2016-11-25 21:04:06 +00:00
|
|
|
"""Ban logic for HTTP component."""
|
|
|
|
from collections import defaultdict
|
|
|
|
from datetime import datetime
|
|
|
|
from ipaddress import ip_address
|
|
|
|
import logging
|
2020-08-18 21:32:19 +00:00
|
|
|
from socket import gethostbyaddr, herror
|
2019-08-12 03:38:18 +00:00
|
|
|
from typing import List, Optional
|
2016-11-25 21:04:06 +00:00
|
|
|
|
2017-11-06 02:42:31 +00:00
|
|
|
from aiohttp.web import middleware
|
2017-02-25 00:33:58 +00:00
|
|
|
from aiohttp.web_exceptions import HTTPForbidden, HTTPUnauthorized
|
2016-11-25 21:04:06 +00:00
|
|
|
import voluptuous as vol
|
|
|
|
|
|
|
|
from homeassistant.config import load_yaml_config_file
|
2020-04-09 19:43:42 +00:00
|
|
|
from homeassistant.const import HTTP_BAD_REQUEST
|
2019-02-14 15:01:46 +00:00
|
|
|
from homeassistant.core import HomeAssistant, callback
|
2016-11-25 21:04:06 +00:00
|
|
|
from homeassistant.exceptions import HomeAssistantError
|
|
|
|
import homeassistant.helpers.config_validation as cv
|
|
|
|
from homeassistant.util.yaml import dump
|
2019-02-14 15:01:46 +00:00
|
|
|
|
2019-09-20 15:23:34 +00:00
|
|
|
# mypy: allow-untyped-defs, no-check-untyped-defs
|
2019-08-12 03:38:18 +00:00
|
|
|
|
2017-06-08 13:53:12 +00:00
|
|
|
_LOGGER = logging.getLogger(__name__)
|
|
|
|
|
2019-07-31 19:25:30 +00:00
|
|
|
KEY_BANNED_IPS = "ha_banned_ips"
|
|
|
|
KEY_FAILED_LOGIN_ATTEMPTS = "ha_failed_login_attempts"
|
|
|
|
KEY_LOGIN_THRESHOLD = "ha_login_threshold"
|
2018-02-15 21:06:14 +00:00
|
|
|
|
2019-07-31 19:25:30 +00:00
|
|
|
NOTIFICATION_ID_BAN = "ip-ban"
|
|
|
|
NOTIFICATION_ID_LOGIN = "http-login"
|
2016-11-25 21:04:06 +00:00
|
|
|
|
2019-07-31 19:25:30 +00:00
|
|
|
IP_BANS_FILE = "ip_bans.yaml"
|
|
|
|
ATTR_BANNED_AT = "banned_at"
|
2016-11-25 21:04:06 +00:00
|
|
|
|
2019-07-31 19:25:30 +00:00
|
|
|
SCHEMA_IP_BAN_ENTRY = vol.Schema(
|
|
|
|
{vol.Optional("banned_at"): vol.Any(None, cv.datetime)}
|
|
|
|
)
|
2016-11-25 21:04:06 +00:00
|
|
|
|
|
|
|
|
2018-02-15 21:06:14 +00:00
|
|
|
@callback
|
|
|
|
def setup_bans(hass, app, login_threshold):
|
|
|
|
"""Create IP Ban middleware for the app."""
|
2018-11-21 19:55:21 +00:00
|
|
|
app.middlewares.append(ban_middleware)
|
|
|
|
app[KEY_FAILED_LOGIN_ATTEMPTS] = defaultdict(int)
|
|
|
|
app[KEY_LOGIN_THRESHOLD] = login_threshold
|
|
|
|
|
2018-03-09 01:51:49 +00:00
|
|
|
async def ban_startup(app):
|
2018-02-15 21:06:14 +00:00
|
|
|
"""Initialize bans when app starts up."""
