.464Z" } +sdist = { url = "https://files.pythonhosted.org/packages/49/dc/ed1681bf1339dd6ea1ce56136bad4baabc6f7ad466e375810702b0237047/authlib-1.6.7.tar.gz", hash = "sha256:dbf10100011d1e1b34048c9d120e83f13b35d69a826ae762b93d2fb5aafc337b", size = 164950, upload-time = "2026-02-06T14:04:14.171Z" } wheels = [ - { url = "https://files.pythonhosted.org/packages/54/51/321e821856452f7386c4e9df866f196720b1ad0c5ea1623ea7399969ae3b/authlib-1.6.6-py2.py3-none-any.whl", hash = "sha256:7d9e9bc535c13974313a87f53e8430eb6ea3d1cf6ae4f6efcd793f2e949143fd", size = 244005, upload-time = "2025-12-12T08:01:40.209Z" }, + { url = "https://files.pythonhosted.org/packages/f8/00/3ed12264094ec91f534fae429945efbaa9f8c666f3aa7061cc3b2a26a0cd/authlib-1.6.7-py2.py3-none-any.whl", hash = "sha256:c637340d9a02789d2efa1d003a7437d10d3e565237bcb5fcbc6c134c7b95bab0", size = 244115, upload-time = "2026-02-06T14:04:12.141Z" }, ] [[package]] @@ -3635,6 +3635,7 @@ dependencies = [ { name = "anthropic", extra = ["vertex"] }, { name = "anyio" }, { name = "asyncpg" }, + { name = "authlib" }, { name = "bashlex" }, { name = "boto3" }, { name = "browsergym-core" }, @@ -3755,6 +3756,7 @@ requires-dist = [ { name = "anthropic", extras = ["vertex"] }, { name = "anyio", specifier = "==4.9" }, { name = "asyncpg", specifier = ">=0.30" }, + { name = "authlib", specifier = ">=1.6.7" }, { name = "bashlex", specifier = ">=0.18" }, { name = "boto3" }, { name = "browsergym-core", specifier = "==0.13.3" }, From 0b0bfdff0515645cc77c652d99d4f3529b81da01 Mon Sep 17 00:00:00 2001 From: Hiep Le <69354317+hieptl@users.noreply.github.com> Date: Thu, 5 Mar 2026 22:19:14 +0700 Subject: [PATCH 50/67] feat(frontend): add the build button to the planner tab (#13235) --- .../conversation-tab-title.test.tsx | 135 ++++++++++++++++++ .../conversation-tab-title.tsx | 37 +++++ 2 files changed, 172 insertions(+) diff --git a/frontend/__tests__/components/conversation-tab-title.test.tsx b/frontend/__tests__/components/conversation-tab-title.test.tsx index 4e3a0aa0fe..e79790ebe4 100644 --- a/frontend/__tests__/components/conversation-tab-title.test.tsx +++ b/frontend/__tests__/components/conversation-tab-title.test.tsx @@ -5,11 +5,43 @@ import { QueryClient, QueryClientProvider } from "@tanstack/react-query"; import { ConversationTabTitle } from "#/components/features/conversation/conversation-tabs/conversation-tab-title"; import GitService from "#/api/git-service/git-service.api"; import V1GitService from "#/api/git-service/v1-git-service.api"; +import { useConversationStore } from "#/stores/conversation-store"; +import { useAgentStore } from "#/stores/agent-store"; +import { useOptimisticUserMessageStore } from "#/stores/optimistic-user-message-store"; +import { AgentState } from "#/types/agent-state"; +import { createChatMessage } from "#/services/chat-service"; // Mock the services that the hook depends on vi.mock("#/api/git-service/git-service.api"); vi.mock("#/api/git-service/v1-git-service.api"); +// Mock i18n +vi.mock("react-i18next", async (importOriginal) => { + const actual = await importOriginal(); + return { + ...actual, + useTranslation: () => ({ + t: (key: string) => key, + }), + }; +}); + +// Mock services for Build button +const mockSend = vi.fn(); + +vi.mock("#/hooks/use-send-message", () => ({ + useSendMessage: vi.fn(() => ({ + send: mockSend, + })), +})); + +vi.mock("#/services/chat-service", () => ({ + createChatMessage: vi.fn((content, imageUrls, fileUrls, timestamp) => ({ + action: "message", + args: { content, image_urls: imageUrls, file_urls: fileUrls, timestamp }, + })), +})); + // Mock the hooks that useUnifiedGetGitChanges depends on vi.mock("#/hooks/use-conversation-id", () => ({ useConversationId: () => ({ @@ -51,11 +83,24 @@ describe("ConversationTabTitle", () => { // Mock GitService methods vi.mocked(GitService.getGitChanges).mockResolvedValue([]); vi.mocked(V1GitService.getGitChanges).mockResolvedValue([]); + + // Reset stores for Build button tests + useConversationStore.setState({ + planContent: null, + conversationMode: "plan", + }); + useAgentStore.setState({ + curAgentState: AgentState.AWAITING_USER_INPUT, + }); + useOptimisticUserMessageStore.setState({ + optimisticUserMessage: null, + }); }); afterEach(() => { vi.clearAllMocks(); queryClient.clear(); + localStorage.clear(); }); const renderWithProviders = (ui: React.ReactElement) => { @@ -146,4 +191,94 @@ describe("ConversationTabTitle", () => { }); }); }); + + describe("Build Button", () => { + it("should show Build button when conversationKey is 'planner' and planContent exists", () => { + // Arrange + useConversationStore.setState({ planContent: "# Plan content" }); + + // Act + renderWithProviders( + , + ); + + // Assert + const buildButton = screen.getByTestId("planner-tab-build-button"); + expect(buildButton).toBeInTheDocument(); + }); + + it("should not show Build button when conversationKey is not 'planner'", () => { + // Arrange + useConversationStore.setState({ planContent: "# Plan content" }); + + // Act + renderWithProviders( + , + ); + + // Assert + expect( + screen.queryByTestId("planner-tab-build-button"), + ).not.toBeInTheDocument(); + }); + + it("should disable Build button when no planContent exists", () => { + // Arrange + useConversationStore.setState({ planContent: null }); + useAgentStore.setState({ curAgentState: AgentState.AWAITING_USER_INPUT }); + + // Act + renderWithProviders( + , + ); + + // Assert + const buildButton = screen.getByTestId("planner-tab-build-button"); + expect(buildButton).toBeDisabled(); + }); + + it("should disable Build button when agent is running", () => { + // Arrange + useConversationStore.setState({ planContent: "# Plan content" }); + useAgentStore.setState({ curAgentState: AgentState.RUNNING }); + + // Act + renderWithProviders( + , + ); + + // Assert + const buildButton = screen.getByTestId("planner-tab-build-button"); + expect(buildButton).toBeDisabled(); + }); + + it("should switch to code mode and send message when Build button is clicked", async () => { + // Arrange + const user = userEvent.setup(); + useConversationStore.setState({ + planContent: "# Plan content", + conversationMode: "plan", + }); + useAgentStore.setState({ curAgentState: AgentState.AWAITING_USER_INPUT }); + + renderWithProviders( + , + ); + + const buildButton = screen.getByTestId("planner-tab-build-button"); + + // Act + await user.click(buildButton); + + // Assert + expect(useConversationStore.getState().conversationMode).toBe("code"); + expect(createChatMessage).toHaveBeenCalledWith( + "Execute the plan based on the .agents_tmp/PLAN.md file.", + [], + [], + expect.any(String), + ); + expect(mockSend).toHaveBeenCalled(); + }); + }); }); diff --git a/frontend/src/components/features/conversation/conversation-tabs/conversation-tab-title.tsx b/frontend/src/components/features/conversation/conversation-tabs/conversation-tab-title.tsx index 406b985f33..75dbb23f8e 100644 --- a/frontend/src/components/features/conversation/conversation-tabs/conversation-tab-title.tsx +++ b/frontend/src/components/features/conversation/conversation-tabs/conversation-tab-title.tsx @@ -1,21 +1,40 @@ +import { useTranslation } from "react-i18next"; import RefreshIcon from "#/icons/u-refresh.svg?react"; import { useUnifiedGetGitChanges } from "#/hooks/query/use-unified-get-git-changes"; +import { useHandleBuildPlanClick } from "#/hooks/use-handle-build-plan-click"; +import { useAgentState } from "#/hooks/use-agent-state"; +import { useConversationStore } from "#/stores/conversation-store"; +import { AgentState } from "#/types/agent-state"; +import { I18nKey } from "#/i18n/declaration"; +import { cn } from "#/utils/utils"; +import { Typography } from "#/ui/typography"; type ConversationTabTitleProps = { title: string; conversationKey: string; }; +/* eslint-disable i18next/no-literal-string */ export function ConversationTabTitle({ title, conversationKey, }: ConversationTabTitleProps) { + const { t } = useTranslation(); const { refetch } = useUnifiedGetGitChanges(); + const { handleBuildPlanClick } = useHandleBuildPlanClick(); + const { curAgentState } = useAgentState(); + const { planContent } = useConversationStore(); const handleRefresh = () => { refetch(); }; + // Determine if Build button should be disabled + const isAgentRunning = + curAgentState === AgentState.RUNNING || + curAgentState === AgentState.LOADING; + const isBuildDisabled = isAgentRunning || !planContent; + return (
{title} @@ -28,6 +47,24 @@ export function ConversationTabTitle({ )} + {conversationKey === "planner" && ( + + )}
); } From 07468e39f768a09f409ac3bdbee87a6933775247 Mon Sep 17 00:00:00 2001 From: Hiep Le <69354317+hieptl@users.noreply.github.com> Date: Thu, 5 Mar 2026 22:19:50 +0700 Subject: [PATCH 51/67] feat(frontend): disable the create a plan button when users are using the planning agent (#13234) --- .../__tests__/routes/planner-tab.test.tsx | 55 +++++++++++++++++++ frontend/src/routes/planner-tab.tsx | 12 +++- 2 files changed, 65 insertions(+), 2 deletions(-) create mode 100644 frontend/__tests__/routes/planner-tab.test.tsx diff --git a/frontend/__tests__/routes/planner-tab.test.tsx b/frontend/__tests__/routes/planner-tab.test.tsx new file mode 100644 index 0000000000..8f139ffc5f --- /dev/null +++ b/frontend/__tests__/routes/planner-tab.test.tsx @@ -0,0 +1,55 @@ +import { screen } from "@testing-library/react"; +import { describe, expect, it, vi, beforeEach } from "vitest"; +import PlannerTab from "#/routes/planner-tab"; +import { renderWithProviders } from "../../test-utils"; +import { useConversationStore } from "#/stores/conversation-store"; + +// Mock the handle plan click hook +vi.mock("#/hooks/use-handle-plan-click", () => ({ + useHandlePlanClick: () => ({ + handlePlanClick: vi.fn(), + }), +})); + +describe("PlannerTab", () => { + beforeEach(() => { + vi.clearAllMocks(); + // Reset store state to defaults + useConversationStore.setState({ + planContent: null, + conversationMode: "code", + }); + }); + + describe("Create a plan button", () => { + it("should be enabled when conversation mode is 'code'", () => { + // Arrange + useConversationStore.setState({ + planContent: null, + conversationMode: "code", + }); + + // Act + renderWithProviders(); + + // Assert + const button = screen.getByRole("button"); + expect(button).not.toBeDisabled(); + }); + + it("should be disabled when conversation mode is 'plan'", () => { + // Arrange + useConversationStore.setState({ + planContent: null, + conversationMode: "plan", + }); + + // Act + renderWithProviders(); + + // Assert + const button = screen.getByRole("button"); + expect(button).toBeDisabled(); + }); + }); +}); diff --git a/frontend/src/routes/planner-tab.tsx b/frontend/src/routes/planner-tab.tsx index dfda9b9a8f..11e5f8e3c0 100644 --- a/frontend/src/routes/planner-tab.tsx +++ b/frontend/src/routes/planner-tab.tsx @@ -7,6 +7,7 @@ import { useScrollToBottom } from "#/hooks/use-scroll-to-bottom"; import { MarkdownRenderer } from "#/components/features/markdown/markdown-renderer"; import { planComponents } from "#/components/features/markdown/plan-components"; import { useHandlePlanClick } from "#/hooks/use-handle-plan-click"; +import { cn } from "#/utils/utils"; function PlannerTab() { const { t } = useTranslation(); @@ -14,7 +15,8 @@ function PlannerTab() { React.useRef(null), ); - const { planContent } = useConversationStore(); + const { planContent, conversationMode } = useConversationStore(); + const isPlanMode = conversationMode === "plan"; const { handlePlanClick } = useHandlePlanClick(); if (planContent !== null && planContent !== undefined) { @@ -40,7 +42,13 @@ function PlannerTab() { From 59b369047f4dd2811c5323649e08545d53cf6942 Mon Sep 17 00:00:00 2001 From: "sp.wack" <83104063+amanape@users.noreply.github.com> Date: Thu, 5 Mar 2026 19:40:06 +0400 Subject: [PATCH 52/67] Revert "Fix dark background in chat status row hiding message content" (#13239) --- frontend/src/components/features/chat/chat-interface.tsx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/frontend/src/components/features/chat/chat-interface.tsx b/frontend/src/components/features/chat/chat-interface.tsx index b7980133a7..85a9435678 100644 --- a/frontend/src/components/features/chat/chat-interface.tsx +++ b/frontend/src/components/features/chat/chat-interface.tsx @@ -295,7 +295,7 @@ export function ChatInterface() { )}
-
+
From cfbf29f6e8fad29e30c8558b4010ef2a4a0dfc9a Mon Sep 17 00:00:00 2001 From: aivong-openhands Date: Thu, 5 Mar 2026 14:42:01 -0600 Subject: [PATCH 53/67] chore: downgrade fastmcp to 2.12.4 in uv.lock (#13240) Co-authored-by: openhands Co-authored-by: OpenHands Bot --- poetry.lock | 2 +- pyproject.toml | 2 +- uv.lock | 12 ++++++------ 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/poetry.lock b/poetry.lock index 2f0264dd48..d16e9ddd8d 100644 --- a/poetry.lock +++ b/poetry.lock @@ -14691,4 +14691,4 @@ third-party-runtimes = ["daytona", "e2b-code-interpreter", "modal", "runloop-api [metadata] lock-version = "2.1" python-versions = "^3.12,<3.14" -content-hash = "b0265f1398ff1f6bf64c89cbad01185241238df3930a212264a6a3033de7aac6" +content-hash = "f51ce6271ad5a8141386895148e95b9e28a24ceadd0acd402220485a761f9e62" diff --git a/pyproject.toml b/pyproject.toml index b88c8b705f..5b89f42003 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -34,7 +34,7 @@ dependencies = [ "dirhash", "docker", "fastapi", - "fastmcp>=2.12.4", + "fastmcp>=2.12.4,<2.12.5", "google-api-python-client>=2.164", "google-auth-httplib2", "google-auth-oauthlib", diff --git a/uv.lock b/uv.lock index d7e4632a33..c266974d4d 100644 --- a/uv.lock +++ b/uv.lock @@ -1325,7 +1325,7 @@ wheels = [ [[package]] name = "fastmcp" -version = "2.12.5" +version = "2.12.4" source = { registry = "https://pypi.org/simple" } dependencies = [ { name = "authlib" }, @@ -1340,9 +1340,9 @@ dependencies = [ { name = "python-dotenv" }, { name = "rich" }, ] -sdist = { url = "https://files.pythonhosted.org/packages/00/a6/e3b46cd3e228635e0064c2648788b6f66a53bf0d0ddbf5fb44cca951f908/fastmcp-2.12.5.tar.gz", hash = "sha256:2dfd02e255705a4afe43d26caddbc864563036e233dbc6870f389ee523b39a6a", size = 7190263, upload-time = "2025-10-17T13:24:58.896Z" } +sdist = { url = "https://files.pythonhosted.org/packages/a8/b2/57845353a9bc63002995a982e66f3d0be4ec761e7bcb89e7d0638518d42a/fastmcp-2.12.4.tar.gz", hash = "sha256:b55fe89537038f19d0f4476544f9ca5ac171033f61811cc8f12bdeadcbea5016", size = 7167745, upload-time = "2025-09-26T16:43:27.71Z" } wheels = [ - { url = "https://files.pythonhosted.org/packages/d8/c1/9fb98c9649e15ea8cc691b4b09558b61dafb3dc0345f7322f8c4a8991ade/fastmcp-2.12.5-py3-none-any.whl", hash = "sha256:b1e542f9b83dbae7cecfdc9c73b062f77074785abda9f2306799116121344133", size = 329099, upload-time = "2025-10-17T13:24:57.518Z" }, + { url = "https://files.pythonhosted.org/packages/e2/c7/562ff39f25de27caec01e4c1e88cbb5fcae5160802ba3d90be33165df24f/fastmcp-2.12.4-py3-none-any.whl", hash = "sha256:56188fbbc1a9df58c537063f25958c57b5c4d715f73e395c41b51550b247d140", size = 329090, upload-time = "2025-09-26T16:43:25.314Z" }, ] [[package]] @@ -3088,9 +3088,9 @@ dependencies = [ { name = "typing-inspection" }, { name = "uvicorn", marker = "sys_platform != 'emscripten'" }, ] -sdist = { url = "https://files.pythonhosted.org/packages/d5/2d/649d80a0ecf6a1f82632ca44bec21c0461a9d9fc8934d38cb5b319f2db5e/mcp-1.25.0.tar.gz", hash = "sha256:56310361ebf0364e2d438e5b45f7668cbb124e158bb358333cd06e49e83a6802", size = 605387, upload-time = "2025-12-19T10:19:56.000Z" } +sdist = { url = "https://files.pythonhosted.org/packages/d5/2d/649d80a0ecf6a1f82632ca44bec21c0461a9d9fc8934d38cb5b319f2db5e/mcp-1.25.0.tar.gz", hash = "sha256:56310361ebf0364e2d438e5b45f7668cbb124e158bb358333cd06e49e83a6802", size = 605387, upload-time = "2025-12-19T10:19:56.985Z" } wheels = [ - { url = "https://files.pythonhosted.org/packages/e2/fc/6dc7659c2ae5ddf280477011f4213a74f806862856b796ef08f028e664bf/mcp-1.25.0-py3-none-any.whl", hash = "sha256:b37c38144a666add0862614cc79ec276e97d72aa8ca26d622818d4e278b9721a", size = 233076, upload-time = "2025-12-19T10:19:55.000Z" }, + { url = "https://files.pythonhosted.org/packages/e2/fc/6dc7659c2ae5ddf280477011f4213a74f806862856b796ef08f028e664bf/mcp-1.25.0-py3-none-any.whl", hash = "sha256:b37c38144a666add0862614cc79ec276e97d72aa8ca26d622818d4e278b9721a", size = 233076, upload-time = "2025-12-19T10:19:55.416Z" }, ] [[package]] @@ -3767,7 +3767,7 @@ requires-dist = [ { name = "docker" }, { name = "e2b-code-interpreter", marker = "extra == 'third-party-runtimes'", specifier = ">=2" }, { name = "fastapi" }, - { name = "fastmcp", specifier = ">=2.12.4" }, + { name = "fastmcp", specifier = ">=2.12.4,<2.12.5" }, { name = "google-api-python-client", specifier = ">=2.164" }, { name = "google-auth-httplib2" }, { name = "google-auth-oauthlib" }, From dcef5ae1f1783f9eeaa2da667842d5c564fdee15 Mon Sep 17 00:00:00 2001 From: aivong-openhands Date: Thu, 5 Mar 2026 14:42:20 -0600 Subject: [PATCH 54/67] Fix CVE-2026-0540: Override dompurify to version 3.3.2 (#13230) Co-authored-by: OpenHands CVE Fix Bot --- frontend/package-lock.json | 18 ++++++------------ frontend/package.json | 3 +++ 2 files changed, 9 insertions(+), 12 deletions(-) diff --git a/frontend/package-lock.json b/frontend/package-lock.json index be9f5fe808..92813ce1a8 100644 --- a/frontend/package-lock.json +++ b/frontend/package-lock.json @@ -8526,10 +8526,13 @@ "license": "MIT" }, "node_modules/dompurify": { - "version": "3.2.7", - "resolved": "https://registry.npmjs.org/dompurify/-/dompurify-3.2.7.tgz", - "integrity": "sha512-WhL/YuveyGXJaerVlMYGWhvQswa7myDG17P7Vu65EWC05o8vfeNbvNf4d/BOvH99+ZW+LlQsc1GDKMa1vNK6dw==", + "version": "3.3.2", + "resolved": "https://registry.npmjs.org/dompurify/-/dompurify-3.3.2.tgz", + "integrity": "sha512-6obghkliLdmKa56xdbLOpUZ43pAR6xFy1uOrxBaIDjT+yaRuuybLjGS9eVBoSR/UPU5fq3OXClEHLJNGvbxKpQ==", "license": "(MPL-2.0 OR Apache-2.0)", + "engines": { + "node": ">=20" + }, "optionalDependencies": { "@types/trusted-types": "^2.0.7" } @@ -13997,15 +14000,6 @@ "web-vitals": "^5.1.0" } }, - "node_modules/posthog-js/node_modules/dompurify": { - "version": "3.3.1", - "resolved": "https://registry.npmjs.org/dompurify/-/dompurify-3.3.1.tgz", - "integrity": "sha512-qkdCKzLNtrgPFP1Vo+98FRzJnBRGe4ffyCea9IwHB1fyxPOeNTHpLKYGd4Uk9xvNoH0ZoOjwZxNptyMwqrId1Q==", - "license": "(MPL-2.0 OR Apache-2.0)", - "optionalDependencies": { - "@types/trusted-types": "^2.0.7" - } - }, "node_modules/preact": { "version": "10.28.2", "resolved": "https://registry.npmjs.org/preact/-/preact-10.28.2.tgz", diff --git a/frontend/package.json b/frontend/package.json index d0bd868ac2..8448faba21 100644 --- a/frontend/package.json +++ b/frontend/package.json @@ -127,5 +127,8 @@ "workerDirectory": [ "public" ] + }, + "overrides": { + "dompurify": "3.3.2" } } From 64e96b7c3c97d056f4db3b5c5bf06636131d852a Mon Sep 17 00:00:00 2001 From: Juan Michelini Date: Thu, 5 Mar 2026 19:33:59 -0300 Subject: [PATCH 55/67] Add Kimi-K2.5 model support to frontend (#13227) Co-authored-by: openhands --- frontend/src/utils/verified-models.ts | 2 ++ openhands/llm/model_features.py | 5 +++++ openhands/utils/llm.py | 1 + 3 files changed, 8 insertions(+) diff --git a/frontend/src/utils/verified-models.ts b/frontend/src/utils/verified-models.ts index b540cf46a3..1e0c0d3417 100644 --- a/frontend/src/utils/verified-models.ts +++ b/frontend/src/utils/verified-models.ts @@ -20,6 +20,7 @@ export const VERIFIED_MODELS = [ "deepseek-chat", "devstral-medium-2512", "kimi-k2-0711-preview", + "kimi-k2.5", "qwen3-coder-480b", "glm-4.7", "glm-5", @@ -66,6 +67,7 @@ export const VERIFIED_OPENHANDS_MODELS = [ "gemini-3-flash-preview", "devstral-medium-2512", "kimi-k2-0711-preview", + "kimi-k2.5", "qwen3-coder-480b", "glm-4.7", "glm-5", diff --git a/openhands/llm/model_features.py b/openhands/llm/model_features.py index 5b37720196..a6c07056a7 100644 --- a/openhands/llm/model_features.py +++ b/openhands/llm/model_features.py @@ -93,6 +93,7 @@ FUNCTION_CALLING_PATTERNS: list[str] = [ # Others 'kimi-k2-0711-preview', 'kimi-k2-instruct', + 'kimi-k2.5', 'qwen3-coder*', 'qwen3-coder-480b-a35b-instruct', 'deepseek-chat', @@ -120,6 +121,8 @@ REASONING_EFFORT_PATTERNS: list[str] = [ 'claude-sonnet-4-5*', 'claude-sonnet-4-6*', 'claude-haiku-4-5*', + # Kimi series - verified via litellm config + 'kimi-k2.5', # GLM series - verified via litellm config 'glm-4*', 'glm-5*', @@ -136,6 +139,8 @@ PROMPT_CACHE_PATTERNS: list[str] = [ 'claude-3-opus-20240229', 'claude-sonnet-4*', 'claude-opus-4*', + # Kimi series - verified via litellm config + 'kimi-k2.5', # GLM series - verified via litellm config 'glm-4*', 'glm-5*', diff --git a/openhands/utils/llm.py b/openhands/utils/llm.py index 6c71e753ef..f7b010d767 100644 --- a/openhands/utils/llm.py +++ b/openhands/utils/llm.py @@ -26,6 +26,7 @@ OPENHANDS_MODELS = [ 'openhands/deepseek-chat', 'openhands/devstral-medium-2512', 'openhands/kimi-k2-0711-preview', + 'openhands/kimi-k2.5', 'openhands/qwen3-coder-480b', 'openhands/glm-4.7', 'openhands/glm-5', From d8444ef626338d2869cf73f62e4a27e335b8654b Mon Sep 17 00:00:00 2001 From: Juan Michelini Date: Thu, 5 Mar 2026 19:34:06 -0300 Subject: [PATCH 56/67] Add Qwen3-Coder-Next model support to frontend (#13222) Co-authored-by: openhands --- frontend/src/utils/verified-models.ts | 2 ++ openhands/utils/llm.py | 1 + 2 files changed, 3 insertions(+) diff --git a/frontend/src/utils/verified-models.ts b/frontend/src/utils/verified-models.ts index 1e0c0d3417..1e757597a5 100644 --- a/frontend/src/utils/verified-models.ts +++ b/frontend/src/utils/verified-models.ts @@ -22,6 +22,7 @@ export const VERIFIED_MODELS = [ "kimi-k2-0711-preview", "kimi-k2.5", "qwen3-coder-480b", + "qwen3-coder-next", "glm-4.7", "glm-5", ]; @@ -69,6 +70,7 @@ export const VERIFIED_OPENHANDS_MODELS = [ "kimi-k2-0711-preview", "kimi-k2.5", "qwen3-coder-480b", + "qwen3-coder-next", "glm-4.7", "glm-5", ]; diff --git a/openhands/utils/llm.py b/openhands/utils/llm.py index f7b010d767..cf8a6f60a8 100644 --- a/openhands/utils/llm.py +++ b/openhands/utils/llm.py @@ -28,6 +28,7 @@ OPENHANDS_MODELS = [ 'openhands/kimi-k2-0711-preview', 'openhands/kimi-k2.5', 'openhands/qwen3-coder-480b', + 'openhands/qwen3-coder-next', 'openhands/glm-4.7', 'openhands/glm-5', ] From ded0363e36e37bcd8780655e604487bd2b47f9a6 Mon Sep 17 00:00:00 2001 From: Chris Bagwell Date: Thu, 5 Mar 2026 17:53:15 -0600 Subject: [PATCH 57/67] fix: ensure VSCode tab popout works for V1 (#13118) --- .../vscode-tooltip-content.tsx | 28 ++++++++----------- 1 file changed, 11 insertions(+), 17 deletions(-) diff --git a/frontend/src/components/features/conversation/conversation-tabs/vscode-tooltip-content.tsx b/frontend/src/components/features/conversation/conversation-tabs/vscode-tooltip-content.tsx index 400340b11e..07509ab19d 100644 --- a/frontend/src/components/features/conversation/conversation-tabs/vscode-tooltip-content.tsx +++ b/frontend/src/components/features/conversation/conversation-tabs/vscode-tooltip-content.tsx @@ -2,33 +2,27 @@ import { FaExternalLinkAlt } from "react-icons/fa"; import { useTranslation } from "react-i18next"; import { I18nKey } from "#/i18n/declaration"; import { RUNTIME_INACTIVE_STATES } from "#/types/agent-state"; -import { transformVSCodeUrl } from "#/utils/vscode-url-helper"; -import { useConversationId } from "#/hooks/use-conversation-id"; -import ConversationService from "#/api/conversation-service/conversation-service.api"; import { useAgentState } from "#/hooks/use-agent-state"; +import { useUnifiedVSCodeUrl } from "#/hooks/query/use-unified-vscode-url"; export function VSCodeTooltipContent() { const { curAgentState } = useAgentState(); - const { t } = useTranslation(); - const { conversationId } = useConversationId(); + const { data, refetch } = useUnifiedVSCodeUrl(); const handleVSCodeClick = async (e: React.MouseEvent) => { e.preventDefault(); e.stopPropagation(); - if (conversationId) { - try { - const data = await ConversationService.getVSCodeUrl(conversationId); - if (data.vscode_url) { - const transformedUrl = transformVSCodeUrl(data.vscode_url); - if (transformedUrl) { - window.open(transformedUrl, "_blank"); - } - } - } catch (err) { - // Silently handle the error - } + let vscodeUrl = data?.url; + + if (!vscodeUrl) { + const result = await refetch(); + vscodeUrl = result.data?.url ?? null; + } + + if (vscodeUrl) { + window.open(vscodeUrl, "_blank", "noopener,noreferrer"); } }; From 4c380e5a580f0a4771cc145278db6f39f44a504a Mon Sep 17 00:00:00 2001 From: Rohit Malhotra Date: Thu, 5 Mar 2026 19:02:04 -0500 Subject: [PATCH 58/67] feat: Add timeout handling for Slack repo query (#13249) Co-authored-by: openhands --- .../integrations/slack/slack_manager.py | 28 ++++- .../tests/unit/test_slack_integration.py | 119 +++++++++++++++++- .../integrations/protocols/http_client.py | 11 +- openhands/integrations/provider.py | 11 +- openhands/integrations/service_types.py | 6 + .../protocols/test_http_client.py | 19 ++- 6 files changed, 179 insertions(+), 15 deletions(-) diff --git a/enterprise/integrations/slack/slack_manager.py b/enterprise/integrations/slack/slack_manager.py index 17c57f7e6e..0db105805f 100644 --- a/enterprise/integrations/slack/slack_manager.py +++ b/enterprise/integrations/slack/slack_manager.py @@ -33,7 +33,7 @@ from storage.slack_user import SlackUser from openhands.core.logger import openhands_logger as logger from openhands.integrations.provider import ProviderHandler -from openhands.integrations.service_types import Repository +from openhands.integrations.service_types import ProviderTimeoutError, Repository from openhands.server.shared import config, server_config from openhands.server.types import ( LLMAuthenticationError, @@ -269,9 +269,31 @@ class SlackManager(Manager[SlackViewInterface]): return True elif isinstance(slack_view, SlackNewConversationView): user = slack_view.slack_to_openhands_user - user_repos: list[Repository] = await self._get_repositories( - slack_view.saas_user_auth + + # Fetch repositories, handling timeout errors from the provider + logger.info( + f'[Slack] Fetching repositories for user {user.slack_display_name} (id={slack_view.saas_user_auth.get_user_id()})' ) + try: + user_repos: list[Repository] = await self._get_repositories( + slack_view.saas_user_auth + ) + except ProviderTimeoutError: + logger.warning( + 'repo_query_timeout', + extra={ + 'slack_user_id': user.slack_user_id, + 'keycloak_user_id': user.keycloak_user_id, + }, + ) + timeout_msg = ( + 'The repository selection timed out while fetching your repository list. ' + 'Please re-send your message with a more specific repository name ' + '(e.g., "owner/repo-name") to help me find it faster.' + ) + await self.send_message(timeout_msg, slack_view, ephemeral=True) + return False + match, repos = self.filter_potential_repos_by_user_msg( slack_view.user_msg, user_repos ) diff --git a/enterprise/tests/unit/test_slack_integration.py b/enterprise/tests/unit/test_slack_integration.py index 255b730459..4797341a2e 100644 --- a/enterprise/tests/unit/test_slack_integration.py +++ b/enterprise/tests/unit/test_slack_integration.py @@ -1,7 +1,12 @@ -from unittest.mock import MagicMock +from unittest.mock import AsyncMock, MagicMock, patch import pytest from integrations.slack.slack_manager import SlackManager +from integrations.slack.slack_view import SlackNewConversationView +from storage.slack_user import SlackUser + +from openhands.integrations.service_types import ProviderTimeoutError +from openhands.server.user_auth.user_auth import UserAuth @pytest.fixture @@ -11,6 +16,46 @@ def slack_manager(): return slack_manager +@pytest.fixture +def mock_slack_user(): + """Create a mock SlackUser.""" + user = SlackUser() + user.slack_user_id = 'U1234567890' + user.keycloak_user_id = 'test-user-123' + user.slack_display_name = 'Test User' + return user + + +@pytest.fixture +def mock_user_auth(): + """Create a mock UserAuth.""" + auth = MagicMock(spec=UserAuth) + auth.get_provider_tokens = AsyncMock(return_value={}) + auth.get_secrets = AsyncMock(return_value=MagicMock(custom_secrets={})) + return auth + + +@pytest.fixture +def slack_new_conversation_view(mock_slack_user, mock_user_auth): + """Create a SlackNewConversationView instance for testing.""" + return SlackNewConversationView( + bot_access_token='xoxb-test-token', + user_msg='Hello OpenHands!', + slack_user_id='U1234567890', + slack_to_openhands_user=mock_slack_user, + saas_user_auth=mock_user_auth, + channel_id='C1234567890', + message_ts='1234567890.123456', + thread_ts=None, + selected_repo=None, + should_extract=True, + send_summary_instruction=True, + conversation_id='', + team_id='T1234567890', + v1_enabled=False, + ) + + @pytest.mark.parametrize( 'message,expected', [ @@ -23,3 +68,75 @@ def test_infer_repo_from_message(message, expected, slack_manager): # Test the extracted function result = slack_manager._infer_repo_from_message(message) assert result == expected + + +class TestRepoQueryTimeoutHandling: + """Test timeout handling when fetching repositories for Slack integration.""" + + @patch.object(SlackManager, 'send_message', new_callable=AsyncMock) + @patch.object(SlackManager, '_get_repositories', new_callable=AsyncMock) + async def test_timeout_sends_user_friendly_message( + self, + mock_get_repositories, + mock_send_message, + slack_manager, + slack_new_conversation_view, + ): + """Test that when repository fetching times out, a user-friendly message is sent.""" + # Setup: _get_repositories raises ProviderTimeoutError + mock_get_repositories.side_effect = ProviderTimeoutError( + 'github API request timed out: ConnectTimeout' + ) + + # Execute + result = await slack_manager.is_job_requested( + MagicMock(), slack_new_conversation_view + ) + + # Verify: should return False (job not started) + assert result is False + + # Verify: send_message was called with the timeout message + mock_send_message.assert_called_once() + call_args = mock_send_message.call_args + + # Check the message content + message = call_args[0][0] + assert 'timed out' in message + assert 'repository name' in message + assert 'owner/repo-name' in message + + # Check it was sent as ephemeral + assert call_args[1]['ephemeral'] is True + + @patch.object(SlackManager, 'send_message', new_callable=AsyncMock) + @patch.object(SlackManager, '_get_repositories', new_callable=AsyncMock) + async def test_successful_repo_fetch_does_not_send_timeout_message( + self, + mock_get_repositories, + mock_send_message, + slack_manager, + slack_new_conversation_view, + ): + """Test that successful repo fetch shows repo selector, not timeout message.""" + # Setup: _get_repositories returns empty list (no repos, but no timeout) + mock_get_repositories.return_value = [] + + # Execute + result = await slack_manager.is_job_requested( + MagicMock(), slack_new_conversation_view + ) + + # Verify: should return False (no repo selected yet) + assert result is False + + # Verify: send_message was called (for repo selector) + mock_send_message.assert_called_once() + call_args = mock_send_message.call_args + + # Check the message is NOT the timeout message + message = call_args[0][0] + assert 'timed out' not in str(message) + # Should be the repo selection form + assert isinstance(message, dict) + assert message.get('text') == 'Choose a Repository:' diff --git a/openhands/integrations/protocols/http_client.py b/openhands/integrations/protocols/http_client.py index 5b12da029e..92dba3dade 100644 --- a/openhands/integrations/protocols/http_client.py +++ b/openhands/integrations/protocols/http_client.py @@ -3,12 +3,13 @@ from abc import ABC, abstractmethod from typing import Any -from httpx import AsyncClient, HTTPError, HTTPStatusError +from httpx import AsyncClient, HTTPError, HTTPStatusError, TimeoutException from pydantic import SecretStr from openhands.core.logger import openhands_logger as logger from openhands.integrations.service_types import ( AuthenticationError, + ProviderTimeoutError, RateLimitError, RequestMethod, ResourceNotFoundError, @@ -93,7 +94,13 @@ class HTTPClient(ABC): logger.warning(f'Status error on {self.provider} API: {e}') return UnknownException(f'Unknown error: {e}') - def handle_http_error(self, e: HTTPError) -> UnknownException: + def handle_http_error( + self, e: HTTPError + ) -> ProviderTimeoutError | UnknownException: """Handle general HTTP errors.""" logger.warning(f'HTTP error on {self.provider} API: {type(e).__name__} : {e}') + if isinstance(e, TimeoutException): + return ProviderTimeoutError( + f'{self.provider} API request timed out: {type(e).__name__}' + ) return UnknownException(f'HTTP error {type(e).__name__} : {e}') diff --git a/openhands/integrations/provider.py b/openhands/integrations/provider.py index ad94305b3c..aa210eae18 100644 --- a/openhands/integrations/provider.py +++ b/openhands/integrations/provider.py @@ -35,6 +35,7 @@ from openhands.integrations.service_types import ( InstallationsService, MicroagentParseError, PaginatedBranchesResponse, + ProviderTimeoutError, ProviderType, Repository, ResourceNotFoundError, @@ -258,9 +259,10 @@ class ProviderHandler: per_page: int | None, installation_id: str | None, ) -> list[Repository]: - """Get repositories from providers""" - """ - Get repositories from providers + """Get repositories from providers. + + Raises: + ProviderTimeoutError: If a timeout occurs while fetching repos. """ if selected_provider: if not page or not per_page: @@ -277,6 +279,9 @@ class ProviderHandler: service = self.get_service(provider) service_repos = await service.get_all_repositories(sort, app_mode) all_repos.extend(service_repos) + except ProviderTimeoutError: + # Propagate timeout errors so callers can handle them appropriately + raise except Exception as e: logger.warning(f'Error fetching repos from {provider}: {e}') diff --git a/openhands/integrations/service_types.py b/openhands/integrations/service_types.py index 27ae0e5edb..38f7a83da5 100644 --- a/openhands/integrations/service_types.py +++ b/openhands/integrations/service_types.py @@ -191,6 +191,12 @@ class RateLimitError(ValueError): pass +class ProviderTimeoutError(ValueError): + """Raised when a request to a git provider times out.""" + + pass + + class ResourceNotFoundError(ValueError): """Raised when a requested resource (file, directory, etc.) is not found.""" diff --git a/tests/unit/integrations/protocols/test_http_client.py b/tests/unit/integrations/protocols/test_http_client.py index 1210d34344..c6ce529c9d 100644 --- a/tests/unit/integrations/protocols/test_http_client.py +++ b/tests/unit/integrations/protocols/test_http_client.py @@ -10,6 +10,7 @@ from pydantic import SecretStr from openhands.integrations.protocols.http_client import HTTPClient from openhands.integrations.service_types import ( AuthenticationError, + ProviderTimeoutError, RateLimitError, RequestMethod, ResourceNotFoundError, @@ -201,18 +202,24 @@ class TestHTTPClient: client = TestableHTTPClient() client.provider = 'test-provider' - # Test with different error types - errors = [ - httpx.ConnectError('Connection failed'), + # Test with non-timeout error (should return UnknownException) + connect_error = httpx.ConnectError('Connection failed') + result = client.handle_http_error(connect_error) + assert isinstance(result, UnknownException) + assert 'HTTP error ConnectError' in str(result) + + # Test with timeout errors (should return ProviderTimeoutError) + timeout_errors = [ httpx.TimeoutException('Request timed out'), httpx.ReadTimeout('Read timeout'), httpx.WriteTimeout('Write timeout'), ] - for error in errors: + for error in timeout_errors: result = client.handle_http_error(error) - assert isinstance(result, UnknownException) - assert f'HTTP error {type(error).__name__}' in str(result) + assert isinstance(result, ProviderTimeoutError) + assert 'test-provider API request timed out' in str(result) + assert type(error).__name__ in str(result) def test_runtime_checkable(self): """Test that HTTPClient is runtime checkable.""" From 6c394cc4152eb551ef70867f9d09b7fbb6d8db57 Mon Sep 17 00:00:00 2001 From: Rohit Malhotra Date: Thu, 5 Mar 2026 19:10:25 -0500 Subject: [PATCH 59/67] Add rate limiting to verification emails during OAuth flow (#13255) Co-authored-by: openhands --- enterprise/server/routes/auth.py | 30 ++++++- enterprise/tests/unit/test_auth_routes.py | 79 +++++++++++++++++++ .../email-verification-modal.test.tsx | 15 ++++ .../waitlist/email-verification-modal.tsx | 12 ++- frontend/src/hooks/use-email-verification.ts | 10 +++ frontend/src/i18n/declaration.ts | 1 + frontend/src/i18n/translation.json | 16 ++++ frontend/src/routes/login.tsx | 2 + 8 files changed, 160 insertions(+), 5 deletions(-) diff --git a/enterprise/server/routes/auth.py b/enterprise/server/routes/auth.py index 7c596cd558..d6af1e90f0 100644 --- a/enterprise/server/routes/auth.py +++ b/enterprise/server/routes/auth.py @@ -34,6 +34,7 @@ from server.services.org_invitation_service import ( OrgInvitationService, UserAlreadyMemberError, ) +from server.utils.rate_limit_utils import check_rate_limit_by_user_id from sqlalchemy import select from storage.database import a_session_maker from storage.user import User @@ -326,12 +327,37 @@ async def keycloak_callback( # Check email verification status email_verified = user_info.email_verified or False if not email_verified: - # Send verification email + # Send verification email with rate limiting to prevent abuse + # Users who repeatedly login without verifying would otherwise trigger + # unlimited verification emails # Import locally to avoid circular import with email.py from server.routes.email import verify_email - await verify_email(request=request, user_id=user_id, is_auth_flow=True) + # Rate limit verification emails during auth flow (60 seconds per user) + # This is separate from the manual resend rate limit which uses 30 seconds + rate_limited = False + try: + await check_rate_limit_by_user_id( + request=request, + key_prefix='auth_verify_email', + user_id=user_id, + user_rate_limit_seconds=60, + ip_rate_limit_seconds=120, + ) + await verify_email(request=request, user_id=user_id, is_auth_flow=True) + except HTTPException as e: + if e.status_code == status.HTTP_429_TOO_MANY_REQUESTS: + # Rate limited - still redirect to verification page but don't send email + rate_limited = True + logger.info( + f'Rate limited verification email for user {user_id} during auth flow' + ) + else: + raise + verification_redirect_url = f'{request.base_url}login?email_verification_required=true&user_id={user_id}' + if rate_limited: + verification_redirect_url = f'{verification_redirect_url}&rate_limited=true' # Preserve invitation token so it can be included in OAuth state after verification if invitation_token: verification_redirect_url = ( diff --git a/enterprise/tests/unit/test_auth_routes.py b/enterprise/tests/unit/test_auth_routes.py index 0d1ed3760c..43a6f348f5 100644 --- a/enterprise/tests/unit/test_auth_routes.py +++ b/enterprise/tests/unit/test_auth_routes.py @@ -249,10 +249,12 @@ async def test_keycloak_callback_email_not_verified( """Test keycloak_callback when email is not verified.""" # Arrange mock_verify_email = AsyncMock() + mock_rate_limit = AsyncMock() with ( patch('server.routes.auth.token_manager') as mock_token_manager, patch('server.routes.auth.user_verifier') as mock_verifier, patch('server.routes.email.verify_email', mock_verify_email), + patch('server.routes.auth.check_rate_limit_by_user_id', mock_rate_limit), patch('server.routes.auth.UserStore') as mock_user_store, ): mock_token_manager.get_keycloak_tokens = AsyncMock( @@ -291,6 +293,14 @@ async def test_keycloak_callback_email_not_verified( mock_verify_email.assert_called_once_with( request=mock_request, user_id='test_user_id', is_auth_flow=True ) + # Verify rate limit was checked + mock_rate_limit.assert_called_once_with( + request=mock_request, + key_prefix='auth_verify_email', + user_id='test_user_id', + user_rate_limit_seconds=60, + ip_rate_limit_seconds=120, + ) @pytest.mark.asyncio @@ -300,10 +310,12 @@ async def test_keycloak_callback_email_not_verified_missing_field( """Test keycloak_callback when email_verified field is missing (defaults to False).""" # Arrange mock_verify_email = AsyncMock() + mock_rate_limit = AsyncMock() with ( patch('server.routes.auth.token_manager') as mock_token_manager, patch('server.routes.auth.user_verifier') as mock_verifier, patch('server.routes.email.verify_email', mock_verify_email), + patch('server.routes.auth.check_rate_limit_by_user_id', mock_rate_limit), patch('server.routes.auth.UserStore') as mock_user_store, ): mock_token_manager.get_keycloak_tokens = AsyncMock( @@ -344,6 +356,73 @@ async def test_keycloak_callback_email_not_verified_missing_field( ) +@pytest.mark.asyncio +async def test_keycloak_callback_email_verification_rate_limited( + mock_request, create_keycloak_user_info +): + """Test keycloak_callback when email verification is rate limited. + + Users who repeatedly try to login without completing email verification + should not trigger unlimited verification emails. + """ + from fastapi import HTTPException + + # Arrange + mock_verify_email = AsyncMock() + mock_rate_limit = AsyncMock( + side_effect=HTTPException( + status_code=status.HTTP_429_TOO_MANY_REQUESTS, + detail='Too many requests. Please wait 1 minute before trying again.', + ) + ) + with ( + patch('server.routes.auth.token_manager') as mock_token_manager, + patch('server.routes.auth.user_verifier') as mock_verifier, + patch('server.routes.email.verify_email', mock_verify_email), + patch('server.routes.auth.check_rate_limit_by_user_id', mock_rate_limit), + patch('server.routes.auth.UserStore') as mock_user_store, + ): + mock_token_manager.get_keycloak_tokens = AsyncMock( + return_value=('test_access_token', 'test_refresh_token') + ) + mock_token_manager.get_user_info = AsyncMock( + return_value=create_keycloak_user_info( + sub='test_user_id', + preferred_username='test_user', + identity_provider='github', + email_verified=False, + ) + ) + mock_token_manager.store_idp_tokens = AsyncMock() + mock_verifier.is_active.return_value = False + + # Mock the user creation + mock_user = MagicMock() + mock_user.id = 'test_user_id' + mock_user.current_org_id = 'test_org_id' + mock_user_store.get_user_by_id = AsyncMock(return_value=mock_user) + mock_user_store.create_user = AsyncMock(return_value=mock_user) + mock_user_store.backfill_contact_name = AsyncMock() + mock_user_store.backfill_user_email = AsyncMock() + + # Act + result = await keycloak_callback( + code='test_code', state='test_state', request=mock_request + ) + + # Assert - should still redirect to verification page but NOT send email + assert isinstance(result, RedirectResponse) + assert result.status_code == 302 + assert 'email_verification_required=true' in result.headers['location'] + assert 'user_id=test_user_id' in result.headers['location'] + # When rate limited, the redirect URL should include rate_limited=true + # so the frontend can show an appropriate message + assert 'rate_limited=true' in result.headers['location'] + # verify_email should NOT have been called due to rate limit + mock_verify_email.assert_not_called() + mock_rate_limit.assert_called_once() + + @pytest.mark.asyncio async def test_keycloak_callback_success_without_offline_token( mock_request, create_keycloak_user_info diff --git a/frontend/__tests__/components/features/waitlist/email-verification-modal.test.tsx b/frontend/__tests__/components/features/waitlist/email-verification-modal.test.tsx index c62f85036b..12ff0398a3 100644 --- a/frontend/__tests__/components/features/waitlist/email-verification-modal.test.tsx +++ b/frontend/__tests__/components/features/waitlist/email-verification-modal.test.tsx @@ -36,6 +36,21 @@ describe("EmailVerificationModal", () => { ).toBeInTheDocument(); }); + it("should render the rate limited message when wasRateLimited is true", () => { + // Arrange & Act + renderWithRouter( + , + ); + + // Assert - should show the rate limited message instead of the default one + expect( + screen.getByText("AUTH$CHECK_INBOX_FOR_VERIFICATION_EMAIL"), + ).toBeInTheDocument(); + expect( + screen.queryByText("AUTH$PLEASE_CHECK_EMAIL_TO_VERIFY"), + ).not.toBeInTheDocument(); + }); + it("should render the TermsAndPrivacyNotice component", () => { // Arrange & Act renderWithRouter(); diff --git a/frontend/src/components/features/waitlist/email-verification-modal.tsx b/frontend/src/components/features/waitlist/email-verification-modal.tsx index fafd11ee4e..751a0fa106 100644 --- a/frontend/src/components/features/waitlist/email-verification-modal.tsx +++ b/frontend/src/components/features/waitlist/email-verification-modal.tsx @@ -10,11 +10,13 @@ import { useEmailVerification } from "#/hooks/use-email-verification"; interface EmailVerificationModalProps { onClose: () => void; userId?: string | null; + wasRateLimited?: boolean; } export function EmailVerificationModal({ onClose, userId, + wasRateLimited = false, }: EmailVerificationModalProps) { const { t } = useTranslation(); const { @@ -33,14 +35,18 @@ export function EmailVerificationModal({ resendButtonLabel = t(I18nKey.SETTINGS$RESEND_VERIFICATION); } + // Show different message when rate limited - user should check their inbox + // for the verification email sent earlier + const headerMessage = wasRateLimited + ? t(I18nKey.AUTH$CHECK_INBOX_FOR_VERIFICATION_EMAIL) + : t(I18nKey.AUTH$PLEASE_CHECK_EMAIL_TO_VERIFY); + return (
-

