mobile_app component (#21475)

* Initial pass of a mobile_app component * Fully support encryption, validation for the webhook payloads, and other general improvements * Return same format as original API calls * Minor encryption fixes, logging improvements * Migrate Owntracks to use the superior PyNaCl instead of libnacl, mark it as a requirement in mobile_app * Add mobile_app to .coveragerc * Dont manually b64decode on OT * Initial requested changes * Round two of fixes * Initial mobile_app tests * Dont allow making registration requests for same/existing device * Test formatting fixes * Add mobile_app to default_config * Add some more keys allowed in registration payloads * Add support for getting a single device, updating a device, getting all devices. Also change from /api/mobile_app/register to /api/mobile_app/devices * Change device_id to fingerprint * Next round of changes * Add keyword args and pass context on all relevant calls * Remove SingleDeviceView in favor of webhook type to update registration * Only allow some properties to be updated on registrations, rename integration_data to app_data * Add call service test, ensure events actually fire, only run the encryption tests if sodium is installed * pylint * Fix OwnTracks test * Fix iteration of devices and remove device_for_webhook_id
2019-03-01 23:08:20 -08:00 · 2019-03-01 23:08:20 -08:00 · 655ada1374
parent 0903bd92f0
commit 655ada1374
12 changed files with 666 additions and 21 deletions
--- a/.coveragerc
+++ b/.coveragerc
@ -320,6 +320,7 @@ omit =
    homeassistant/components/media_player/yamaha.py
    homeassistant/components/media_player/ziggo_mediabox_xl.py
    homeassistant/components/meteo_france/*
+    homeassistant/components/mobile_app/*
    homeassistant/components/mochad/*
    homeassistant/components/modbus/*
    homeassistant/components/mychevy/*
@ -384,7 +385,7 @@ omit =
    homeassistant/components/point/*
    homeassistant/components/prometheus/*
    homeassistant/components/ps4/__init__.py
-    homeassistant/components/ps4/media_player.py    
+    homeassistant/components/ps4/media_player.py
    homeassistant/components/qwikswitch/*
    homeassistant/components/rachio/*
    homeassistant/components/rainbird/*
--- a/homeassistant/components/default_config/init.py
+++ b/homeassistant/components/default_config/init.py
@ -11,6 +11,7 @@ DEPENDENCIES = (
    'history',
    'logbook',
    'map',
+    'mobile_app',
    'person',
    'script',
    'sun',
--- a/homeassistant/components/mobile_app/init.py
+++ b/homeassistant/components/mobile_app/init.py
@ -0,0 +1,355 @@
+"""Support for native mobile apps."""
+import logging
+import json
+from functools import partial
+
+import voluptuous as vol
+from aiohttp.web import json_response, Response
+from aiohttp.web_exceptions import HTTPBadRequest
+
+from homeassistant import config_entries
+from homeassistant.auth.util import generate_secret
+import homeassistant.core as ha
+from homeassistant.core import Context
+from homeassistant.components import webhook
+from homeassistant.components.http import HomeAssistantView
+from homeassistant.components.http.data_validator import RequestDataValidator
+from homeassistant.components.device_tracker import (
+    DOMAIN as DEVICE_TRACKER_DOMAIN, SERVICE_SEE as DEVICE_TRACKER_SEE,
+    SERVICE_SEE_PAYLOAD_SCHEMA as SEE_SCHEMA)
+from homeassistant.const import (ATTR_DOMAIN, ATTR_SERVICE, ATTR_SERVICE_DATA,
+                                 HTTP_BAD_REQUEST, HTTP_CREATED,
+                                 HTTP_INTERNAL_SERVER_ERROR, CONF_WEBHOOK_ID)
+from homeassistant.exceptions import (HomeAssistantError, ServiceNotFound,
+                                      TemplateError)
+from homeassistant.helpers import config_validation as cv, template