|
2018-11-21 19:55:21 +00:00
|
|
|
app[KEY_BANNED_IPS] = await async_load_ip_bans_config(
|
2019-07-31 19:25:30 +00:00
|
|
|
hass, hass.config.path(IP_BANS_FILE)
|
|
|
|
)
|
2018-02-15 21:06:14 +00:00
|
|
|
|
|
|
|
app.on_startup.append(ban_startup)
|
|
|
|
|
|
|
|
|
2017-11-06 02:42:31 +00:00
|
|
|
@middleware
|
2018-03-09 01:51:49 +00:00
|
|
|
async def ban_middleware(request, handler):
|
2016-11-25 21:04:06 +00:00
|
|
|
"""IP Ban middleware."""
|
2017-11-06 02:42:31 +00:00
|
|
|
if KEY_BANNED_IPS not in request.app:
|
2019-02-14 15:01:46 +00:00
|
|
|
_LOGGER.error("IP Ban middleware loaded but banned IPs not loaded")
|
2018-03-09 01:51:49 +00:00
|
|
|
return await handler(request)
|
2016-11-25 21:04:06 +00:00
|
|
|
|
2017-11-06 02:42:31 +00:00
|
|
|
# Verify if IP is not banned
|
2020-08-11 20:57:50 +00:00
|
|
|
ip_address_ = ip_address(request.remote)
|
2019-07-31 19:25:30 +00:00
|
|
|
is_banned = any(
|
|
|
|
ip_ban.ip_address == ip_address_ for ip_ban in request.app[KEY_BANNED_IPS]
|
|
|
|
)
|
2016-11-25 21:04:06 +00:00
|
|
|
|
2017-11-06 02:42:31 +00:00
|
|
|
if is_banned:
|
|
|
|
raise HTTPForbidden()
|
2016-11-25 21:04:06 +00:00
|
|
|
|
2017-11-06 02:42:31 +00:00
|
|
|
try:
|
2018-03-09 01:51:49 +00:00
|
|
|
return await handler(request)
|
2017-11-06 02:42:31 +00:00
|
|
|
except HTTPUnauthorized:
|
2018-03-09 01:51:49 +00:00
|
|
|
await process_wrong_login(request)
|
2017-11-06 02:42:31 +00:00
|
|
|
raise
|
2016-11-25 21:04:06 +00:00
|
|
|
|
|
|
|
|
2018-07-24 08:09:52 +00:00
|
|
|
def log_invalid_auth(func):
|
2018-08-24 08:28:43 +00:00
|
|
|
"""Decorate function to handle invalid auth or failed login attempts."""
|
2019-07-31 19:25:30 +00:00
|
|
|
|
2018-07-24 08:09:52 +00:00
|
|
|
async def handle_req(view, request, *args, **kwargs):
|
|
|
|
"""Try to log failed login attempts if response status >= 400."""
|
|
|
|
resp = await func(view, request, *args, **kwargs)
|
2020-04-09 19:43:42 +00:00
|
|
|
if resp.status >= HTTP_BAD_REQUEST:
|
2018-07-24 08:09:52 +00:00
|
|
|
await process_wrong_login(request)
|
|
|
|
return resp
|
2019-07-31 19:25:30 +00:00
|
|
|
|
2018-07-24 08:09:52 +00:00
|
|
|
return handle_req
|
|
|
|
|
|
|
|
|
2018-03-09 01:51:49 +00:00
|
|
|
async def process_wrong_login(request):
|
2018-07-20 10:09:48 +00:00
|
|
|
"""Process a wrong login attempt.
|
|
|
|
|
|
|
|
Increase failed login attempts counter for remote IP address.
|
|
|
|
Add ip ban entry if failed login attempts exceeds threshold.