- {t(I18nKey.AUTH$PLEASE_CHECK_EMAIL_TO_VERIFY)} -

+

{headerMessage}

diff --git a/frontend/src/hooks/use-email-verification.ts b/frontend/src/hooks/use-email-verification.ts index ac919fc8ec..f9cf4fe29c 100644 --- a/frontend/src/hooks/use-email-verification.ts +++ b/frontend/src/hooks/use-email-verification.ts @@ -21,6 +21,7 @@ import { useResendEmailVerification } from "#/hooks/mutation/use-resend-email-ve * - isCooldownActive: boolean indicating if cooldown is currently active * - cooldownRemaining: number of milliseconds remaining in cooldown * - formattedCooldownTime: string formatted as "M:SS" for display + * - wasRateLimited: boolean indicating if the user was rate limited during OAuth flow */ export function useEmailVerification() { const [searchParams, setSearchParams] = useSearchParams(); @@ -29,6 +30,7 @@ export function useEmailVerification() { const [emailVerified, setEmailVerified] = React.useState(false); const [hasDuplicatedEmail, setHasDuplicatedEmail] = React.useState(false); const [recaptchaBlocked, setRecaptchaBlocked] = React.useState(false); + const [wasRateLimited, setWasRateLimited] = React.useState(false); const [userId, setUserId] = React.useState(null); const [lastSentTimestamp, setLastSentTimestamp] = React.useState< number | null @@ -85,6 +87,13 @@ export function useEmailVerification() { shouldUpdate = true; } + const rateLimitedParam = searchParams.get("rate_limited"); + if (rateLimitedParam === "true") { + setWasRateLimited(true); + searchParams.delete("rate_limited"); + shouldUpdate = true; + } + if (userIdParam) { setUserId(userIdParam); searchParams.delete("user_id"); @@ -136,6 +145,7 @@ export function useEmailVerification() { setEmailVerified, hasDuplicatedEmail, recaptchaBlocked, + wasRateLimited, userId, resendEmailVerification: resendEmailVerificationMutation.mutate, isResendingVerification: resendEmailVerificationMutation.isPending, diff --git a/frontend/src/i18n/declaration.ts b/frontend/src/i18n/declaration.ts index a42047bb84..44ff4dcc38 100644 --- a/frontend/src/i18n/declaration.ts +++ b/frontend/src/i18n/declaration.ts @@ -767,6 +767,7 @@ export enum I18nKey { AUTH$BY_SIGNING_UP_YOU_AGREE_TO_OUR = "AUTH$BY_SIGNING_UP_YOU_AGREE_TO_OUR", AUTH$NO_PROVIDERS_CONFIGURED = "AUTH$NO_PROVIDERS_CONFIGURED", AUTH$PLEASE_CHECK_EMAIL_TO_VERIFY = "AUTH$PLEASE_CHECK_EMAIL_TO_VERIFY", + AUTH$CHECK_INBOX_FOR_VERIFICATION_EMAIL = "AUTH$CHECK_INBOX_FOR_VERIFICATION_EMAIL", AUTH$EMAIL_VERIFIED_PLEASE_LOGIN = "AUTH$EMAIL_VERIFIED_PLEASE_LOGIN", AUTH$DUPLICATE_EMAIL_ERROR = "AUTH$DUPLICATE_EMAIL_ERROR", AUTH$RECAPTCHA_BLOCKED = "AUTH$RECAPTCHA_BLOCKED", diff --git a/frontend/src/i18n/translation.json b/frontend/src/i18n/translation.json index 868eee4a94..0306c04244 100644 --- a/frontend/src/i18n/translation.json +++ b/frontend/src/i18n/translation.json @@ -12275,6 +12275,22 @@ "de": "Bitte überprüfen Sie Ihre E-Mail, um Ihr Konto zu verifizieren.", "uk": "Будь ласка, перевірте свою електронну пошту, щоб підтвердити свій обліковий запис." }, + "AUTH$CHECK_INBOX_FOR_VERIFICATION_EMAIL": { + "en": "Please check your inbox for the verification email we sent earlier.", + "ja": "先ほど送信した確認メールを受信トレイでご確認ください。", + "zh-CN": "请检查您的收件箱,查收我们之前发送的验证邮件。", + "zh-TW": "請檢查您的收件箱,查收我們之前發送的驗證郵件。", + "ko-KR": "이전에 보내드린 인증 이메일을 받은 편지함에서 확인해 주세요.", + "no": "Vennligst sjekk innboksen din for bekreftelsese-posten vi sendte tidligere.", + "it": "Controlla la tua casella di posta per l'email di verifica che ti abbiamo inviato in precedenza.", + "pt": "Por favor, verifique sua caixa de entrada para o e-mail de verificação que enviamos anteriormente.", + "es": "Por favor, revisa tu bandeja de entrada para el correo de verificación que te enviamos anteriormente.", + "ar": "يرجى التحقق من صندوق الوارد للبريد الإلكتروني الذي أرسلناه لك سابقًا.", + "fr": "Veuillez vérifier votre boîte de réception pour l'e-mail de vérification que nous vous avons envoyé précédemment.", + "tr": "Lütfen daha önce gönderdiğimiz doğrulama e-postası için gelen kutunuzu kontrol edin.", + "de": "Bitte überprüfen Sie Ihren Posteingang auf die Bestätigungs-E-Mail, die wir Ihnen zuvor gesendet haben.", + "uk": "Будь ласка, перевірте вашу поштову скриньку на наявність листа підтвердження, який ми надіслали раніше." + }, "AUTH$EMAIL_VERIFIED_PLEASE_LOGIN": { "en": "Your email has been verified. Please login below.", "ja": "メールアドレスが確認されました。下記からログインしてください。", diff --git a/frontend/src/routes/login.tsx b/frontend/src/routes/login.tsx index 874743aa6e..0b357909b6 100644 --- a/frontend/src/routes/login.tsx +++ b/frontend/src/routes/login.tsx @@ -19,6 +19,7 @@ export default function LoginPage() { emailVerified, hasDuplicatedEmail, recaptchaBlocked, + wasRateLimited, emailVerificationModalOpen, setEmailVerificationModalOpen, userId, @@ -83,6 +84,7 @@ export default function LoginPage() { setEmailVerificationModalOpen(false); }} userId={userId} + wasRateLimited={wasRateLimited} /> )} From 41d8bd28e9fa6837a89dc6901a86e7adb08a60fa Mon Sep 17 00:00:00 2001 From: Chris Bagwell Date: Thu, 5 Mar 2026 19:39:58 -0600 Subject: [PATCH 60/67] fix: preserve llm_base_url when saving MCP server config (#13225) --- openhands/server/routes/settings.py | 7 +- .../routes/test_settings_store_functions.py | 66 ++++++++++++++++++- 2 files changed, 70 insertions(+), 3 deletions(-) diff --git a/openhands/server/routes/settings.py b/openhands/server/routes/settings.py index eda0cb938f..cc431f2e4d 100644 --- a/openhands/server/routes/settings.py +++ b/openhands/server/routes/settings.py @@ -141,9 +141,12 @@ async def store_llm_settings( settings.llm_api_key = existing_settings.llm_api_key if settings.llm_model is None: settings.llm_model = existing_settings.llm_model - # if llm_base_url is missing or empty, try to determine appropriate URL + # if llm_base_url is missing or empty, try to preserve existing or determine appropriate URL if not settings.llm_base_url: - if is_openhands_model(settings.llm_model): + if settings.llm_base_url is None and existing_settings.llm_base_url: + # Not provided at all (e.g. MCP config save) - preserve existing + settings.llm_base_url = existing_settings.llm_base_url + elif is_openhands_model(settings.llm_model): # OpenHands models use the LiteLLM proxy settings.llm_base_url = LITE_LLM_API_URL elif settings.llm_model: diff --git a/tests/unit/server/routes/test_settings_store_functions.py b/tests/unit/server/routes/test_settings_store_functions.py index 366f9e145f..f51a5b506a 100644 --- a/tests/unit/server/routes/test_settings_store_functions.py +++ b/tests/unit/server/routes/test_settings_store_functions.py @@ -6,6 +6,7 @@ from fastapi import FastAPI from fastapi.testclient import TestClient from pydantic import SecretStr +from openhands.core.config.mcp_config import MCPConfig, MCPStdioServerConfig from openhands.integrations.provider import ProviderToken from openhands.integrations.service_types import ProviderType from openhands.server.routes.secrets import ( @@ -193,7 +194,8 @@ async def test_store_llm_settings_partial_update(): For OpenAI models, this returns https://api.openai.com. """ settings = Settings( - llm_model='gpt-4' # Only updating model (not an openhands model) + llm_model='gpt-4', # Only updating model (not an openhands model) + llm_base_url='', # Explicitly cleared (e.g. basic mode save) ) # Create existing settings @@ -209,10 +211,72 @@ async def test_store_llm_settings_partial_update(): assert result.llm_model == 'gpt-4' # For SecretStr objects, we need to compare the secret value assert result.llm_api_key.get_secret_value() == 'existing-api-key' + # llm_base_url was explicitly cleared (""), so auto-detection runs # OpenAI models: litellm.get_api_base() returns https://api.openai.com assert result.llm_base_url == 'https://api.openai.com' +@pytest.mark.asyncio +async def test_store_llm_settings_mcp_update_preserves_base_url(): + """Test that saving MCP config (without LLM fields) preserves existing base URL. + + Regression test: When adding an MCP server, the frontend sends only mcp_config + and v1_enabled. This should not wipe out the existing llm_base_url. + """ + # Simulate what the MCP add/update/delete mutations send: mcp_config but no LLM fields + settings = Settings( + mcp_config=MCPConfig( + stdio_servers=[ + MCPStdioServerConfig( + name='my-server', + command='npx', + args=['-y', '@my/mcp-server'], + env={'API_TOKEN': 'secret123', 'ENDPOINT': 'https://example.com'}, + ) + ], + ), + ) + + # Create existing settings with a custom base URL + existing_settings = Settings( + llm_model='anthropic/claude-sonnet-4-5-20250929', + llm_api_key=SecretStr('existing-api-key'), + llm_base_url='https://my-custom-proxy.example.com', + ) + + result = await store_llm_settings(settings, existing_settings) + + # All existing LLM settings should be preserved + assert result.llm_model == 'anthropic/claude-sonnet-4-5-20250929' + assert result.llm_api_key.get_secret_value() == 'existing-api-key' + assert result.llm_base_url == 'https://my-custom-proxy.example.com' + + +@pytest.mark.asyncio +async def test_store_llm_settings_no_existing_base_url_uses_auto_detection(): + """Test auto-detection kicks in only when there is no existing base URL. + + When neither the incoming settings nor existing settings have a base URL, + auto-detection from litellm should be used. + """ + settings = Settings( + llm_model='gpt-4' # Not an openhands model + ) + + # Existing settings without a base URL + existing_settings = Settings( + llm_model='gpt-3.5', + llm_api_key=SecretStr('existing-api-key'), + ) + + result = await store_llm_settings(settings, existing_settings) + + assert result.llm_model == 'gpt-4' + assert result.llm_api_key.get_secret_value() == 'existing-api-key' + # No existing base URL, so auto-detection should set it + assert result.llm_base_url == 'https://api.openai.com' + + @pytest.mark.asyncio async def test_store_llm_settings_anthropic_model_gets_api_base(): """Test store_llm_settings with an Anthropic model. From 1f1fb5a95438c1d672ec2cbf0d1ce400fb57e5e0 Mon Sep 17 00:00:00 2001 From: Povo43 <43anillo@gmail.com> Date: Fri, 6 Mar 2026 19:15:27 +0900 Subject: [PATCH 61/67] fix(i18n): correct Japanese translation strings (#13261) --- frontend/src/i18n/translation.json | 84 +++++++++++++++--------------- 1 file changed, 42 insertions(+), 42 deletions(-) diff --git a/frontend/src/i18n/translation.json b/frontend/src/i18n/translation.json index 0306c04244..d84602daab 100644 --- a/frontend/src/i18n/translation.json +++ b/frontend/src/i18n/translation.json @@ -513,7 +513,7 @@ }, "HOME$LAUNCH_FROM_SCRATCH": { "en": "Launch from Scratch", - "ja": "ゼロから始める", + "ja": "新規作成", "zh-CN": "从零开始", "zh-TW": "從零開始", "ko-KR": "처음부터 시작", @@ -529,7 +529,7 @@ }, "HOME$READ_THIS": { "en": "Read this", - "ja": "こちらを読む", + "ja": "詳細はこちら", "zh-CN": "阅读此内容", "zh-TW": "閱讀此內容", "ko-KR": "이것을 읽어보세요", @@ -865,7 +865,7 @@ }, "TASK$ADDRESSING_TASK": { "en": "Addressing task...", - "ja": "タスクに対応中...", + "ja": "タスクを処理中...", "zh-CN": "正在处理任务...", "zh-TW": "正在處理任務...", "ko-KR": "작업 처리 중...", @@ -4289,19 +4289,19 @@ }, "EXPLORER$VSCODE_SWITCHING_MESSAGE": { "en": "Switching to VS Code in 3 seconds...\nImportant: Please inform the agent of any changes you make in VS Code. To avoid conflicts, wait for the assistant to complete its work before making your own changes.", - "zh-CN": "切换到VS Code中...", - "zh-TW": "切換到 VS Code 中...", - "ja": "3秒後にVS Codeに切り替わります...\n重要:VS Codeで行った変更はエージェントに通知してください。競合を避けるため、アシスタントの作業が完了するまで自身の変更を待ってください。", - "ko-KR": "VS Code로 전환 중...", - "no": "Bytter til VS Code om 3 sekunder...\nViktig: Vennligst informer agenten om eventuelle endringer du gjør i VS Code. For å unngå konflikter, vent til assistenten er ferdig med sitt arbeid før du gjør dine egne endringer.", - "ar": "جارٍ التبديل إلى VS Code في غضون 3 ثوانٍ...\nمهم: يرجى إبلاغ الوكيل بأي تغييرات تقوم بها في VS Code. لتجنب التعارضات، انتظر حتى يكمل المساعد عمله قبل إجراء تغييراتك.", - "de": "Wechsel zu VS Code in 3 Sekunden...\nWichtig: Bitte informieren Sie den Agenten über alle Änderungen, die Sie in VS Code vornehmen. Um Konflikte zu vermeiden, warten Sie, bis der Assistent seine Arbeit abgeschlossen hat, bevor Sie eigene Änderungen vornehmen.", - "fr": "Passage à VS Code dans 3 secondes...\nImportant : Veuillez informer l'agent de toute modification que vous apportez dans VS Code. Pour éviter les conflits, attendez que l'assistant ait terminé son travail avant d'apporter vos propres modifications.", - "it": "Passaggio a VS Code tra 3 secondi...\nImportante: Si prega di informare l'agente di eventuali modifiche apportate in VS Code. Per evitare conflitti, attendere che l'assistente completi il suo lavoro prima di apportare le proprie modifiche.", - "pt": "Mudando para o VS Code em 3 segundos...\nImportante: Por favor, informe o agente sobre quaisquer alterações que você fizer no VS Code. Para evitar conflitos, aguarde até que o assistente conclua seu trabalho antes de fazer suas próprias alterações.", - "es": "Cambiando a VS Code en 3 segundos...\nImportante: Por favor, informe al agente de cualquier cambio que realice en VS Code. Para evitar conflictos, espere a que el asistente complete su trabajo antes de realizar sus propios cambios.", - "tr": "3 saniye içinde VS Code'a geçiliyor...\nÖnemli: Lütfen VS Code'da yaptığınız değişiklikleri aracıya bildirin. Çakışmaları önlemek için, kendi değişikliklerinizi yapmadan önce asistanın işini tamamlamasını bekleyin.", - "uk": "Перехід до VS Code через 3 секунди...\nВажливо: Будь ласка, повідомте агента про будь-які зміни, які ви вносите у VS Code. Щоб уникнути конфліктів, зачекайте, поки помічник завершить свою роботу, перш ніж вносити власні зміни." + "ja": "3秒後にVS Codeへ切り替わります...\n重要:VS Codeで行った変更はエージェントに通知してください。競合を避けるため、アシスタントの作業が完了してから変更を行ってください。", + "zh-CN": "3秒后将切换到 VS Code...\n重要:请将您在 VS Code 中所做的任何更改告知代理。为避免冲突,请在助手完成工作后再进行自己的修改。", + "zh-TW": "3秒後將切換到 VS Code...\n重要:請將您在 VS Code 中所做的任何變更告知代理。為避免衝突,請在助手完成工作後再進行自己的修改。", + "ko-KR": "3초 후 VS Code로 전환됩니다...\n중요: VS Code에서 수행한 변경 사항을 에이전트에게 알려 주세요. 충돌을 방지하려면 어시스턴트의 작업이 완료된 후에 직접 변경하세요.", + "no": "Bytter til VS Code om 3 sekunder...\nViktig: Vennligst informer agenten om eventuelle endringer du gjør i VS Code. For å unngå konflikter, vent til assistenten er ferdig før du gjør egne endringer.", + "ar": "سيتم التبديل إلى VS Code خلال 3 ثوانٍ...\nمهم: يرجى إبلاغ الوكيل بأي تغييرات تجريها في VS Code. لتجنب التعارضات، انتظر حتى ينهي المساعد عمله قبل إجراء تغييراتك.", + "de": "Wechsel zu VS Code in 3 Sekunden...\nWichtig: Bitte informieren Sie den Agenten über alle Änderungen, die Sie in VS Code vornehmen. Um Konflikte zu vermeiden, warten Sie, bis der Assistent seine Arbeit abgeschlossen hat, bevor Sie eigene Änderungen durchführen.", + "fr": "Passage à VS Code dans 3 secondes...\nImportant : veuillez informer l’agent de toute modification effectuée dans VS Code. Pour éviter les conflits, attendez que l’assistant ait terminé son travail avant d’apporter vos propres modifications.", + "it": "Passaggio a VS Code tra 3 secondi...\nImportante: informa l’agente di qualsiasi modifica effettuata in VS Code. Per evitare conflitti, attendi che l’assistente completi il lavoro prima di apportare le tue modifiche.", + "pt": "Mudando para o VS Code em 3 segundos...\nImportante: informe o agente sobre quaisquer alterações feitas no VS Code. Para evitar conflitos, aguarde até que o assistente conclua seu trabalho antes de fazer suas próprias alterações.", + "es": "Cambiando a VS Code en 3 segundos...\nImportante: informe al agente de cualquier cambio realizado en VS Code. Para evitar conflictos, espere a que el asistente termine su trabajo antes de hacer sus propios cambios.", + "tr": "3 saniye içinde VS Code'a geçiliyor...\nÖnemli: VS Code’da yaptığınız değişiklikleri aracıya bildirin. Çakışmaları önlemek için kendi değişikliklerinizi yapmadan önce asistanın işini bitirmesini bekleyin.", + "uk": "Перехід до VS Code через 3 секунди...\nВажливо: повідомте агента про будь-які зміни, які ви робите у VS Code. Щоб уникнути конфліктів, дочекайтеся завершення роботи помічника перед власними змінами." }, "EXPLORER$VSCODE_SWITCHING_ERROR_MESSAGE": { "en": "Error switching to VS Code: {{error}}", @@ -5633,35 +5633,35 @@ }, "LANDING$REPLAY": { "en": "+ Replay Trajectory", - "ja": "+ Replay Trajectory", - "zh-CN": "+ Replay Trajectory", - "zh-TW": "+ Replay Trajectory", - "ko-KR": "+ Replay Trajectory", - "fr": "+ Replay Trajectory", - "es": "+ Replay Trajectory", - "de": "+ Replay Trajectory", - "it": "+ Replay Trajectory", - "pt": "+ Replay Trajectory", - "ar": "+ Replay Trajectory", - "no": "+ Replay Trajectory", - "tr": "+ Replay Trajectory", - "uk": "+ Replay Trajectory" + "ja": "+ トラジェクトリを再生", + "zh-CN": "+ 回放 Trajectory", + "zh-TW": "+ 回放 Trajectory", + "ko-KR": "+ Trajectory 재생", + "fr": "+ Rejouer la trajectoire", + "es": "+ Reproducir trayectoria", + "de": "+ Trajektorie abspielen", + "it": "+ Riproduci traiettoria", + "pt": "+ Reproduzir trajetória", + "ar": "+ إعادة تشغيل المسار", + "no": "+ Spill av trajektori", + "tr": "+ Yörüngeyi yeniden oynat", + "uk": "+ Відтворити траєкторію" }, "LANDING$UPLOAD_TRAJECTORY": { "en": "Upload a .json", - "zh-CN": "Upload a .json", - "zh-TW": "Upload a .json", - "ko-KR": "Upload a .json", - "fr": "Upload a .json", - "es": "Upload a .json", - "de": "Upload a .json", - "it": "Upload a .json", - "pt": "Upload a .json", - "ar": "Upload a .json", - "no": "Upload a .json", - "tr": "Upload a .json", - "uk": "Завантажити .json", - "ja": ".jsonをアップロード" + "zh-CN": "上传 .json 文件", + "zh-TW": "上傳 .json 檔案", + "ko-KR": ".json 파일 업로드", + "fr": "Téléverser un fichier .json", + "es": "Subir un archivo .json", + "de": ".json-Datei hochladen", + "it": "Carica un file .json", + "pt": "Enviar um arquivo .json", + "ar": "تحميل ملف .json", + "no": "Last opp en .json-fil", + "tr": ".json dosyası yükle", + "uk": "Завантажити файл .json", + "ja": ".jsonファイルをアップロード" }, "LANDING$RECENT_CONVERSATION": { "en": "jump back to your most recent conversation", From 2d7362bf2621fefe5dfa4ee6233eaa67dae240e5 Mon Sep 17 00:00:00 2001 From: jpelletier1 <44589723+jpelletier1@users.noreply.github.com> Date: Fri, 6 Mar 2026 09:22:28 -0500 Subject: [PATCH 62/67] refactor: update skills to Agent Skills format (#13267) Co-authored-by: openhands --- .agents/skills/upcoming-release.md | 22 -------------- .agents/skills/upcoming-release/SKILL.md | 37 ++++++++++++++++++++++++ 2 files changed, 37 insertions(+), 22 deletions(-) delete mode 100644 .agents/skills/upcoming-release.md create mode 100644 .agents/skills/upcoming-release/SKILL.md diff --git a/.agents/skills/upcoming-release.md b/.agents/skills/upcoming-release.md deleted file mode 100644 index b17a15785b..0000000000 --- a/.agents/skills/upcoming-release.md +++ /dev/null @@ -1,22 +0,0 @@ ---- -name: upcoming-release -description: Generate a concise summary of PRs included in the upcoming release. -triggers: -- /upcoming-release ---- - -We want to know what is part of the upcoming release. - -To do this, you need two commit SHAs. One SHA is what is currently running. The second SHA is what is going to be -released. The user must provide these. If the user does not provide these, ask the user to provide them before doing -anything. - -Once you have received the two SHAs: -1. Run the `.github/scripts/find_prs_between_commits.py` script from the repository root directory with the `--json` flag. The **first SHA** should be the older commit (current release), and the **second SHA** should be the newer commit (what's being released). -2. Do not show PRs that are chores, dependency updates, adding logs, refactors. -3. From the remaining PRs, split them into these categories: - - Features - - Bug fixes - - Security/CVE fixes - - Other -4. The output should list the PRs under their category, including the PR number with a brief description of the PR. diff --git a/.agents/skills/upcoming-release/SKILL.md b/.agents/skills/upcoming-release/SKILL.md new file mode 100644 index 0000000000..c9c6fd00c7 --- /dev/null +++ b/.agents/skills/upcoming-release/SKILL.md @@ -0,0 +1,37 @@ +--- +name: upcoming-release +description: This skill should be used when the user asks to "generate release notes", "list upcoming release PRs", "summarize upcoming release", "/upcoming-release", or needs to know what changes are part of an upcoming release. +--- + +# Upcoming Release Summary + +Generate a concise summary of PRs included in the upcoming release. + +## Prerequisites + +Two commit SHAs are required: +- **First SHA**: The older commit (current release) +- **Second SHA**: The newer commit (what's being released) + +If the user does not provide both SHAs, ask for them before proceeding. + +## Workflow + +1. Run the script from the repository root with the `--json` flag: + ```bash + .github/scripts/find_prs_between_commits.py --json + ``` + +2. Filter out PRs that are: + - Chores + - Dependency updates + - Adding logs + - Refactors + +3. Categorize the remaining PRs: + - **Features** - New functionality + - **Bug fixes** - Corrections to existing behavior + - **Security/CVE fixes** - Security-related changes + - **Other** - Everything else + +4. Format the output with PRs listed under their category, including the PR number and a brief description. From 6186685ebcf172026ebd0a7e0019e373820d60c4 Mon Sep 17 00:00:00 2001 From: Tim O'Farrell Date: Fri, 6 Mar 2026 09:10:59 -0700 Subject: [PATCH 63/67] Refactor user authorization: Replace domain blocklist with flexible whitelist/blacklist pattern matching (#13207) Co-authored-by: openhands --- .../099_create_user_authorizations_table.py | 136 ++++ enterprise/server/auth/auth_utils.py | 53 -- enterprise/server/auth/domain_blocker.py | 66 -- enterprise/server/auth/saas_user_auth.py | 21 +- enterprise/server/auth/user/__init__.py | 0 .../auth/user/default_user_authorizer.py | 98 +++ .../server/auth/user/user_authorizer.py | 48 ++ enterprise/server/routes/auth.py | 140 ++-- enterprise/storage/blocked_email_domain.py | 30 - .../storage/blocked_email_domain_store.py | 43 -- enterprise/storage/user_authorization.py | 45 ++ .../storage/user_authorization_store.py | 203 ++++++ .../storage/test_user_authorization_store.py | 635 ++++++++++++++++++ enterprise/tests/unit/test_auth_routes.py | 596 +++++++--------- enterprise/tests/unit/test_domain_blocker.py | 429 ------------ enterprise/tests/unit/test_saas_user_auth.py | 53 +- 16 files changed, 1490 insertions(+), 1106 deletions(-) create mode 100644 enterprise/migrations/versions/099_create_user_authorizations_table.py delete mode 100644 enterprise/server/auth/auth_utils.py delete mode 100644 enterprise/server/auth/domain_blocker.py create mode 100644 enterprise/server/auth/user/__init__.py create mode 100644 enterprise/server/auth/user/default_user_authorizer.py create mode 100644 enterprise/server/auth/user/user_authorizer.py delete mode 100644 enterprise/storage/blocked_email_domain.py delete mode 100644 enterprise/storage/blocked_email_domain_store.py create mode 100644 enterprise/storage/user_authorization.py create mode 100644 enterprise/storage/user_authorization_store.py create mode 100644 enterprise/tests/unit/storage/test_user_authorization_store.py delete mode 100644 enterprise/tests/unit/test_domain_blocker.py diff --git a/enterprise/migrations/versions/099_create_user_authorizations_table.py b/enterprise/migrations/versions/099_create_user_authorizations_table.py new file mode 100644 index 0000000000..17b45d8fca --- /dev/null +++ b/enterprise/migrations/versions/099_create_user_authorizations_table.py @@ -0,0 +1,136 @@ +"""Create user_authorizations table and migrate blocked_email_domains + +Revision ID: 099 +Revises: 098 +Create Date: 2025-03-05 00:00:00.000000 + +""" + +import os +from typing import Sequence, Union + +import sqlalchemy as sa +from alembic import op + +# revision identifiers, used by Alembic. +revision: str = '099' +down_revision: Union[str, None] = '098' +branch_labels: Union[str, Sequence[str], None] = None +depends_on: Union[str, Sequence[str], None] = None + + +def _seed_from_environment() -> None: + """Seed user_authorizations table from environment variables. + + Reads EMAIL_PATTERN_BLACKLIST and EMAIL_PATTERN_WHITELIST environment variables. + Each should be a comma-separated list of SQL LIKE patterns (e.g., '%@example.com'). + + If the environment variables are not set or empty, this function does nothing. + + This allows us to set up feature deployments with particular patterns already + blacklisted or whitelisted. (For example, you could blacklist everything with + `%`, and then whitelist certain email accounts.) + """ + blacklist_patterns = os.environ.get('EMAIL_PATTERN_BLACKLIST', '').strip() + whitelist_patterns = os.environ.get('EMAIL_PATTERN_WHITELIST', '').strip() + + connection = op.get_bind() + + if blacklist_patterns: + for pattern in blacklist_patterns.split(','): + pattern = pattern.strip() + if pattern: + connection.execute( + sa.text(""" + INSERT INTO user_authorizations + (email_pattern, provider_type, type) + VALUES + (:pattern, NULL, 'blacklist') + """), + {'pattern': pattern}, + ) + + if whitelist_patterns: + for pattern in whitelist_patterns.split(','): + pattern = pattern.strip() + if pattern: + connection.execute( + sa.text(""" + INSERT INTO user_authorizations + (email_pattern, provider_type, type) + VALUES + (:pattern, NULL, 'whitelist') + """), + {'pattern': pattern}, + ) + + +def upgrade() -> None: + """Create user_authorizations table, migrate data, and drop blocked_email_domains.""" + # Create user_authorizations table + op.create_table( + 'user_authorizations', + sa.Column('id', sa.Integer(), sa.Identity(), nullable=False, primary_key=True), + sa.Column('email_pattern', sa.String(), nullable=True), + sa.Column('provider_type', sa.String(), nullable=True), + sa.Column('type', sa.String(), nullable=False), + sa.Column( + 'created_at', + sa.DateTime(timezone=True), + nullable=False, + server_default=sa.text('CURRENT_TIMESTAMP'), + ), + sa.Column( + 'updated_at', + sa.DateTime(timezone=True), + nullable=False, + server_default=sa.text('CURRENT_TIMESTAMP'), + ), + sa.PrimaryKeyConstraint('id'), + ) + + # Create index on email_pattern for efficient LIKE queries + op.create_index( + 'ix_user_authorizations_email_pattern', + 'user_authorizations', + ['email_pattern'], + ) + + # Create index on type for efficient filtering + op.create_index( + 'ix_user_authorizations_type', + 'user_authorizations', + ['type'], + ) + + # Migrate existing blocked_email_domains to user_authorizations as blacklist entries + # The domain patterns are converted to SQL LIKE patterns: + # - 'example.com' becomes '%@example.com' (matches user@example.com) + # - '.us' becomes '%@%.us' (matches user@anything.us) + # We also add '%.' prefix for subdomain matching + op.execute(""" + INSERT INTO user_authorizations (email_pattern, provider_type, type, created_at, updated_at) + SELECT + CASE + WHEN domain LIKE '.