+from homeassistant.helpers.typing import HomeAssistantType
+
+REQUIREMENTS = ['PyNaCl==1.3.0']
+
+_LOGGER = logging.getLogger(__name__)
+
+DOMAIN = 'mobile_app'
+
+DEPENDENCIES = ['device_tracker', 'http', 'webhook']
+
+STORAGE_KEY = DOMAIN
+STORAGE_VERSION = 1
+
+CONF_SECRET = 'secret'
+CONF_USER_ID = 'user_id'
+
+ATTR_APP_DATA = 'app_data'
+ATTR_APP_ID = 'app_id'
+ATTR_APP_NAME = 'app_name'
+ATTR_APP_VERSION = 'app_version'
+ATTR_DEVICE_NAME = 'device_name'
+ATTR_MANUFACTURER = 'manufacturer'
+ATTR_MODEL = 'model'
+ATTR_OS_VERSION = 'os_version'
+ATTR_SUPPORTS_ENCRYPTION = 'supports_encryption'
+
+ATTR_EVENT_DATA = 'event_data'
+ATTR_EVENT_TYPE = 'event_type'
+
+ATTR_TEMPLATE = 'template'
+ATTR_TEMPLATE_VARIABLES = 'variables'
+
+ATTR_WEBHOOK_DATA = 'data'
+ATTR_WEBHOOK_ENCRYPTED = 'encrypted'
+ATTR_WEBHOOK_ENCRYPTED_DATA = 'encrypted_data'
+ATTR_WEBHOOK_TYPE = 'type'
+
+WEBHOOK_TYPE_CALL_SERVICE = 'call_service'
+WEBHOOK_TYPE_FIRE_EVENT = 'fire_event'
+WEBHOOK_TYPE_RENDER_TEMPLATE = 'render_template'
+WEBHOOK_TYPE_UPDATE_LOCATION = 'update_location'
+WEBHOOK_TYPE_UPDATE_REGISTRATION = 'update_registration'
+
+WEBHOOK_TYPES = [WEBHOOK_TYPE_CALL_SERVICE, WEBHOOK_TYPE_FIRE_EVENT,
+                 WEBHOOK_TYPE_RENDER_TEMPLATE, WEBHOOK_TYPE_UPDATE_LOCATION,
+                 WEBHOOK_TYPE_UPDATE_REGISTRATION]
+
+REGISTER_DEVICE_SCHEMA = vol.Schema({
+    vol.Optional(ATTR_APP_DATA, default={}): dict,
+    vol.Required(ATTR_APP_ID): cv.string,
+    vol.Optional(ATTR_APP_NAME): cv.string,
+    vol.Required(ATTR_APP_VERSION): cv.string,
+    vol.Required(ATTR_DEVICE_NAME): cv.string,
+    vol.Required(ATTR_MANUFACTURER): cv.string,
+    vol.Required(ATTR_MODEL): cv.string,
+    vol.Optional(ATTR_OS_VERSION): cv.string,
+    vol.Required(ATTR_SUPPORTS_ENCRYPTION, default=False): cv.boolean,
+})
+
+UPDATE_DEVICE_SCHEMA = vol.Schema({
+    vol.Optional(ATTR_APP_DATA, default={}): dict,
+    vol.Required(ATTR_APP_VERSION): cv.string,
+    vol.Required(ATTR_DEVICE_NAME): cv.string,
+    vol.Required(ATTR_MANUFACTURER): cv.string,
+    vol.Required(ATTR_MODEL): cv.string,
+    vol.Optional(ATTR_OS_VERSION): cv.string,
+})
+
+WEBHOOK_PAYLOAD_SCHEMA = vol.Schema({
+    vol.Required(ATTR_WEBHOOK_TYPE): vol.In(WEBHOOK_TYPES),
+    vol.Required(ATTR_WEBHOOK_DATA, default={}): dict,
+    vol.Optional(ATTR_WEBHOOK_ENCRYPTED, default=False): cv.boolean,
+    vol.Optional(ATTR_WEBHOOK_ENCRYPTED_DATA): cv.string,
+})
+
+CALL_SERVICE_SCHEMA = vol.Schema({
+    vol.Required(ATTR_DOMAIN): cv.string,
+    vol.Required(ATTR_SERVICE): cv.string,
+    vol.Optional(ATTR_SERVICE_DATA, default={}): dict,
+})
+
+FIRE_EVENT_SCHEMA = vol.Schema({
+    vol.Required(ATTR_EVENT_TYPE): cv.string,
+    vol.Optional(ATTR_EVENT_DATA, default={}): dict,
+})
+
+RENDER_TEMPLATE_SCHEMA = vol.Schema({
+    vol.Required(ATTR_TEMPLATE): cv.string,
+    vol.Optional(ATTR_TEMPLATE_VARIABLES, default={}): dict,
+})
+
+WEBHOOK_SCHEMAS = {
+    WEBHOOK_TYPE_CALL_SERVICE: CALL_SERVICE_SCHEMA,
+    WEBHOOK_TYPE_FIRE_EVENT: FIRE_EVENT_SCHEMA,
+    WEBHOOK_TYPE_RENDER_TEMPLATE: RENDER_TEMPLATE_SCHEMA,
+    WEBHOOK_TYPE_UPDATE_LOCATION: SEE_SCHEMA,
+    WEBHOOK_TYPE_UPDATE_REGISTRATION: UPDATE_DEVICE_SCHEMA,
+}
+
+
+def get_cipher():
+    """Return decryption function and length of key.
+
+    Async friendly.
+    """
+    from nacl.secret import SecretBox
+    from nacl.encoding import Base64Encoder
+
+    def decrypt(ciphertext, key):
+        """Decrypt ciphertext using key."""
+        return SecretBox(key).decrypt(ciphertext, encoder=Base64Encoder)
+    return (SecretBox.KEY_SIZE, decrypt)
+
+
+def _decrypt_payload(key, ciphertext):
+    """Decrypt encrypted payload."""
+    try:
+        keylen, decrypt = get_cipher()
+    except OSError:
+        _LOGGER.warning(