|
|
|
|
"""
|
2020-08-18 21:32:19 +00:00
|
|
|
hass = request.app["hass"]
|
|
|
|
|
2020-08-11 20:57:50 +00:00
|
|
|
remote_addr = ip_address(request.remote)
|
2020-08-18 21:32:19 +00:00
|
|
|
remote_host = request.remote
|
|
|
|
try:
|
|
|
|
remote_host, _, _ = await hass.async_add_executor_job(
|
|
|
|
gethostbyaddr, request.remote
|
|
|
|
)
|
|
|
|
except herror:
|
|
|
|
pass
|
|
|
|
|
|
|
|
msg = f"Login attempt or request with invalid authentication from {remote_host} ({remote_addr})"
|
|
|
|
|
|
|
|
user_agent = request.headers.get("user-agent")
|
|
|
|
if user_agent:
|
|
|
|
msg = f"{msg} ({user_agent})"
|
2017-02-25 00:33:58 +00:00
|
|
|
|
|
|
|
_LOGGER.warning(msg)
|
2018-09-11 09:39:30 +00:00
|
|
|
|
|
|
|
hass.components.persistent_notification.async_create(
|
2019-07-31 19:25:30 +00:00
|
|
|
msg, "Login attempt failed", NOTIFICATION_ID_LOGIN
|
|
|
|
)
|
2017-02-25 00:33:58 +00:00
|
|
|
|
2018-02-15 21:06:14 +00:00
|
|
|
# Check if ban middleware is loaded
|
2019-07-31 19:25:30 +00:00
|
|
|
if KEY_BANNED_IPS not in request.app or request.app[KEY_LOGIN_THRESHOLD] < 1:
|
2016-11-25 21:04:06 +00:00
|
|
|
return
|
|
|
|
|
|
|
|
request.app[KEY_FAILED_LOGIN_ATTEMPTS][remote_addr] += 1
|
|
|
|
|
2020-04-08 17:31:44 +00:00
|
|
|
# Supervisor IP should never be banned
|
2020-08-27 11:56:20 +00:00
|
|
|
if (
|
|
|
|
"hassio" in hass.config.components
|
|
|
|
and hass.components.hassio.get_supervisor_ip() == str(remote_addr)
|
2020-04-08 17:31:44 +00:00
|
|
|
):
|
|
|
|
return
|
|
|
|
|
2019-07-31 19:25:30 +00:00
|
|
|
if (
|
|
|
|
request.app[KEY_FAILED_LOGIN_ATTEMPTS][remote_addr]
|
|
|
|
>= request.app[KEY_LOGIN_THRESHOLD]
|
|
|
|
):
|
2016-11-25 21:04:06 +00:00
|
|
|
new_ban = IpBan(remote_addr)
|
|
|
|
request.app[KEY_BANNED_IPS].append(new_ban)
|
|
|
|
|
2018-03-09 01:51:49 +00:00
|
|
|
await hass.async_add_job(
|
2019-07-31 19:25:30 +00:00
|
|
|
update_ip_bans_config, hass.config.path(IP_BANS_FILE), new_ban
|
|
|
|
)
|
2016-11-25 21:04:06 +00:00
|
|
|
|
2019-07-31 19:25:30 +00:00
|
|
|
_LOGGER.warning("Banned IP %s for too many login attempts", remote_addr)
|
2016-11-25 21:04:06 +00:00
|
|
|
|
2018-09-11 09:39:30 +00:00
|
|
|
hass.components.persistent_notification.async_create(
|
2019-08-23 16:53:33 +00:00
|
|
|
f"Too many login attempts from {remote_addr}",
|
2019-07-31 19:25:30 +00:00
|
|
|
"Banning IP address",
|
|
|
|
NOTIFICATION_ID_BAN,
|
|
|
|
)
|
2016-11-25 21:04:06 +00:00
|
|
|
|
|
|
|
|
2018-07-20 10:09:48 +00:00
|
|
|
async def process_success_login(request):
|
|
|
|
"""Process a success login attempt.
|
|
|
|
|
|
|
|
Reset failed login attempts counter for remote IP address.
|
|
|
|
No release IP address from banned list function, it can only be done by
|
|
|
|
manual modify ip bans config file.
