2016-11-25 21:04:06 +00:00
|
|
|
"""The tests for the Home Assistant HTTP component."""
|
|
|
|
|
# pylint: disable=protected-access
|
2018-02-15 21:06:14 +00:00
|
|
|
from ipaddress import ip_network
|
2016-11-25 21:04:06 +00:00
|
|
|
from unittest.mock import patch
|
|
|
|
|
|
2018-02-15 21:06:14 +00:00
|
|
|
from aiohttp import BasicAuth, web
|
|
|
|
|
from aiohttp.web_exceptions import HTTPUnauthorized
|
2017-05-19 14:37:39 +00:00
|
|
|
import pytest
|
2016-11-25 21:04:06 +00:00
|
|
|
|
2018-02-15 21:06:14 +00:00
|
|
|
from homeassistant.const import HTTP_HEADER_HA_AUTH
|
2017-05-19 14:37:39 +00:00
|
|
|
from homeassistant.setup import async_setup_component
|
2018-02-15 21:06:14 +00:00
|
|
|
from homeassistant.components.http.auth import setup_auth
|
|
|
|
|
from homeassistant.components.http.real_ip import setup_real_ip
|
|
|
|
|
from homeassistant.components.http.const import KEY_AUTHENTICATED
|
|
|
|
|
|
|
|
|
|
from . import mock_real_ip
|
2016-11-25 21:04:06 +00:00
|
|
|
|
|
|
|
|
API_PASSWORD = 'test1234'
|
2017-05-19 14:37:39 +00:00
|
|
|
|
2016-11-25 21:04:06 +00:00
|
|
|
# Don't add 127.0.0.1/::1 as trusted, as it may interfere with other test cases
|
2018-02-15 21:06:14 +00:00
|
|
|
TRUSTED_NETWORKS = [
|
|
|
|
|
ip_network('192.0.2.0/24'),
|
|
|
|
|
ip_network('2001:DB8:ABCD::/48'),
|
|
|
|
|
ip_network('100.64.0.1'),
|
|
|
|
|
ip_network('FD01:DB8::1'),
|
|
|
|
|
]
|
2016-11-25 21:04:06 +00:00
|
|
|
TRUSTED_ADDRESSES = ['100.64.0.1', '192.0.2.100', 'FD01:DB8::1',
|
|
|
|
|
'2001:DB8:ABCD::1']
|
|
|
|
|
UNTRUSTED_ADDRESSES = ['198.51.100.1', '2001:DB8:FA1::1', '127.0.0.1', '::1']
|
|
|
|
|
|
|
|
|
|
|
2018-03-09 01:51:49 +00:00
|
|
|
async def mock_handler(request):
|
2018-02-15 21:06:14 +00:00
|
|
|
"""Return if request was authenticated."""
|
|
|
|
|
if not request[KEY_AUTHENTICATED]:
|
|
|
|
|
raise HTTPUnauthorized
|
|
|
|
|
return web.Response(status=200)
|
2016-11-25 21:04:06 +00:00
|
|
|
|
|
|
|
|
|
2018-02-15 21:06:14 +00:00
|
|
|
@pytest.fixture
|
|
|
|
|
def app():
|
|
|
|
|
"""Fixture to setup a web.Application."""
|
|
|
|
|
app = web.Application()
|
|
|
|
|
app.router.add_get('/', mock_handler)
|
|
|
|
|
setup_real_ip(app, False)
|
|
|
|
|
return app
|
2016-11-25 21:04:06 +00:00
|
|
|
|
|
|
|
|
|
2018-03-09 01:51:49 +00:00
|
|
|
async def test_auth_middleware_loaded_by_default(hass):
|
2018-02-15 21:06:14 +00:00
|
|
|
"""Test accessing to server from banned IP when feature is off."""