+            "Ignoring encrypted payload because libsodium not installed")
+        return None
+
+    if key is None:
+        _LOGGER.warning(
+            "Ignoring encrypted payload because no decryption key known")
+        return None
+
+    key = key.encode("utf-8")
+    key = key[:keylen]
+    key = key.ljust(keylen, b'\0')
+
+    try:
+        message = decrypt(ciphertext, key)
+        message = json.loads(message.decode("utf-8"))
+        _LOGGER.debug("Successfully decrypted mobile_app payload")
+        return message
+    except ValueError:
+        _LOGGER.warning("Ignoring encrypted payload because unable to decrypt")
+        return None
+
+
+def context(device):
+    """Generate a context from a request."""
+    return Context(user_id=device[CONF_USER_ID])
+
+
+async def handle_webhook(store, hass: HomeAssistantType, webhook_id: str,
+                         request):
+    """Handle webhook callback."""
+    device = hass.data[DOMAIN][webhook_id]
+
+    try:
+        req_data = await request.json()
+    except ValueError:
+        _LOGGER.warning('Received invalid JSON from mobile_app')
+        return json_response([], status=HTTP_BAD_REQUEST)
+
+    try:
+        req_data = WEBHOOK_PAYLOAD_SCHEMA(req_data)
+    except vol.Invalid as ex:
+        err = vol.humanize.humanize_error(req_data, ex)
+        _LOGGER.error('Received invalid webhook payload: %s', err)
+        return Response(status=200)
+
+    webhook_type = req_data[ATTR_WEBHOOK_TYPE]
+
+    webhook_payload = req_data.get(ATTR_WEBHOOK_DATA, {})
+
+    if req_data[ATTR_WEBHOOK_ENCRYPTED]:
+        enc_data = req_data[ATTR_WEBHOOK_ENCRYPTED_DATA]
+        webhook_payload = _decrypt_payload(device[CONF_SECRET], enc_data)
+
+    try:
+        data = WEBHOOK_SCHEMAS[webhook_type](webhook_payload)
+    except vol.Invalid as ex:
+        err = vol.humanize.humanize_error(webhook_payload, ex)
+        _LOGGER.error('Received invalid webhook payload: %s', err)
+        return Response(status=200)
+
+    if webhook_type == WEBHOOK_TYPE_CALL_SERVICE:
+        try:
+            await hass.services.async_call(data[ATTR_DOMAIN],
+                                           data[ATTR_SERVICE],
+                                           data[ATTR_SERVICE_DATA],
+                                           blocking=True,
+                                           context=context(device))
+        except (vol.Invalid, ServiceNotFound):
+            raise HTTPBadRequest()
+
+        return Response(status=200)
+
+    if webhook_type == WEBHOOK_TYPE_FIRE_EVENT:
+        event_type = data[ATTR_EVENT_TYPE]
+        hass.bus.async_fire(event_type, data[ATTR_EVENT_DATA],
+                            ha.EventOrigin.remote, context=context(device))
+        return Response(status=200)
+
+    if webhook_type == WEBHOOK_TYPE_RENDER_TEMPLATE:
+        try:
+            tpl = template.Template(data[ATTR_TEMPLATE], hass)
+            rendered = tpl.async_render(data.get(ATTR_TEMPLATE_VARIABLES))
+            return json_response({"rendered": rendered})
+        except (ValueError, TemplateError) as ex:
+            return json_response(({"error": ex}), status=HTTP_BAD_REQUEST)
+
+    if webhook_type == WEBHOOK_TYPE_UPDATE_LOCATION:
+        await hass.services.async_call(DEVICE_TRACKER_DOMAIN,
+                                       DEVICE_TRACKER_SEE, data,
+                                       blocking=True, context=context(device))
+        return Response(status=200)
+
+    if webhook_type == WEBHOOK_TYPE_UPDATE_REGISTRATION:
+        data[ATTR_APP_ID] = device[ATTR_APP_ID]
+        data[ATTR_APP_NAME] = device[ATTR_APP_NAME]
+        data[ATTR_SUPPORTS_ENCRYPTION] = device[ATTR_SUPPORTS_ENCRYPTION]
+        data[CONF_SECRET] = device[CONF_SECRET]
