core/homeassistant/components/http/auth.py

"""Authentication for HTTP component."""

import base64
import hmac
import logging

from aiohttp import hdrs
from aiohttp.web import middleware

from homeassistant.core import callback
from homeassistant.const import HTTP_HEADER_HA_AUTH
from .const import KEY_AUTHENTICATED, KEY_REAL_IP

DATA_API_PASSWORD = 'api_password'

_LOGGER = logging.getLogger(__name__)


@callback
def setup_auth(app, trusted_networks, api_password):
    """Create auth middleware for the app."""
    @middleware
    async def auth_middleware(request, handler):
        """Authenticate as middleware."""
        # If no password set, just always set authenticated=True
        if api_password is None:
            request[KEY_AUTHENTICATED] = True
            return await handler(request)

        # Check authentication
        authenticated = False

        if (HTTP_HEADER_HA_AUTH in request.headers and
                hmac.compare_digest(
                    api_password.encode('utf-8'),
                    request.headers[HTTP_HEADER_HA_AUTH].encode('utf-8'))):
            # A valid auth header has been set
            authenticated = True

        elif (DATA_API_PASSWORD in request.query and
              hmac.compare_digest(
                  api_password.encode('utf-8'),
                  request.query[DATA_API_PASSWORD].encode('utf-8'))):
            authenticated = True

        elif (hdrs.AUTHORIZATION in request.headers and
              await async_validate_auth_header(api_password, request)):
            authenticated = True

        elif _is_trusted_ip(request, trusted_networks):
            authenticated = True

        request[KEY_AUTHENTICATED] = authenticated
        return await handler(request)

    async def auth_startup(app):
        """Initialize auth middleware when app starts up."""
        app.middlewares.append(auth_middleware)

    app.on_startup.append(auth_startup)


def _is_trusted_ip(request, trusted_networks):
    """Test if request is from a trusted ip."""
    ip_addr = request[KEY_REAL_IP]

    return any(
        ip_addr in trusted_network for trusted_network
        in trusted_networks)


def validate_password(request, api_password):
    """Test if password is valid."""
    return hmac.compare_digest(
        api_password.encode('utf-8'),
        request.app['hass'].http.api_password.encode('utf-8'))


async def async_validate_auth_header(api_password, request):
    """Test an authorization header if valid password."""
    if hdrs.AUTHORIZATION not in request.headers:
        return False

    auth_type, auth_val = request.headers.get(hdrs.AUTHORIZATION).split(' ', 1)

    if auth_type == 'Basic':
        decoded = base64.b64decode(auth_val).decode('utf-8')
        try:
            username, password = decoded.split(':', 1)
        except ValueError:
            # If no ':' in decoded
            return False

        if username != 'homeassistant':
            return False

        return hmac.compare_digest(api_password.encode('utf-8'),
                                   password.encode('utf-8'))

    if auth_type != 'Bearer':
        return False

    hass = request.app['hass']
    access_token = hass.auth.async_get_access_token(auth_val)
    if access_token is None:
        return False

    request['hass_user'] = access_token.refresh_token.user
    return True
Reorganize HTTP component (#4575) * Move HTTP to own folder * Break HTTP into middlewares * Lint * Split tests per middleware * Clean up HTTP tests * Make HomeAssistantViews more stateless * Lint * Make HTTP setup async 2016-11-25 21:04:06 +00:00			`"""Authentication for HTTP component."""`
Move HomeAssistantView to separate file. Convert http to async syntax. [skip ci] (#12982) * Move HomeAssistantView to separate file. Convert http to async syntax. * pylint * websocket api * update emulated_hue for async/await * Lint 2018-03-09 01:51:49 +00:00
Add OwnTracks over HTTP (#9582) * Add OwnTracks over HTTP * Fix tests 2017-09-28 07:49:35 +00:00			`import base64`
Reorganize HTTP component (#4575) * Move HTTP to own folder * Break HTTP into middlewares * Lint * Split tests per middleware * Clean up HTTP tests * Make HomeAssistantViews more stateless * Lint * Make HTTP setup async 2016-11-25 21:04:06 +00:00			`import hmac`
			`import logging`