|
|
|
|
|
with patch('homeassistant.components.http.setup_auth') as mock_setup:
|
2018-03-09 01:51:49 +00:00
|
|
|
await async_setup_component(hass, 'http', {
|
2018-02-15 21:06:14 +00:00
|
|
|
'http': {}
|
|
|
|
|
})
|
2016-11-25 21:04:06 +00:00
|
|
|
|
2018-02-15 21:06:14 +00:00
|
|
|
assert len(mock_setup.mock_calls) == 1
|
2016-11-25 21:04:06 +00:00
|
|
|
|
|
|
|
|
|
2018-03-15 20:49:49 +00:00
|
|
|
async def test_access_without_password(app, aiohttp_client):
|
2018-02-15 21:06:14 +00:00
|
|
|
"""Test access without password."""
|
|
|
|
|
setup_auth(app, [], None)
|
2018-03-15 20:49:49 +00:00
|
|
|
client = await aiohttp_client(app)
|
2016-11-25 21:04:06 +00:00
|
|
|
|
2018-03-09 01:51:49 +00:00
|
|
|
resp = await client.get('/')
|
2018-02-15 21:06:14 +00:00
|
|
|
assert resp.status == 200
|
2016-11-25 21:04:06 +00:00
|
|
|
|
|
|
|
|
|
2018-03-15 20:49:49 +00:00
|
|
|
async def test_access_with_password_in_header(app, aiohttp_client):
|
2017-05-19 14:37:39 +00:00
|
|
|
"""Test access with password in URL."""
|
2018-02-15 21:06:14 +00:00
|
|
|
setup_auth(app, [], API_PASSWORD)
|
2018-03-15 20:49:49 +00:00
|
|
|
client = await aiohttp_client(app)
|
2016-11-25 21:04:06 +00:00
|
|
|
|
2018-03-09 01:51:49 +00:00
|
|
|
req = await client.get(
|
2018-02-15 21:06:14 +00:00
|
|
|
'/', headers={HTTP_HEADER_HA_AUTH: API_PASSWORD})
|
2017-05-19 14:37:39 +00:00
|
|
|
assert req.status == 200
|
2016-11-25 21:04:06 +00:00
|
|
|
|
2018-03-09 01:51:49 +00:00
|
|
|
req = await client.get(
|
2018-02-15 21:06:14 +00:00
|
|
|
'/', headers={HTTP_HEADER_HA_AUTH: 'wrong-pass'})
|
|
|
|
|
assert req.status == 401
|
2016-11-25 21:04:06 +00:00
|
|
|
|
|
|
|
|
|
2018-03-15 20:49:49 +00:00
|
|
|
async def test_access_with_password_in_query(app, aiohttp_client):
|
2018-02-15 21:06:14 +00:00
|
|
|
"""Test access without password."""
|
|
|
|
|
setup_auth(app, [], API_PASSWORD)
|
2018-03-15 20:49:49 +00:00
|
|
|
client = await aiohttp_client(app)
|
2016-11-25 21:04:06 +00:00
|
|
|
|
2018-03-09 01:51:49 +00:00
|
|
|
resp = await client.get('/', params={
|
2018-02-15 21:06:14 +00:00
|
|
|
'api_password': API_PASSWORD
|
|
|
|
|
})
|
|
|
|
|
assert resp.status == 200
|
2016-11-25 21:04:06 +00:00
|
|
|
|
2018-03-09 01:51:49 +00:00
|
|
|
resp = await client.get('/')
|
2018-02-15 21:06:14 +00:00
|
|
|
assert resp.status == 401
|
2016-11-25 21:04:06 +00:00
|
|
|
|
2018-03-09 01:51:49 +00:00
|
|
|
resp = await client.get('/', params={
|
2018-02-15 21:06:14 +00:00
|
|
|
'api_password': 'wrong-password'
|
|
|
|
|
})
|
|
|
|
|
assert resp.status == 401
|
2017-09-28 07:49:35 +00:00
|
|
|
|
|
|
|
|
|
2018-03-15 20:49:49 +00:00
|
|
|
async def test_basic_auth_works(app, aiohttp_client):
|
2017-09-28 07:49:35 +00:00
|
|
|
"""Test access with basic authentication."""