+        data[CONF_USER_ID] = device[CONF_USER_ID]
+        data[CONF_WEBHOOK_ID] = device[CONF_WEBHOOK_ID]
+
+        hass.data[DOMAIN][webhook_id] = data
+
+        try:
+            await store.async_save(hass.data[DOMAIN])
+        except HomeAssistantError as ex:
+            _LOGGER.error("Error updating mobile_app registration: %s", ex)
+            return Response(status=200)
+
+        return json_response(safe_device(data))
+
+
+def supports_encryption():
+    """Test if we support encryption."""
+    try:
+        import nacl   # noqa pylint: disable=unused-import
+        return True
+    except OSError:
+        return False
+
+
+def safe_device(device: dict):
+    """Return a device without webhook_id or secret."""
+    return {
+        ATTR_APP_DATA: device[ATTR_APP_DATA],
+        ATTR_APP_ID: device[ATTR_APP_ID],
+        ATTR_APP_NAME: device[ATTR_APP_NAME],
+        ATTR_APP_VERSION: device[ATTR_APP_VERSION],
+        ATTR_DEVICE_NAME: device[ATTR_DEVICE_NAME],
+        ATTR_MANUFACTURER: device[ATTR_MANUFACTURER],
+        ATTR_MODEL: device[ATTR_MODEL],
+        ATTR_OS_VERSION: device[ATTR_OS_VERSION],
+        ATTR_SUPPORTS_ENCRYPTION: device[ATTR_SUPPORTS_ENCRYPTION],
+    }
+
+
+def register_device_webhook(hass: HomeAssistantType, store, device):
+    """Register the webhook for a device."""
+    device_name = 'Mobile App: {}'.format(device[ATTR_DEVICE_NAME])
+    webhook_id = device[CONF_WEBHOOK_ID]
+    webhook.async_register(hass, DOMAIN, device_name, webhook_id,
+                           partial(handle_webhook, store))
+
+
+async def async_setup(hass, config):
+    """Set up the mobile app component."""
+    conf = config.get(DOMAIN)
+
+    store = hass.helpers.storage.Store(STORAGE_VERSION, STORAGE_KEY)
+    app_config = await store.async_load()
+    if app_config is None:
+        app_config = {}
+
+    hass.data[DOMAIN] = app_config
+
+    for device in app_config.values():
+        register_device_webhook(hass, store, device)
+
+    if conf is not None:
+        hass.async_create_task(hass.config_entries.flow.async_init(
+            DOMAIN, context={'source': config_entries.SOURCE_IMPORT}))
+
+    hass.http.register_view(DevicesView(store))
+
+    return True
+
+
+async def async_setup_entry(hass, entry):
+    """Set up an mobile_app entry."""
+    return True
+
+
+class DevicesView(HomeAssistantView):
+    """A view that accepts device registration requests."""
+
+    url = '/api/mobile_app/devices'
+    name = 'api:mobile_app:register-device'
+
+    def __init__(self, store):
+        """Initialize the view."""
+        self._store = store
+
+    @RequestDataValidator(REGISTER_DEVICE_SCHEMA)
+    async def post(self, request, data):
+        """Handle the POST request for device registration."""
+        hass = request.app['hass']
+
+        resp = {}
+
+        webhook_id = generate_secret()
+
+        data[CONF_WEBHOOK_ID] = resp[CONF_WEBHOOK_ID] = webhook_id
+
+        if data[ATTR_SUPPORTS_ENCRYPTION] and supports_encryption():
+            secret = generate_secret(16)
+
+            data[CONF_SECRET] = resp[CONF_SECRET] = secret
+
+        data[CONF_USER_ID] = request['hass_user'].id
+
+        hass.data[DOMAIN][webhook_id] = data
+
+        try:
+            await self._store.async_save(hass.data[DOMAIN])
+        except HomeAssistantError:
+            return self.json_message("Error saving device.",
+                                     HTTP_INTERNAL_SERVER_ERROR)
+
+        register_device_webhook(hass, self._store, data)
+
+        return self.json(resp, status_code=HTTP_CREATED)
--- a/homeassistant/components/owntracks/init.py
+++ b/homeassistant/components/owntracks/init.py
@ -16,7 +16,7 @@ from homeassistant.setup import async_when_setup