%' THEN '%' || domain + ELSE '%@%' || domain + END as email_pattern, + NULL as provider_type, + 'blacklist' as type, + created_at, + updated_at + FROM blocked_email_domains + """) + + # Seed additional patterns from environment variables (if set) + _seed_from_environment() + + +def downgrade() -> None: + """Recreate blocked_email_domains table and migrate data back.""" + # Drop user_authorizations table + op.drop_index('ix_user_authorizations_type', table_name='user_authorizations') + op.drop_index( + 'ix_user_authorizations_email_pattern', table_name='user_authorizations' + ) + op.drop_table('user_authorizations') diff --git a/enterprise/server/auth/auth_utils.py b/enterprise/server/auth/auth_utils.py deleted file mode 100644 index 7e1fed2f14..0000000000 --- a/enterprise/server/auth/auth_utils.py +++ /dev/null @@ -1,53 +0,0 @@ -import os - -from openhands.core.logger import openhands_logger as logger - - -class UserVerifier: - def __init__(self) -> None: - logger.debug('Initializing UserVerifier') - self.file_users: list[str] | None = None - - # Initialize from environment variables - self._init_file_users() - - def _init_file_users(self) -> None: - """Load users from text file if configured.""" - waitlist = os.getenv('GITHUB_USER_LIST_FILE') - if not waitlist: - logger.debug('GITHUB_USER_LIST_FILE not configured') - return - - if not os.path.exists(waitlist): - logger.error(f'User list file not found: {waitlist}') - raise FileNotFoundError(f'User list file not found: {waitlist}') - - try: - with open(waitlist, 'r') as f: - self.file_users = [line.strip().lower() for line in f if line.strip()] - logger.info( - f'Successfully loaded {len(self.file_users)} users from {waitlist}' - ) - except Exception: - logger.exception(f'Error reading user list file {waitlist}') - - def is_active(self) -> bool: - if os.getenv('DISABLE_WAITLIST', '').lower() == 'true': - logger.info('Waitlist disabled via DISABLE_WAITLIST env var') - return False - return bool(self.file_users) - - def is_user_allowed(self, username: str) -> bool: - """Check if user is allowed based on file and/or sheet configuration.""" - logger.debug(f'Checking if GitHub user {username} is allowed') - if self.file_users: - if username.lower() in self.file_users: - logger.debug(f'User {username} found in text file allowlist') - return True - logger.debug(f'User {username} not found in text file allowlist') - - logger.debug(f'User {username} not found in any allowlist') - return False - - -user_verifier = UserVerifier() diff --git a/enterprise/server/auth/domain_blocker.py b/enterprise/server/auth/domain_blocker.py deleted file mode 100644 index 5808c797cf..0000000000 --- a/enterprise/server/auth/domain_blocker.py +++ /dev/null @@ -1,66 +0,0 @@ -from storage.blocked_email_domain_store import BlockedEmailDomainStore - -from openhands.core.logger import openhands_logger as logger - - -class DomainBlocker: - def __init__(self, store: BlockedEmailDomainStore) -> None: - logger.debug('Initializing DomainBlocker') - self.store = store - - def _extract_domain(self, email: str) -> str | None: - """Extract and normalize email domain from email address""" - if not email: - return None - try: - # Extract domain part after @ - if '@' not in email: - return None - domain = email.split('@')[1].strip().lower() - return domain if domain else None - except Exception: - logger.debug(f'Error extracting domain from email: {email}', exc_info=True) - return None - - async def is_domain_blocked(self, email: str) -> bool: - """Check if email domain is blocked by querying the database directly via SQL. - - Supports blocking: - - Exact domains: 'example.com' blocks 'user@example.com' - - Subdomains: 'example.com' blocks 'user@subdomain.example.com' - - TLDs: '.us' blocks 'user@company.us' and 'user@subdomain.company.us' - - The blocking logic is handled efficiently in SQL, avoiding the need to load - all blocked domains into memory. - """ - if not email: - logger.debug('No email provided for domain check') - return False - - domain = self._extract_domain(email) - if not domain: - logger.debug(f'Could not extract domain from email: {email}') - return False - - try: - # Query database directly via SQL to check if domain is blocked - is_blocked = await self.store.is_domain_blocked(domain) - - if is_blocked: - logger.warning(f'Email domain {domain} is blocked for email: {email}') - else: - logger.debug(f'Email domain {domain} is not blocked') - - return is_blocked - except Exception as e: - logger.error( - f'Error checking if domain is blocked for email {email}: {e}', - exc_info=True, - ) - # Fail-safe: if database query fails, don't block (allow auth to proceed) - return False - - -# Initialize store and domain blocker -_store = BlockedEmailDomainStore() -domain_blocker = DomainBlocker(store=_store) diff --git a/enterprise/server/auth/saas_user_auth.py b/enterprise/server/auth/saas_user_auth.py index 216486b493..501f0c31a6 100644 --- a/enterprise/server/auth/saas_user_auth.py +++ b/enterprise/server/auth/saas_user_auth.py @@ -13,7 +13,6 @@ from server.auth.auth_error import ( ExpiredError, NoCredentialsError, ) -from server.auth.domain_blocker import domain_blocker from server.auth.token_manager import TokenManager from server.config import get_config from server.logger import logger @@ -24,6 +23,8 @@ from storage.auth_tokens import AuthTokens from storage.database import a_session_maker from storage.saas_secrets_store import SaasSecretsStore from storage.saas_settings_store import SaasSettingsStore +from storage.user_authorization import UserAuthorizationType +from storage.user_authorization_store import UserAuthorizationStore from tenacity import retry, retry_if_exception_type, stop_after_attempt, wait_fixed from openhands.integrations.provider import ( @@ -326,14 +327,16 @@ async def saas_user_auth_from_signed_token(signed_token: str) -> SaasUserAuth: email = access_token_payload['email'] email_verified = access_token_payload['email_verified'] - # Check if email domain is blocked - if email and await domain_blocker.is_domain_blocked(email): - logger.warning( - f'Blocked authentication attempt for existing user with email: {email}' - ) - raise AuthError( - 'Access denied: Your email domain is not allowed to access this service' - ) + # Check if email is blacklisted (whitelist takes precedence) + if email: + auth_type = await UserAuthorizationStore.get_authorization_type(email, None) + if auth_type == UserAuthorizationType.BLACKLIST: + logger.warning( + f'Blocked authentication attempt for existing user with email: {email}' + ) + raise AuthError( + 'Access denied: Your email domain is not allowed to access this service' + ) logger.debug('saas_user_auth_from_signed_token:return') diff --git a/enterprise/server/auth/user/__init__.py b/enterprise/server/auth/user/__init__.py new file mode 100644 index 0000000000..e69de29bb2 diff --git a/enterprise/server/auth/user/default_user_authorizer.py b/enterprise/server/auth/user/default_user_authorizer.py new file mode 100644 index 0000000000..53f4ff553f --- /dev/null +++ b/enterprise/server/auth/user/default_user_authorizer.py @@ -0,0 +1,98 @@ +import logging +from dataclasses import dataclass +from typing import AsyncGenerator + +from fastapi import Request +from pydantic import Field +from server.auth.email_validation import extract_base_email +from server.auth.token_manager import KeycloakUserInfo, TokenManager +from server.auth.user.user_authorizer import ( + UserAuthorizationResponse, + UserAuthorizer, + UserAuthorizerInjector, +) +from storage.user_authorization import UserAuthorizationType +from storage.user_authorization_store import UserAuthorizationStore + +from openhands.app_server.services.injector import InjectorState + +logger = logging.getLogger(__name__) +token_manager = TokenManager() + + +@dataclass +class DefaultUserAuthorizer(UserAuthorizer): + """Class determining whether a user may be authorized. + + Uses the user_authorizations database table to check whitelist/blacklist rules. + """ + + prevent_duplicates: bool + + async def authorize_user( + self, user_info: KeycloakUserInfo + ) -> UserAuthorizationResponse: + user_id = user_info.sub + email = user_info.email + provider_type = user_info.identity_provider + try: + if not email: + logger.warning(f'No email provided for user_id: {user_id}') + return UserAuthorizationResponse( + success=False, error_detail='missing_email' + ) + + if self.prevent_duplicates: + has_duplicate = await token_manager.check_duplicate_base_email( + email, user_id + ) + if has_duplicate: + logger.warning( + f'Blocked signup attempt for email {email} - duplicate base email found', + extra={'user_id': user_id, 'email': email}, + ) + return UserAuthorizationResponse( + success=False, error_detail='duplicate_email' + ) + + # Check authorization rules (whitelist takes precedence over blacklist) + base_email = extract_base_email(email) + if base_email is None: + return UserAuthorizationResponse( + success=False, error_detail='invalid_email' + ) + auth_type = await UserAuthorizationStore.get_authorization_type( + base_email, provider_type + ) + + if auth_type == UserAuthorizationType.WHITELIST: + logger.debug( + f'User {email} matched whitelist rule', + extra={'user_id': user_id, 'email': email}, + ) + return UserAuthorizationResponse(success=True) + + if auth_type == UserAuthorizationType.BLACKLIST: + logger.warning( + f'Blocked authentication attempt for email: {email}, user_id: {user_id}' + ) + return UserAuthorizationResponse(success=False, error_detail='blocked') + + return UserAuthorizationResponse(success=True) + except Exception: + logger.exception('error authorizing user', extra={'user_id': user_id}) + return UserAuthorizationResponse(success=False) + + +class DefaultUserAuthorizerInjector(UserAuthorizerInjector): + prevent_duplicates: bool = Field( + default=True, + description='Whether duplicate emails (containing +) are filtered', + ) + + async def inject( + self, state: InjectorState, request: Request | None = None + ) -> AsyncGenerator[UserAuthorizer, None]: + yield DefaultUserAuthorizer( + prevent_duplicates=self.prevent_duplicates, + ) diff --git a/enterprise/server/auth/user/user_authorizer.py b/enterprise/server/auth/user/user_authorizer.py new file mode 100644 index 0000000000..9623c89d50 --- /dev/null +++ b/enterprise/server/auth/user/user_authorizer.py @@ -0,0 +1,48 @@ +import logging +from abc import ABC, abstractmethod + +from fastapi import Depends +from pydantic import BaseModel +from server.auth.token_manager import KeycloakUserInfo + +from openhands.agent_server.env_parser import from_env +from openhands.app_server.services.injector import Injector +from openhands.sdk.utils.models import DiscriminatedUnionMixin + +logger = logging.getLogger(__name__) + + +class UserAuthorizationResponse(BaseModel): + success: bool + error_detail: str | None = None + + +class UserAuthorizer(ABC): + """Class determining whether a user may be authorized.""" + + @abstractmethod + async def authorize_user( + self, user_info: KeycloakUserInfo + ) -> UserAuthorizationResponse: + """Determine whether the info given is permitted.""" + + +class UserAuthorizerInjector(DiscriminatedUnionMixin, Injector[UserAuthorizer], ABC): + pass + + +def depends_user_authorizer(): + from server.auth.user.default_user_authorizer import ( + DefaultUserAuthorizerInjector, + ) + + try: + injector: UserAuthorizerInjector = from_env( + UserAuthorizerInjector, 'OH_USER_AUTHORIZER' + ) + except Exception as ex: + print(ex) + logger.info('Using default UserAuthorizer') + injector = DefaultUserAuthorizerInjector() + + return Depends(injector.depends) diff --git a/enterprise/server/routes/auth.py b/enterprise/server/routes/auth.py index d6af1e90f0..5bd3b755d9 100644 --- a/enterprise/server/routes/auth.py +++ b/enterprise/server/routes/auth.py @@ -4,14 +4,13 @@ import uuid import warnings from datetime import datetime, timezone from typing import Annotated, Literal, Optional, cast -from urllib.parse import quote +from urllib.parse import quote, urlencode from uuid import UUID as parse_uuid import posthog from fastapi import APIRouter, Header, HTTPException, Request, Response, status from fastapi.responses import JSONResponse, RedirectResponse from pydantic import SecretStr -from server.auth.auth_utils import user_verifier from server.auth.constants import ( KEYCLOAK_CLIENT_ID, KEYCLOAK_REALM_NAME, @@ -19,11 +18,14 @@ from server.auth.constants import ( RECAPTCHA_SITE_KEY, ROLE_CHECK_ENABLED, ) -from server.auth.domain_blocker import domain_blocker from server.auth.gitlab_sync import schedule_gitlab_repo_sync from server.auth.recaptcha_service import recaptcha_service from server.auth.saas_user_auth import SaasUserAuth from server.auth.token_manager import TokenManager +from server.auth.user.user_authorizer import ( + UserAuthorizer, + depends_user_authorizer, +) from server.config import sign_token from server.constants import IS_FEATURE_ENV from server.routes.event_webhook import _get_session_api_key, _get_user_id @@ -40,6 +42,7 @@ from storage.database import a_session_maker from storage.user import User from storage.user_store import UserStore +from openhands.app_server.config import get_global_config from openhands.core.logger import openhands_logger as logger from openhands.integrations.provider import ProviderHandler from openhands.integrations.service_types import ProviderType, TokenResponse @@ -157,11 +160,16 @@ async def keycloak_callback( state: Optional[str] = None, error: Optional[str] = None, error_description: Optional[str] = None, + user_authorizer: UserAuthorizer = depends_user_authorizer(), ): # Extract redirect URL, reCAPTCHA token, and invitation token from state redirect_url, recaptcha_token, invitation_token = _extract_oauth_state(state) - if not redirect_url: - redirect_url = str(request.base_url) + + if redirect_url is None: + raise HTTPException( + status_code=status.HTTP_400_BAD_REQUEST, + detail='Missing state in request params', + ) if not code: # check if this is a forward from the account linking page @@ -170,36 +178,40 @@ async def keycloak_callback( and error_description == 'authentication_expired' ): return RedirectResponse(redirect_url, status_code=302) - return JSONResponse( + raise HTTPException( status_code=status.HTTP_400_BAD_REQUEST, - content={'error': 'Missing code in request params'}, + detail='Missing code in request params', ) - scheme = 'http' if request.url.hostname == 'localhost' else 'https' - redirect_uri = f'{scheme}://{request.url.netloc}{request.url.path}' - logger.debug(f'code: {code}, redirect_uri: {redirect_uri}') + + web_url = get_global_config().web_url + if not web_url: + scheme = 'http' if request.url.hostname == 'localhost' else 'https' + web_url = f'{scheme}://{request.url.netloc}' + redirect_uri = web_url + request.url.path ( keycloak_access_token, keycloak_refresh_token, ) = await token_manager.get_keycloak_tokens(code, redirect_uri) if not keycloak_access_token or not keycloak_refresh_token: - return JSONResponse( + raise HTTPException( status_code=status.HTTP_400_BAD_REQUEST, - content={'error': 'Problem retrieving Keycloak tokens'}, + detail='Problem retrieving Keycloak tokens', ) user_info = await token_manager.get_user_info(keycloak_access_token) logger.debug(f'user_info: {user_info}') if ROLE_CHECK_ENABLED and user_info.roles is None: - return JSONResponse( - status_code=status.HTTP_401_UNAUTHORIZED, - content={'error': 'Missing required role'}, + raise HTTPException( + status_code=status.HTTP_401_UNAUTHORIZED, detail='Missing required role' ) - if user_info.preferred_username is None: - return JSONResponse( - status_code=status.HTTP_400_BAD_REQUEST, - content={'error': 'Missing user ID or username in response'}, + authorization = await user_authorizer.authorize_user(user_info) + if not authorization.success: + # Return unauthorized + raise HTTPException( + status_code=status.HTTP_401_UNAUTHORIZED, + detail=authorization.error_detail, ) email = user_info.email @@ -214,12 +226,10 @@ async def keycloak_callback( await UserStore.backfill_user_email(user_id, user_info_dict) if not user: - logger.error(f'Failed to authenticate user {user_info.preferred_username}') - return JSONResponse( + logger.error(f'Failed to authenticate user {user_info.email}') + raise HTTPException( status_code=status.HTTP_401_UNAUTHORIZED, - content={ - 'error': f'Failed to authenticate user {user_info.preferred_username}' - }, + detail=f'Failed to authenticate user {user_info.email}', ) logger.info(f'Logging in user {str(user.id)} in org {user.current_org_id}') @@ -234,7 +244,7 @@ async def keycloak_callback( 'email': email, }, ) - error_url = f'{request.base_url}login?recaptcha_blocked=true' + error_url = f'{web_url}/login?recaptcha_blocked=true' return RedirectResponse(error_url, status_code=302) user_ip = request.client.host if request.client else 'unknown' @@ -265,65 +275,13 @@ async def keycloak_callback( }, ) # Redirect to home with error parameter - error_url = f'{request.base_url}login?recaptcha_blocked=true' + error_url = f'{web_url}/login?recaptcha_blocked=true' return RedirectResponse(error_url, status_code=302) except Exception as e: logger.exception(f'reCAPTCHA verification error at callback: {e}') # Fail open - continue with login if reCAPTCHA service unavailable - # Check if email domain is blocked - if email and await domain_blocker.is_domain_blocked(email): - logger.warning( - f'Blocked authentication attempt for email: {email}, user_id: {user_id}' - ) - - # Disable the Keycloak account - await token_manager.disable_keycloak_user(user_id, email) - - return JSONResponse( - status_code=status.HTTP_401_UNAUTHORIZED, - content={ - 'error': 'Access denied: Your email domain is not allowed to access this service' - }, - ) - - # Check for duplicate email with + modifier - if email: - try: - has_duplicate = await token_manager.check_duplicate_base_email( - email, user_id - ) - if has_duplicate: - logger.warning( - f'Blocked signup attempt for email {email} - duplicate base email found', - extra={'user_id': user_id, 'email': email}, - ) - - # Delete the Keycloak user that was automatically created during OAuth - # This prevents orphaned accounts in Keycloak - # The delete_keycloak_user method already handles all errors internally - deletion_success = await token_manager.delete_keycloak_user(user_id) - if deletion_success: - logger.info( - f'Deleted Keycloak user {user_id} after detecting duplicate email {email}' - ) - else: - logger.warning( - f'Failed to delete Keycloak user {user_id} after detecting duplicate email {email}. ' - f'User may need to be manually cleaned up.' - ) - - # Redirect to home page with query parameter indicating the issue - home_url = f'{request.base_url}/login?duplicated_email=true' - return RedirectResponse(home_url, status_code=302) - except Exception as e: - # Log error but allow signup to proceed (fail open) - logger.error( - f'Error checking duplicate email for {email}: {e}', - extra={'user_id': user_id, 'email': email}, - ) - # Check email verification status email_verified = user_info.email_verified or False if not email_verified: @@ -358,6 +316,7 @@ async def keycloak_callback( verification_redirect_url = f'{request.base_url}login?email_verification_required=true&user_id={user_id}' if rate_limited: verification_redirect_url = f'{verification_redirect_url}&rate_limited=true' + # Preserve invitation token so it can be included in OAuth state after verification if invitation_token: verification_redirect_url = ( @@ -379,13 +338,6 @@ async def keycloak_callback( ProviderType(idp), user_id, keycloak_access_token ) - username = user_info.preferred_username - if user_verifier.is_active() and not user_verifier.is_user_allowed(username): - return JSONResponse( - status_code=status.HTTP_401_UNAUTHORIZED, - content={'error': 'Not authorized via waitlist'}, - ) - valid_offline_token = ( await token_manager.validate_offline_token(user_id=user_info.sub) if idp_type != 'saml' @@ -431,13 +383,19 @@ async def keycloak_callback( ) if not valid_offline_token: + param_str = urlencode( + { + 'client_id': KEYCLOAK_CLIENT_ID, + 'response_type': 'code', + 'kc_idp_hint': idp, + 'redirect_uri': f'{web_url}/oauth/keycloak/offline/callback', + 'scope': 'openid email profile offline_access', + 'state': state, + } + ) redirect_url = ( f'{KEYCLOAK_SERVER_URL_EXT}/realms/{KEYCLOAK_REALM_NAME}/protocol/openid-connect/auth' - f'?client_id={KEYCLOAK_CLIENT_ID}&response_type=code' - f'&kc_idp_hint={idp}' - f'&redirect_uri={scheme}%3A%2F%2F{request.url.netloc}%2Foauth%2Fkeycloak%2Foffline%2Fcallback' - f'&scope=openid%20email%20profile%20offline_access' - f'&state={state}' + f'?{param_str}' ) has_accepted_tos = user.accepted_tos is not None @@ -532,7 +490,7 @@ async def keycloak_callback( response=response, keycloak_access_token=keycloak_access_token, keycloak_refresh_token=keycloak_refresh_token, - secure=True if scheme == 'https' else False, + secure=True if redirect_url.startswith('https') else False, accepted_tos=has_accepted_tos, ) diff --git a/enterprise/storage/blocked_email_domain.py b/enterprise/storage/blocked_email_domain.py deleted file mode 100644 index 59783ba975..0000000000 --- a/enterprise/storage/blocked_email_domain.py +++ /dev/null @@ -1,30 +0,0 @@ -from datetime import UTC, datetime - -from sqlalchemy import Column, DateTime, Identity, Integer, String -from storage.base import Base - - -class BlockedEmailDomain(Base): # type: ignore - """Stores blocked email domain patterns. - - Supports blocking: - - Exact domains: 'example.com' blocks 'user@example.com' - - Subdomains: 'example.com' blocks 'user@subdomain.example.com' - - TLDs: '.us' blocks 'user@company.us' and 'user@subdomain.company.us' - """ - - __tablename__ = 'blocked_email_domains' - - id = Column(Integer, Identity(), primary_key=True) - domain = Column(String, nullable=False, unique=True) - created_at = Column( - DateTime(timezone=True), - default=lambda: datetime.now(UTC), - nullable=False, - ) - updated_at = Column( - DateTime(timezone=True), - default=lambda: datetime.now(UTC), - onupdate=lambda: datetime.now(UTC), - nullable=False, - ) diff --git a/enterprise/storage/blocked_email_domain_store.py b/enterprise/storage/blocked_email_domain_store.py deleted file mode 100644 index 7aa6f793e8..0000000000 --- a/enterprise/storage/blocked_email_domain_store.py +++ /dev/null @@ -1,43 +0,0 @@ -from dataclasses import dataclass - -from sqlalchemy import text -from storage.database import a_session_maker - - -@dataclass -class BlockedEmailDomainStore: - async def is_domain_blocked(self, domain: str) -> bool: - """Check if a domain is blocked by querying the database directly. - - This method uses SQL to efficiently check if the domain matches any blocked pattern: - - TLD patterns (e.g., '.us'): checks if domain ends with the pattern - - Full domain patterns (e.g., 'example.com'): checks for exact match or subdomain match - - Args: - domain: The extracted domain from the email (e.g., 'example.com' or 'subdomain.example.com') - - Returns: - True if the domain is blocked, False otherwise - """ - async with a_session_maker() as session: - # SQL query that handles both TLD patterns and full domain patterns - # TLD patterns (starting with '.'): check if domain ends with it (case-insensitive) - # Full domain patterns: check for exact match or subdomain match - # All comparisons are case-insensitive using LOWER() to ensure consistent matching - query = text(""" - SELECT EXISTS( - SELECT 1 - FROM blocked_email_domains - WHERE - -- TLD pattern (e.g., '.us') - check if domain ends with it (case-insensitive) - (LOWER(domain) LIKE '.%' AND LOWER(:domain) LIKE '%' || LOWER(domain)) OR - -- Full domain pattern (e.g., 'example.com') - -- Block exact match or subdomains (case-insensitive) - (LOWER(domain) NOT LIKE '.%' AND ( - LOWER(:domain) = LOWER(domain) OR - LOWER(:domain) LIKE '%.' || LOWER(domain) - )) - ) - """) - result = await session.execute(query, {'domain': domain}) - return bool(result.scalar()) diff --git a/enterprise/storage/user_authorization.py b/enterprise/storage/user_authorization.py new file mode 100644 index 0000000000..895b644739 --- /dev/null +++ b/enterprise/storage/user_authorization.py @@ -0,0 +1,45 @@ +"""User authorization model for managing email/provider based access control.""" + +from datetime import UTC, datetime +from enum import Enum + +from sqlalchemy import Column, DateTime, Identity, Integer, String +from storage.base import Base + + +class UserAuthorizationType(str, Enum): + """Type of user authorization rule.""" + + WHITELIST = 'whitelist' + BLACKLIST = 'blacklist' + + +class UserAuthorization(Base): # type: ignore + """Stores user authorization rules based on email patterns and provider types. + + Supports: + - Email pattern matching using SQL LIKE (e.g., '%@openhands.dev') + - Provider type filtering (e.g., 'github', 'gitlab') + - Whitelist/Blacklist rules + + When email_pattern is NULL, the rule matches all emails. + When provider_type is NULL, the rule matches all providers. + """ + + __tablename__ = 'user_authorizations' + + id = Column(Integer, Identity(), primary_key=True) + email_pattern = Column(String, nullable=True) + provider_type = Column(String, nullable=True) + type = Column(String, nullable=False) + created_at = Column( + DateTime(timezone=True), + default=lambda: datetime.now(UTC), + nullable=False, + ) + updated_at = Column( + DateTime(timezone=True), + default=lambda: datetime.now(UTC), + onupdate=lambda: datetime.now(UTC), + nullable=False, + ) diff --git a/enterprise/storage/user_authorization_store.py b/enterprise/storage/user_authorization_store.py new file mode 100644 index 0000000000..f36f8da8b8 --- /dev/null +++ b/enterprise/storage/user_authorization_store.py @@ -0,0 +1,203 @@ +"""Store class for managing user authorizations.""" + +from typing import Optional + +from sqlalchemy import func, or_, select +from sqlalchemy.ext.asyncio import AsyncSession +from storage.database import a_session_maker +from storage.user_authorization import UserAuthorization, UserAuthorizationType + + +class UserAuthorizationStore: + """Store for managing user authorization rules.""" + + @staticmethod + async def _get_matching_authorizations( + email: str, + provider_type: str | None, + session: AsyncSession, + ) -> list[UserAuthorization]: + """Get all authorization rules that match the given email and provider. + + Uses SQL LIKE for pattern matching: + - email_pattern is NULL matches all emails + - provider_type is NULL matches all providers + - email LIKE email_pattern for pattern matching + + Args: + email: The user's email address + provider_type: The identity provider type (e.g., 'github', 'gitlab') + session: Database session + + Returns: + List of matching UserAuthorization objects + """ + # Build query using SQLAlchemy ORM + # We need: (email_pattern IS NULL OR LOWER(email) LIKE LOWER(email_pattern)) + # AND (provider_type IS NULL OR provider_type = :provider_type) + email_condition = or_( + UserAuthorization.email_pattern.is_(None), + func.lower(email).like(func.lower(UserAuthorization.email_pattern)), + ) + provider_condition = or_( + UserAuthorization.provider_type.is_(None), + UserAuthorization.provider_type == provider_type, + ) + + query = select(UserAuthorization).where(email_condition, provider_condition) + result = await session.execute(query) + return list(result.scalars().all()) + + @staticmethod + async def get_matching_authorizations( + email: str, + provider_type: str | None, + session: Optional[AsyncSession] = None, + ) -> list[UserAuthorization]: + """Get all authorization rules that match the given email and provider. + + Args: + email: The user's email address + provider_type: The identity provider type (e.g., 'github', 'gitlab') + session: Optional database session + + Returns: + List of matching UserAuthorization objects + """ + if session is not None: + return await UserAuthorizationStore._get_matching_authorizations( + email, provider_type, session + ) + async with a_session_maker() as new_session: + return await UserAuthorizationStore._get_matching_authorizations( + email, provider_type, new_session + ) + + @staticmethod + async def get_authorization_type( + email: str, + provider_type: str | None, + session: Optional[AsyncSession] = None, + ) -> UserAuthorizationType | None: + """Get the authorization type for the given email and provider. + + Checks matching authorization rules and returns the effective authorization + type. Whitelist rules take precedence over blacklist rules. + + Args: + email: The user's email address + provider_type: The identity provider type (e.g., 'github', 'gitlab') + session: Optional database session + + Returns: + UserAuthorizationType.WHITELIST if a whitelist rule matches, + UserAuthorizationType.BLACKLIST if a blacklist rule matches (and no whitelist), + None if no rules match + """ + authorizations = await UserAuthorizationStore.get_matching_authorizations( + email, provider_type, session + ) + + has_whitelist = any( + auth.type == UserAuthorizationType.WHITELIST.value + for auth in authorizations + ) + if has_whitelist: + return UserAuthorizationType.WHITELIST + + has_blacklist = any( + auth.type == UserAuthorizationType.BLACKLIST.value + for auth in authorizations + ) + if has_blacklist: + return UserAuthorizationType.BLACKLIST + + return None + + @staticmethod + async def _create_authorization( + email_pattern: str | None, + provider_type: str | None, + auth_type: UserAuthorizationType, + session: AsyncSession, + ) -> UserAuthorization: + """Create a new user authorization rule.""" + authorization = UserAuthorization( + email_pattern=email_pattern, + provider_type=provider_type, + type=auth_type.value, + ) + session.add(authorization) + await session.flush() + await session.refresh(authorization) + return authorization + + @staticmethod + async def create_authorization( + email_pattern: str | None, + provider_type: str | None, + auth_type: UserAuthorizationType, + session: Optional[AsyncSession] = None, + ) -> UserAuthorization: + """Create a new user authorization rule. + + Args: + email_pattern: SQL LIKE pattern for email matching (e.g., '%@openhands.dev') + provider_type: Provider type to match (e.g., 'github'), or None for all + auth_type: WHITELIST or BLACKLIST + session: Optional database session + + Returns: + The created UserAuthorization object + """ + if session is not None: + return await UserAuthorizationStore._create_authorization( + email_pattern, provider_type, auth_type, session + ) + async with a_session_maker() as new_session: + auth = await UserAuthorizationStore._create_authorization( + email_pattern, provider_type, auth_type, new_session + ) + await new_session.commit() + return auth + + @staticmethod + async def _delete_authorization( + authorization_id: int, + session: AsyncSession, + ) -> bool: + """Delete an authorization rule by ID.""" + result = await session.execute( + select(UserAuthorization).where(UserAuthorization.id == authorization_id) + ) + authorization = result.scalars().first() + if authorization: + await session.delete(authorization) + return True + return False + + @staticmethod + async def delete_authorization( + authorization_id: int, + session: Optional[AsyncSession] = None, + ) -> bool: + """Delete an authorization rule by ID. + + Args: + authorization_id: The ID of the authorization to delete + session: Optional database session + + Returns: + True if deleted, False if not found + """ + if session is not None: + return await UserAuthorizationStore._delete_authorization( + authorization_id, session + ) + async with a_session_maker() as new_session: + deleted = await UserAuthorizationStore._delete_authorization( + authorization_id, new_session + ) + if deleted: + await new_session.commit() + return deleted diff --git a/enterprise/tests/unit/storage/test_user_authorization_store.py b/enterprise/tests/unit/storage/test_user_authorization_store.py new file mode 100644 index 0000000000..661bf50e92 --- /dev/null +++ b/enterprise/tests/unit/storage/test_user_authorization_store.py @@ -0,0 +1,635 @@ +"""Unit tests for UserAuthorizationStore using SQLite in-memory database.""" + +from unittest.mock import patch + +import pytest +from sqlalchemy.ext.asyncio import AsyncSession, async_sessionmaker, create_async_engine +from sqlalchemy.pool import StaticPool +from storage.base import Base +from storage.user_authorization import UserAuthorization, UserAuthorizationType +from storage.user_authorization_store import UserAuthorizationStore + + +@pytest.fixture +async def async_engine(): + """Create an async SQLite engine for testing.""" + engine = create_async_engine( + 'sqlite+aiosqlite:///:memory:', + poolclass=StaticPool, + connect_args={'check_same_thread': False}, + ) + return engine + + +@pytest.fixture +async def async_session_maker(async_engine): + """Create an async session maker bound to the async engine.""" + session_maker = async_sessionmaker( + bind=async_engine, + class_=AsyncSession, + expire_on_commit=False, + ) + async with async_engine.begin() as conn: + await conn.run_sync(Base.metadata.create_all) + return session_maker + + +class TestGetMatchingAuthorizations: + """Tests for get_matching_authorizations method.""" + + @pytest.mark.asyncio + async def test_no_authorizations_returns_empty_list(self, async_session_maker): + """Test returns empty list when no authorizations exist.""" + with patch( + 'storage.user_authorization_store.a_session_maker', async_session_maker + ): + result = await UserAuthorizationStore.get_matching_authorizations( + email='test@example.com', + provider_type='github', + ) + assert result == [] + + @pytest.mark.asyncio + async def test_exact_email_pattern_match(self, async_session_maker): + """Test matching with exact email pattern.""" + with patch( + 'storage.user_authorization_store.a_session_maker', async_session_maker + ): + # Create a whitelist rule for exact email + await UserAuthorizationStore.create_authorization( + email_pattern='test@example.com', + provider_type=None, + auth_type=UserAuthorizationType.WHITELIST, + ) + + result = await UserAuthorizationStore.get_matching_authorizations( + email='test@example.com', + provider_type='github', + ) + + assert len(result) == 1 + assert result[0].email_pattern == 'test@example.com' + + @pytest.mark.asyncio + async def test_domain_suffix_pattern_match(self, async_session_maker): + """Test matching with domain suffix pattern (e.g., %@example.com).""" + with patch( + 'storage.user_authorization_store.a_session_maker', async_session_maker + ): + # Create a whitelist rule for domain + await UserAuthorizationStore.create_authorization( + email_pattern='%@example.com', + provider_type=None, + auth_type=UserAuthorizationType.WHITELIST, + ) + + # Should match + result = await UserAuthorizationStore.get_matching_authorizations( + email='user@example.com', + provider_type='github', + ) + assert len(result) == 1 + + # Should also match different user + result = await UserAuthorizationStore.get_matching_authorizations( + email='another.user@example.com', + provider_type='github', + ) + assert len(result) == 1 + + # Should not match different domain + result = await UserAuthorizationStore.get_matching_authorizations( + email='user@other.com', + provider_type='github', + ) + assert len(result) == 0 + + @pytest.mark.asyncio + async def test_null_email_pattern_matches_all_emails(self, async_session_maker): + """Test that NULL email_pattern matches all emails.""" + with patch( + 'storage.user_authorization_store.a_session_maker', async_session_maker + ): + # Create a rule with NULL email pattern + await UserAuthorizationStore.create_authorization( + email_pattern=None, + provider_type='github', + auth_type=UserAuthorizationType.BLACKLIST, + ) + + # Should match any email with github provider + result = await UserAuthorizationStore.get_matching_authorizations( + email='any@email.com', + provider_type='github', + ) + assert len(result) == 1 + + # Should not match different provider + result = await UserAuthorizationStore.get_matching_authorizations( + email='any@email.com', + provider_type='gitlab', + ) + assert len(result) == 0 + + @pytest.mark.asyncio + async def test_null_provider_type_matches_all_providers(self, async_session_maker): + """Test that NULL provider_type matches all providers.""" + with patch( + 'storage.user_authorization_store.a_session_maker', async_session_maker + ): + # Create a rule with NULL provider type + await UserAuthorizationStore.create_authorization( + email_pattern='%@blocked.com', + provider_type=None, + auth_type=UserAuthorizationType.BLACKLIST, + ) + + # Should match any provider + for provider in ['github', 'gitlab', 'bitbucket', None]: + result = await UserAuthorizationStore.get_matching_authorizations( + email='user@blocked.com', + provider_type=provider, + ) + assert len(result) == 1 + + @pytest.mark.asyncio + async def test_provider_type_filter(self, async_session_maker): + """Test filtering by provider type.""" + with patch( + 'storage.user_authorization_store.a_session_maker', async_session_maker + ): + # Create rules for different providers + await UserAuthorizationStore.create_authorization( + email_pattern='%@example.com', + provider_type='github', + auth_type=UserAuthorizationType.WHITELIST, + ) + await UserAuthorizationStore.create_authorization( + email_pattern='%@example.com', + provider_type='gitlab', + auth_type=UserAuthorizationType.BLACKLIST, + ) + + # Check github + result = await UserAuthorizationStore.get_matching_authorizations( + email='user@example.com', + provider_type='github', + ) + assert len(result) == 1 + assert result[0].type == UserAuthorizationType.WHITELIST.value + + # Check gitlab + result = await UserAuthorizationStore.get_matching_authorizations( + email='user@example.com', + provider_type='gitlab', + ) + assert len(result) == 1 + assert result[0].type == UserAuthorizationType.BLACKLIST.value + + @pytest.mark.asyncio + async def test_case_insensitive_email_matching(self, async_session_maker): + """Test that email matching is case insensitive.""" + with patch( + 'storage.user_authorization_store.a_session_maker', async_session_maker + ): + await UserAuthorizationStore.create_authorization( + email_pattern='%@Example.COM', + provider_type=None, + auth_type=UserAuthorizationType.WHITELIST, + ) + + # Should match regardless of case + result = await UserAuthorizationStore.get_matching_authorizations( + email='USER@example.com', + provider_type='github', + ) + assert len(result) == 1 + + @pytest.mark.asyncio + async def test_multiple_matching_rules(self, async_session_maker): + """Test that multiple matching rules are returned.""" + with patch( + 'storage.user_authorization_store.a_session_maker', async_session_maker + ): + # Create multiple rules that match + await UserAuthorizationStore.create_authorization( + email_pattern='%@example.com', + provider_type=None, + auth_type=UserAuthorizationType.WHITELIST, + ) + await UserAuthorizationStore.create_authorization( + email_pattern=None, # Matches all emails + provider_type='github', + auth_type=UserAuthorizationType.BLACKLIST, + ) + + result = await UserAuthorizationStore.get_matching_authorizations( + email='user@example.com', + provider_type='github', + ) + + assert len(result) == 2 + + @pytest.mark.asyncio + async def test_with_provided_session(self, async_session_maker): + """Test using a provided session instead of creating one.""" + async with async_session_maker() as session: + # Create authorization within session + auth = UserAuthorization( + email_pattern='%@test.com', + provider_type=None, + type=UserAuthorizationType.WHITELIST.value, + ) + session.add(auth) + await session.flush() + + # Query within same session + result = await UserAuthorizationStore.get_matching_authorizations( + email='user@test.com', + provider_type='github', + session=session, + ) + + assert len(result) == 1 + + +class TestGetAuthorizationType: + """Tests for get_authorization_type method.""" + + @pytest.mark.asyncio + async def test_returns_whitelist_when_whitelist_match_exists( + self, async_session_maker + ): + """Test returns WHITELIST when a whitelist rule matches.""" + with patch( + 'storage.user_authorization_store.a_session_maker', async_session_maker + ): + await UserAuthorizationStore.create_authorization( + email_pattern='%@allowed.com', + provider_type=None, + auth_type=UserAuthorizationType.WHITELIST, + ) + + result = await UserAuthorizationStore.get_authorization_type( + email='user@allowed.com', + provider_type='github', + ) + + assert result == UserAuthorizationType.WHITELIST + + @pytest.mark.asyncio + async def test_returns_blacklist_when_blacklist_match_exists( + self, async_session_maker + ): + """Test returns BLACKLIST when a blacklist rule matches.""" + with patch( + 'storage.user_authorization_store.a_session_maker', async_session_maker + ): + await UserAuthorizationStore.create_authorization( + email_pattern='%@blocked.com', + provider_type=None, + auth_type=UserAuthorizationType.BLACKLIST, + ) + + result = await UserAuthorizationStore.get_authorization_type( + email='user@blocked.com', + provider_type='github', + ) + + assert result == UserAuthorizationType.BLACKLIST + + @pytest.mark.asyncio + async def test_returns_none_when_no_rules_exist(self, async_session_maker): + """Test returns None when no authorization rules exist.""" + with patch( + 'storage.user_authorization_store.a_session_maker', async_session_maker + ): + result = await UserAuthorizationStore.get_authorization_type( + email='user@example.com', + provider_type='github', + ) + + assert result is None + + @pytest.mark.asyncio + async def test_returns_none_when_only_non_matching_rules_exist( + self, async_session_maker + ): + """Test returns None when rules exist but don't match.""" + with patch( + 'storage.user_authorization_store.a_session_maker', async_session_maker + ): + await UserAuthorizationStore.create_authorization( + email_pattern='%@other.com', + provider_type=None, + auth_type=UserAuthorizationType.BLACKLIST, + ) + + result = await UserAuthorizationStore.get_authorization_type( + email='user@example.com', + provider_type='github', + ) + + assert result is None + + @pytest.mark.asyncio + async def test_whitelist_takes_precedence_over_blacklist(self, async_session_maker): + """Test whitelist takes precedence when both match.""" + with patch( + 'storage.user_authorization_store.a_session_maker', async_session_maker + ): + # Create both whitelist and blacklist rules that match + await UserAuthorizationStore.create_authorization( + email_pattern='%@example.com', + provider_type=None, + auth_type=UserAuthorizationType.BLACKLIST, + ) + await UserAuthorizationStore.create_authorization( + email_pattern='%@example.com', + provider_type='github', + auth_type=UserAuthorizationType.WHITELIST, + ) + + result = await UserAuthorizationStore.get_authorization_type( + email='user@example.com', + provider_type='github', + ) + + assert result == UserAuthorizationType.WHITELIST + + @pytest.mark.asyncio + async def test_returns_blacklist_for_domain_block(self, async_session_maker): + """Test blacklist match for domain-based blocking.""" + with patch( + 'storage.user_authorization_store.a_session_maker', async_session_maker + ): + await UserAuthorizationStore.create_authorization( + email_pattern='%@disposable-email.com', + provider_type=None, + auth_type=UserAuthorizationType.BLACKLIST, + ) + + result = await UserAuthorizationStore.get_authorization_type( + email='spammer@disposable-email.com', + provider_type='github', + ) + + assert result == UserAuthorizationType.BLACKLIST + + +class TestCreateAuthorization: + """Tests for create_authorization method.""" + + @pytest.mark.asyncio + async def test_creates_whitelist_authorization(self, async_session_maker): + """Test creating a whitelist authorization.""" + with patch( + 'storage.user_authorization_store.a_session_maker', async_session_maker + ): + auth = await UserAuthorizationStore.create_authorization( + email_pattern='%@example.com', + provider_type='github', + auth_type=UserAuthorizationType.WHITELIST, + ) + + assert auth.id is not None + assert auth.email_pattern == '%@example.com' + assert auth.provider_type == 'github' + assert auth.type == UserAuthorizationType.WHITELIST.value + assert auth.created_at is not None + assert auth.updated_at is not None + + @pytest.mark.asyncio + async def test_creates_blacklist_authorization(self, async_session_maker): + """Test creating a blacklist authorization.""" + with patch( + 'storage.user_authorization_store.a_session_maker', async_session_maker + ): + auth = await UserAuthorizationStore.create_authorization( + email_pattern='%@blocked.com', + provider_type=None, + auth_type=UserAuthorizationType.BLACKLIST, + ) + + assert auth.id is not None + assert auth.email_pattern == '%@blocked.com' + assert auth.provider_type is None + assert auth.type == UserAuthorizationType.BLACKLIST.value + + @pytest.mark.asyncio + async def test_creates_with_null_email_pattern(self, async_session_maker): + """Test creating authorization with NULL email pattern.""" + with patch( + 'storage.user_authorization_store.a_session_maker', async_session_maker + ): + auth = await UserAuthorizationStore.create_authorization( + email_pattern=None, + provider_type='github', + auth_type=UserAuthorizationType.WHITELIST, + ) + + assert auth.email_pattern is None + assert auth.provider_type == 'github' + + @pytest.mark.asyncio + async def test_creates_with_provided_session(self, async_session_maker): + """Test creating authorization with a provided session.""" + async with async_session_maker() as session: + auth = await UserAuthorizationStore.create_authorization( + email_pattern='%@test.com', + provider_type=None, + auth_type=UserAuthorizationType.WHITELIST, + session=session, + ) + + assert auth.id is not None + + # Verify it exists in session + result = await UserAuthorizationStore.get_matching_authorizations( + email='user@test.com', + provider_type='github', + session=session, + ) + assert len(result) == 1 + + +class TestDeleteAuthorization: + """Tests for delete_authorization method.""" + + @pytest.mark.asyncio + async def test_deletes_existing_authorization(self, async_session_maker): + """Test deleting an existing authorization.""" + with patch( + 'storage.user_authorization_store.a_session_maker', async_session_maker + ): + # Create an authorization + auth = await UserAuthorizationStore.create_authorization( + email_pattern='%@example.com', + provider_type=None, + auth_type=UserAuthorizationType.WHITELIST, + ) + + # Delete it + deleted = await UserAuthorizationStore.delete_authorization(auth.id) + + assert deleted is True + + # Verify it's gone + result = await UserAuthorizationStore.get_matching_authorizations( + email='user@example.com', + provider_type='github', + ) + assert len(result) == 0 + + @pytest.mark.asyncio + async def test_returns_false_for_nonexistent_authorization( + self, async_session_maker + ): + """Test returns False when authorization doesn't exist.""" + with patch( + 'storage.user_authorization_store.a_session_maker', async_session_maker + ): + deleted = await UserAuthorizationStore.delete_authorization(99999) + + assert deleted is False + + @pytest.mark.asyncio + async def test_deletes_with_provided_session(self, async_session_maker): + """Test deleting authorization with a provided session.""" + async with async_session_maker() as session: + # Create an authorization + auth = await UserAuthorizationStore.create_authorization( + email_pattern='%@test.com', + provider_type=None, + auth_type=UserAuthorizationType.WHITELIST, + session=session, + ) + auth_id = auth.id + + # Flush to persist to database before delete + await session.flush() + + # Delete within same session + deleted = await UserAuthorizationStore.delete_authorization( + auth_id, session=session + ) + + assert deleted is True + + # Flush delete to database + await session.flush() + + # Verify it's gone + result = await UserAuthorizationStore.get_matching_authorizations( + email='user@test.com', + provider_type='github', + session=session, + ) + assert len(result) == 0 + + +class TestPatternMatchingEdgeCases: + """Tests for edge cases in pattern matching.""" + + @pytest.mark.asyncio + async def test_wildcard_prefix_pattern(self, async_session_maker): + """Test pattern with wildcard prefix (e.g., admin%).""" + with patch( + 'storage.user_authorization_store.a_session_maker', async_session_maker + ): + await UserAuthorizationStore.create_authorization( + email_pattern='admin%', + provider_type=None, + auth_type=UserAuthorizationType.WHITELIST, + ) + + # Should match + result = await UserAuthorizationStore.get_matching_authorizations( + email='admin@example.com', + provider_type='github', + ) + assert len(result) == 1 + + # Should also match + result = await UserAuthorizationStore.get_matching_authorizations( + email='administrator@example.com', + provider_type='github', + ) + assert len(result) == 1 + + # Should not match + result = await UserAuthorizationStore.get_matching_authorizations( + email='user@admin.com', + provider_type='github', + ) + assert len(result) == 0 + + @pytest.mark.asyncio + async def test_single_character_wildcard(self, async_session_maker): + """Test pattern with single character wildcard (underscore in SQL LIKE).""" + with patch( + 'storage.user_authorization_store.a_session_maker', async_session_maker + ): + await UserAuthorizationStore.create_authorization( + email_pattern='user_@example.com', + provider_type=None, + auth_type=UserAuthorizationType.WHITELIST, + ) + + # Should match user1@example.com + result = await UserAuthorizationStore.get_matching_authorizations( + email='user1@example.com', + provider_type='github', + ) + assert len(result) == 1 + + # Should not match user12@example.com + result = await UserAuthorizationStore.get_matching_authorizations( + email='user12@example.com', + provider_type='github', + ) + assert len(result) == 0 + + @pytest.mark.asyncio + async def test_email_with_plus_sign(self, async_session_maker): + """Test matching emails with plus signs (common for email aliases).""" + with patch( + 'storage.user_authorization_store.a_session_maker', async_session_maker + ): + await UserAuthorizationStore.create_authorization( + email_pattern='%@example.com', + provider_type=None, + auth_type=UserAuthorizationType.WHITELIST, + ) + + result = await UserAuthorizationStore.get_matching_authorizations( + email='user+alias@example.com', + provider_type='github', + ) + assert len(result) == 1 + + @pytest.mark.asyncio + async def test_subdomain_email(self, async_session_maker): + """Test that subdomain emails don't match parent domain patterns.""" + with patch( + 'storage.user_authorization_store.a_session_maker', async_session_maker + ): + await UserAuthorizationStore.create_authorization( + email_pattern='%@example.com', + provider_type=None, + auth_type=UserAuthorizationType.BLACKLIST, + ) + + # Should match exact domain + result = await UserAuthorizationStore.get_matching_authorizations( + email='user@example.com', + provider_type='github', + ) + assert len(result) == 1 + + # Should NOT match subdomain + result = await UserAuthorizationStore.get_matching_authorizations( + email='user@sub.example.com', + provider_type='github', + ) + assert len(result) == 0 diff --git a/enterprise/tests/unit/test_auth_routes.py b/enterprise/tests/unit/test_auth_routes.py index 43a6f348f5..88b112595d 100644 --- a/enterprise/tests/unit/test_auth_routes.py +++ b/enterprise/tests/unit/test_auth_routes.py @@ -4,11 +4,12 @@ from unittest.mock import AsyncMock, MagicMock, patch import jwt import pytest -from fastapi import Request, Response, status +from fastapi import HTTPException, Request, Response, status from fastapi.responses import JSONResponse, RedirectResponse from pydantic import SecretStr from server.auth.auth_error import AuthError from server.auth.saas_user_auth import SaasUserAuth +from server.auth.user.user_authorizer import UserAuthorizationResponse, UserAuthorizer from server.routes.auth import ( _extract_recaptcha_state, accept_tos, @@ -22,6 +23,17 @@ from server.routes.auth import ( from openhands.integrations.service_types import ProviderType +def create_mock_user_authorizer(success: bool = True, error_detail: str | None = None): + """Create a mock UserAuthorizer that returns the specified authorization result.""" + mock_authorizer = MagicMock(spec=UserAuthorizer) + mock_authorizer.authorize_user = AsyncMock( + return_value=UserAuthorizationResponse( + success=success, error_detail=error_detail + ) + ) + return mock_authorizer + + @pytest.fixture def mock_request(): request = MagicMock(spec=Request) @@ -78,12 +90,16 @@ def test_set_response_cookie(mock_response, mock_request): @pytest.mark.asyncio async def test_keycloak_callback_missing_code(mock_request): """Test keycloak_callback with missing code.""" - result = await keycloak_callback(code='', state='test_state', request=mock_request) + with pytest.raises(HTTPException) as exc_info: + await keycloak_callback( + code='', + state='test_state', + request=mock_request, + user_authorizer=create_mock_user_authorizer(), + ) - assert isinstance(result, JSONResponse) - assert result.status_code == status.HTTP_400_BAD_REQUEST - assert 'error' in result.body.decode() - assert 'Missing code' in result.body.decode() + assert exc_info.value.status_code == status.HTTP_400_BAD_REQUEST + assert 'Missing code' in exc_info.value.detail @pytest.mark.asyncio @@ -93,51 +109,31 @@ async def test_keycloak_callback_token_retrieval_failure(mock_request): with patch( 'server.routes.auth.token_manager.get_keycloak_tokens', get_keycloak_tokens_mock ): - result = await keycloak_callback( - code='test_code', state='test_state', request=mock_request - ) + with pytest.raises(HTTPException) as exc_info: + await keycloak_callback( + code='test_code', + state='test_state', + request=mock_request, + user_authorizer=create_mock_user_authorizer(), + ) - assert isinstance(result, JSONResponse) - assert result.status_code == status.HTTP_400_BAD_REQUEST - assert 'error' in result.body.decode() - assert 'Problem retrieving Keycloak tokens' in result.body.decode() + assert exc_info.value.status_code == status.HTTP_400_BAD_REQUEST + assert 'Problem retrieving Keycloak tokens' in exc_info.value.detail get_keycloak_tokens_mock.assert_called_once() -@pytest.mark.asyncio -async def test_keycloak_callback_missing_user_info( - mock_request, create_keycloak_user_info -): - """Test keycloak_callback when user info is missing preferred_username.""" - with patch('server.routes.auth.token_manager') as mock_token_manager: - mock_token_manager.get_keycloak_tokens = AsyncMock( - return_value=('test_access_token', 'test_refresh_token') - ) - # Return KeycloakUserInfo with sub but without preferred_username - mock_token_manager.get_user_info = AsyncMock( - return_value=create_keycloak_user_info( - sub='test_user_id', preferred_username=None - ) - ) - - result = await keycloak_callback( - code='test_code', state='test_state', request=mock_request - ) - - assert isinstance(result, JSONResponse) - assert result.status_code == status.HTTP_400_BAD_REQUEST - assert 'error' in result.body.decode() - assert 'Missing user ID or username' in result.body.decode() +# Note: test_keycloak_callback_missing_user_info was removed as part of the +# user authorization refactor. The "Missing user ID or username" check has been +# removed from keycloak_callback - authorization is now handled by UserAuthorizer. @pytest.mark.asyncio -async def test_keycloak_callback_user_not_allowed( +async def test_keycloak_callback_user_not_authorized( mock_request, create_keycloak_user_info ): - """Test keycloak_callback when user is not allowed by verifier.""" + """Test keycloak_callback when user authorization fails.""" with ( patch('server.routes.auth.token_manager') as mock_token_manager, - patch('server.routes.auth.user_verifier') as mock_verifier, patch('server.routes.auth.UserStore') as mock_user_store, ): mock_token_manager.get_keycloak_tokens = AsyncMock( @@ -164,18 +160,21 @@ async def test_keycloak_callback_user_not_allowed( mock_user_store.backfill_contact_name = AsyncMock() mock_user_store.backfill_user_email = AsyncMock() - mock_verifier.is_active.return_value = True - mock_verifier.is_user_allowed.return_value = False - - result = await keycloak_callback( - code='test_code', state='test_state', request=mock_request + # Create mock user authorizer that denies authorization + mock_authorizer = create_mock_user_authorizer( + success=False, error_detail='blocked' ) - assert isinstance(result, JSONResponse) - assert result.status_code == status.HTTP_401_UNAUTHORIZED - assert 'error' in result.body.decode() - assert 'Not authorized via waitlist' in result.body.decode() - mock_verifier.is_user_allowed.assert_called_once_with('test_user') + with pytest.raises(HTTPException) as exc_info: + await keycloak_callback( + code='test_code', + state='test_state', + request=mock_request, + user_authorizer=mock_authorizer, + ) + + assert exc_info.value.status_code == status.HTTP_401_UNAUTHORIZED + assert exc_info.value.detail == 'blocked' @pytest.mark.asyncio @@ -185,7 +184,6 @@ async def test_keycloak_callback_success_with_valid_offline_token( """Test successful keycloak_callback with valid offline token.""" with ( patch('server.routes.auth.token_manager') as mock_token_manager, - patch('server.routes.auth.user_verifier') as mock_verifier, patch('server.routes.auth.set_response_cookie') as mock_set_cookie, patch('server.routes.auth.UserStore') as mock_user_store, patch('server.routes.auth.posthog') as mock_posthog, @@ -217,11 +215,11 @@ async def test_keycloak_callback_success_with_valid_offline_token( mock_token_manager.store_idp_tokens = AsyncMock() mock_token_manager.validate_offline_token = AsyncMock(return_value=True) - mock_verifier.is_active.return_value = True - mock_verifier.is_user_allowed.return_value = True - result = await keycloak_callback( - code='test_code', state='test_state', request=mock_request + code='test_code', + state='test_state', + request=mock_request, + user_authorizer=create_mock_user_authorizer(), ) assert isinstance(result, RedirectResponse) @@ -252,7 +250,6 @@ async def test_keycloak_callback_email_not_verified( mock_rate_limit = AsyncMock() with ( patch('server.routes.auth.token_manager') as mock_token_manager, - patch('server.routes.auth.user_verifier') as mock_verifier, patch('server.routes.email.verify_email', mock_verify_email), patch('server.routes.auth.check_rate_limit_by_user_id', mock_rate_limit), patch('server.routes.auth.UserStore') as mock_user_store, @@ -269,7 +266,6 @@ async def test_keycloak_callback_email_not_verified( ) ) mock_token_manager.store_idp_tokens = AsyncMock() - mock_verifier.is_active.return_value = False # Mock the user creation mock_user = MagicMock() @@ -282,7 +278,10 @@ async def test_keycloak_callback_email_not_verified( # Act result = await keycloak_callback( - code='test_code', state='test_state', request=mock_request + code='test_code', + state='test_state', + request=mock_request, + user_authorizer=create_mock_user_authorizer(), ) # Assert @@ -313,7 +312,6 @@ async def test_keycloak_callback_email_not_verified_missing_field( mock_rate_limit = AsyncMock() with ( patch('server.routes.auth.token_manager') as mock_token_manager, - patch('server.routes.auth.user_verifier') as mock_verifier, patch('server.routes.email.verify_email', mock_verify_email), patch('server.routes.auth.check_rate_limit_by_user_id', mock_rate_limit), patch('server.routes.auth.UserStore') as mock_user_store, @@ -330,7 +328,6 @@ async def test_keycloak_callback_email_not_verified_missing_field( ) ) mock_token_manager.store_idp_tokens = AsyncMock() - mock_verifier.is_active.return_value = False # Mock the user creation mock_user = MagicMock() @@ -343,7 +340,10 @@ async def test_keycloak_callback_email_not_verified_missing_field( # Act result = await keycloak_callback( - code='test_code', state='test_state', request=mock_request + code='test_code', + state='test_state', + request=mock_request, + user_authorizer=create_mock_user_authorizer(), ) # Assert @@ -377,7 +377,6 @@ async def test_keycloak_callback_email_verification_rate_limited( ) with ( patch('server.routes.auth.token_manager') as mock_token_manager, - patch('server.routes.auth.user_verifier') as mock_verifier, patch('server.routes.email.verify_email', mock_verify_email), patch('server.routes.auth.check_rate_limit_by_user_id', mock_rate_limit), patch('server.routes.auth.UserStore') as mock_user_store, @@ -394,7 +393,6 @@ async def test_keycloak_callback_email_verification_rate_limited( ) ) mock_token_manager.store_idp_tokens = AsyncMock() - mock_verifier.is_active.return_value = False # Mock the user creation mock_user = MagicMock() @@ -407,7 +405,10 @@ async def test_keycloak_callback_email_verification_rate_limited( # Act result = await keycloak_callback( - code='test_code', state='test_state', request=mock_request + code='test_code', + state='test_state', + request=mock_request, + user_authorizer=create_mock_user_authorizer(), ) # Assert - should still redirect to verification page but NOT send email @@ -430,7 +431,6 @@ async def test_keycloak_callback_success_without_offline_token( """Test successful keycloak_callback without valid offline token.""" with ( patch('server.routes.auth.token_manager') as mock_token_manager, - patch('server.routes.auth.user_verifier') as mock_verifier, patch('server.routes.auth.set_response_cookie') as mock_set_cookie, patch( 'server.routes.auth.KEYCLOAK_SERVER_URL_EXT', 'https://keycloak.example.com' @@ -468,11 +468,11 @@ async def test_keycloak_callback_success_without_offline_token( # Set validate_offline_token to return False to test the "without offline token" scenario mock_token_manager.validate_offline_token = AsyncMock(return_value=False) - mock_verifier.is_active.return_value = True - mock_verifier.is_user_allowed.return_value = True - result = await keycloak_callback( - code='test_code', state='test_state', request=mock_request + code='test_code', + state='test_state', + request=mock_request, + user_authorizer=create_mock_user_authorizer(), ) assert isinstance(result, RedirectResponse) @@ -484,12 +484,14 @@ async def test_keycloak_callback_success_without_offline_token( mock_token_manager.store_idp_tokens.assert_called_once_with( ProviderType.GITHUB, 'test_user_id', 'test_access_token' ) + # When redirecting to Keycloak for offline token, redirect_url becomes https://keycloak... + # so secure=True is expected mock_set_cookie.assert_called_once_with( request=mock_request, response=result, keycloak_access_token='test_access_token', keycloak_refresh_token='test_refresh_token', - secure=False, + secure=True, accepted_tos=True, ) mock_posthog.set.assert_called_once() @@ -505,6 +507,7 @@ async def test_keycloak_callback_account_linking_error(mock_request): error='temporarily_unavailable', error_description='authentication_expired', request=mock_request, + user_authorizer=create_mock_user_authorizer(), ) assert isinstance(result, RedirectResponse) @@ -671,11 +674,10 @@ async def test_logout_without_refresh_token(): async def test_keycloak_callback_blocked_email_domain( mock_request, create_keycloak_user_info ): - """Test keycloak_callback when email domain is blocked.""" + """Test keycloak_callback when user authorization fails (blocked email domain).""" # Arrange with ( patch('server.routes.auth.token_manager') as mock_token_manager, - patch('server.routes.auth.domain_blocker') as mock_domain_blocker, patch('server.routes.auth.UserStore') as mock_user_store, ): mock_token_manager.get_keycloak_tokens = AsyncMock( @@ -689,7 +691,6 @@ async def test_keycloak_callback_blocked_email_domain( identity_provider='github', ) ) - mock_token_manager.disable_keycloak_user = AsyncMock() # Mock the user creation mock_user = MagicMock() @@ -700,155 +701,34 @@ async def test_keycloak_callback_blocked_email_domain( mock_user_store.backfill_contact_name = AsyncMock() mock_user_store.backfill_user_email = AsyncMock() - mock_domain_blocker.is_active.return_value = True - mock_domain_blocker.is_domain_blocked = AsyncMock(return_value=True) + # Create mock user authorizer that blocks the user + mock_authorizer = create_mock_user_authorizer( + success=False, error_detail='blocked' + ) # Act - result = await keycloak_callback( - code='test_code', state='test_state', request=mock_request - ) - - # Assert - assert isinstance(result, JSONResponse) - assert result.status_code == status.HTTP_401_UNAUTHORIZED - assert 'error' in result.body.decode() - assert 'email domain is not allowed' in result.body.decode() - mock_domain_blocker.is_domain_blocked.assert_called_once_with('user@colsch.us') - mock_token_manager.disable_keycloak_user.assert_called_once_with( - 'test_user_id', 'user@colsch.us' - ) - - -@pytest.mark.asyncio -async def test_keycloak_callback_allowed_email_domain( - mock_request, create_keycloak_user_info -): - """Test keycloak_callback when email domain is not blocked.""" - # Arrange - with ( - patch('server.routes.auth.token_manager') as mock_token_manager, - patch('server.routes.auth.domain_blocker') as mock_domain_blocker, - patch('server.routes.auth.user_verifier') as mock_verifier, - patch('server.routes.auth.a_session_maker') as mock_session_maker, - patch('server.routes.auth.UserStore') as mock_user_store, - ): - mock_session = MagicMock() - mock_session_maker.return_value.