Add OwnTracks over HTTP (#9582) * Add OwnTracks over HTTP * Fix tests 2017-09-28 07:49:35 +00:00			`from aiohttp import hdrs`
Update aiohttp to 2.3.1 (#10139) * Update aiohttp to 2.3.1 * set timeout 10sec * fix freeze with new middleware handling * Convert middleware auth * Convert mittleware ipban * convert middleware static * fix lint * Update ban.py * Update auth.py * fix lint * Fix tests 2017-11-06 02:42:31 +00:00			`from aiohttp.web import middleware`
Add OwnTracks over HTTP (#9582) * Add OwnTracks over HTTP * Fix tests 2017-09-28 07:49:35 +00:00
Cleanup http (#12424) * Clean up HTTP component * Clean up HTTP mock * Remove unused import * Fix test * Lint 2018-02-15 21:06:14 +00:00			`from homeassistant.core import callback`
Reorganize HTTP component (#4575) * Move HTTP to own folder * Break HTTP into middlewares * Lint * Split tests per middleware * Clean up HTTP tests * Make HomeAssistantViews more stateless * Lint * Make HTTP setup async 2016-11-25 21:04:06 +00:00			`from homeassistant.const import HTTP_HEADER_HA_AUTH`
Cleanup http (#12424) * Clean up HTTP component * Clean up HTTP mock * Remove unused import * Fix test * Lint 2018-02-15 21:06:14 +00:00			`from .const import KEY_AUTHENTICATED, KEY_REAL_IP`
Reorganize HTTP component (#4575) * Move HTTP to own folder * Break HTTP into middlewares * Lint * Split tests per middleware * Clean up HTTP tests * Make HomeAssistantViews more stateless * Lint * Make HTTP setup async 2016-11-25 21:04:06 +00:00
			`DATA_API_PASSWORD = 'api_password'`

			`_LOGGER = logging.getLogger(__name__)`


Cleanup http (#12424) * Clean up HTTP component * Clean up HTTP mock * Remove unused import * Fix test * Lint 2018-02-15 21:06:14 +00:00			`@callback`
			`def setup_auth(app, trusted_networks, api_password):`
			`"""Create auth middleware for the app."""`
			`@middleware`
Move HomeAssistantView to separate file. Convert http to async syntax. [skip ci] (#12982) * Move HomeAssistantView to separate file. Convert http to async syntax. * pylint * websocket api * update emulated_hue for async/await * Lint 2018-03-09 01:51:49 +00:00			`async def auth_middleware(request, handler):`
Cleanup http (#12424) * Clean up HTTP component * Clean up HTTP mock * Remove unused import * Fix test * Lint 2018-02-15 21:06:14 +00:00			`"""Authenticate as middleware."""`
			`# If no password set, just always set authenticated=True`
			`if api_password is None:`
			`request[KEY_AUTHENTICATED] = True`
Move HomeAssistantView to separate file. Convert http to async syntax. [skip ci] (#12982) * Move HomeAssistantView to separate file. Convert http to async syntax. * pylint * websocket api * update emulated_hue for async/await * Lint 2018-03-09 01:51:49 +00:00			`return await handler(request)`
Cleanup http (#12424) * Clean up HTTP component * Clean up HTTP mock * Remove unused import * Fix test * Lint 2018-02-15 21:06:14 +00:00
			`# Check authentication`
			`authenticated = False`

			`if (HTTP_HEADER_HA_AUTH in request.headers and`
			`hmac.compare_digest(`
Foundation for users (#13968) * Add initial user foundation to Home Assistant * Address comments * Address comments * Allow non-ascii passwords * One more utf-8 hmac compare digest * Add new line 2018-05-01 16:20:41 +00:00			`api_password.encode('utf-8'),`
			`request.headers[HTTP_HEADER_HA_AUTH].encode('utf-8'))):`
Cleanup http (#12424) * Clean up HTTP component * Clean up HTTP mock * Remove unused import * Fix test * Lint 2018-02-15 21:06:14 +00:00			`# A valid auth header has been set`
			`authenticated = True`

			`elif (DATA_API_PASSWORD in request.query and`
Foundation for users (#13968) * Add initial user foundation to Home Assistant * Address comments * Address comments * Allow non-ascii passwords * One more utf-8 hmac compare digest * Add new line 2018-05-01 16:20:41 +00:00			`hmac.compare_digest(`
			`api_password.encode('utf-8'),`
			`request.query[DATA_API_PASSWORD].encode('utf-8'))):`
Cleanup http (#12424) * Clean up HTTP component * Clean up HTTP mock * Remove unused import * Fix test * Lint 2018-02-15 21:06:14 +00:00			`authenticated = True`