 from .config_flow import CONF_SECRET

-REQUIREMENTS = ['libnacl==1.6.1']
+REQUIREMENTS = ['PyNaCl==1.3.0']

 _LOGGER = logging.getLogger(__name__)

--- a/homeassistant/components/owntracks/config_flow.py
+++ b/homeassistant/components/owntracks/config_flow.py
@ -9,7 +9,7 @@ CONF_SECRET = 'secret'
 def supports_encryption():
    """Test if we support encryption."""
    try:
-        import libnacl   # noqa pylint: disable=unused-import
+        import nacl   # noqa pylint: disable=unused-import
        return True
    except OSError:
        return False
--- a/homeassistant/components/owntracks/device_tracker.py
+++ b/homeassistant/components/owntracks/device_tracker.py
@ -4,7 +4,6 @@ Device tracker platform that adds support for OwnTracks over MQTT.
 For more details about this platform, please refer to the documentation at
 https://home-assistant.io/components/device_tracker.owntracks/
 """
-import base64
 import json
 import logging

@ -37,13 +36,13 @@ def get_cipher():

    Async friendly.
    """
-    from libnacl import crypto_secretbox_KEYBYTES as KEYLEN
-    from libnacl.secret import SecretBox
+    from nacl.secret import SecretBox
+    from nacl.encoding import Base64Encoder

    def decrypt(ciphertext, key):
        """Decrypt ciphertext using key."""
-        return SecretBox(key).decrypt(ciphertext)
-    return (KEYLEN, decrypt)
+        return SecretBox(key).decrypt(ciphertext, encoder=Base64Encoder)
+    return (SecretBox.KEY_SIZE, decrypt)


 def _parse_topic(topic, subscribe_topic):
@ -141,7 +140,6 @@ def _decrypt_payload(secret, topic, ciphertext):
    key = key.ljust(keylen, b'\0')

    try:
-        ciphertext = base64.b64decode(ciphertext)
        message = decrypt(ciphertext, key)
        message = message.decode("utf-8")
        _LOGGER.debug("Decrypted payload: %s", message)
--- a/requirements_all.txt
+++ b/requirements_all.txt
@ -50,6 +50,10 @@ PyMVGLive==1.1.4
 # homeassistant.components.arduino
 PyMata==2.14

+# homeassistant.components.mobile_app
+# homeassistant.components.owntracks
+PyNaCl==1.3.0
+
 # homeassistant.auth.mfa_modules.totp
 PyQRCode==1.2.1

@ -608,9 +612,6 @@ konnected==0.1.4
 # homeassistant.components.eufy
 lakeside==0.12

-# homeassistant.components.owntracks
-libnacl==1.6.1
-
 # homeassistant.components.dyson
 libpurecoollink==0.4.2

--- a/requirements_test_all.txt
+++ b/requirements_test_all.txt
@ -21,6 +21,10 @@ requests_mock==1.5.2
 # homeassistant.components.homekit
 HAP-python==2.4.2

+# homeassistant.components.mobile_app
+# homeassistant.components.owntracks
+PyNaCl==1.3.0
+
 # homeassistant.components.sensor.rmvtransport
 PyRMVtransport==0.1.3

