from __future__ import annotations from pathlib import Path import hashlib import json import secrets import tempfile import yaml from sqlalchemy import create_engine from sqlalchemy.orm import Session, sessionmaker from app.core import admin_secret from app.core import secret_box from app.db.base import Base from app.models.system_model_setting import SystemModelSetting from app.models.system_setting import SystemSetting from app.models.system_setting_secret import SystemSettingSecret from app.schemas.settings import SettingsWrite from app.services.hermes_sync import get_hermes_config_path from app.services.settings import SettingsService def build_session(db_file: Path) -> Session: engine = create_engine( f"sqlite+pysqlite:///{db_file.as_posix()}", connect_args={"check_same_thread": False}, ) SystemSetting.__table__.create(bind=engine) SystemSettingSecret.__table__.create(bind=engine) SystemModelSetting.__table__.create(bind=engine) session_factory = sessionmaker(bind=engine, autoflush=False, autocommit=False) return session_factory() def build_temp_secret_dir() -> Path: return Path(tempfile.mkdtemp(prefix="xf-settings-test-")) def test_settings_service_persists_non_secret_and_secret_fields(monkeypatch) -> None: temp_dir = build_temp_secret_dir() monkeypatch.setattr(secret_box, "SECRET_KEY_FILE", temp_dir / "settings.key") monkeypatch.setattr(Base.metadata, "create_all", lambda *args, **kwargs: None) monkeypatch.setenv("HERMES_HOME", str(temp_dir / ".hermes")) with build_session(temp_dir / "settings.db") as db: service = SettingsService(db) initial_snapshot = service.get_settings_snapshot() payload = initial_snapshot.model_dump() payload["companyForm"]["companyName"] = "YGSOFT" payload["companyForm"]["displayName"] = "云广软件" payload["adminForm"]["adminAccount"] = "admin-root" payload["adminForm"]["adminEmail"] = "admin@example.com" payload["adminForm"]["newPassword"] = "54321" payload["adminForm"]["confirmPassword"] = "54321" payload["sessionForm"]["conversationRetentionDays"] = 7 payload["llmForm"]["mainModel"] = "glm-4.5" payload["llmForm"]["mainApiKey"] = "main-secret" payload["renderForm"]["enabled"] = True payload["renderForm"]["publicUrl"] = "http://10.10.10.122:8082" payload["renderForm"]["jwtSecret"] = "change-me-onlyoffice" payload["mailForm"]["password"] = "smtp-secret" saved_snapshot = service.save_settings_snapshot(SettingsWrite(**payload)) assert saved_snapshot.companyForm.companyName == "YGSOFT" assert saved_snapshot.companyForm.displayName == "云广软件" assert saved_snapshot.sessionForm.conversationRetentionDays == 7 assert saved_snapshot.llmForm.mainModel == "glm-4.5" assert saved_snapshot.llmForm.mainApiKey == "" assert saved_snapshot.llmForm.mainApiKeyConfigured is True assert saved_snapshot.renderForm.enabled is True assert saved_snapshot.renderForm.publicUrl == "http://10.10.10.122:8082" assert saved_snapshot.renderForm.jwtSecret == "" assert saved_snapshot.renderForm.jwtSecretConfigured is True assert saved_snapshot.mailForm.password == "" assert saved_snapshot.mailForm.passwordConfigured is True assert saved_snapshot.adminForm.newPassword == "" assert saved_snapshot.adminForm.adminPasswordConfigured is True model_row = db.get(SystemModelSetting, "main") settings_row = db.get(SystemSetting, "default") secrets_row = db.get(SystemSettingSecret, "default") assert model_row is not None assert model_row.model_name == "glm-4.5" assert model_row.api_key_encrypted assert settings_row is not None assert settings_row.conversation_retention_days == 7 assert settings_row.onlyoffice_enabled is True assert settings_row.onlyoffice_public_url == "http://10.10.10.122:8082" assert secrets_row is not None assert secrets_row.onlyoffice_jwt_secret_encrypted assert service.load_saved_model_api_key("main") == "main-secret" assert service.verify_admin_login("admin-root", "54321") is not None assert service.verify_admin_login("admin@example.com", "54321") is not None def test_blank_secret_input_does_not_clear_saved_secret(monkeypatch) -> None: temp_dir = build_temp_secret_dir() monkeypatch.setattr(secret_box, "SECRET_KEY_FILE", temp_dir / "settings.key") monkeypatch.setattr(Base.metadata, "create_all", lambda *args, **kwargs: None) monkeypatch.setenv("HERMES_HOME", str(temp_dir / ".hermes")) with build_session(temp_dir / "settings.db") as db: service = SettingsService(db) first_payload = service.get_settings_snapshot().model_dump() first_payload["llmForm"]["mainApiKey"] = "persisted-key" service.save_settings_snapshot(SettingsWrite(**first_payload)) second_payload = service.get_settings_snapshot().model_dump() second_payload["llmForm"]["mainApiKey"] = "" service.save_settings_snapshot(SettingsWrite(**second_payload)) assert service.load_saved_model_api_key("main") == "persisted-key" def test_runtime_model_config_returns_decrypted_main_model(monkeypatch) -> None: temp_dir = build_temp_secret_dir() monkeypatch.setattr(secret_box, "SECRET_KEY_FILE", temp_dir / "settings.key") monkeypatch.setattr(Base.metadata, "create_all", lambda *args, **kwargs: None) monkeypatch.setenv("HERMES_HOME", str(temp_dir / ".hermes")) with build_session(temp_dir / "settings.db") as db: service = SettingsService(db) payload = service.get_settings_snapshot().model_dump() payload["llmForm"]["mainProvider"] = "MiniMax" payload["llmForm"]["mainModel"] = "MiniMax-Text-01" payload["llmForm"]["mainEndpoint"] = "https://api.minimaxi.com/v1" payload["llmForm"]["mainApiKey"] = "shared-main-key" service.save_settings_snapshot(SettingsWrite(**payload)) runtime_model = service.get_runtime_model_config("main") assert runtime_model["slot"] == "main" assert runtime_model["provider"] == "MiniMax" assert runtime_model["model"] == "MiniMax-Text-01" assert runtime_model["endpoint"] == "https://api.minimaxi.com/v1" assert runtime_model["apiKey"] == "shared-main-key" assert runtime_model["capability"] == "chat" def test_legacy_setup_admin_password_is_migrated_to_database(monkeypatch) -> None: temp_dir = build_temp_secret_dir() admin_file = temp_dir / "admin.json" monkeypatch.setattr(admin_secret, "ADMIN_SECRET_FILE", admin_file) monkeypatch.setattr(secret_box, "SECRET_KEY_FILE", temp_dir / "settings.key") monkeypatch.setattr(Base.metadata, "create_all", lambda *args, **kwargs: None) monkeypatch.setenv("HERMES_HOME", str(temp_dir / ".hermes")) password = "setup-secret" salt = secrets.token_bytes(16) derived_key = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=16384, r=8, p=1, dklen=64) admin_file.write_text( json.dumps( { "algorithm": "scrypt", "username": "setup-admin", "salt": salt.hex(), "derived_key": derived_key.hex(), "key_length": 64, "N": 16384, "r": 8, "p": 1, } ), encoding="utf-8", ) with build_session(temp_dir / "settings.db") as db: service = SettingsService(db) snapshot = service.get_settings_snapshot() secrets_row = db.get(SystemSettingSecret, "default") assert snapshot.adminForm.adminPasswordConfigured is True assert secrets_row is not None assert secrets_row.admin_password_hash.startswith("scrypt$") assert service.verify_admin_login("setup-admin", password) is not None def test_settings_service_syncs_models_to_hermes_config(monkeypatch) -> None: temp_dir = build_temp_secret_dir() hermes_home = temp_dir / ".hermes" hermes_home.mkdir(parents=True, exist_ok=True) hermes_config_path = hermes_home / "config.yaml" hermes_config_path.write_text( yaml.safe_dump({"toolsets": ["hermes-cli"], "browser": {"record_sessions": False}}, sort_keys=False), encoding="utf-8", ) monkeypatch.setenv("HERMES_HOME", str(hermes_home)) monkeypatch.setattr(secret_box, "SECRET_KEY_FILE", temp_dir / "settings.key") monkeypatch.setattr(Base.metadata, "create_all", lambda *args, **kwargs: None) with build_session(temp_dir / "settings.db") as db: service = SettingsService(db) payload = service.get_settings_snapshot().model_dump() payload["llmForm"]["mainProvider"] = "Claude" payload["llmForm"]["mainModel"] = "claude-sonnet-4-6" payload["llmForm"]["mainEndpoint"] = "https://api.anthropic.com/v1/" payload["llmForm"]["mainApiKey"] = "anthropic-secret" payload["llmForm"]["backupProvider"] = "GLM" payload["llmForm"]["backupModel"] = "glm-5.1" payload["llmForm"]["backupEndpoint"] = "https://open.bigmodel.cn/api/paas/v4/" payload["llmForm"]["backupApiKey"] = "glm-secret" service.save_settings_snapshot(SettingsWrite(**payload)) hermes_config = yaml.safe_load(get_hermes_config_path().read_text(encoding="utf-8")) assert hermes_config["toolsets"] == ["hermes-cli"] assert hermes_config["browser"] == {"record_sessions": False} assert hermes_config["model"] == { "provider": "custom", "default": "claude-sonnet-4-6", "base_url": "https://api.anthropic.com/v1", "api_key": "anthropic-secret", "api_mode": "anthropic_messages", } assert hermes_config["fallback_model"] == { "provider": "custom", "model": "glm-5.1", "base_url": "https://open.bigmodel.cn/api/paas/v4", "api_key": "glm-secret", } def test_blank_secret_input_keeps_synced_hermes_api_key(monkeypatch) -> None: temp_dir = build_temp_secret_dir() monkeypatch.setenv("HERMES_HOME", str(temp_dir / ".hermes")) monkeypatch.setattr(secret_box, "SECRET_KEY_FILE", temp_dir / "settings.key") monkeypatch.setattr(Base.metadata, "create_all", lambda *args, **kwargs: None) with build_session(temp_dir / "settings.db") as db: service = SettingsService(db) first_payload = service.get_settings_snapshot().model_dump() first_payload["llmForm"]["mainApiKey"] = "persisted-main-key" service.save_settings_snapshot(SettingsWrite(**first_payload)) second_payload = service.get_settings_snapshot().model_dump() second_payload["llmForm"]["mainModel"] = "gpt-5.4-mini" second_payload["llmForm"]["mainApiKey"] = "" service.save_settings_snapshot(SettingsWrite(**second_payload)) hermes_config = yaml.safe_load(get_hermes_config_path().read_text(encoding="utf-8")) assert hermes_config["model"]["default"] == "gpt-5.4-mini" assert hermes_config["model"]["api_key"] == "persisted-main-key"