core/homeassistant/components/http/auth.py

"""Authentication for HTTP component."""
import asyncio
import base64
import hmac
import logging

from aiohttp import hdrs

from homeassistant.const import HTTP_HEADER_HA_AUTH
from .util import get_real_ip
from .const import KEY_TRUSTED_NETWORKS, KEY_AUTHENTICATED

DATA_API_PASSWORD = 'api_password'

_LOGGER = logging.getLogger(__name__)


@asyncio.coroutine
def auth_middleware(app, handler):
    """Authenticate as middleware."""
    # If no password set, just always set authenticated=True
    if app['hass'].http.api_password is None:
        @asyncio.coroutine
        def no_auth_middleware_handler(request):
            """Auth middleware to approve all requests."""
            request[KEY_AUTHENTICATED] = True
            return handler(request)

        return no_auth_middleware_handler

    @asyncio.coroutine
    def auth_middleware_handler(request):
        """Auth middleware to check authentication."""
        # Auth code verbose on purpose
        authenticated = False

        if (HTTP_HEADER_HA_AUTH in request.headers and
                validate_password(
                    request, request.headers[HTTP_HEADER_HA_AUTH])):
            # A valid auth header has been set
            authenticated = True

        elif (DATA_API_PASSWORD in request.query and
              validate_password(request, request.query[DATA_API_PASSWORD])):
            authenticated = True

        elif (hdrs.AUTHORIZATION in request.headers and
              validate_authorization_header(request)):
            authenticated = True

        elif is_trusted_ip(request):
            authenticated = True

        request[KEY_AUTHENTICATED] = authenticated

        return handler(request)

    return auth_middleware_handler


def is_trusted_ip(request):
    """Test if request is from a trusted ip."""
    ip_addr = get_real_ip(request)

    return ip_addr and any(
        ip_addr in trusted_network for trusted_network
        in request.app[KEY_TRUSTED_NETWORKS])


def validate_password(request, api_password):
    """Test if password is valid."""
    return hmac.compare_digest(
        api_password, request.app['hass'].http.api_password)


def validate_authorization_header(request):
    """Test an authorization header if valid password."""
    if hdrs.AUTHORIZATION not in request.headers:
        return False

    auth_type, auth = request.headers.get(hdrs.AUTHORIZATION).split(' ', 1)

    if auth_type != 'Basic':
        return False

    decoded = base64.b64decode(auth).decode('utf-8')
    username, password = decoded.split(':', 1)

    if username != 'homeassistant':
        return False

    return validate_password(request, password)
Reorganize HTTP component (#4575) * Move HTTP to own folder * Break HTTP into middlewares * Lint * Split tests per middleware * Clean up HTTP tests * Make HomeAssistantViews more stateless * Lint * Make HTTP setup async 2016-11-25 21:04:06 +00:00			`"""Authentication for HTTP component."""`
			`import asyncio`
Add OwnTracks over HTTP (#9582) * Add OwnTracks over HTTP * Fix tests 2017-09-28 07:49:35 +00:00			`import base64`
Reorganize HTTP component (#4575) * Move HTTP to own folder * Break HTTP into middlewares * Lint * Split tests per middleware * Clean up HTTP tests * Make HomeAssistantViews more stateless * Lint * Make HTTP setup async 2016-11-25 21:04:06 +00:00			`import hmac`
			`import logging`

Add OwnTracks over HTTP (#9582) * Add OwnTracks over HTTP * Fix tests 2017-09-28 07:49:35 +00:00			`from aiohttp import hdrs`

Reorganize HTTP component (#4575) * Move HTTP to own folder * Break HTTP into middlewares * Lint * Split tests per middleware * Clean up HTTP tests * Make HomeAssistantViews more stateless * Lint * Make HTTP setup async 2016-11-25 21:04:06 +00:00			`from homeassistant.const import HTTP_HEADER_HA_AUTH`
			`from .util import get_real_ip`
			`from .const import KEY_TRUSTED_NETWORKS, KEY_AUTHENTICATED`

			`DATA_API_PASSWORD = 'api_password'`

			`_LOGGER = logging.getLogger(__name__)`


			`@asyncio.coroutine`
			`def auth_middleware(app, handler):`
Update docstrings (#7361) * Update docstrings * Update docstrings * Update docstrings * Update docstrings * update docstrings * Update docstrings * Update docstrings * Update docstrings * Update docstrings * Update docstrings * Update tomato.py * Update isy994.py * Lint + fix tests * Lint 2017-04-30 05:04:49 +00:00			`"""Authenticate as middleware."""`
Reorganize HTTP component (#4575) * Move HTTP to own folder * Break HTTP into middlewares * Lint * Split tests per middleware * Clean up HTTP tests * Make HomeAssistantViews more stateless * Lint * Make HTTP setup async 2016-11-25 21:04:06 +00:00			`# If no password set, just always set authenticated=True`
			`if app['hass'].http.api_password is None:`
			`@asyncio.coroutine`
			`def no_auth_middleware_handler(request):`
			`"""Auth middleware to approve all requests."""`
			`request[KEY_AUTHENTICATED] = True`
			`return handler(request)`