--- a/script/gen_requirements_all.py
+++ b/script/gen_requirements_all.py
@ -108,6 +108,7 @@ TEST_REQUIREMENTS = (
    'pyupnp-async',
    'pywebpush',
    'pyHS100',
+    'PyNaCl',
    'regenmaschine',
    'restrictedpython',
    'rflink',
--- a/tests/components/device_tracker/test_owntracks.py
+++ b/tests/components/device_tracker/test_owntracks.py
@ -1295,18 +1295,25 @@ async def test_unsupported_message(hass, context):

 def generate_ciphers(secret):
    """Generate test ciphers for the DEFAULT_LOCATION_MESSAGE."""
-    # libnacl ciphertext generation will fail if the module
+    # PyNaCl ciphertext generation will fail if the module
    # cannot be imported. However, the test for decryption
    # also relies on this library and won't be run without it.
    import pickle
    import base64

    try:
-        from libnacl import crypto_secretbox_KEYBYTES as KEYLEN
-        from libnacl.secret import SecretBox
-        key = secret.encode("utf-8")[:KEYLEN].ljust(KEYLEN, b'\0')
-        ctxt = base64.b64encode(SecretBox(key).encrypt(json.dumps(
-            DEFAULT_LOCATION_MESSAGE).encode("utf-8"))).decode("utf-8")
+        from nacl.secret import SecretBox
+        from nacl.encoding import Base64Encoder
+
+        keylen = SecretBox.KEY_SIZE
+        key = secret.encode("utf-8")
+        key = key[:keylen]
+        key = key.ljust(keylen, b'\0')
+
+        msg = json.dumps(DEFAULT_LOCATION_MESSAGE).encode("utf-8")
+
+        ctxt = SecretBox(key).encrypt(msg,
+                                      encoder=Base64Encoder).decode("utf-8")
    except (ImportError, OSError):
        ctxt = ''

@ -1341,7 +1348,8 @@ def mock_cipher():
    def mock_decrypt(ciphertext, key):
        """Decrypt/unpickle."""
        import pickle
-        (mkey, plaintext) = pickle.loads(ciphertext)
+        import base64
+        (mkey, plaintext) = pickle.loads(base64.b64decode(ciphertext))
        if key != mkey:
            raise ValueError()
        return plaintext
@ -1443,9 +1451,9 @@ async def test_encrypted_payload_libsodium(hass, setup_comp):
    """Test sending encrypted message payload."""
    try:
        # pylint: disable=unused-import
-        import libnacl  # noqa: F401
+        import nacl  # noqa: F401
    except (ImportError, OSError):
-        pytest.skip("libnacl/libsodium is not installed")
+        pytest.skip("PyNaCl/libsodium is not installed")
        return