			`elif (hdrs.AUTHORIZATION in request.headers and`
Foundation for users (#13968) * Add initial user foundation to Home Assistant * Address comments * Address comments * Allow non-ascii passwords * One more utf-8 hmac compare digest * Add new line 2018-05-01 16:20:41 +00:00			`await async_validate_auth_header(api_password, request)):`
Cleanup http (#12424) * Clean up HTTP component * Clean up HTTP mock * Remove unused import * Fix test * Lint 2018-02-15 21:06:14 +00:00			`authenticated = True`

			`elif _is_trusted_ip(request, trusted_networks):`
			`authenticated = True`

			`request[KEY_AUTHENTICATED] = authenticated`
Move HomeAssistantView to separate file. Convert http to async syntax. [skip ci] (#12982) * Move HomeAssistantView to separate file. Convert http to async syntax. * pylint * websocket api * update emulated_hue for async/await * Lint 2018-03-09 01:51:49 +00:00			`return await handler(request)`
Reorganize HTTP component (#4575) * Move HTTP to own folder * Break HTTP into middlewares * Lint * Split tests per middleware * Clean up HTTP tests * Make HomeAssistantViews more stateless * Lint * Make HTTP setup async 2016-11-25 21:04:06 +00:00
Move HomeAssistantView to separate file. Convert http to async syntax. [skip ci] (#12982) * Move HomeAssistantView to separate file. Convert http to async syntax. * pylint * websocket api * update emulated_hue for async/await * Lint 2018-03-09 01:51:49 +00:00			`async def auth_startup(app):`
Cleanup http (#12424) * Clean up HTTP component * Clean up HTTP mock * Remove unused import * Fix test * Lint 2018-02-15 21:06:14 +00:00			`"""Initialize auth middleware when app starts up."""`
			`app.middlewares.append(auth_middleware)`
Reorganize HTTP component (#4575) * Move HTTP to own folder * Break HTTP into middlewares * Lint * Split tests per middleware * Clean up HTTP tests * Make HomeAssistantViews more stateless * Lint * Make HTTP setup async 2016-11-25 21:04:06 +00:00
Cleanup http (#12424) * Clean up HTTP component * Clean up HTTP mock * Remove unused import * Fix test * Lint 2018-02-15 21:06:14 +00:00			`app.on_startup.append(auth_startup)`
Add OwnTracks over HTTP (#9582) * Add OwnTracks over HTTP * Fix tests 2017-09-28 07:49:35 +00:00
Reorganize HTTP component (#4575) * Move HTTP to own folder * Break HTTP into middlewares * Lint * Split tests per middleware * Clean up HTTP tests * Make HomeAssistantViews more stateless * Lint * Make HTTP setup async 2016-11-25 21:04:06 +00:00
Cleanup http (#12424) * Clean up HTTP component * Clean up HTTP mock * Remove unused import * Fix test * Lint 2018-02-15 21:06:14 +00:00			`def _is_trusted_ip(request, trusted_networks):`
Reorganize HTTP component (#4575) * Move HTTP to own folder * Break HTTP into middlewares * Lint * Split tests per middleware * Clean up HTTP tests * Make HomeAssistantViews more stateless * Lint * Make HTTP setup async 2016-11-25 21:04:06 +00:00			`"""Test if request is from a trusted ip."""`
Cleanup http (#12424) * Clean up HTTP component * Clean up HTTP mock * Remove unused import * Fix test * Lint 2018-02-15 21:06:14 +00:00			`ip_addr = request[KEY_REAL_IP]`
Reorganize HTTP component (#4575) * Move HTTP to own folder * Break HTTP into middlewares * Lint * Split tests per middleware * Clean up HTTP tests * Make HomeAssistantViews more stateless * Lint * Make HTTP setup async 2016-11-25 21:04:06 +00:00
Cleanup http (#12424) * Clean up HTTP component * Clean up HTTP mock * Remove unused import * Fix test * Lint 2018-02-15 21:06:14 +00:00			`return any(`
Reorganize HTTP component (#4575) * Move HTTP to own folder * Break HTTP into middlewares * Lint * Split tests per middleware * Clean up HTTP tests * Make HomeAssistantViews more stateless * Lint * Make HTTP setup async 2016-11-25 21:04:06 +00:00			`ip_addr in trusted_network for trusted_network`
Cleanup http (#12424) * Clean up HTTP component * Clean up HTTP mock * Remove unused import * Fix test * Lint 2018-02-15 21:06:14 +00:00			`in trusted_networks)`
Add websocket API (#4582) * Add websocket API * Add identifiers to interactions * Allow unsubscribing event listeners * Add support for fetching data * Clean up handling code websockets api * Lint * Add Home Assistant version to auth messages * Py.test be less verbose in tox 2016-11-27 02:23:28 +00:00