__enter__.return_value = mock_session - mock_query = MagicMock() - mock_session.query.return_value = mock_query - mock_query.filter.return_value = mock_query - - mock_user_settings = MagicMock() - mock_user_settings.accepted_tos = '2025-01-01' - mock_query.first.return_value = mock_user_settings - - mock_token_manager.get_keycloak_tokens = AsyncMock( - return_value=('test_access_token', 'test_refresh_token') - ) - mock_token_manager.get_user_info = AsyncMock( - return_value=create_keycloak_user_info( - sub='test_user_id', - preferred_username='test_user', - email='user@example.com', - identity_provider='github', - email_verified=True, + with pytest.raises(HTTPException) as exc_info: + await keycloak_callback( + code='test_code', + state='test_state', + request=mock_request, + user_authorizer=mock_authorizer, ) - ) - mock_token_manager.store_idp_tokens = AsyncMock() - mock_token_manager.validate_offline_token = AsyncMock(return_value=True) - - # Mock the user creation - mock_user = MagicMock() - mock_user.id = 'test_user_id' - mock_user.current_org_id = 'test_org_id' - mock_user.accepted_tos = '2025-01-01' - mock_user_store.get_user_by_id = AsyncMock(return_value=mock_user) - mock_user_store.create_user = AsyncMock(return_value=mock_user) - mock_user_store.backfill_contact_name = AsyncMock() - mock_user_store.backfill_user_email = AsyncMock() - - mock_domain_blocker.is_active.return_value = True - mock_domain_blocker.is_domain_blocked = AsyncMock(return_value=False) - - mock_verifier.is_active.return_value = True - mock_verifier.is_user_allowed.return_value = True - - # Act - result = await keycloak_callback( - code='test_code', state='test_state', request=mock_request - ) # Assert - assert isinstance(result, RedirectResponse) - mock_domain_blocker.is_domain_blocked.assert_called_once_with( - 'user@example.com' - ) - mock_token_manager.disable_keycloak_user.assert_not_called() + assert exc_info.value.status_code == status.HTTP_401_UNAUTHORIZED + assert exc_info.value.detail == 'blocked' -@pytest.mark.asyncio -async def test_keycloak_callback_domain_blocking_inactive( - mock_request, create_keycloak_user_info -): - """Test keycloak_callback when email domain is not blocked.""" - # Arrange - with ( - patch('server.routes.auth.token_manager') as mock_token_manager, - patch('server.routes.auth.domain_blocker') as mock_domain_blocker, - patch('server.routes.auth.user_verifier') as mock_verifier, - patch('server.routes.auth.a_session_maker') as mock_session_maker, - patch('server.routes.auth.UserStore') as mock_user_store, - ): - mock_session = MagicMock() - mock_session_maker.return_value.__enter__.return_value = mock_session - mock_query = MagicMock() - mock_session.query.return_value = mock_query - mock_query.filter.return_value = mock_query +# Note: test_keycloak_callback_allowed_email_domain was simplified as part of +# the user authorization refactor. The email domain authorization logic is now +# in DefaultUserAuthorizer and tested in test_user_authorization_store.py. +# The keycloak_callback test only needs to verify it proceeds when authorized. - mock_user_settings = MagicMock() - mock_user_settings.accepted_tos = '2025-01-01' - mock_query.first.return_value = mock_user_settings - mock_token_manager.get_keycloak_tokens = AsyncMock( - return_value=('test_access_token', 'test_refresh_token') - ) - mock_token_manager.get_user_info = AsyncMock( - return_value=create_keycloak_user_info( - sub='test_user_id', - preferred_username='test_user', - email='user@colsch.us', - identity_provider='github', - email_verified=True, - ) - ) - mock_token_manager.store_idp_tokens = AsyncMock() - mock_token_manager.validate_offline_token = AsyncMock(return_value=True) - - # Mock the user creation - mock_user = MagicMock() - mock_user.id = 'test_user_id' - mock_user.current_org_id = 'test_org_id' - mock_user.accepted_tos = '2025-01-01' - mock_user_store.get_user_by_id = AsyncMock(return_value=mock_user) - mock_user_store.create_user = AsyncMock(return_value=mock_user) - mock_user_store.backfill_contact_name = AsyncMock() - mock_user_store.backfill_user_email = AsyncMock() - - mock_domain_blocker.is_active.return_value = False - mock_domain_blocker.is_domain_blocked = AsyncMock(return_value=False) - - mock_verifier.is_active.return_value = True - mock_verifier.is_user_allowed.return_value = True - - # Act - result = await keycloak_callback( - code='test_code', state='test_state', request=mock_request - ) - - # Assert - assert isinstance(result, RedirectResponse) - mock_domain_blocker.is_domain_blocked.assert_called_once_with('user@colsch.us') - mock_token_manager.disable_keycloak_user.assert_not_called() +# Note: test_keycloak_callback_domain_blocking_inactive was removed as part of +# the user authorization refactor. The concept of "domain blocking inactive" no +# longer applies - authorization is always performed by UserAuthorizer. @pytest.mark.asyncio @@ -857,8 +737,9 @@ async def test_keycloak_callback_missing_email(mock_request, create_keycloak_use # Arrange with ( patch('server.routes.auth.token_manager') as mock_token_manager, - patch('server.routes.auth.domain_blocker') as mock_domain_blocker, - patch('server.routes.auth.user_verifier') as mock_verifier, + patch( + 'storage.user_authorization_store.UserAuthorizationStore' + ) as mock_user_auth_store, patch('server.routes.auth.a_session_maker') as mock_session_maker, patch('server.routes.auth.UserStore') as mock_user_store, ): @@ -897,19 +778,17 @@ async def test_keycloak_callback_missing_email(mock_request, create_keycloak_use mock_user_store.backfill_contact_name = AsyncMock() mock_user_store.backfill_user_email = AsyncMock() - mock_domain_blocker.is_active.return_value = True - - mock_verifier.is_active.return_value = True - mock_verifier.is_user_allowed.return_value = True - # Act result = await keycloak_callback( - code='test_code', state='test_state', request=mock_request + code='test_code', + state='test_state', + request=mock_request, + user_authorizer=create_mock_user_authorizer(), ) # Assert assert isinstance(result, RedirectResponse) - mock_domain_blocker.is_domain_blocked.assert_not_called() + mock_user_auth_store.get_authorization_type.assert_not_called() mock_token_manager.disable_keycloak_user.assert_not_called() @@ -917,7 +796,12 @@ async def test_keycloak_callback_missing_email(mock_request, create_keycloak_use async def test_keycloak_callback_duplicate_email_detected( mock_request, create_keycloak_user_info ): - """Test keycloak_callback when duplicate email is detected.""" + """Test keycloak_callback when duplicate email is detected by UserAuthorizer. + + Note: Duplicate email detection has been moved to DefaultUserAuthorizer. + This test verifies that keycloak_callback correctly handles the authorization + failure when a duplicate email is detected. + """ with ( patch('server.routes.auth.token_manager') as mock_token_manager, patch('server.routes.auth.UserStore') as mock_user_store, @@ -934,8 +818,6 @@ async def test_keycloak_callback_duplicate_email_detected( identity_provider='github', ) ) - mock_token_manager.check_duplicate_base_email = AsyncMock(return_value=True) - mock_token_manager.delete_keycloak_user = AsyncMock(return_value=True) # Mock the user creation mock_user = MagicMock() @@ -946,64 +828,28 @@ async def test_keycloak_callback_duplicate_email_detected( mock_user_store.backfill_contact_name = AsyncMock() mock_user_store.backfill_user_email = AsyncMock() - # Act - result = await keycloak_callback( - code='test_code', state='test_state', request=mock_request + # Create mock authorizer that returns duplicate_email error + mock_authorizer = create_mock_user_authorizer( + success=False, error_detail='duplicate_email' ) - # Assert - assert isinstance(result, RedirectResponse) - assert result.status_code == 302 - assert 'duplicated_email=true' in result.headers['location'] - mock_token_manager.check_duplicate_base_email.assert_called_once_with( - 'joe+test@example.com', 'test_user_id' - ) - mock_token_manager.delete_keycloak_user.assert_called_once_with('test_user_id') - - -@pytest.mark.asyncio -async def test_keycloak_callback_duplicate_email_deletion_fails( - mock_request, create_keycloak_user_info -): - """Test keycloak_callback when duplicate is detected but deletion fails.""" - with ( - patch('server.routes.auth.token_manager') as mock_token_manager, - patch('server.routes.auth.UserStore') as mock_user_store, - ): - # Arrange - mock_token_manager.get_keycloak_tokens = AsyncMock( - return_value=('test_access_token', 'test_refresh_token') - ) - mock_token_manager.get_user_info = AsyncMock( - return_value=create_keycloak_user_info( - sub='test_user_id', - preferred_username='test_user', - email='joe+test@example.com', - identity_provider='github', + # Act & Assert - should raise HTTPException with 401 + with pytest.raises(HTTPException) as exc_info: + await keycloak_callback( + code='test_code', + state='test_state', + request=mock_request, + user_authorizer=mock_authorizer, ) - ) - mock_token_manager.check_duplicate_base_email = AsyncMock(return_value=True) - mock_token_manager.delete_keycloak_user = AsyncMock(return_value=False) - # Mock the user creation - mock_user = MagicMock() - mock_user.id = 'test_user_id' - mock_user.current_org_id = 'test_org_id' - mock_user_store.get_user_by_id = AsyncMock(return_value=mock_user) - mock_user_store.create_user = AsyncMock(return_value=mock_user) - mock_user_store.backfill_contact_name = AsyncMock() - mock_user_store.backfill_user_email = AsyncMock() + assert exc_info.value.status_code == status.HTTP_401_UNAUTHORIZED + assert exc_info.value.detail == 'duplicate_email' - # Act - result = await keycloak_callback( - code='test_code', state='test_state', request=mock_request - ) - # Assert - assert isinstance(result, RedirectResponse) - assert result.status_code == 302 - assert 'duplicated_email=true' in result.headers['location'] - mock_token_manager.delete_keycloak_user.assert_called_once_with('test_user_id') +# Note: test_keycloak_callback_duplicate_email_deletion_fails was removed as part of +# the user authorization refactor. The Keycloak user deletion logic for duplicate emails +# has been removed from keycloak_callback. If this behavior needs to be restored, +# it should be implemented in the DefaultUserAuthorizer or handled separately. @pytest.mark.asyncio @@ -1013,7 +859,6 @@ async def test_keycloak_callback_duplicate_check_exception( """Test keycloak_callback when duplicate check raises exception.""" with ( patch('server.routes.auth.token_manager') as mock_token_manager, - patch('server.routes.auth.user_verifier') as mock_verifier, patch('server.routes.auth.a_session_maker') as mock_session_maker, patch('server.routes.auth.UserStore') as mock_user_store, ): @@ -1055,12 +900,12 @@ async def test_keycloak_callback_duplicate_check_exception( mock_user_store.backfill_contact_name = AsyncMock() mock_user_store.backfill_user_email = AsyncMock() - mock_verifier.is_active.return_value = True - mock_verifier.is_user_allowed.return_value = True - # Act result = await keycloak_callback( - code='test_code', state='test_state', request=mock_request + code='test_code', + state='test_state', + request=mock_request, + user_authorizer=create_mock_user_authorizer(), ) # Assert @@ -1073,10 +918,13 @@ async def test_keycloak_callback_duplicate_check_exception( async def test_keycloak_callback_no_duplicate_email( mock_request, create_keycloak_user_info ): - """Test keycloak_callback when no duplicate email is found.""" + """Test keycloak_callback when authorization succeeds (no duplicate email). + + Note: Duplicate email detection has been moved to DefaultUserAuthorizer. + This test verifies the normal flow when authorization is successful. + """ with ( patch('server.routes.auth.token_manager') as mock_token_manager, - patch('server.routes.auth.user_verifier') as mock_verifier, patch('server.routes.auth.a_session_maker') as mock_session_maker, patch('server.routes.auth.UserStore') as mock_user_store, ): @@ -1102,7 +950,6 @@ async def test_keycloak_callback_no_duplicate_email( email_verified=True, ) ) - mock_token_manager.check_duplicate_base_email = AsyncMock(return_value=False) mock_token_manager.store_idp_tokens = AsyncMock() mock_token_manager.validate_offline_token = AsyncMock(return_value=True) @@ -1116,22 +963,17 @@ async def test_keycloak_callback_no_duplicate_email( mock_user_store.backfill_contact_name = AsyncMock() mock_user_store.backfill_user_email = AsyncMock() - mock_verifier.is_active.return_value = True - mock_verifier.is_user_allowed.return_value = True - - # Act + # Act - use successful authorizer (no duplicate detected) result = await keycloak_callback( - code='test_code', state='test_state', request=mock_request + code='test_code', + state='test_state', + request=mock_request, + user_authorizer=create_mock_user_authorizer(success=True), ) - # Assert + # Assert - normal redirect flow should succeed assert isinstance(result, RedirectResponse) assert result.status_code == 302 - mock_token_manager.check_duplicate_base_email.assert_called_once_with( - 'joe+test@example.com', 'test_user_id' - ) - # Should not delete user when no duplicate found - mock_token_manager.delete_keycloak_user.assert_not_called() @pytest.mark.asyncio @@ -1141,7 +983,6 @@ async def test_keycloak_callback_no_email_in_user_info( """Test keycloak_callback when email is not in user_info.""" with ( patch('server.routes.auth.token_manager') as mock_token_manager, - patch('server.routes.auth.user_verifier') as mock_verifier, patch('server.routes.auth.a_session_maker') as mock_session_maker, patch('server.routes.auth.UserStore') as mock_user_store, ): @@ -1180,12 +1021,12 @@ async def test_keycloak_callback_no_email_in_user_info( mock_user_store.backfill_contact_name = AsyncMock() mock_user_store.backfill_user_email = AsyncMock() - mock_verifier.is_active.return_value = True - mock_verifier.is_user_allowed.return_value = True - # Act result = await keycloak_callback( - code='test_code', state='test_state', request=mock_request + code='test_code', + state='test_state', + request=mock_request, + user_authorizer=create_mock_user_authorizer(), ) # Assert @@ -1291,11 +1132,12 @@ class TestKeycloakCallbackRecaptcha: with ( patch('server.routes.auth.token_manager') as mock_token_manager, - patch('server.routes.auth.user_verifier') as mock_verifier, patch('server.routes.auth.recaptcha_service') as mock_recaptcha_service, patch('server.routes.auth.RECAPTCHA_SITE_KEY', 'test-site-key'), patch('server.routes.auth.a_session_maker') as mock_session_maker, - patch('server.routes.auth.domain_blocker') as mock_domain_blocker, + patch( + 'storage.user_authorization_store.UserAuthorizationStore' + ) as mock_user_auth_store, patch('server.routes.auth.set_response_cookie'), patch('server.routes.auth.posthog'), patch('server.routes.email.verify_email', new_callable=AsyncMock), @@ -1338,10 +1180,7 @@ class TestKeycloakCallbackRecaptcha: mock_user_store.backfill_contact_name = AsyncMock() mock_user_store.backfill_user_email = AsyncMock() - mock_verifier.is_active.return_value = True - mock_verifier.is_user_allowed.return_value = True - - mock_domain_blocker.is_domain_blocked = AsyncMock(return_value=False) + mock_user_auth_store.get_authorization_type = AsyncMock(return_value=None) # Patch the module-level recaptcha_service instance mock_recaptcha_service.create_assessment.return_value = ( @@ -1350,7 +1189,10 @@ class TestKeycloakCallbackRecaptcha: # Act result = await keycloak_callback( - code='test_code', state=encoded_state, request=mock_request + code='test_code', + state=encoded_state, + request=mock_request, + user_authorizer=create_mock_user_authorizer(), ) # Assert @@ -1380,7 +1222,9 @@ class TestKeycloakCallbackRecaptcha: patch('server.routes.auth.token_manager') as mock_token_manager, patch('server.routes.auth.recaptcha_service') as mock_recaptcha_service, patch('server.routes.auth.RECAPTCHA_SITE_KEY', 'test-site-key'), - patch('server.routes.auth.domain_blocker') as mock_domain_blocker, + patch( + 'storage.user_authorization_store.UserAuthorizationStore' + ) as mock_user_auth_store, patch('server.routes.auth.UserStore') as mock_user_store, ): mock_token_manager.get_keycloak_tokens = AsyncMock( @@ -1406,7 +1250,7 @@ class TestKeycloakCallbackRecaptcha: mock_user_store.backfill_contact_name = AsyncMock() mock_user_store.backfill_user_email = AsyncMock() - mock_domain_blocker.is_domain_blocked = AsyncMock(return_value=False) + mock_user_auth_store.get_authorization_type = AsyncMock(return_value=None) # Patch the module-level recaptcha_service instance mock_recaptcha_service.create_assessment.return_value = ( @@ -1415,7 +1259,10 @@ class TestKeycloakCallbackRecaptcha: # Act result = await keycloak_callback( - code='test_code', state=encoded_state, request=mock_request + code='test_code', + state=encoded_state, + request=mock_request, + user_authorizer=create_mock_user_authorizer(), ) # Assert @@ -1447,8 +1294,9 @@ class TestKeycloakCallbackRecaptcha: patch('server.routes.auth.token_manager') as mock_token_manager, patch('server.routes.auth.recaptcha_service') as mock_recaptcha_service, patch('server.routes.auth.RECAPTCHA_SITE_KEY', 'test-site-key'), - patch('server.routes.auth.domain_blocker') as mock_domain_blocker, - patch('server.routes.auth.user_verifier') as mock_verifier, + patch( + 'storage.user_authorization_store.UserAuthorizationStore' + ) as mock_user_auth_store, patch('server.routes.auth.a_session_maker') as mock_session_maker, patch('server.routes.auth.set_response_cookie'), patch('server.routes.auth.posthog'), @@ -1492,10 +1340,7 @@ class TestKeycloakCallbackRecaptcha: mock_user_store.backfill_contact_name = AsyncMock() mock_user_store.backfill_user_email = AsyncMock() - mock_verifier.is_active.return_value = True - mock_verifier.is_user_allowed.return_value = True - - mock_domain_blocker.is_domain_blocked = AsyncMock(return_value=False) + mock_user_auth_store.get_authorization_type = AsyncMock(return_value=None) # Patch the module-level recaptcha_service instance mock_recaptcha_service.create_assessment.return_value = ( @@ -1504,7 +1349,10 @@ class TestKeycloakCallbackRecaptcha: # Act await keycloak_callback( - code='test_code', state=encoded_state, request=mock_request + code='test_code', + state=encoded_state, + request=mock_request, + user_authorizer=create_mock_user_authorizer(), ) # Assert @@ -1536,8 +1384,9 @@ class TestKeycloakCallbackRecaptcha: patch('server.routes.auth.token_manager') as mock_token_manager, patch('server.routes.auth.recaptcha_service') as mock_recaptcha_service, patch('server.routes.auth.RECAPTCHA_SITE_KEY', 'test-site-key'), - patch('server.routes.auth.domain_blocker') as mock_domain_blocker, - patch('server.routes.auth.user_verifier') as mock_verifier, + patch( + 'storage.user_authorization_store.UserAuthorizationStore' + ) as mock_user_auth_store, patch('server.routes.auth.a_session_maker') as mock_session_maker, patch('server.routes.auth.set_response_cookie'), patch('server.routes.auth.posthog'), @@ -1581,10 +1430,7 @@ class TestKeycloakCallbackRecaptcha: mock_user_store.backfill_contact_name = AsyncMock() mock_user_store.backfill_user_email = AsyncMock() - mock_verifier.is_active.return_value = True - mock_verifier.is_user_allowed.return_value = True - - mock_domain_blocker.is_domain_blocked = AsyncMock(return_value=False) + mock_user_auth_store.get_authorization_type = AsyncMock(return_value=None) # Patch the module-level recaptcha_service instance mock_recaptcha_service.create_assessment.return_value = ( @@ -1593,7 +1439,10 @@ class TestKeycloakCallbackRecaptcha: # Act await keycloak_callback( - code='test_code', state=encoded_state, request=mock_request + code='test_code', + state=encoded_state, + request=mock_request, + user_authorizer=create_mock_user_authorizer(), ) # Assert @@ -1624,8 +1473,9 @@ class TestKeycloakCallbackRecaptcha: patch('server.routes.auth.token_manager') as mock_token_manager, patch('server.routes.auth.recaptcha_service') as mock_recaptcha_service, patch('server.routes.auth.RECAPTCHA_SITE_KEY', 'test-site-key'), - patch('server.routes.auth.domain_blocker') as mock_domain_blocker, - patch('server.routes.auth.user_verifier') as mock_verifier, + patch( + 'storage.user_authorization_store.UserAuthorizationStore' + ) as mock_user_auth_store, patch('server.routes.auth.a_session_maker') as mock_session_maker, patch('server.routes.auth.set_response_cookie'), patch('server.routes.auth.posthog'), @@ -1669,10 +1519,7 @@ class TestKeycloakCallbackRecaptcha: mock_user_store.backfill_contact_name = AsyncMock() mock_user_store.backfill_user_email = AsyncMock() - mock_verifier.is_active.return_value = True - mock_verifier.is_user_allowed.return_value = True - - mock_domain_blocker.is_domain_blocked = AsyncMock(return_value=False) + mock_user_auth_store.get_authorization_type = AsyncMock(return_value=None) # Patch the module-level recaptcha_service instance mock_recaptcha_service.create_assessment.return_value = ( @@ -1681,7 +1528,10 @@ class TestKeycloakCallbackRecaptcha: # Act await keycloak_callback( - code='test_code', state=encoded_state, request=mock_request + code='test_code', + state=encoded_state, + request=mock_request, + user_authorizer=create_mock_user_authorizer(), ) # Assert @@ -1709,8 +1559,9 @@ class TestKeycloakCallbackRecaptcha: patch('server.routes.auth.token_manager') as mock_token_manager, patch('server.routes.auth.recaptcha_service') as mock_recaptcha_service, patch('server.routes.auth.RECAPTCHA_SITE_KEY', 'test-site-key'), - patch('server.routes.auth.domain_blocker') as mock_domain_blocker, - patch('server.routes.auth.user_verifier') as mock_verifier, + patch( + 'storage.user_authorization_store.UserAuthorizationStore' + ) as mock_user_auth_store, patch('server.routes.auth.a_session_maker') as mock_session_maker, patch('server.routes.auth.set_response_cookie'), patch('server.routes.auth.posthog'), @@ -1754,10 +1605,7 @@ class TestKeycloakCallbackRecaptcha: mock_user_store.backfill_contact_name = AsyncMock() mock_user_store.backfill_user_email = AsyncMock() - mock_verifier.is_active.return_value = True - mock_verifier.is_user_allowed.return_value = True - - mock_domain_blocker.is_domain_blocked = AsyncMock(return_value=False) + mock_user_auth_store.get_authorization_type = AsyncMock(return_value=None) # Patch the module-level recaptcha_service instance mock_recaptcha_service.create_assessment.return_value = ( @@ -1766,7 +1614,10 @@ class TestKeycloakCallbackRecaptcha: # Act await keycloak_callback( - code='test_code', state=encoded_state, request=mock_request + code='test_code', + state=encoded_state, + request=mock_request, + user_authorizer=create_mock_user_authorizer(), ) # Assert @@ -1791,9 +1642,10 @@ class TestKeycloakCallbackRecaptcha: patch('server.routes.auth.token_manager') as mock_token_manager, patch('server.routes.auth.recaptcha_service') as mock_recaptcha_service, patch('server.routes.auth.RECAPTCHA_SITE_KEY', ''), - patch('server.routes.auth.user_verifier') as mock_verifier, patch('server.routes.auth.a_session_maker') as mock_session_maker, - patch('server.routes.auth.domain_blocker') as mock_domain_blocker, + patch( + 'storage.user_authorization_store.UserAuthorizationStore' + ) as mock_user_auth_store, patch('server.routes.auth.set_response_cookie'), patch('server.routes.auth.posthog'), patch('server.routes.email.verify_email', new_callable=AsyncMock), @@ -1836,14 +1688,14 @@ class TestKeycloakCallbackRecaptcha: mock_user_store.backfill_contact_name = AsyncMock() mock_user_store.backfill_user_email = AsyncMock() - mock_verifier.is_active.return_value = True - mock_verifier.is_user_allowed.return_value = True - - mock_domain_blocker.is_domain_blocked = AsyncMock(return_value=False) + mock_user_auth_store.get_authorization_type = AsyncMock(return_value=None) # Act await keycloak_callback( - code='test_code', state=encoded_state, request=mock_request + code='test_code', + state=encoded_state, + request=mock_request, + user_authorizer=create_mock_user_authorizer(), ) # Assert @@ -1861,9 +1713,10 @@ class TestKeycloakCallbackRecaptcha: patch('server.routes.auth.token_manager') as mock_token_manager, patch('server.routes.auth.recaptcha_service') as mock_recaptcha_service, patch('server.routes.auth.RECAPTCHA_SITE_KEY', 'test-site-key'), - patch('server.routes.auth.user_verifier') as mock_verifier, patch('server.routes.auth.a_session_maker') as mock_session_maker, - patch('server.routes.auth.domain_blocker') as mock_domain_blocker, + patch( + 'storage.user_authorization_store.UserAuthorizationStore' + ) as mock_user_auth_store, patch('server.routes.auth.set_response_cookie'), patch('server.routes.auth.posthog'), patch('server.routes.email.verify_email', new_callable=AsyncMock), @@ -1906,13 +1759,15 @@ class TestKeycloakCallbackRecaptcha: mock_user_store.backfill_contact_name = AsyncMock() mock_user_store.backfill_user_email = AsyncMock() - mock_verifier.is_active.return_value = True - mock_verifier.is_user_allowed.return_value = True - - mock_domain_blocker.is_domain_blocked = AsyncMock(return_value=False) + mock_user_auth_store.get_authorization_type = AsyncMock(return_value=None) # Act - await keycloak_callback(code='test_code', state=state, request=mock_request) + await keycloak_callback( + code='test_code', + state=state, + request=mock_request, + user_authorizer=create_mock_user_authorizer(), + ) # Assert mock_recaptcha_service.create_assessment.assert_not_called() @@ -1935,9 +1790,10 @@ class TestKeycloakCallbackRecaptcha: patch('server.routes.auth.token_manager') as mock_token_manager, patch('server.routes.auth.recaptcha_service') as mock_recaptcha_service, patch('server.routes.auth.RECAPTCHA_SITE_KEY', 'test-site-key'), - patch('server.routes.auth.user_verifier') as mock_verifier, patch('server.routes.auth.a_session_maker') as mock_session_maker, - patch('server.routes.auth.domain_blocker') as mock_domain_blocker, + patch( + 'storage.user_authorization_store.UserAuthorizationStore' + ) as mock_user_auth_store, patch('server.routes.auth.set_response_cookie'), patch('server.routes.auth.posthog'), patch('server.routes.auth.logger') as mock_logger, @@ -1980,10 +1836,7 @@ class TestKeycloakCallbackRecaptcha: mock_user_store.backfill_contact_name = AsyncMock() mock_user_store.backfill_user_email = AsyncMock() - mock_verifier.is_active.return_value = True - mock_verifier.is_user_allowed.return_value = True - - mock_domain_blocker.is_domain_blocked = AsyncMock(return_value=False) + mock_user_auth_store.get_authorization_type = AsyncMock(return_value=None) mock_recaptcha_service.create_assessment.side_effect = Exception( 'Service error' @@ -1991,7 +1844,10 @@ class TestKeycloakCallbackRecaptcha: # Act result = await keycloak_callback( - code='test_code', state=encoded_state, request=mock_request + code='test_code', + state=encoded_state, + request=mock_request, + user_authorizer=create_mock_user_authorizer(), ) # Assert @@ -2026,7 +1882,9 @@ class TestKeycloakCallbackRecaptcha: patch('server.routes.auth.token_manager') as mock_token_manager, patch('server.routes.auth.recaptcha_service') as mock_recaptcha_service, patch('server.routes.auth.RECAPTCHA_SITE_KEY', 'test-site-key'), - patch('server.routes.auth.domain_blocker') as mock_domain_blocker, + patch( + 'storage.user_authorization_store.UserAuthorizationStore' + ) as mock_user_auth_store, patch('server.routes.auth.logger') as mock_logger, patch('server.routes.email.verify_email', new_callable=AsyncMock), patch('server.routes.auth.UserStore') as mock_user_store, @@ -2054,7 +1912,7 @@ class TestKeycloakCallbackRecaptcha: mock_user_store.backfill_contact_name = AsyncMock() mock_user_store.backfill_user_email = AsyncMock() - mock_domain_blocker.is_domain_blocked = AsyncMock(return_value=False) + mock_user_auth_store.get_authorization_type = AsyncMock(return_value=None) # Patch the module-level recaptcha_service instance mock_recaptcha_service.create_assessment.return_value = ( @@ -2063,7 +1921,10 @@ class TestKeycloakCallbackRecaptcha: # Act await keycloak_callback( - code='test_code', state=encoded_state, request=mock_request + code='test_code', + state=encoded_state, + request=mock_request, + user_authorizer=create_mock_user_authorizer(), ) # Assert @@ -2089,7 +1950,6 @@ async def test_keycloak_callback_calls_backfill_user_email_for_existing_user( with ( patch('server.routes.auth.token_manager') as mock_token_manager, - patch('server.routes.auth.user_verifier') as mock_verifier, patch('server.routes.auth.set_response_cookie'), patch('server.routes.auth.UserStore') as mock_user_store, patch('server.routes.auth.posthog'), @@ -2112,11 +1972,11 @@ async def test_keycloak_callback_calls_backfill_user_email_for_existing_user( mock_token_manager.validate_offline_token = AsyncMock(return_value=True) mock_token_manager.check_duplicate_base_email = AsyncMock(return_value=False) - mock_verifier.is_active.return_value = True - mock_verifier.is_user_allowed.return_value = True - result = await keycloak_callback( - code='test_code', state='test_state', request=mock_request + code='test_code', + state='test_state', + request=mock_request, + user_authorizer=create_mock_user_authorizer(), ) assert isinstance(result, RedirectResponse) diff --git a/enterprise/tests/unit/test_domain_blocker.py b/enterprise/tests/unit/test_domain_blocker.py deleted file mode 100644 index 82670edfe0..0000000000 --- a/enterprise/tests/unit/test_domain_blocker.py +++ /dev/null @@ -1,429 +0,0 @@ -"""Unit tests for DomainBlocker class.""" - -from unittest.mock import AsyncMock, MagicMock - -import pytest -from server.auth.domain_blocker import DomainBlocker - - -@pytest.fixture -def mock_store(): - """Create a mock BlockedEmailDomainStore for testing.""" - store = MagicMock() - store.is_domain_blocked = AsyncMock() - return store - - -@pytest.fixture -def domain_blocker(mock_store): - """Create a DomainBlocker instance for testing with a mocked store.""" - return DomainBlocker(store=mock_store) - - -@pytest.mark.parametrize( - 'email,expected_domain', - [ - ('user@example.com', 'example.com'), - ('test@colsch.us', 'colsch.us'), - ('user.name@other-domain.com', 'other-domain.com'), - ('USER@EXAMPLE.COM', 'example.com'), # Case insensitive - ('user@EXAMPLE.COM', 'example.com'), - (' user@example.com ', 'example.com'), # Whitespace handling - ], -) -def test_extract_domain_valid_emails(domain_blocker, email, expected_domain): - """Test that _extract_domain correctly extracts and normalizes domains from valid emails.""" - # Act - result = domain_blocker._extract_domain(email) - - # Assert - assert result == expected_domain - - -@pytest.mark.parametrize( - 'email,expected', - [ - (None, None), - ('', None), - ('invalid-email', None), - ('user@', None), # Empty domain after @ - ('no-at-sign', None), - ], -) -def test_extract_domain_invalid_emails(domain_blocker, email, expected): - """Test that _extract_domain returns None for invalid email formats.""" - # Act - result = domain_blocker._extract_domain(email) - - # Assert - assert result == expected - - -@pytest.mark.asyncio -async def test_is_domain_blocked_with_none_email(domain_blocker, mock_store): - """Test that is_domain_blocked returns False when email is None.""" - # Arrange - mock_store.is_domain_blocked.return_value = True - - # Act - result = await domain_blocker.is_domain_blocked(None) - - # Assert - assert result is False - mock_store.is_domain_blocked.assert_not_called() - - -@pytest.mark.asyncio -async def test_is_domain_blocked_with_empty_email(domain_blocker, mock_store): - """Test that is_domain_blocked returns False when email is empty.""" - # Arrange - mock_store.is_domain_blocked.return_value = True - - # Act - result = await domain_blocker.is_domain_blocked('') - - # Assert - assert result is False - mock_store.is_domain_blocked.assert_not_called() - - -@pytest.mark.asyncio -async def test_is_domain_blocked_with_invalid_email(domain_blocker, mock_store): - """Test that is_domain_blocked returns False when email format is invalid.""" - # Arrange - mock_store.is_domain_blocked.return_value = True - - # Act - result = await domain_blocker.is_domain_blocked('invalid-email') - - # Assert - assert result is False - mock_store.is_domain_blocked.assert_not_called() - - -@pytest.mark.asyncio -async def test_is_domain_blocked_domain_not_blocked(domain_blocker, mock_store): - """Test that is_domain_blocked returns False when domain is not blocked.""" - # Arrange - mock_store.is_domain_blocked.return_value = False - - # Act - result = await domain_blocker.is_domain_blocked('user@example.com') - - # Assert - assert result is False - mock_store.is_domain_blocked.assert_called_once_with('example.com') - - -@pytest.mark.asyncio -async def test_is_domain_blocked_domain_blocked(domain_blocker, mock_store): - """Test that is_domain_blocked returns True when domain is blocked.""" - # Arrange - mock_store.is_domain_blocked.return_value = True - - # Act - result = await domain_blocker.is_domain_blocked('user@colsch.us') - - # Assert - assert result is True - mock_store.is_domain_blocked.assert_called_once_with('colsch.us') - - -@pytest.mark.asyncio -async def test_is_domain_blocked_case_insensitive(domain_blocker, mock_store): - """Test that is_domain_blocked performs case-insensitive domain extraction.""" - # Arrange - mock_store.is_domain_blocked.return_value = True - - # Act - result = await domain_blocker.is_domain_blocked('user@COLSCH.US') - - # Assert - assert result is True - mock_store.is_domain_blocked.assert_called_once_with('colsch.us') - - -@pytest.mark.asyncio -async def test_is_domain_blocked_with_whitespace(domain_blocker, mock_store): - """Test that is_domain_blocked handles emails with whitespace correctly.""" - # Arrange - mock_store.is_domain_blocked.return_value = True - - # Act - result = await domain_blocker.is_domain_blocked(' user@colsch.us ') - - # Assert - assert result is True - mock_store.is_domain_blocked.assert_called_once_with('colsch.us') - - -@pytest.mark.asyncio -async def test_is_domain_blocked_multiple_blocked_domains(domain_blocker, mock_store): - """Test that is_domain_blocked correctly checks multiple domains.""" - # Arrange - mock_store.is_domain_blocked = AsyncMock( - side_effect=lambda domain: domain - in [ - 'other-domain.com', - 'blocked.org', - ] - ) - - # Act - result1 = await domain_blocker.is_domain_blocked('user@other-domain.com') - result2 = await domain_blocker.is_domain_blocked('user@blocked.org') - result3 = await domain_blocker.is_domain_blocked('user@allowed.com') - - # Assert - assert result1 is True - assert result2 is True - assert result3 is False - assert mock_store.is_domain_blocked.call_count == 3 - - -@pytest.mark.asyncio -async def test_is_domain_blocked_tld_pattern_blocks_matching_domain( - domain_blocker, mock_store -): - """Test that TLD pattern blocks domains ending with that TLD.""" - # Arrange - mock_store.is_domain_blocked.return_value = True - - # Act - result = await domain_blocker.is_domain_blocked('user@company.us') - - # Assert - assert result is True - mock_store.is_domain_blocked.assert_called_once_with('company.us') - - -@pytest.mark.asyncio -async def test_is_domain_blocked_tld_pattern_blocks_subdomain_with_tld( - domain_blocker, mock_store -): - """Test that TLD pattern blocks subdomains with that TLD.""" - # Arrange - mock_store.is_domain_blocked.return_value = True - - # Act - result = await domain_blocker.is_domain_blocked('user@subdomain.company.us') - - # Assert - assert result is True - mock_store.is_domain_blocked.assert_called_once_with('subdomain.company.us') - - -@pytest.mark.asyncio -async def test_is_domain_blocked_tld_pattern_does_not_block_different_tld( - domain_blocker, mock_store -): - """Test that TLD pattern does not block domains with different TLD.""" - # Arrange - mock_store.is_domain_blocked.return_value = False - - # Act - result = await domain_blocker.is_domain_blocked('user@company.com') - - # Assert - assert result is False - mock_store.is_domain_blocked.assert_called_once_with('company.com') - - -@pytest.mark.asyncio -async def test_is_domain_blocked_tld_pattern_case_insensitive( - domain_blocker, mock_store -): - """Test that TLD pattern matching is case-insensitive.""" - # Arrange - mock_store.is_domain_blocked.return_value = True - - # Act - result = await domain_blocker.is_domain_blocked('user@COMPANY.US') - - # Assert - assert result is True - mock_store.is_domain_blocked.assert_called_once_with('company.us') - - -@pytest.mark.asyncio -async def test_is_domain_blocked_tld_pattern_with_multi_level_tld( - domain_blocker, mock_store -): - """Test that TLD pattern works with multi-level TLDs like .co.uk.""" - # Arrange - mock_store.is_domain_blocked.side_effect = lambda domain: domain.endswith('.co.uk') - - # Act - result_match = await domain_blocker.is_domain_blocked('user@example.co.uk') - result_subdomain = await domain_blocker.is_domain_blocked('user@api.example.co.uk') - result_no_match = await domain_blocker.is_domain_blocked('user@example.uk') - - # Assert - assert result_match is True - assert result_subdomain is True - assert result_no_match is False - - -@pytest.mark.asyncio -async def test_is_domain_blocked_domain_pattern_blocks_exact_match( - domain_blocker, mock_store -): - """Test that domain pattern blocks exact domain match.""" - # Arrange - mock_store.is_domain_blocked.return_value = True - - # Act - result = await domain_blocker.is_domain_blocked('user@example.com') - - # Assert - assert result is True - mock_store.is_domain_blocked.assert_called_once_with('example.com') - - -@pytest.mark.asyncio -async def test_is_domain_blocked_domain_pattern_blocks_subdomain( - domain_blocker, mock_store -): - """Test that domain pattern blocks subdomains of that domain.""" - # Arrange - mock_store.is_domain_blocked.return_value = True - - # Act - result = await domain_blocker.is_domain_blocked('user@subdomain.example.com') - - # Assert - assert result is True - mock_store.is_domain_blocked.assert_called_once_with('subdomain.example.com') - - -@pytest.mark.asyncio -async def test_is_domain_blocked_domain_pattern_blocks_multi_level_subdomain( - domain_blocker, mock_store -): - """Test that domain pattern blocks multi-level subdomains.""" - # Arrange - mock_store.is_domain_blocked.return_value = True - - # Act - result = await domain_blocker.is_domain_blocked('user@api.v2.example.com') - - # Assert - assert result is True - mock_store.is_domain_blocked.assert_called_once_with('api.v2.example.com') - - -@pytest.mark.asyncio -async def test_is_domain_blocked_domain_pattern_does_not_block_similar_domain( - domain_blocker, mock_store -): - """Test that domain pattern does not block domains that contain but don't match the pattern.""" - # Arrange - mock_store.is_domain_blocked.return_value = False - - # Act - result = await domain_blocker.is_domain_blocked('user@notexample.com') - - # Assert - assert result is False - mock_store.is_domain_blocked.assert_called_once_with('notexample.com') - - -@pytest.mark.asyncio -async def test_is_domain_blocked_domain_pattern_does_not_block_different_tld( - domain_blocker, mock_store -): - """Test that domain pattern does not block same domain with different TLD.""" - # Arrange - mock_store.is_domain_blocked.return_value = False - - # Act - result = await domain_blocker.is_domain_blocked('user@example.org') - - # Assert - assert result is False - mock_store.is_domain_blocked.assert_called_once_with('example.org') - - -@pytest.mark.asyncio -async def test_is_domain_blocked_subdomain_pattern_blocks_exact_and_nested( - domain_blocker, mock_store -): - """Test that blocking a subdomain also blocks its nested subdomains.""" - # Arrange - mock_store.is_domain_blocked.side_effect = ( - lambda domain: 'api.example.com' in domain - ) - - # Act - result_exact = await domain_blocker.is_domain_blocked('user@api.example.com') - result_nested = await domain_blocker.is_domain_blocked('user@v1.api.example.com') - result_parent = await domain_blocker.is_domain_blocked('user@example.com') - - # Assert - assert result_exact is True - assert result_nested is True - assert result_parent is False - - -@pytest.mark.asyncio -async def test_is_domain_blocked_domain_with_hyphens(domain_blocker, mock_store): - """Test that domain patterns work with hyphenated domains.""" - # Arrange - mock_store.is_domain_blocked.return_value = True - - # Act - result_exact = await domain_blocker.is_domain_blocked('user@my-company.com') - result_subdomain = await domain_blocker.is_domain_blocked('user@api.my-company.com') - - # Assert - assert result_exact is True - assert result_subdomain is True - assert mock_store.is_domain_blocked.call_count == 2 - - -@pytest.mark.asyncio -async def test_is_domain_blocked_domain_with_numbers(domain_blocker, mock_store): - """Test that domain patterns work with numeric domains.""" - # Arrange - mock_store.is_domain_blocked.return_value = True - - # Act - result_exact = await domain_blocker.is_domain_blocked('user@test123.com') - result_subdomain = await domain_blocker.is_domain_blocked('user@api.test123.com') - - # Assert - assert result_exact is True - assert result_subdomain is True - assert mock_store.is_domain_blocked.call_count == 2 - - -@pytest.mark.asyncio -async def test_is_domain_blocked_very_long_subdomain_chain(domain_blocker, mock_store): - """Test that blocking works with very long subdomain chains.""" - # Arrange - mock_store.is_domain_blocked.return_value = True - - # Act - result = await domain_blocker.is_domain_blocked( - 'user@level4.level3.level2.level1.example.com' - ) - - # Assert - assert result is True - mock_store.is_domain_blocked.assert_called_once_with( - 'level4.level3.level2.level1.example.com' - ) - - -@pytest.mark.asyncio -async def test_is_domain_blocked_handles_store_exception(domain_blocker, mock_store): - """Test that is_domain_blocked returns False when store raises an exception.""" - # Arrange - mock_store.is_domain_blocked.side_effect = Exception('Database connection error') - - # Act - result = await domain_blocker.is_domain_blocked('user@example.com') - - # Assert - assert result is False - mock_store.is_domain_blocked.assert_called_once_with('example.com') diff --git a/enterprise/tests/unit/test_saas_user_auth.py b/enterprise/tests/unit/test_saas_user_auth.py index 001dc4c4f0..1b3355ab1a 100644 --- a/enterprise/tests/unit/test_saas_user_auth.py +++ b/enterprise/tests/unit/test_saas_user_auth.py @@ -18,6 +18,7 @@ from server.auth.saas_user_auth import ( saas_user_auth_from_cookie, saas_user_auth_from_signed_token, ) +from storage.user_authorization import UserAuthorizationType from openhands.integrations.provider import ProviderToken, ProviderType @@ -493,14 +494,20 @@ async def test_saas_user_auth_from_signed_token(mock_config): } signed_token = jwt.encode(token_payload, 'test_secret', algorithm='HS256') - result = await saas_user_auth_from_signed_token(signed_token) + # Mock UserAuthorizationStore to avoid database access + with patch( + 'server.auth.saas_user_auth.UserAuthorizationStore' + ) as mock_user_auth_store: + mock_user_auth_store.get_authorization_type = AsyncMock(return_value=None) - assert isinstance(result, SaasUserAuth) - assert result.user_id == 'test_user_id' - assert result.access_token.get_secret_value() == access_token - assert result.refresh_token.get_secret_value() == 'test_refresh_token' - assert result.email == 'test@example.com' - assert result.email_verified is True + result = await saas_user_auth_from_signed_token(signed_token) + + assert isinstance(result, SaasUserAuth) + assert result.user_id == 'test_user_id' + assert result.access_token.get_secret_value() == access_token + assert result.refresh_token.get_secret_value() == 'test_refresh_token' + assert result.email == 'test@example.com' + assert result.email_verified is True def test_get_api_key_from_header_with_authorization_header(): @@ -701,15 +708,21 @@ async def test_saas_user_auth_from_signed_token_blocked_domain(mock_config): } signed_token = jwt.encode(token_payload, 'test_secret', algorithm='HS256') - with patch('server.auth.saas_user_auth.domain_blocker') as mock_domain_blocker: - mock_domain_blocker.is_domain_blocked = AsyncMock(return_value=True) + with patch( + 'server.auth.saas_user_auth.UserAuthorizationStore' + ) as mock_user_auth_store: + mock_user_auth_store.get_authorization_type = AsyncMock( + return_value=UserAuthorizationType.BLACKLIST + ) # Act & Assert with pytest.raises(AuthError) as exc_info: await saas_user_auth_from_signed_token(signed_token) assert 'email domain is not allowed' in str(exc_info.value) - mock_domain_blocker.is_domain_blocked.assert_called_once_with('user@colsch.us') + mock_user_auth_store.get_authorization_type.assert_called_once_with( + 'user@colsch.us', None + ) @pytest.mark.asyncio @@ -730,8 +743,10 @@ async def test_saas_user_auth_from_signed_token_allowed_domain(mock_config): } signed_token = jwt.encode(token_payload, 'test_secret', algorithm='HS256') - with patch('server.auth.saas_user_auth.domain_blocker') as mock_domain_blocker: - mock_domain_blocker.is_domain_blocked = AsyncMock(return_value=False) + with patch( + 'server.auth.saas_user_auth.UserAuthorizationStore' + ) as mock_user_auth_store: + mock_user_auth_store.get_authorization_type = AsyncMock(return_value=None) # Act result = await saas_user_auth_from_signed_token(signed_token) @@ -740,8 +755,8 @@ async def test_saas_user_auth_from_signed_token_allowed_domain(mock_config): assert isinstance(result, SaasUserAuth) assert result.user_id == 'test_user_id' assert result.email == 'user@example.com' - mock_domain_blocker.is_domain_blocked.assert_called_once_with( - 'user@example.com' + mock_user_auth_store.get_authorization_type.assert_called_once_with( + 'user@example.com', None ) @@ -763,8 +778,10 @@ async def test_saas_user_auth_from_signed_token_domain_blocking_inactive(mock_co } signed_token = jwt.encode(token_payload, 'test_secret', algorithm='HS256') - with patch('server.auth.saas_user_auth.domain_blocker') as mock_domain_blocker: - mock_domain_blocker.is_domain_blocked = AsyncMock(return_value=False) + with patch( + 'server.auth.saas_user_auth.UserAuthorizationStore' + ) as mock_user_auth_store: + mock_user_auth_store.get_authorization_type = AsyncMock(return_value=None) # Act result = await saas_user_auth_from_signed_token(signed_token) @@ -772,4 +789,6 @@ async def test_saas_user_auth_from_signed_token_domain_blocking_inactive(mock_co # Assert assert isinstance(result, SaasUserAuth) assert result.user_id == 'test_user_id' - mock_domain_blocker.is_domain_blocked.assert_called_once_with('user@colsch.us') + mock_user_auth_store.get_authorization_type.assert_called_once_with( + 'user@colsch.us', None + ) From b0cdd0358f59318d05db13b9ef65b2e7f0b4794a Mon Sep 17 00:00:00 2001 From: aivong-openhands Date: Fri, 6 Mar 2026 10:31:46 -0600 Subject: [PATCH 64/67] fix: add mcp>=1.25 constraint and CVE-2025-66416 tests (#13247) Co-authored-by: openhands Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> --- poetry.lock | 2 +- pyproject.toml | 2 + tests/unit/mcp/test_cve_2025_66416.py | 256 ++++++++++++++++++++++++++ 3 files changed, 259 insertions(+), 1 deletion(-) create mode 100644 tests/unit/mcp/test_cve_2025_66416.py diff --git a/poetry.lock b/poetry.lock index d16e9ddd8d..52209d1803 100644 --- a/poetry.lock +++ b/poetry.lock @@ -14691,4 +14691,4 @@ third-party-runtimes = ["daytona", "e2b-code-interpreter", "modal", "runloop-api [metadata] lock-version = "2.1" python-versions = "^3.12,<3.14" -content-hash = "f51ce6271ad5a8141386895148e95b9e28a24ceadd0acd402220485a761f9e62" +content-hash = "40f6bb8fe5d6f6d911523b8ad8fd431c932eb0b9bf6dcbfe114c67ebae8e5123" diff --git a/pyproject.toml b/pyproject.toml index 5b89f42003..44ef787e25 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -52,6 +52,7 @@ dependencies = [ "libtmux>=0.46.2", "litellm!=1.64.4,!=1.67.*,>=1.74.3", "lmnr>=0.7.20", + "mcp>=1.25", "memory-profiler>=0.61", "numpy", "openai==2.8", @@ -210,6 +211,7 @@ poetry = "^2.1.2" anyio = "4.9.0" pythonnet = "*" fastmcp = "^2.12.4" # Note: 2.12.0+ has breaking auth API changes +mcp = "^1.25.0" # CVE-2025-66416 fix (DNS rebinding protection) python-frontmatter = "^1.1.0" shellingham = "^1.5.4" # TODO: Should these go into the runtime group? diff --git a/tests/unit/mcp/test_cve_2025_66416.py b/tests/unit/mcp/test_cve_2025_66416.py new file mode 100644 index 0000000000..2b50a4bcb0 --- /dev/null +++ b/tests/unit/mcp/test_cve_2025_66416.py @@ -0,0 +1,256 @@ +"""Tests to verify CVE-2025-66416 (DNS rebinding vulnerability) is fixed. + +CVE-2025-66416: The Model Context Protocol (MCP) Python SDK prior to version 1.23.0 +did not enable DNS rebinding protection by default for HTTP-based servers. When an +HTTP-based MCP server is run on localhost without authentication using FastMCP with +streamable HTTP or SSE transport, and has not configured TransportSecuritySettings, +a malicious website could exploit DNS rebinding to bypass same-origin policy +restrictions and send requests to the local MCP server. + +Fix: MCP version 1.23.0+ enables DNS rebinding protection by default when the host +parameter is 127.0.0.1 or localhost. This is enforced through TransportSecuritySettings. + +Reference: https://github.com/modelcontextprotocol/python-sdk/security/advisories/GHSA-9h52-p55h-vw2f +""" + +import importlib.metadata +import re + +import pytest + + +class TestMCPVersionRequirement: + """Test that MCP version meets the security requirement.""" + + def test_mcp_version_is_1_23_0_or_higher(self): + """Verify mcp version is >= 1.23.0 to include CVE-2025-66416 fix.""" + version = importlib.metadata.version('mcp') + + # Parse version string (e.g., "1.25.0" -> (1, 25, 0)) + version_parts = [int(x) for x in re.split(r'[.-]', version)[:3]] + major, minor, patch = (version_parts + [0, 0, 0])[:3] + + # CVE-2025-66416 was fixed in mcp 1.23.0 + assert (major, minor, patch) >= (1, 23, 0), ( + f'MCP version {version} is vulnerable to CVE-2025-66416. ' + f'Minimum required version is 1.23.0.' + ) + + def test_mcp_version_is_1_25_0_or_higher_preferred(self): + """Verify mcp version is >= 1.25.0 for complete security hardening.""" + version = importlib.metadata.version('mcp') + + # Parse version string + version_parts = [int(x) for x in re.split(r'[.-]', version)[:3]] + major, minor, patch = (version_parts + [0, 0, 0])[:3] + + # 1.25.0 is the recommended version with all security improvements + assert (major, minor, patch) >= (1, 25, 0), ( + f'MCP version {version} should be upgraded to 1.25.0+ ' + f'for complete CVE-2025-66416 security hardening.' + ) + + +class TestTransportSecuritySettingsAvailability: + """Test that TransportSecuritySettings is available for DNS rebinding protection.""" + + def test_transport_security_settings_exists(self): + """Verify TransportSecuritySettings class is available in mcp module.""" + from mcp.server.fastmcp.server import Settings + + # The Settings class should have security-related configuration + assert hasattr(Settings, '__annotations__'), ( + 'Settings class should have annotations for configuration' + ) + + def test_fastmcp_accepts_security_settings(self): + """Test FastMCP can be instantiated (security defaults are applied internally).""" + from fastmcp import FastMCP + + # Create a server - in 1.23.0+ DNS rebinding protection is enabled by default + # for localhost/127.0.0.1 hosts + server = FastMCP('cve-test-server') + assert server is not None + + +class TestDNSRebindingProtectionDefaults: + """Test that DNS rebinding protection is enabled by default for localhost.""" + + def test_fastmcp_has_localhost_protection(self): + """Verify FastMCP applies security defaults for localhost servers.""" + from fastmcp import FastMCP + + # Creating a server for localhost should have protection by default + # per the CVE fix in mcp 1.23.0+ + server = FastMCP('localhost-test-server') + + # Server should be created successfully with defaults + assert server is not None + assert server.name == 'localhost-test-server' + + def test_mcp_server_has_security_configuration(self): + """Test that MCP server components have security configuration options.""" + # Check that security-related imports are available + from mcp.server.session import ServerSession # noqa: F401 + from mcp.shared.exceptions import McpError # noqa: F401 + + # These should be importable if mcp 1.23.0+ is installed + # and the security fix is in place + assert True + + +class TestSSETransportSecurity: + """Test SSE transport has appropriate security settings.""" + + def test_sse_transport_can_be_created(self): + """Test SSETransport can be instantiated from fastmcp.""" + from fastmcp.client.transports import SSETransport + + # Create SSE transport - should work without errors + transport = SSETransport( + url='http://localhost:8080/sse', + headers={'X-Test': 'value'}, + ) + assert transport is not None + + def test_sse_transport_with_localhost_url(self): + """Test SSE transport with localhost URL has proper configuration.""" + from fastmcp.client.transports import SSETransport + + # Localhost URLs should work with the security fix + transport = SSETransport(url='http://127.0.0.1:8080/sse') + assert transport is not None + assert any(host in str(transport.url) for host in ('127.0.0.1', 'localhost')) + + +class TestStreamableHttpTransportSecurity: + """Test StreamableHttp transport has appropriate security settings.""" + + def test_streamable_http_transport_can_be_created(self): + """Test StreamableHttpTransport can be instantiated.""" + from fastmcp.client.transports import StreamableHttpTransport + + transport = StreamableHttpTransport( + url='http://localhost:8080/mcp', + headers={'Authorization': 'Bearer test'}, + ) + assert transport is not None + + def test_streamable_http_transport_with_localhost(self): + """Test StreamableHttp transport with localhost URL.""" + from fastmcp.client.transports import StreamableHttpTransport + + transport = StreamableHttpTransport(url='http://localhost:3000/mcp') + assert transport is not None + + +class TestMCPErrorHandling: + """Test MCP error handling for security-related errors.""" + + def test_mcp_error_exists(self): + """Verify McpError is properly defined for error handling.""" + from mcp import McpError + + assert issubclass(McpError, Exception) + + def test_mcp_error_can_be_raised(self): + """Test McpError can be raised and caught.""" + from mcp import McpError + from mcp.types import ErrorData + + # McpError requires ErrorData object, not a string + error_data = ErrorData(code=-1, message='Test security error') + with pytest.raises(McpError): + raise McpError(error_data) + + def test_tool_error_exists(self): + """Verify ToolError from fastmcp is available.""" + from fastmcp.exceptions import ToolError + + assert issubclass(ToolError, Exception) + + +class TestMCPTypesIntegrity: + """Test MCP types are properly defined (integrity check for the fix).""" + + def test_call_tool_result_type(self): + """Verify CallToolResult type is available.""" + from mcp.types import CallToolResult + + assert CallToolResult is not None + + def test_tool_type(self): + """Verify Tool type is available.""" + from mcp.types import Tool + + assert Tool is not None + + def test_text_content_type(self): + """Verify TextContent type is available for tool responses.""" + from mcp.types import TextContent + + assert TextContent is not None + + +class TestFastMCPVersionCompatibility: + """Test FastMCP version is compatible with the security fix.""" + + def test_fastmcp_server_creation_with_mask_error_details(self): + """Test FastMCP server can be created with mask_error_details option.""" + from fastmcp import FastMCP + + # This option helps prevent leaking sensitive information in errors + server = FastMCP('secure-server', mask_error_details=True) + assert server is not None + + +class TestSecurityIntegration: + """Integration tests for security-related functionality.""" + + def test_full_import_chain(self): + """Test the full import chain for security-fixed modules.""" + # MCP core + # FastMCP components + from fastmcp import FastMCP + from fastmcp.client.transports import ( + SSETransport, + StdioTransport, + StreamableHttpTransport, + ) + from fastmcp.exceptions import ToolError + from mcp import McpError + from mcp.types import CallToolResult, Tool + + # All imports should succeed with the CVE fix in place + assert all( + [ + McpError is not None, + CallToolResult is not None, + Tool is not None, + FastMCP is not None, + SSETransport is not None, + StreamableHttpTransport is not None, + StdioTransport is not None, + ToolError is not None, + ] + ) + + def test_openhands_mcp_client_imports(self): + """Test OpenHands MCP client can import required dependencies.""" + from openhands.mcp.client import MCPClient + from openhands.mcp.tool import MCPClientTool + + assert MCPClient is not None + assert MCPClientTool is not None + + def test_openhands_mcp_config_types(self): + """Test OpenHands MCP config types are available.""" + from openhands.core.config.mcp_config import ( + MCPSHTTPServerConfig, + MCPSSEServerConfig, + MCPStdioServerConfig, + ) + + assert MCPSSEServerConfig is not None + assert MCPSHTTPServerConfig is not None + assert MCPStdioServerConfig is not None From ede203add3a59ba68d7bc511fbaf2fac5543302a Mon Sep 17 00:00:00 2001 From: Joe Laverty Date: Fri, 6 Mar 2026 11:49:20 -0500 Subject: [PATCH 65/67] feat(enterprise): Bitbucket Data Center Integration (#13228) Co-authored-by: openhands --- .../allhands-realm-github-provider.json.tmpl | 54 ++++++ enterprise/enterprise_local/convert_to_env.py | 3 + .../bitbucket_data_center/__init__.py | 0 .../bitbucket_dc_service.py | 65 +++++++ enterprise/saas_server.py | 7 + enterprise/server/auth/constants.py | 10 + enterprise/server/auth/saas_user_auth.py | 4 + enterprise/server/auth/token_manager.py | 33 ++++ enterprise/server/config.py | 4 + .../server/routes/bitbucket_dc_proxy.py | 63 ++++++ .../bitbucket_data_center/__init__.py | 0 .../test_bitbucket_dc_service.py | 132 +++++++++++++ .../server/routes/test_bitbucket_dc_proxy.py | 182 ++++++++++++++++++ enterprise/tests/unit/test_saas_user_auth.py | 102 ++++++++++ .../tests/unit/test_token_manager_extended.py | 105 ++++++++++ 15 files changed, 764 insertions(+) create mode 100644 enterprise/integrations/bitbucket_data_center/__init__.py create mode 100644 enterprise/integrations/bitbucket_data_center/bitbucket_dc_service.py create mode 100644 enterprise/server/routes/bitbucket_dc_proxy.py create mode 100644 enterprise/tests/unit/integrations/bitbucket_data_center/__init__.py create mode 100644 enterprise/tests/unit/integrations/bitbucket_data_center/test_bitbucket_dc_service.py create mode 100644 enterprise/tests/unit/server/routes/test_bitbucket_dc_proxy.py diff --git a/enterprise/allhands-realm-github-provider.json.tmpl b/enterprise/allhands-realm-github-provider.json.tmpl index 35ff5f0afc..c3e24e61d4 100644 --- a/enterprise/allhands-realm-github-provider.json.tmpl +++ b/enterprise/allhands-realm-github-provider.json.tmpl @@ -1772,6 +1772,40 @@ "sendIdTokenOnLogout": "true", "passMaxAge": "false" } + }, + { + "alias": "bitbucket_data_center", + "displayName": "Bitbucket Data Center", + "internalId": "b77b4ead-20e8-451c-ad27-99f92d561616", + "providerId": "oauth2", + "enabled": true, + "updateProfileFirstLoginMode": "on", + "trustEmail": true, + "storeToken": true, + "addReadTokenRoleOnCreate": false, + "authenticateByDefault": false, + "linkOnly": false, + "hideOnLogin": false, + "config": { + "givenNameClaim": "given_name", + "userInfoUrl": "https://${WEB_HOST}/bitbucket-dc-proxy/oauth2/userinfo", + "clientId": "$BITBUCKET_DATA_CENTER_CLIENT_ID", + "tokenUrl": "https://${BITBUCKET_DATA_CENTER_HOST}/rest/oauth2/latest/token", + "acceptsPromptNoneForwardFromClient": "false", + "fullNameClaim": "name", + "userIDClaim": "sub", + "emailClaim": "email", + "userNameClaim": "preferred_username", + "caseSensitiveOriginalUsername": "false", + "familyNameClaim": "family_name", + "pkceEnabled": "false", + "authorizationUrl": "https://${BITBUCKET_DATA_CENTER_HOST}/rest/oauth2/latest/authorize", + "clientAuthMethod": "client_secret_post", + "syncMode": "IMPORT", + "clientSecret": "$BITBUCKET_DATA_CENTER_CLIENT_SECRET", + "allowedClockSkew": "0", + "defaultScope": "REPO_WRITE" + } } ], "identityProviderMappers": [ @@ -1829,6 +1863,26 @@ "syncMode": "FORCE", "attribute": "identity_provider" } + }, + { + "name": "id-mapper", + "identityProviderAlias": "bitbucket_data_center", + "identityProviderMapper": "oidc-user-attribute-idp-mapper", + "config": { + "syncMode": "FORCE", + "claim": "sub", + "user.attribute": "bitbucket_data_center_id" + } + }, + { + "name": "identity-provider", + "identityProviderAlias": "bitbucket_data_center", + "identityProviderMapper": "hardcoded-attribute-idp-mapper", + "config": { + "attribute.value": "bitbucket_data_center", + "syncMode": "FORCE", + "attribute": "identity_provider" + } } ], "components": { diff --git a/enterprise/enterprise_local/convert_to_env.py b/enterprise/enterprise_local/convert_to_env.py index cbd04b6449..cfef08bf19 100644 --- a/enterprise/enterprise_local/convert_to_env.py +++ b/enterprise/enterprise_local/convert_to_env.py @@ -109,6 +109,9 @@ lines.append( lines.append( 'OPENHANDS_BITBUCKET_SERVICE_CLS=integrations.bitbucket.bitbucket_service.SaaSBitBucketService' ) +lines.append( + 'OPENHANDS_BITBUCKET_DATA_CENTER_SERVICE_CLS=integrations.bitbucket_data_center.bitbucket_dc_service.SaaSBitbucketDCService' +) lines.append( 'OPENHANDS_CONVERSATION_VALIDATOR_CLS=storage.saas_conversation_validator.SaasConversationValidator' ) diff --git a/enterprise/integrations/bitbucket_data_center/__init__.py b/enterprise/integrations/bitbucket_data_center/__init__.py new file mode 100644 index 0000000000..e69de29bb2 diff --git a/enterprise/integrations/bitbucket_data_center/bitbucket_dc_service.py b/enterprise/integrations/bitbucket_data_center/bitbucket_dc_service.py new file mode 100644 index 0000000000..eeb0334b95 --- /dev/null +++ b/enterprise/integrations/bitbucket_data_center/bitbucket_dc_service.py @@ -0,0 +1,65 @@ +from pydantic import SecretStr +from server.auth.token_manager import TokenManager + +from openhands.core.logger import openhands_logger as logger +from openhands.integrations.bitbucket_data_center.bitbucket_dc_service import ( + BitbucketDCService, +) +from openhands.integrations.service_types import ProviderType + + +class SaaSBitbucketDCService(BitbucketDCService): + def __init__( + self, + user_id: str | None = None, + external_auth_token: SecretStr | None = None, + external_auth_id: str | None = None, + token: SecretStr | None = None, + external_token_manager: bool = False, + base_domain: str | None = None, + ): + logger.debug( + f'SaaSBitbucketDCService created with user_id {user_id}, external_auth_id {external_auth_id}, external_auth_token {'set' if external_auth_token else 'None'}, token {'set' if token else 'None'}, external_token_manager {external_token_manager}' + ) + super().