|
2018-02-15 21:06:14 +00:00
|
|
|
setup_auth(app, [], API_PASSWORD)
|
2018-03-15 20:49:49 +00:00
|
|
|
client = await aiohttp_client(app)
|
2017-09-28 07:49:35 +00:00
|
|
|
|
2018-03-09 01:51:49 +00:00
|
|
|
req = await client.get(
|
2018-02-15 21:06:14 +00:00
|
|
|
'/',
|
|
|
|
|
auth=BasicAuth('homeassistant', API_PASSWORD))
|
2017-09-28 07:49:35 +00:00
|
|
|
assert req.status == 200
|
|
|
|
|
|
2018-03-09 01:51:49 +00:00
|
|
|
req = await client.get(
|
2018-02-15 21:06:14 +00:00
|
|
|
'/',
|
|
|
|
|
auth=BasicAuth('wrong_username', API_PASSWORD))
|
|
|
|
|
assert req.status == 401
|
2017-09-28 07:49:35 +00:00
|
|
|
|
2018-03-09 01:51:49 +00:00
|
|
|
req = await client.get(
|
2018-02-15 21:06:14 +00:00
|
|
|
'/',
|
|
|
|
|
auth=BasicAuth('homeassistant', 'wrong password'))
|
|
|
|
|
assert req.status == 401
|
2017-09-28 07:49:35 +00:00
|
|
|
|
2018-03-09 01:51:49 +00:00
|
|
|
req = await client.get(
|
2018-02-15 21:06:14 +00:00
|
|
|
'/',
|
|
|
|
|
headers={
|
|
|
|
|
'authorization': 'NotBasic abcdefg'
|
|
|
|
|
})
|
2017-09-28 07:49:35 +00:00
|
|
|
assert req.status == 401
|
|
|
|
|
|
|
|
|
|
|
2018-03-15 20:49:49 +00:00
|
|
|
async def test_access_with_trusted_ip(aiohttp_client):
|
2018-02-15 21:06:14 +00:00
|
|
|
"""Test access with an untrusted ip address."""
|
|
|
|
|
app = web.Application()
|
|
|
|
|
app.router.add_get('/', mock_handler)
|
2017-09-28 07:49:35 +00:00
|
|
|
|
2018-02-15 21:06:14 +00:00
|
|
|
setup_auth(app, TRUSTED_NETWORKS, 'some-pass')
|
2017-09-28 07:49:35 +00:00
|
|
|
|
2018-02-15 21:06:14 +00:00
|
|
|
set_mock_ip = mock_real_ip(app)
|
2018-03-15 20:49:49 +00:00
|
|
|
client = await aiohttp_client(app)
|
2017-09-28 07:49:35 +00:00
|
|
|
|
2018-02-15 21:06:14 +00:00
|
|
|
for remote_addr in UNTRUSTED_ADDRESSES:
|
|
|
|
|
set_mock_ip(remote_addr)
|
2018-03-09 01:51:49 +00:00
|
|
|
resp = await client.get('/')
|
2018-02-15 21:06:14 +00:00
|
|
|
assert resp.status == 401, \
|
|
|
|
|
"{} shouldn't be trusted".format(remote_addr)
|
2017-09-28 07:49:35 +00:00
|
|
|
|
2018-02-15 21:06:14 +00:00
|
|
|
for remote_addr in TRUSTED_ADDRESSES:
|
|
|
|
|
set_mock_ip(remote_addr)
|
2018-03-09 01:51:49 +00:00
|
|
|
resp = await client.get('/')
|
2018-02-15 21:06:14 +00:00
|
|
|
assert resp.status == 200, \
|
|
|
|
|
"{} should be trusted".format(remote_addr)
|