|
|
|
|
"""
|
2020-08-11 20:57:50 +00:00
|
|
|
remote_addr = ip_address(request.remote)
|
2018-07-20 10:09:48 +00:00
|
|
|
|
|
|
|
# Check if ban middleware is loaded
|
2019-07-31 19:25:30 +00:00
|
|
|
if KEY_BANNED_IPS not in request.app or request.app[KEY_LOGIN_THRESHOLD] < 1:
|
2018-07-20 10:09:48 +00:00
|
|
|
return
|
|
|
|
|
2019-07-31 19:25:30 +00:00
|
|
|
if (
|
|
|
|
remote_addr in request.app[KEY_FAILED_LOGIN_ATTEMPTS]
|
|
|
|
and request.app[KEY_FAILED_LOGIN_ATTEMPTS][remote_addr] > 0
|
|
|
|
):
|
|
|
|
_LOGGER.debug(
|
2020-01-02 19:17:10 +00:00
|
|
|
"Login success, reset failed login attempts counter from %s", remote_addr
|
2019-07-31 19:25:30 +00:00
|
|
|
)
|
2018-07-20 10:09:48 +00:00
|
|
|
request.app[KEY_FAILED_LOGIN_ATTEMPTS].pop(remote_addr)
|
|
|
|
|
|
|
|
|
2018-07-20 08:45:20 +00:00
|
|
|
class IpBan:
|
2016-11-25 21:04:06 +00:00
|
|
|
"""Represents banned IP address."""
|
|
|
|
|
2019-08-12 03:38:18 +00:00
|
|
|
def __init__(self, ip_ban: str, banned_at: Optional[datetime] = None) -> None:
|
2017-04-30 05:04:49 +00:00
|
|
|
"""Initialize IP Ban object."""
|
2016-11-25 21:04:06 +00:00
|
|
|
self.ip_address = ip_address(ip_ban)
|
|
|
|
self.banned_at = banned_at or datetime.utcnow()
|
|
|
|
|
|
|
|
|
2019-09-20 15:23:34 +00:00
|
|
|
async def async_load_ip_bans_config(hass: HomeAssistant, path: str) -> List[IpBan]:
|
2017-04-30 05:04:49 +00:00
|
|
|
"""Load list of banned IPs from config file."""
|
2019-08-12 03:38:18 +00:00
|
|
|
ip_list: List[IpBan] = []
|
2016-11-25 21:04:06 +00:00
|
|
|
|
|
|
|
try:
|
2018-11-21 19:55:21 +00:00
|
|
|
list_ = await hass.async_add_executor_job(load_yaml_config_file, path)
|
2019-05-19 10:01:29 +00:00
|
|
|
except FileNotFoundError:
|
|
|
|
return ip_list
|
2016-11-25 21:04:06 +00:00
|
|
|
except HomeAssistantError as err:
|
2019-07-31 19:25:30 +00:00
|
|
|
_LOGGER.error("Unable to load %s: %s", path, str(err))
|
2017-03-05 09:53:21 +00:00
|
|
|
return ip_list
|
2016-11-25 21:04:06 +00:00
|
|
|
|
|
|
|
for ip_ban, ip_info in list_.items():
|
|
|
|
try:
|
|
|
|
ip_info = SCHEMA_IP_BAN_ENTRY(ip_info)
|
2019-07-31 19:25:30 +00:00
|
|
|
ip_list.append(IpBan(ip_ban, ip_info["banned_at"]))
|
2016-11-25 21:04:06 +00:00
|
|
|
except vol.Invalid as err:
|
2017-04-30 05:04:49 +00:00
|
|
|
_LOGGER.error("Failed to load IP ban %s: %s", ip_info, err)
|
2016-11-25 21:04:06 +00:00
|
|
|
continue
|
|
|
|
|
|
|
|
return ip_list
|
|
|
|
|
|
|
|
|
2019-09-20 15:23:34 +00:00
|
|
|
def update_ip_bans_config(path: str, ip_ban: IpBan) -> None:
|
2016-11-25 21:04:06 +00:00
|
|
|
"""Update config file with new banned IP address."""
|
2019-07-31 19:25:30 +00:00
|
|
|
with open(path, "a") as out:
|
|
|
|
ip_ = {
|
|
|
|
str(ip_ban.ip_address): {
|
|
|
|
ATTR_BANNED_AT: ip_ban.banned_at.strftime("%Y-%m-%dT%H:%M:%S")
|
|
|
|
}
|
|
|
|
}
|
|
|
|
out.write("\n")
|
2016-11-25 21:04:06 +00:00
|
|
|
out.write(dump(ip_))
|