__init__( + user_id=user_id, + external_auth_token=external_auth_token, + external_auth_id=external_auth_id, + token=token, + external_token_manager=external_token_manager, + base_domain=base_domain, + ) + + self.token_manager = TokenManager(external=external_token_manager) + self.refresh = True + + async def get_latest_token(self) -> SecretStr | None: + bitbucket_dc_token = None + if self.external_auth_token: + bitbucket_dc_token = SecretStr( + await self.token_manager.get_idp_token( + self.external_auth_token.get_secret_value(), + idp=ProviderType.BITBUCKET_DATA_CENTER, + ) + ) + logger.debug('Got Bitbucket DC token via external_auth_token') + elif self.external_auth_id: + offline_token = await self.token_manager.load_offline_token( + self.external_auth_id + ) + bitbucket_dc_token = SecretStr( + await self.token_manager.get_idp_token_from_offline_token( + offline_token, ProviderType.BITBUCKET_DATA_CENTER + ) + ) + logger.debug('Got Bitbucket DC token via external_auth_id') + elif self.user_id: + bitbucket_dc_token = SecretStr( + await self.token_manager.get_idp_token_from_idp_user_id( + self.user_id, ProviderType.BITBUCKET_DATA_CENTER + ) + ) + logger.debug('Got Bitbucket DC token via user_id') + else: + logger.warning('external_auth_token and user_id not set!') + return bitbucket_dc_token diff --git a/enterprise/saas_server.py b/enterprise/saas_server.py index 106ca93200..8bb576a55b 100644 --- a/enterprise/saas_server.py +++ b/enterprise/saas_server.py @@ -14,6 +14,7 @@ from fastapi.middleware.cors import CORSMiddleware # noqa: E402 from fastapi.responses import JSONResponse # noqa: E402 from server.auth.auth_error import ExpiredError, NoCredentialsError # noqa: E402 from server.auth.constants import ( # noqa: E402 + BITBUCKET_DATA_CENTER_HOST, ENABLE_JIRA, ENABLE_JIRA_DC, ENABLE_LINEAR, @@ -130,6 +131,12 @@ if ENABLE_JIRA_DC: base_app.include_router(jira_dc_integration_router) if ENABLE_LINEAR: base_app.include_router(linear_integration_router) +if BITBUCKET_DATA_CENTER_HOST: + from server.routes.bitbucket_dc_proxy import ( + router as bitbucket_dc_proxy_router, # noqa: E402 + ) + + base_app.include_router(bitbucket_dc_proxy_router) base_app.include_router(email_router) # Add routes for email management base_app.include_router(feedback_router) # Add routes for conversation feedback base_app.include_router( diff --git a/enterprise/server/auth/constants.py b/enterprise/server/auth/constants.py index df6e9aef54..eb8b1aaf60 100644 --- a/enterprise/server/auth/constants.py +++ b/enterprise/server/auth/constants.py @@ -40,6 +40,16 @@ ROLE_CHECK_ENABLED = os.getenv('ROLE_CHECK_ENABLED', 'false').lower() in ( ) DUPLICATE_EMAIL_CHECK = os.getenv('DUPLICATE_EMAIL_CHECK', 'true') in ('1', 'true') +BITBUCKET_DATA_CENTER_CLIENT_ID = os.getenv( + 'BITBUCKET_DATA_CENTER_CLIENT_ID', '' +).strip() +BITBUCKET_DATA_CENTER_CLIENT_SECRET = os.getenv( + 'BITBUCKET_DATA_CENTER_CLIENT_SECRET', '' +).strip() +BITBUCKET_DATA_CENTER_HOST = os.getenv('BITBUCKET_DATA_CENTER_HOST', '').strip() +BITBUCKET_DATA_CENTER_TOKEN_URL = ( + f'https://{BITBUCKET_DATA_CENTER_HOST}/rest/oauth2/latest/token' +) # reCAPTCHA Enterprise RECAPTCHA_PROJECT_ID = os.getenv('RECAPTCHA_PROJECT_ID', '').strip() diff --git a/enterprise/server/auth/saas_user_auth.py b/enterprise/server/auth/saas_user_auth.py index 501f0c31a6..c2b3e1fbe9 100644 --- a/enterprise/server/auth/saas_user_auth.py +++ b/enterprise/server/auth/saas_user_auth.py @@ -13,6 +13,7 @@ from server.auth.auth_error import ( ExpiredError, NoCredentialsError, ) +from server.auth.constants import BITBUCKET_DATA_CENTER_HOST from server.auth.token_manager import TokenManager from server.config import get_config from server.logger import logger @@ -177,6 +178,9 @@ class SaasUserAuth(UserAuth): if user_secrets and idp_type in user_secrets.provider_tokens: host = user_secrets.provider_tokens[idp_type].host + if idp_type == ProviderType.BITBUCKET_DATA_CENTER and not host: + host = BITBUCKET_DATA_CENTER_HOST or None + provider_token = await token_manager.get_idp_token( access_token.get_secret_value(), idp=idp_type, diff --git a/enterprise/server/auth/token_manager.py b/enterprise/server/auth/token_manager.py index b057968a0d..e409d62c1a 100644 --- a/enterprise/server/auth/token_manager.py +++ b/enterprise/server/auth/token_manager.py @@ -21,6 +21,10 @@ from server.auth.auth_error import ExpiredError from server.auth.constants import ( BITBUCKET_APP_CLIENT_ID, BITBUCKET_APP_CLIENT_SECRET, + BITBUCKET_DATA_CENTER_CLIENT_ID, + BITBUCKET_DATA_CENTER_CLIENT_SECRET, + BITBUCKET_DATA_CENTER_HOST, + BITBUCKET_DATA_CENTER_TOKEN_URL, DUPLICATE_EMAIL_CHECK, GITHUB_APP_CLIENT_ID, GITHUB_APP_CLIENT_SECRET, @@ -379,6 +383,8 @@ class TokenManager: return await self._refresh_gitlab_token(refresh_token) elif idp == ProviderType.BITBUCKET: return await self._refresh_bitbucket_token(refresh_token) + elif idp == ProviderType.BITBUCKET_DATA_CENTER: + return await self._refresh_bitbucket_data_center_token(refresh_token) else: raise ValueError(f'Unsupported IDP: {idp}') @@ -460,6 +466,33 @@ class TokenManager: data = response.json() return await self._parse_refresh_response(data) + async def _refresh_bitbucket_data_center_token( + self, refresh_token: str + ) -> dict[str, str | int]: + if not BITBUCKET_DATA_CENTER_HOST: + raise ValueError( + 'BITBUCKET_DATA_CENTER_HOST is not configured. ' + 'Set the BITBUCKET_DATA_CENTER_HOST environment variable.' + ) + url = BITBUCKET_DATA_CENTER_TOKEN_URL + logger.info(f'Refreshing Bitbucket Data Center token with URL: {url}') + + payload = { + 'client_id': BITBUCKET_DATA_CENTER_CLIENT_ID, + 'client_secret': BITBUCKET_DATA_CENTER_CLIENT_SECRET, + 'refresh_token': refresh_token, + 'grant_type': 'refresh_token', + } + async with httpx.AsyncClient( + verify=httpx_verify_option(), timeout=IDP_HTTP_TIMEOUT + ) as client: + response = await client.post(url, data=payload) + response.raise_for_status() + logger.info('Successfully refreshed Bitbucket Data Center token') + + data = response.json() + return await self._parse_refresh_response(data) + async def _parse_refresh_response(self, data: dict) -> dict[str, str | int]: access_token = data.get('access_token') refresh_token = data.get('refresh_token') diff --git a/enterprise/server/config.py b/enterprise/server/config.py index bc20b94706..dbccc94a55 100644 --- a/enterprise/server/config.py +++ b/enterprise/server/config.py @@ -9,6 +9,7 @@ import requests # type: ignore from fastapi import HTTPException from server.auth.constants import ( BITBUCKET_APP_CLIENT_ID, + BITBUCKET_DATA_CENTER_CLIENT_ID, ENABLE_ENTERPRISE_SSO, ENABLE_JIRA, ENABLE_JIRA_DC, @@ -164,6 +165,9 @@ class SaaSServerConfig(ServerConfig): if ENABLE_ENTERPRISE_SSO: providers_configured.append(ProviderType.ENTERPRISE_SSO) + if BITBUCKET_DATA_CENTER_CLIENT_ID: + providers_configured.append(ProviderType.BITBUCKET_DATA_CENTER) + config: dict[str, typing.Any] = { 'APP_MODE': self.app_mode, 'APP_SLUG': self.app_slug, diff --git a/enterprise/server/routes/bitbucket_dc_proxy.py b/enterprise/server/routes/bitbucket_dc_proxy.py new file mode 100644 index 0000000000..aae25d823f --- /dev/null +++ b/enterprise/server/routes/bitbucket_dc_proxy.py @@ -0,0 +1,63 @@ +import httpx +from fastapi import APIRouter, Request +from fastapi.responses import JSONResponse +from server.auth.constants import BITBUCKET_DATA_CENTER_HOST + +from openhands.utils.http_session import httpx_verify_option + +router = APIRouter(prefix='/bitbucket-dc-proxy') + +BITBUCKET_DC_TIMEOUT = 10 # seconds + + +# Bitbucket Data Center is not an OIDC provider, so keycloak +# can't retrieve user info from it directly. +# This endpoint proxies requests to bitbucket data center to get user info +# given a Bitbucket Data Center access token. Keycloak +# is configured to use this endpoint as the User Info Endpoint +# for the Bitbucket Data Center OIDC provider. +@router.get('/oauth2/userinfo') +async def userinfo(request: Request): + if not BITBUCKET_DATA_CENTER_HOST: + raise ValueError('BITBUCKET_DATA_CENTER_HOST must be configured') + bitbucket_base_url = f'https://{BITBUCKET_DATA_CENTER_HOST}' + + auth_header = request.headers.get('Authorization', '') + if not auth_header.startswith('Bearer '): + return JSONResponse({'error': 'missing_token'}, status_code=401) + + headers = {'Authorization': auth_header} + async with httpx.AsyncClient(verify=httpx_verify_option()) as client: + # Step 1: get username + whoami_resp = await client.get( + f'{bitbucket_base_url}/plugins/servlet/applinks/whoami', + headers=headers, + timeout=BITBUCKET_DC_TIMEOUT, + ) + if whoami_resp.status_code != 200: + return JSONResponse({'error': 'not_authenticated'}, status_code=401) + username = whoami_resp.text.strip() + if not username: + return JSONResponse({'error': 'not_authenticated'}, status_code=401) + + # Step 2: get user details + user_resp = await client.get( + f'{bitbucket_base_url}/rest/api/latest/users/{username}', + headers=headers, + timeout=BITBUCKET_DC_TIMEOUT, + ) + if user_resp.status_code != 200: + return JSONResponse( + {'error': f'bitbucket_error: {user_resp.status_code}'}, + status_code=user_resp.status_code, + ) + user_data = user_resp.json() + + return JSONResponse( + { + 'sub': str(user_data.get('id', username)), + 'preferred_username': user_data.get('name', username), + 'name': user_data.get('displayName', username), + 'email': user_data.get('emailAddress', ''), + } + ) diff --git a/enterprise/tests/unit/integrations/bitbucket_data_center/__init__.py b/enterprise/tests/unit/integrations/bitbucket_data_center/__init__.py new file mode 100644 index 0000000000..e69de29bb2 diff --git a/enterprise/tests/unit/integrations/bitbucket_data_center/test_bitbucket_dc_service.py b/enterprise/tests/unit/integrations/bitbucket_data_center/test_bitbucket_dc_service.py new file mode 100644 index 0000000000..935c3ef40c --- /dev/null +++ b/enterprise/tests/unit/integrations/bitbucket_data_center/test_bitbucket_dc_service.py @@ -0,0 +1,132 @@ +"""Unit tests for SaaSBitbucketDCService.""" + +from unittest.mock import AsyncMock, patch + +import pytest +from integrations.bitbucket_data_center.bitbucket_dc_service import ( + SaaSBitbucketDCService, +) +from pydantic import SecretStr +from server.auth.token_manager import TokenManager + + +@pytest.fixture +def service(): + return SaaSBitbucketDCService() + + +@pytest.fixture +def service_with_external_auth_token(): + return SaaSBitbucketDCService(external_auth_token=SecretStr('test_keycloak_token')) + + +@pytest.fixture +def service_with_external_auth_id(): + return SaaSBitbucketDCService(external_auth_id='test_user_id') + + +@pytest.fixture +def service_with_user_id(): + return SaaSBitbucketDCService(user_id='test_user_id') + + +class TestSaaSBitbucketDCServiceInit: + def test_refresh_flag_is_true(self): + # self.refresh = True is required so the base class BitbucketDCService + # retries the request with a refreshed token on 401 responses. + # See openhands/integrations/bitbucket_data_center/service/base.py, + # which checks `if self.refresh` before attempting the retry. + service = SaaSBitbucketDCService() + assert service.refresh is True + + def test_token_manager_is_created(self): + service = SaaSBitbucketDCService() + assert isinstance(service.token_manager, TokenManager) + + def test_external_token_manager_flag_passed(self): + service = SaaSBitbucketDCService(external_token_manager=True) + assert service.token_manager.external is True + + +class TestGetLatestToken: + @pytest.mark.asyncio + async def test_get_latest_token_with_external_auth_token( + self, service_with_external_auth_token + ): + expected_token = 'test_bitbucket_dc_token' + with patch.object( + service_with_external_auth_token.token_manager, + 'get_idp_token', + new_callable=AsyncMock, + return_value=expected_token, + ): + token = await service_with_external_auth_token.get_latest_token() + + assert token is not None + assert token.get_secret_value() == expected_token + + @pytest.mark.asyncio + async def test_get_latest_token_with_external_auth_id( + self, service_with_external_auth_id + ): + offline_token = 'test_offline_token' + expected_token = 'test_bitbucket_dc_token' + with patch.object( + service_with_external_auth_id.token_manager, + 'load_offline_token', + new_callable=AsyncMock, + return_value=offline_token, + ), patch.object( + service_with_external_auth_id.token_manager, + 'get_idp_token_from_offline_token', + new_callable=AsyncMock, + return_value=expected_token, + ): + token = await service_with_external_auth_id.get_latest_token() + + assert token is not None + assert token.get_secret_value() == expected_token + + @pytest.mark.asyncio + async def test_get_latest_token_with_user_id(self, service_with_user_id): + expected_token = 'test_bitbucket_dc_token' + with patch.object( + service_with_user_id.token_manager, + 'get_idp_token_from_idp_user_id', + new_callable=AsyncMock, + return_value=expected_token, + ): + token = await service_with_user_id.get_latest_token() + + assert token is not None + assert token.get_secret_value() == expected_token + + @pytest.mark.asyncio + async def test_get_latest_token_no_auth_returns_none(self, service): + token = await service.get_latest_token() + assert token is None + + @pytest.mark.asyncio + async def test_get_latest_token_external_auth_token_priority(self): + """external_auth_token takes priority over external_auth_id.""" + expected_token = 'test_bitbucket_dc_token' + service = SaaSBitbucketDCService( + external_auth_token=SecretStr('test_keycloak_token'), + external_auth_id='test_user_id', + ) + with patch.object( + service.token_manager, + 'get_idp_token', + new_callable=AsyncMock, + return_value=expected_token, + ) as mock_get_idp_token, patch.object( + service.token_manager, + 'load_offline_token', + new_callable=AsyncMock, + ) as mock_load_offline: + token = await service.get_latest_token() + + assert token is not None + assert token.get_secret_value() == expected_token + mock_get_idp_token.assert_called_once() + mock_load_offline.assert_not_called() diff --git a/enterprise/tests/unit/server/routes/test_bitbucket_dc_proxy.py b/enterprise/tests/unit/server/routes/test_bitbucket_dc_proxy.py new file mode 100644 index 0000000000..9fd0b33b64 --- /dev/null +++ b/enterprise/tests/unit/server/routes/test_bitbucket_dc_proxy.py @@ -0,0 +1,182 @@ +from unittest.mock import AsyncMock, MagicMock, call, patch + +import pytest +from fastapi import FastAPI +from fastapi.testclient import TestClient +from server.routes.bitbucket_dc_proxy import router + + +@pytest.fixture +def client(): + app = FastAPI() + app.include_router(router) + with patch( + 'server.routes.bitbucket_dc_proxy.BITBUCKET_DATA_CENTER_HOST', 'bitbucket.test' + ): + yield TestClient(app) + + +def test_missing_authorization_header(client): + response = client.get('/bitbucket-dc-proxy/oauth2/userinfo') + assert response.status_code == 401 + assert response.json() == {'error': 'missing_token'} + + +def test_non_bearer_scheme(client): + response = client.get( + '/bitbucket-dc-proxy/oauth2/userinfo', + headers={'Authorization': 'Basic xyz'}, + ) + assert response.status_code == 401 + assert response.json() == {'error': 'missing_token'} + + +def test_whoami_non_200(client): + whoami_resp = MagicMock() + whoami_resp.status_code = 403 + + with patch('server.routes.bitbucket_dc_proxy.httpx.AsyncClient') as mock_client_cls: + mock_client = AsyncMock() + mock_client.get = AsyncMock(side_effect=[whoami_resp]) + mock_client_cls.return_value.__aenter__ = AsyncMock(return_value=mock_client) + mock_client_cls.return_value.__aexit__ = AsyncMock(return_value=None) + + response = client.get( + '/bitbucket-dc-proxy/oauth2/userinfo', + headers={'Authorization': 'Bearer some_token'}, + ) + + assert response.status_code == 401 + assert response.json() == {'error': 'not_authenticated'} + + +def test_whoami_empty_body(client): + whoami_resp = MagicMock() + whoami_resp.status_code = 200 + whoami_resp.text = ' ' + + with patch('server.routes.bitbucket_dc_proxy.httpx.AsyncClient') as mock_client_cls: + mock_client = AsyncMock() + mock_client.get = AsyncMock(side_effect=[whoami_resp]) + mock_client_cls.return_value.__aenter__ = AsyncMock(return_value=mock_client) + mock_client_cls.return_value.__aexit__ = AsyncMock(return_value=None) + + response = client.get( + '/bitbucket-dc-proxy/oauth2/userinfo', + headers={'Authorization': 'Bearer some_token'}, + ) + + assert response.status_code == 401 + assert response.json() == {'error': 'not_authenticated'} + + +def test_user_details_non_200(client): + whoami_resp = MagicMock() + whoami_resp.status_code = 200 + whoami_resp.text = 'testuser' + + user_resp = MagicMock() + user_resp.status_code = 404 + + with patch('server.routes.bitbucket_dc_proxy.httpx.AsyncClient') as mock_client_cls: + mock_client = AsyncMock() + mock_client.get = AsyncMock(side_effect=[whoami_resp, user_resp]) + mock_client_cls.return_value.__aenter__ = AsyncMock(return_value=mock_client) + mock_client_cls.return_value.__aexit__ = AsyncMock(return_value=None) + + response = client.get( + '/bitbucket-dc-proxy/oauth2/userinfo', + headers={'Authorization': 'Bearer some_token'}, + ) + + assert response.status_code == 404 + assert response.json() == {'error': 'bitbucket_error: 404'} + + +def test_happy_path_full_user_data(client): + whoami_resp = MagicMock() + whoami_resp.status_code = 200 + whoami_resp.text = 'jsmith' + + user_resp = MagicMock() + user_resp.status_code = 200 + user_resp.json.return_value = { + 'id': 42, + 'name': 'jsmith', + 'displayName': 'John Smith', + 'emailAddress': 'john@example.com', + } + + with patch('server.routes.bitbucket_dc_proxy.httpx.AsyncClient') as mock_client_cls: + mock_client = AsyncMock() + mock_client.get = AsyncMock(side_effect=[whoami_resp, user_resp]) + mock_client_cls.return_value.__aenter__ = AsyncMock(return_value=mock_client) + mock_client_cls.return_value.__aexit__ = AsyncMock(return_value=None) + + response = client.get( + '/bitbucket-dc-proxy/oauth2/userinfo', + headers={'Authorization': 'Bearer some_token'}, + ) + + assert response.status_code == 200 + data = response.json() + assert data['sub'] == '42' + assert data['preferred_username'] == 'jsmith' + assert data['name'] == 'John Smith' + assert data['email'] == 'john@example.com' + mock_client.get.assert_has_calls( + [ + call( + 'https://bitbucket.test/plugins/servlet/applinks/whoami', + headers={'Authorization': 'Bearer some_token'}, + timeout=10, + ), + call( + 'https://bitbucket.test/rest/api/latest/users/jsmith', + headers={'Authorization': 'Bearer some_token'}, + timeout=10, + ), + ] + ) + + +def test_happy_path_missing_id_falls_back_to_username(client): + whoami_resp = MagicMock() + whoami_resp.status_code = 200 + whoami_resp.text = 'jsmith' + + user_resp = MagicMock() + user_resp.status_code = 200 + user_resp.json.return_value = { + 'name': 'jsmith', + 'displayName': 'John Smith', + 'emailAddress': 'john@example.com', + } + + with patch('server.routes.bitbucket_dc_proxy.httpx.AsyncClient') as mock_client_cls: + mock_client = AsyncMock() + mock_client.get = AsyncMock(side_effect=[whoami_resp, user_resp]) + mock_client_cls.return_value.__aenter__ = AsyncMock(return_value=mock_client) + mock_client_cls.return_value.__aexit__ = AsyncMock(return_value=None) + + response = client.get( + '/bitbucket-dc-proxy/oauth2/userinfo', + headers={'Authorization': 'Bearer some_token'}, + ) + + assert response.status_code == 200 + assert response.json()['sub'] == 'jsmith' + mock_client.get.assert_has_calls( + [ + call( + 'https://bitbucket.test/plugins/servlet/applinks/whoami', + headers={'Authorization': 'Bearer some_token'}, + timeout=10, + ), + call( + 'https://bitbucket.test/rest/api/latest/users/jsmith', + headers={'Authorization': 'Bearer some_token'}, + timeout=10, + ), + ] + ) diff --git a/enterprise/tests/unit/test_saas_user_auth.py b/enterprise/tests/unit/test_saas_user_auth.py index 1b3355ab1a..92552de3ad 100644 --- a/enterprise/tests/unit/test_saas_user_auth.py +++ b/enterprise/tests/unit/test_saas_user_auth.py @@ -21,6 +21,7 @@ from server.auth.saas_user_auth import ( from storage.user_authorization import UserAuthorizationType from openhands.integrations.provider import ProviderToken, ProviderType +from openhands.storage.data_models.secrets import Secrets @pytest.fixture @@ -238,6 +239,107 @@ async def test_get_provider_tokens(mock_token_manager): pass +class TestGetProviderTokensBitbucketDCHost: + """Tests for Bitbucket DC host fallback from BITBUCKET_DATA_CENTER_HOST.""" + + def _make_auth_token(self): + mock_token = MagicMock() + mock_token.identity_provider = 'bitbucket_data_center' + mock_token.id = 'token-id-1' + return mock_token + + def _make_user_auth(self, mock_session_maker): + mock_session = AsyncMock() + mock_session.__aenter__ = AsyncMock(return_value=mock_session) + mock_session.__aexit__ = AsyncMock(return_value=None) + mock_result = MagicMock() + mock_result.scalars.return_value.all.return_value = [self._make_auth_token()] + mock_session.execute = AsyncMock(return_value=mock_result) + mock_session_maker.return_value = mock_session + + access_payload = {'sub': 'test_user_id', 'exp': int(time.time()) + 3600} + access_token = jwt.encode(access_payload, 'secret', algorithm='HS256') + + user_auth = SaasUserAuth( + user_id='test_user_id', + refresh_token=SecretStr('refresh_token'), + access_token=SecretStr(access_token), + ) + return user_auth, mock_session + + @pytest.mark.asyncio + async def test_host_derived_from_token_url(self): + """host is populated from BITBUCKET_DATA_CENTER_HOST when user secrets lack it.""" + with ( + patch('server.auth.saas_user_auth.token_manager') as mock_tm, + patch('server.auth.saas_user_auth.a_session_maker') as mock_session_maker, + patch( + 'server.auth.saas_user_auth.BITBUCKET_DATA_CENTER_HOST', + 'bitbucket.company.com', + ), + ): + mock_tm.get_idp_token = AsyncMock(return_value='bdc_access_token') + user_auth, mock_session = self._make_user_auth(mock_session_maker) + user_auth.get_secrets = AsyncMock(return_value=None) + + result = await user_auth.get_provider_tokens() + + assert ProviderType.BITBUCKET_DATA_CENTER in result + assert ( + result[ProviderType.BITBUCKET_DATA_CENTER].host == 'bitbucket.company.com' + ) + mock_session.execute.assert_called_once() + + @pytest.mark.asyncio + async def test_host_from_user_secrets_takes_priority(self): + """User-configured host in secrets takes priority over the HOST fallback.""" + with ( + patch('server.auth.saas_user_auth.token_manager') as mock_tm, + patch('server.auth.saas_user_auth.a_session_maker') as mock_session_maker, + patch( + 'server.auth.saas_user_auth.BITBUCKET_DATA_CENTER_HOST', + 'bitbucket.company.com', + ), + ): + mock_tm.get_idp_token = AsyncMock(return_value='bdc_access_token') + user_auth, mock_session = self._make_user_auth(mock_session_maker) + user_secrets = Secrets( + provider_tokens={ + ProviderType.BITBUCKET_DATA_CENTER: ProviderToken( + token=SecretStr('existing_token'), + host='custom.bitbucket.host', + ) + } + ) + user_auth.get_secrets = AsyncMock(return_value=user_secrets) + + result = await user_auth.get_provider_tokens() + + assert ProviderType.BITBUCKET_DATA_CENTER in result + assert ( + result[ProviderType.BITBUCKET_DATA_CENTER].host == 'custom.bitbucket.host' + ) + mock_session.execute.assert_called_once() + + @pytest.mark.asyncio + async def test_host_remains_none_when_host_empty(self): + """host stays None when BITBUCKET_DATA_CENTER_HOST is empty.""" + with ( + patch('server.auth.saas_user_auth.token_manager') as mock_tm, + patch('server.auth.saas_user_auth.a_session_maker') as mock_session_maker, + patch('server.auth.saas_user_auth.BITBUCKET_DATA_CENTER_HOST', ''), + ): + mock_tm.get_idp_token = AsyncMock(return_value='bdc_access_token') + user_auth, mock_session = self._make_user_auth(mock_session_maker) + user_auth.get_secrets = AsyncMock(return_value=None) + + result = await user_auth.get_provider_tokens() + + assert ProviderType.BITBUCKET_DATA_CENTER in result + assert result[ProviderType.BITBUCKET_DATA_CENTER].host is None + mock_session.execute.assert_called_once() + + @pytest.mark.asyncio async def test_get_provider_tokens_cached(mock_token_manager): """Test that get_provider_tokens returns cached tokens if available.""" diff --git a/enterprise/tests/unit/test_token_manager_extended.py b/enterprise/tests/unit/test_token_manager_extended.py index 012fdaa08e..90b7df0a6b 100644 --- a/enterprise/tests/unit/test_token_manager_extended.py +++ b/enterprise/tests/unit/test_token_manager_extended.py @@ -362,6 +362,111 @@ async def test_disable_keycloak_user_exception_handling(token_manager): mock_admin.a_get_user.assert_called_once_with(user_id) +class TestRefreshBitbucketDataCenterToken: + """Tests for the _refresh_bitbucket_data_center_token code path.""" + + @pytest.mark.asyncio + async def test_happy_path(self, token_manager): + """Credentials are sent in the POST body (not Basic auth); response is parsed.""" + mock_response = MagicMock() + mock_response.raise_for_status = MagicMock() + mock_response.json.return_value = { + 'access_token': 'new_bbs_access', + 'refresh_token': 'new_bbs_refresh', + 'expires_in': 3600, + 'refresh_token_expires_in': 86400, + } + + with ( + patch( + 'server.auth.token_manager.BITBUCKET_DATA_CENTER_HOST', + 'bitbucket.example.com', + ), + patch( + 'server.auth.token_manager.BITBUCKET_DATA_CENTER_TOKEN_URL', + 'https://bitbucket.example.com/oauth2/token', + ), + patch( + 'server.auth.token_manager.BITBUCKET_DATA_CENTER_CLIENT_ID', + 'test_client_id', + ), + patch( + 'server.auth.token_manager.BITBUCKET_DATA_CENTER_CLIENT_SECRET', + 'test_client_secret', + ), + patch('httpx.AsyncClient') as mock_client_cls, + ): + mock_client = AsyncMock() + mock_client.post = AsyncMock(return_value=mock_response) + mock_client_cls.return_value.__aenter__ = AsyncMock( + return_value=mock_client + ) + mock_client_cls.return_value.__aexit__ = AsyncMock(return_value=None) + + result = await token_manager._refresh_bitbucket_data_center_token( + 'old_refresh_token' + ) + + # Credentials are sent in the POST body, not in a Basic-auth header + mock_client.post.assert_called_once_with( + 'https://bitbucket.example.com/oauth2/token', + data={ + 'client_id': 'test_client_id', + 'client_secret': 'test_client_secret', + 'refresh_token': 'old_refresh_token', + 'grant_type': 'refresh_token', + }, + ) + + # Response is parsed correctly + assert result['access_token'] == 'new_bbs_access' + assert result['refresh_token'] == 'new_bbs_refresh' + + @pytest.mark.asyncio + async def test_empty_url_raises_value_error(self, token_manager): + """When BITBUCKET_DATA_CENTER_HOST is not set, ValueError is raised immediately.""" + with patch('server.auth.token_manager.BITBUCKET_DATA_CENTER_HOST', ''): + with pytest.raises(ValueError, match='BITBUCKET_DATA_CENTER_HOST'): + await token_manager._refresh_bitbucket_data_center_token( + 'some_refresh_token' + ) + + @pytest.mark.asyncio + async def test_http_error_propagates(self, token_manager): + """When raise_for_status() raises, the exception propagates to the caller.""" + import httpx + + mock_response = MagicMock() + mock_response.raise_for_status.side_effect = httpx.HTTPStatusError( + '401 Unauthorized', + request=MagicMock(), + response=MagicMock(status_code=401), + ) + + with ( + patch( + 'server.auth.token_manager.BITBUCKET_DATA_CENTER_HOST', + 'bitbucket.example.com', + ), + patch( + 'server.auth.token_manager.BITBUCKET_DATA_CENTER_TOKEN_URL', + 'https://bitbucket.example.com/oauth2/token', + ), + patch('httpx.AsyncClient') as mock_client_cls, + ): + mock_client = AsyncMock() + mock_client.post = AsyncMock(return_value=mock_response) + mock_client_cls.return_value.__aenter__ = AsyncMock( + return_value=mock_client + ) + mock_client_cls.return_value.__aexit__ = AsyncMock(return_value=None) + + with pytest.raises(httpx.HTTPStatusError): + await token_manager._refresh_bitbucket_data_center_token( + 'old_refresh_token' + ) + + class TestOrgTokenMethods: """Test cases for store_org_token and load_org_token methods.""" From d1c2185d99a2b2444669b0d5b80b427842b26481 Mon Sep 17 00:00:00 2001 From: Jamie Chicago <87397251+jamiechicago312@users.noreply.github.com> Date: Fri, 6 Mar 2026 15:24:55 -0600 Subject: [PATCH 66/67] [fix] update welcome email to new cloud sign ups (#13254) Co-authored-by: openhands --- enterprise/sync/resend_keycloak.py | 21 +++++++++++++++------ 1 file changed, 15 insertions(+), 6 deletions(-) diff --git a/enterprise/sync/resend_keycloak.py b/enterprise/sync/resend_keycloak.py index 768d423ed7..f9a703b24a 100644 --- a/enterprise/sync/resend_keycloak.py +++ b/enterprise/sync/resend_keycloak.py @@ -16,7 +16,8 @@ Optional environment variables: - KEYCLOAK_PROVIDER_NAME: Provider name for Keycloak - KEYCLOAK_CLIENT_ID: Client ID for Keycloak - KEYCLOAK_CLIENT_SECRET: Client secret for Keycloak -- RESEND_FROM_EMAIL: Email address to use as the sender (default: "All Hands Team ") +- RESEND_FROM_EMAIL: Email address to use as the sender (default: "OpenHands Team ") +- RESEND_REPLY_TO_EMAIL: Email address for replies (default: "contact@openhands.dev") - BATCH_SIZE: Number of users to process in each batch (default: 100) - MAX_RETRIES: Maximum number of retries for API calls (default: 3) - INITIAL_BACKOFF_SECONDS: Initial backoff time for retries (default: 1) @@ -292,7 +293,10 @@ def send_welcome_email( # Prepare email parameters params = { 'from': os.environ.get( - 'RESEND_FROM_EMAIL', 'All Hands Team ' + 'RESEND_FROM_EMAIL', 'OpenHands Team ' + ), + 'reply_to': os.environ.get( + 'RESEND_REPLY_TO_EMAIL', 'contact@openhands.dev' ), 'to': [email], 'subject': 'Welcome to OpenHands Cloud', @@ -302,13 +306,18 @@ def send_welcome_email(