			`return no_auth_middleware_handler`

			`@asyncio.coroutine`
			`def auth_middleware_handler(request):`
			`"""Auth middleware to check authentication."""`
			`# Auth code verbose on purpose`
			`authenticated = False`

Add websocket API (#4582) * Add websocket API * Add identifiers to interactions * Allow unsubscribing event listeners * Add support for fetching data * Clean up handling code websockets api * Lint * Add Home Assistant version to auth messages * Py.test be less verbose in tox 2016-11-27 02:23:28 +00:00			`if (HTTP_HEADER_HA_AUTH in request.headers and`
Update docstrings (#7361) * Update docstrings * Update docstrings * Update docstrings * Update docstrings * update docstrings * Update docstrings * Update docstrings * Update docstrings * Update docstrings * Update docstrings * Update tomato.py * Update isy994.py * Lint + fix tests * Lint 2017-04-30 05:04:49 +00:00			`validate_password(`
			`request, request.headers[HTTP_HEADER_HA_AUTH])):`
Reorganize HTTP component (#4575) * Move HTTP to own folder * Break HTTP into middlewares * Lint * Split tests per middleware * Clean up HTTP tests * Make HomeAssistantViews more stateless * Lint * Make HTTP setup async 2016-11-25 21:04:06 +00:00			`# A valid auth header has been set`
			`authenticated = True`

Fix more deprecation warnings (#7778) * Remove setting up an hbmqtt broker * Don't pass loop to web.Application in tests * Use .query instead of deprecated .GET for aiohttp requests * Fix closing file resource * Do not use asyncio mark * Notify.html5 - PyJWT: Use options to disable verify * Yamaha: Test was still using deprecated ip * Remove pytest-asyncio 2017-05-26 20:12:17 +00:00			`elif (DATA_API_PASSWORD in request.query and`
			`validate_password(request, request.query[DATA_API_PASSWORD])):`
Reorganize HTTP component (#4575) * Move HTTP to own folder * Break HTTP into middlewares * Lint * Split tests per middleware * Clean up HTTP tests * Make HomeAssistantViews more stateless * Lint * Make HTTP setup async 2016-11-25 21:04:06 +00:00			`authenticated = True`

Add OwnTracks over HTTP (#9582) * Add OwnTracks over HTTP * Fix tests 2017-09-28 07:49:35 +00:00			`elif (hdrs.AUTHORIZATION in request.headers and`
			`validate_authorization_header(request)):`
			`authenticated = True`

Reorganize HTTP component (#4575) * Move HTTP to own folder * Break HTTP into middlewares * Lint * Split tests per middleware * Clean up HTTP tests * Make HomeAssistantViews more stateless * Lint * Make HTTP setup async 2016-11-25 21:04:06 +00:00			`elif is_trusted_ip(request):`
			`authenticated = True`

			`request[KEY_AUTHENTICATED] = authenticated`

			`return handler(request)`

			`return auth_middleware_handler`


			`def is_trusted_ip(request):`
			`"""Test if request is from a trusted ip."""`
			`ip_addr = get_real_ip(request)`

			`return ip_addr and any(`
			`ip_addr in trusted_network for trusted_network`
			`in request.app[KEY_TRUSTED_NETWORKS])`
Add websocket API (#4582) * Add websocket API * Add identifiers to interactions * Allow unsubscribing event listeners * Add support for fetching data * Clean up handling code websockets api * Lint * Add Home Assistant version to auth messages * Py.test be less verbose in tox 2016-11-27 02:23:28 +00:00

			`def validate_password(request, api_password):`
			`"""Test if password is valid."""`
Update docstrings (#7361) * Update docstrings * Update docstrings * Update docstrings * Update docstrings * update docstrings * Update docstrings * Update docstrings * Update docstrings * Update docstrings * Update docstrings * Update tomato.py * Update isy994.py * Lint + fix tests * Lint 2017-04-30 05:04:49 +00:00			`return hmac.compare_digest(`
			`api_password, request.app['hass'].http.api_password)`
Add OwnTracks over HTTP (#9582) * Add OwnTracks over HTTP * Fix tests 2017-09-28 07:49:35 +00:00

			`def validate_authorization_header(request):`
			`"""Test an authorization header if valid password."""`
			`if hdrs.AUTHORIZATION not in request.headers:`
			`return False`

			`auth_type, auth = request.headers.get(hdrs.AUTHORIZATION).split(' ', 1)`

			`if auth_type != 'Basic':`
			`return False`

			`decoded = base64.b64decode(auth).decode('utf-8')`
			`username, password = decoded.split(':', 1)`

			`if username != 'homeassistant':`
			`return False`

			`return validate_password(request, password)`