			`def validate_password(request, api_password):`
			`"""Test if password is valid."""`
Update docstrings (#7361) * Update docstrings * Update docstrings * Update docstrings * Update docstrings * update docstrings * Update docstrings * Update docstrings * Update docstrings * Update docstrings * Update docstrings * Update tomato.py * Update isy994.py * Lint + fix tests * Lint 2017-04-30 05:04:49 +00:00			`return hmac.compare_digest(`
Foundation for users (#13968) * Add initial user foundation to Home Assistant * Address comments * Address comments * Allow non-ascii passwords * One more utf-8 hmac compare digest * Add new line 2018-05-01 16:20:41 +00:00			`api_password.encode('utf-8'),`
			`request.app['hass'].http.api_password.encode('utf-8'))`
Add OwnTracks over HTTP (#9582) * Add OwnTracks over HTTP * Fix tests 2017-09-28 07:49:35 +00:00

Foundation for users (#13968) * Add initial user foundation to Home Assistant * Address comments * Address comments * Allow non-ascii passwords * One more utf-8 hmac compare digest * Add new line 2018-05-01 16:20:41 +00:00			`async def async_validate_auth_header(api_password, request):`
Add OwnTracks over HTTP (#9582) * Add OwnTracks over HTTP * Fix tests 2017-09-28 07:49:35 +00:00			`"""Test an authorization header if valid password."""`
			`if hdrs.AUTHORIZATION not in request.headers:`
			`return False`

Foundation for users (#13968) * Add initial user foundation to Home Assistant * Address comments * Address comments * Allow non-ascii passwords * One more utf-8 hmac compare digest * Add new line 2018-05-01 16:20:41 +00:00			`auth_type, auth_val = request.headers.get(hdrs.AUTHORIZATION).split(' ', 1)`
Add OwnTracks over HTTP (#9582) * Add OwnTracks over HTTP * Fix tests 2017-09-28 07:49:35 +00:00
Foundation for users (#13968) * Add initial user foundation to Home Assistant * Address comments * Address comments * Allow non-ascii passwords * One more utf-8 hmac compare digest * Add new line 2018-05-01 16:20:41 +00:00			`if auth_type == 'Basic':`
			`decoded = base64.b64decode(auth_val).decode('utf-8')`
			`try:`
			`username, password = decoded.split(':', 1)`
			`except ValueError:`
			`# If no ':' in decoded`
			`return False`

			`if username != 'homeassistant':`
			`return False`
Add OwnTracks over HTTP (#9582) * Add OwnTracks over HTTP * Fix tests 2017-09-28 07:49:35 +00:00
Foundation for users (#13968) * Add initial user foundation to Home Assistant * Address comments * Address comments * Allow non-ascii passwords * One more utf-8 hmac compare digest * Add new line 2018-05-01 16:20:41 +00:00			`return hmac.compare_digest(api_password.encode('utf-8'),`
			`password.encode('utf-8'))`

			`if auth_type != 'Bearer':`
			`return False`
Add OwnTracks over HTTP (#9582) * Add OwnTracks over HTTP * Fix tests 2017-09-28 07:49:35 +00:00
Foundation for users (#13968) * Add initial user foundation to Home Assistant * Address comments * Address comments * Allow non-ascii passwords * One more utf-8 hmac compare digest * Add new line 2018-05-01 16:20:41 +00:00			`hass = request.app['hass']`
			`access_token = hass.auth.async_get_access_token(auth_val)`
			`if access_token is None:`
Add OwnTracks over HTTP (#9582) * Add OwnTracks over HTTP * Fix tests 2017-09-28 07:49:35 +00:00			`return False`

Foundation for users (#13968) * Add initial user foundation to Home Assistant * Address comments * Address comments * Allow non-ascii passwords * One more utf-8 hmac compare digest * Add new line 2018-05-01 16:20:41 +00:00			`request['hass_user'] = access_token.refresh_token.user`
			`return True`