Thanks for joining OpenHands Cloud — we're excited to help you start building with the world's leading open source AI coding agent!

Here are three quick ways to get started:

    -
  1. Connect your Git repo – Link your GitHub or GitLab repository in seconds so OpenHands can begin understanding your codebase and suggest tasks.
    2. -
  2. Use OpenHands on an issue or pull request – Label an issue with 'openhands' or mention @openhands on any PR comment to generate explanations, tests, refactors, or doc fixes tailored to the exact lines you're reviewing.
    3. -
  3. Join the community – Drop into our Slack Community to share tips, feedback, and help shape the next features on our roadmap.
    4. +
  4. Connect your Git repo – Link your GitHub or GitLab repository in seconds so OpenHands can begin understanding your codebase and suggest tasks.
    5. +
  5. Use OpenHands on an issue or pull request – Label an issue with 'openhands' or mention @openhands on any PR comment to generate explanations, tests, refactors, or doc fixes tailored to the exact lines you're reviewing.
    6. +
  6. Join the community – Join our Slack Community to share tips, feedback, and help shape the next features on our roadmap.

Have questions? Want to share feedback? Just reply to this email—we're here to help.

Happy coding!

-

The All Hands AI team

+

The OpenHands team

+

--

+

OpenHands

+

24 Oak Street

+

Cambridge MA 02139

+

https://openhands.dev

""", } From 3ec999e88a13aabfae02bfcf57a6434de3384337 Mon Sep 17 00:00:00 2001 From: Tim O'Farrell Date: Fri, 6 Mar 2026 21:48:19 -0700 Subject: [PATCH 67/67] Fix LiteLLM key management and user migration SQL queries (#13279) Co-authored-by: openhands --- enterprise/storage/lite_llm_manager.py | 14 +- enterprise/storage/user_store.py | 25 +- .../tests/unit/test_lite_llm_manager.py | 6 +- enterprise/tests/unit/test_user_store.py | 410 ++++++++++++++++++ 4 files changed, 438 insertions(+), 17 deletions(-) diff --git a/enterprise/storage/lite_llm_manager.py b/enterprise/storage/lite_llm_manager.py index 49af669359..a7e240c7d7 100644 --- a/enterprise/storage/lite_llm_manager.py +++ b/enterprise/storage/lite_llm_manager.py @@ -137,11 +137,23 @@ class LiteLlmManager: client, keycloak_user_id, org_id, team_budget ) + # We delete the key if it already exists. In environments where multiple + # installations are using the same keycloak and litellm instance, this + # will mean other installations will have their key invalidated. + key_alias = get_openhands_cloud_key_alias(keycloak_user_id, org_id) + try: + await LiteLlmManager._delete_key_by_alias(client, key_alias) + except httpx.HTTPStatusError as ex: + if ex.status_code == 404: + logger.debug(f'Key "{key_alias}" did not exist - continuing') + else: + raise + key = await LiteLlmManager._generate_key( client, keycloak_user_id, org_id, - get_openhands_cloud_key_alias(keycloak_user_id, org_id), + key_alias, None, ) diff --git a/enterprise/storage/user_store.py b/enterprise/storage/user_store.py index f5d1c9d27a..9d363d10c4 100644 --- a/enterprise/storage/user_store.py +++ b/enterprise/storage/user_store.py @@ -295,29 +295,28 @@ class UserStore: extra={'user_id': user_id}, ) + user_uuid = uuid.UUID(user_id) + # need to migrate conversation metadata await session.execute( text(""" INSERT INTO conversation_metadata_saas (conversation_id, user_id, org_id) SELECT conversation_id, - :user_id, - :user_id + :user_uuid, + :user_uuid FROM conversation_metadata - WHERE user_id = :user_id + WHERE user_id = :user_id_text """), - {'user_id': user_id}, + {'user_uuid': user_uuid, 'user_id_text': user_id}, ) - # Update org_id for tables that had org_id added - user_uuid = uuid.UUID(user_id) - # Update stripe_customers await session.execute( text( 'UPDATE stripe_customers SET org_id = :org_id WHERE keycloak_user_id = :user_id' ), - {'org_id': user_uuid, 'user_id': user_uuid}, + {'org_id': user_uuid, 'user_id': user_id}, ) # Update slack_users @@ -325,7 +324,7 @@ class UserStore: text( 'UPDATE slack_users SET org_id = :org_id WHERE keycloak_user_id = :user_id' ), - {'org_id': user_uuid, 'user_id': user_uuid}, + {'org_id': user_uuid, 'user_id': user_id}, ) # Update slack_conversation @@ -333,13 +332,13 @@ class UserStore: text( 'UPDATE slack_conversation SET org_id = :org_id WHERE keycloak_user_id = :user_id' ), - {'org_id': user_uuid, 'user_id': user_uuid}, + {'org_id': user_uuid, 'user_id': user_id}, ) # Update api_keys await session.execute( text('UPDATE api_keys SET org_id = :org_id WHERE user_id = :user_id'), - {'org_id': user_uuid, 'user_id': user_uuid}, + {'org_id': user_uuid, 'user_id': user_id}, ) # Update custom_secrets @@ -347,7 +346,7 @@ class UserStore: text( 'UPDATE custom_secrets SET org_id = :org_id WHERE keycloak_user_id = :user_id' ), - {'org_id': user_uuid, 'user_id': user_uuid}, + {'org_id': user_uuid, 'user_id': user_id}, ) # Update billing_sessions @@ -355,7 +354,7 @@ class UserStore: text( 'UPDATE billing_sessions SET org_id = :org_id WHERE user_id = :user_id' ), - {'org_id': user_uuid, 'user_id': user_uuid}, + {'org_id': user_uuid, 'user_id': user_id}, ) await session.commit() diff --git a/enterprise/tests/unit/test_lite_llm_manager.py b/enterprise/tests/unit/test_lite_llm_manager.py index 04ca2347fc..8c26709aa3 100644 --- a/enterprise/tests/unit/test_lite_llm_manager.py +++ b/enterprise/tests/unit/test_lite_llm_manager.py @@ -180,11 +180,11 @@ class TestLiteLlmManager: assert result.llm_api_key.get_secret_value() == 'test-api-key' assert result.llm_base_url == 'http://test.com' - # Verify API calls were made (get_team + 3 posts) + # Verify API calls were made (get_team + 4 posts) assert mock_client.get.call_count == 1 # get_team assert ( - mock_client.post.call_count == 3 - ) # create_team, add_user_to_team, generate_key + mock_client.post.call_count == 4 + ) # create_team, add_user_to_team, delete_key_by_alias, generate_key @pytest.mark.asyncio async def test_create_entries_inherits_existing_team_budget( diff --git a/enterprise/tests/unit/test_user_store.py b/enterprise/tests/unit/test_user_store.py index 6a2ecb41ac..61ea471883 100644 --- a/enterprise/tests/unit/test_user_store.py +++ b/enterprise/tests/unit/test_user_store.py @@ -833,3 +833,413 @@ async def test_release_user_creation_lock_released(): assert result is True mock_redis.delete.assert_called_once() + + +# --- Tests for migrate_user SQL parameter type handling --- + + +@pytest.mark.asyncio +async def test_migrate_user_sql_type_handling(async_session_maker): + """Test that migrate_user correctly handles UUID vs string types in SQL queries. + + This test verifies the fixes for SQL parameter binding issues in _migrate_personal_data + where UUID and string parameters need to be correctly matched to their column types. + + Note: SQLite doesn't natively support UUID types, so we use string representations. + The key verification is that: + 1. String user_ids in WHERE clauses match source tables correctly + 2. UUID values are inserted into target UUID columns correctly + 3. The migration queries don't fail due to type mismatches + """ + from sqlalchemy import text + + user_id = str(uuid.uuid4()) + user_uuid = uuid.UUID(user_id) + # For SQLite raw SQL, use string representation of UUID + user_uuid_str = str(user_uuid) + + # Set up legacy data with string user_ids (as in the old schema) + async with async_session_maker() as session: + # First, add conversation_metadata with user_id as string column + # The current model doesn't have user_id, but the real DB did before migration + # We use raw SQL to add the column and insert test data + await session.execute( + text('ALTER TABLE conversation_metadata ADD COLUMN user_id VARCHAR') + ) + await session.execute( + text( + """ + INSERT INTO conversation_metadata (conversation_id, user_id, conversation_version, created_at, last_updated_at) + VALUES (:conv_id, :user_id, 'V0', CURRENT_TIMESTAMP, CURRENT_TIMESTAMP) + """ + ), + {'conv_id': 'test-conv-1', 'user_id': user_id}, + ) + + # Create org first (needed for foreign keys) + org = Org(id=user_uuid, name=f'user_{user_id}_org') + session.add(org) + + # Create user (needed for foreign keys) + user = User(id=user_uuid, current_org_id=user_uuid) + session.add(user) + await session.commit() + + # Add stripe_customers with keycloak_user_id as string + from storage.stripe_customer import StripeCustomer + + stripe_customer = StripeCustomer( + keycloak_user_id=user_id, stripe_customer_id='stripe_123' + ) + session.add(stripe_customer) + + # Add slack_users with keycloak_user_id as string + from storage.slack_user import SlackUser + + slack_user = SlackUser( + keycloak_user_id=user_id, + slack_user_id='slack_user_123', + slack_display_name='Test User', + ) + session.add(slack_user) + + # Add slack_conversation with keycloak_user_id as string + from storage.slack_conversation import SlackConversation + + slack_conv = SlackConversation( + conversation_id='slack-conv-1', + channel_id='channel_123', + keycloak_user_id=user_id, + ) + session.add(slack_conv) + + # Add api_keys with user_id as string + from storage.api_key import ApiKey + + api_key = ApiKey(key='api_key_123', user_id=user_id, name='Test API Key') + session.add(api_key) + + # Add custom_secrets with keycloak_user_id as string + from storage.stored_custom_secrets import StoredCustomSecrets + + custom_secret = StoredCustomSecrets( + keycloak_user_id=user_id, + secret_name='test_secret', + secret_value='secret_value', + ) + session.add(custom_secret) + + # Add billing_sessions with user_id as string + from storage.billing_session import BillingSession + + billing_session = BillingSession( + id='billing-session-1', + user_id=user_id, + status='completed', + price=10, + price_code='USD', + ) + session.add(billing_session) + + await session.commit() + + # Now execute the migration SQL statements with the correct parameter types + # This tests the fix: using user_uuid for UUID columns and user_id for string columns + # Note: For SQLite, we use string representation of UUID + + # Test 1: conversation_metadata to conversation_metadata_saas migration + # The fix uses user_uuid (UUID) for inserting into user_id/org_id (UUID columns) + # and user_id_text (string) for comparing with user_id in conversation_metadata (string column) + await session.execute( + text( + """ + INSERT INTO conversation_metadata_saas (conversation_id, user_id, org_id) + SELECT + conversation_id, + :user_uuid, + :user_uuid + FROM conversation_metadata + WHERE user_id = :user_id_text + """ + ), + {'user_uuid': user_uuid_str, 'user_id_text': user_id}, + ) + + # Test 2: Update stripe_customers - org_id is UUID, keycloak_user_id is string + await session.execute( + text( + 'UPDATE stripe_customers SET org_id = :org_id WHERE keycloak_user_id = :user_id' + ), + {'org_id': user_uuid_str, 'user_id': user_id}, + ) + + # Test 3: Update slack_users - org_id is UUID, keycloak_user_id is string + await session.execute( + text( + 'UPDATE slack_users SET org_id = :org_id WHERE keycloak_user_id = :user_id' + ), + {'org_id': user_uuid_str, 'user_id': user_id}, + ) + + # Test 4: Update slack_conversation - org_id is UUID, keycloak_user_id is string + await session.execute( + text( + 'UPDATE slack_conversation SET org_id = :org_id WHERE keycloak_user_id = :user_id' + ), + {'org_id': user_uuid_str, 'user_id': user_id}, + ) + + # Test 5: Update api_keys - org_id is UUID, user_id is string + await session.execute( + text('UPDATE api_keys SET org_id = :org_id WHERE user_id = :user_id'), + {'org_id': user_uuid_str, 'user_id': user_id}, + ) + + # Test 6: Update custom_secrets - org_id is UUID, keycloak_user_id is string + await session.execute( + text( + 'UPDATE custom_secrets SET org_id = :org_id WHERE keycloak_user_id = :user_id' + ), + {'org_id': user_uuid_str, 'user_id': user_id}, + ) + + # Test 7: Update billing_sessions - org_id is UUID, user_id is string + await session.execute( + text( + 'UPDATE billing_sessions SET org_id = :org_id WHERE user_id = :user_id' + ), + {'org_id': user_uuid_str, 'user_id': user_id}, + ) + + await session.commit() + + # Verify the data was migrated correctly + from storage.stored_conversation_metadata_saas import ( + StoredConversationMetadataSaas, + ) + + # Verify conversation_metadata_saas + result = await session.execute( + select(StoredConversationMetadataSaas).filter( + StoredConversationMetadataSaas.conversation_id == 'test-conv-1' + ) + ) + saas_metadata = result.scalars().first() + assert ( + saas_metadata is not None + ), 'conversation_metadata_saas record should exist' + assert saas_metadata.user_id == user_uuid, 'user_id should be UUID type' + assert saas_metadata.org_id == user_uuid, 'org_id should be UUID type' + + # Verify stripe_customers org_id was set + result = await session.execute( + select(StripeCustomer).filter(StripeCustomer.keycloak_user_id == user_id) + ) + stripe_record = result.scalars().first() + assert stripe_record is not None + assert ( + stripe_record.org_id == user_uuid + ), 'stripe_customers.org_id should be UUID' + + # Verify slack_users org_id was set + result = await session.execute( + select(SlackUser).filter(SlackUser.keycloak_user_id == user_id) + ) + slack_user_record = result.scalars().first() + assert slack_user_record is not None + assert ( + slack_user_record.org_id == user_uuid + ), 'slack_users.org_id should be UUID' + + # Verify slack_conversation org_id was set + result = await session.execute( + select(SlackConversation).filter( + SlackConversation.keycloak_user_id == user_id + ) + ) + slack_conv_record = result.scalars().first() + assert slack_conv_record is not None + assert ( + slack_conv_record.org_id == user_uuid + ), 'slack_conversation.org_id should be UUID' + + # Verify api_keys org_id was set + result = await session.execute(select(ApiKey).filter(ApiKey.user_id == user_id)) + api_key_record = result.scalars().first() + assert api_key_record is not None + assert api_key_record.org_id == user_uuid, 'api_keys.org_id should be UUID' + + # Verify custom_secrets org_id was set + result = await session.execute( + select(StoredCustomSecrets).filter( + StoredCustomSecrets.keycloak_user_id == user_id + ) + ) + custom_secret_record = result.scalars().first() + assert custom_secret_record is not None + assert ( + custom_secret_record.org_id == user_uuid + ), 'custom_secrets.org_id should be UUID' + + # Verify billing_sessions org_id was set + result = await session.execute( + select(BillingSession).filter(BillingSession.user_id == user_id) + ) + billing_record = result.scalars().first() + assert billing_record is not None + assert ( + billing_record.org_id == user_uuid + ), 'billing_sessions.org_id should be UUID' + + +@pytest.mark.asyncio +async def test_migrate_user_sql_no_matching_records(async_session_maker): + """Test that migration SQL handles the case where no records match the user_id. + + This verifies that the SQL queries don't fail when there are no matching records. + """ + from sqlalchemy import text + + user_id = str(uuid.uuid4()) + user_uuid = uuid.UUID(user_id) + user_uuid_str = str(user_uuid) + other_user_id = str(uuid.uuid4()) + + # Set up data for a different user + async with async_session_maker() as session: + # Add conversation_metadata with user_id column for a different user + await session.execute( + text('ALTER TABLE conversation_metadata ADD COLUMN user_id VARCHAR') + ) + await session.execute( + text( + """ + INSERT INTO conversation_metadata (conversation_id, user_id, conversation_version, created_at, last_updated_at) + VALUES (:conv_id, :user_id, 'V0', CURRENT_TIMESTAMP, CURRENT_TIMESTAMP) + """ + ), + {'conv_id': 'other-conv-1', 'user_id': other_user_id}, + ) + + # Create org and user for our test user + org = Org(id=user_uuid, name=f'user_{user_id}_org') + session.add(org) + user = User(id=user_uuid, current_org_id=user_uuid) + session.add(user) + await session.commit() + + # Execute migration SQL for our user (no data should match) + await session.execute( + text( + """ + INSERT INTO conversation_metadata_saas (conversation_id, user_id, org_id) + SELECT + conversation_id, + :user_uuid, + :user_uuid + FROM conversation_metadata + WHERE user_id = :user_id_text + """ + ), + {'user_uuid': user_uuid_str, 'user_id_text': user_id}, + ) + await session.commit() + + # Verify no records were created for our user + from storage.stored_conversation_metadata_saas import ( + StoredConversationMetadataSaas, + ) + + result = await session.execute( + select(StoredConversationMetadataSaas).filter( + StoredConversationMetadataSaas.user_id == user_uuid + ) + ) + records = result.scalars().all() + assert ( + len(records) == 0 + ), 'No records should be created for non-matching user_id' + + +@pytest.mark.asyncio +async def test_migrate_user_sql_multiple_conversations(async_session_maker): + """Test that migration SQL correctly handles multiple conversations for a user.""" + from sqlalchemy import text + + user_id = str(uuid.uuid4()) + user_uuid = uuid.UUID(user_id) + user_uuid_str = str(user_uuid) + + async with async_session_maker() as session: + # Create org and user FIRST (needed for foreign keys) + org = Org(id=user_uuid, name=f'user_{user_id}_org') + session.add(org) + user = User(id=user_uuid, current_org_id=user_uuid) + session.add(user) + await session.commit() + + # Add conversation_metadata with user_id column + await session.execute( + text('ALTER TABLE conversation_metadata ADD COLUMN user_id VARCHAR') + ) + await session.commit() + + # Insert multiple conversations for the same user + for i in range(3): + await session.execute( + text( + """ + INSERT INTO conversation_metadata (conversation_id, user_id, conversation_version, created_at, last_updated_at) + VALUES (:conv_id, :user_id, 'V0', CURRENT_TIMESTAMP, CURRENT_TIMESTAMP) + """ + ), + {'conv_id': f'test-conv-{i}', 'user_id': user_id}, + ) + + await session.commit() + + # Verify that conversation_metadata was inserted + result = await session.execute( + text('SELECT conversation_id, user_id FROM conversation_metadata') + ) + conv_rows = result.fetchall() + assert ( + len(conv_rows) == 3 + ), f'Expected 3 conversation_metadata rows, got {len(conv_rows)}' + + # Execute migration SQL + await session.execute( + text( + """ + INSERT INTO conversation_metadata_saas (conversation_id, user_id, org_id) + SELECT + conversation_id, + :user_uuid, + :user_uuid + FROM conversation_metadata + WHERE user_id = :user_id_text + """ + ), + {'user_uuid': user_uuid_str, 'user_id_text': user_id}, + ) + await session.commit() + + # Verify all conversations were migrated using raw SQL + # (SQLite stores UUIDs as strings, ORM comparison may differ) + result = await session.execute( + text( + 'SELECT conversation_id, user_id, org_id FROM conversation_metadata_saas WHERE user_id = :user_uuid' + ), + {'user_uuid': user_uuid_str}, + ) + saas_rows = result.fetchall() + assert len(saas_rows) == 3, 'All 3 conversations should be migrated' + + # Verify the user_id and org_id values + for row in saas_rows: + assert ( + row.user_id == user_uuid_str + ), f'user_id should match: {row.user_id} vs {user_uuid_str}' + assert ( + row.org_id == user_uuid_str + ), f'org_id should match: {row.org_id} vs {user_uuid_str}'