    await setup_owntracks(hass, {
--- a/tests/components/mobile_app/init.py
+++ b/tests/components/mobile_app/init.py
@ -0,0 +1 @@
+"""Tests for mobile_app component."""
--- a/tests/components/mobile_app/test_init.py
+++ b/tests/components/mobile_app/test_init.py
@ -0,0 +1,275 @@
+"""Test the mobile_app_http platform."""
+import pytest
+
+from homeassistant.setup import async_setup_component
+
+from homeassistant.const import CONF_WEBHOOK_ID
+from homeassistant.components.mobile_app import (DOMAIN, STORAGE_KEY,
+                                                 STORAGE_VERSION,
+                                                 CONF_SECRET, CONF_USER_ID)
+from homeassistant.core import callback
+
+from tests.common import async_mock_service
+
+FIRE_EVENT = {
+    'type': 'fire_event',
+    'data': {
+        'event_type': 'test_event',
+        'event_data': {
+            'hello': 'yo world'
+        }
+    }
+}
+
+RENDER_TEMPLATE = {
+    'type': 'render_template',
+    'data': {
+        'template': 'Hello world'
+    }
+}
+
+CALL_SERVICE = {
+    'type': 'call_service',
+    'data': {
+        'domain': 'test',
+        'service': 'mobile_app',
+        'service_data': {
+            'foo': 'bar'
+        }
+    }
+}
+
+REGISTER = {
+    'app_data': {'foo': 'bar'},
+    'app_id': 'io.homeassistant.mobile_app_test',
+    'app_name': 'Mobile App Tests',
+    'app_version': '1.0.0',
+    'device_name': 'Test 1',
+    'manufacturer': 'mobile_app',
+    'model': 'Test',
+    'os_version': '1.0',
+    'supports_encryption': True
+}
+
+UPDATE = {
+    'app_data': {'foo': 'bar'},
+    'app_version': '2.0.0',
+    'device_name': 'Test 1',
+    'manufacturer': 'mobile_app',
+    'model': 'Test',
+    'os_version': '1.0'
+}
+
+# pylint: disable=redefined-outer-name
+
+
+@pytest.fixture
+def mobile_app_client(hass, aiohttp_client, hass_storage, hass_admin_user):
+    """mobile_app mock client."""
+    hass_storage[STORAGE_KEY] = {
+        'version': STORAGE_VERSION,
+        'data': {
+            'mobile_app_test': {
+                CONF_SECRET: '58eb127991594dad934d1584bdee5f27',
+                'supports_encryption': True,
+                CONF_WEBHOOK_ID: 'mobile_app_test',
+                'device_name': 'Test Device',
+                CONF_USER_ID: hass_admin_user.id,
+            }
+        }
+    }
+
+    assert hass.loop.run_until_complete(async_setup_component(
+        hass, DOMAIN, {
+            DOMAIN: {}
+        }))
+
+    return hass.loop.run_until_complete(aiohttp_client(hass.http.app))
+
+
+@pytest.fixture
+async def mock_api_client(hass, hass_client):
+    """Provide an authenticated client for mobile_app to use."""
+    await async_setup_component(hass, DOMAIN, {DOMAIN: {}})
+    return await hass_client()
+
+
+async def test_handle_render_template(mobile_app_client):
+    """Test that we render templates properly."""
+    resp = await mobile_app_client.post(
+        '/api/webhook/mobile_app_test',
+        json=RENDER_TEMPLATE
+    )
+
+    assert resp.status == 200
+
+    json = await resp.json()
+    assert json == {'rendered': 'Hello world'}
+
+
+async def test_handle_call_services(hass, mobile_app_client):
+    """Test that we call services properly."""
+    calls = async_mock_service(hass, 'test', 'mobile_app')
+
+    resp = await mobile_app_client.post(
+        '/api/webhook/mobile_app_test',
+        json=CALL_SERVICE
+    )
+
+    assert resp.status == 200
+
+    assert len(calls) == 1
+
+
+async def test_handle_fire_event(hass, mobile_app_client):
+    """Test that we can fire events."""
+    events = []
+
+    @callback
+    def store_event(event):
+        """Helepr to store events."""
+        events.append(event)
+
+    hass.bus.async_listen('test_event', store_event)
+
+    resp = await mobile_app_client.post(
+        '/api/webhook/mobile_app_test',
+        json=FIRE_EVENT
+    )
+
+    assert resp.status == 200
+    text = await resp.text()
+    assert text == ""
+
+    assert len(events) == 1
+    assert events[0].data['hello'] == 'yo world'
+
+
+async def test_update_registration(mobile_app_client, hass_client):
+    """Test that a we can update an existing registration via webhook."""
+    mock_api_client = await hass_client()
+    register_resp = await mock_api_client.post(
+        '/api/mobile_app/devices', json=REGISTER
+    )
+
+    assert register_resp.status == 201
+    register_json = await register_resp.json()
+
+    webhook_id = register_json[CONF_WEBHOOK_ID]
+
+    update_container = {
+        'type': 'update_registration',
+        'data': UPDATE
+    }
+
+    update_resp = await mobile_app_client.post(
+        '/api/webhook/{}'.format(webhook_id), json=update_container
+    )
+
+    assert update_resp.status == 200
+    update_json = await update_resp.json()
+    assert update_json['app_version'] == '2.0.0'
+    assert CONF_WEBHOOK_ID not in update_json
+    assert CONF_SECRET not in update_json
+
+
+async def test_returns_error_incorrect_json(mobile_app_client, caplog):
+    """Test that an error is returned when JSON is invalid."""
+    resp = await mobile_app_client.post(
+        '/api/webhook/mobile_app_test',
+        data='not json'
+    )
+
+    assert resp.status == 400
+    json = await resp.json()
+    assert json == []
+    assert 'invalid JSON' in caplog.text
+
+
+async def test_handle_decryption(mobile_app_client):
+    """Test that we can encrypt/decrypt properly."""
+    try:
+        # pylint: disable=unused-import
+        from nacl.secret import SecretBox  # noqa: F401
+        from nacl.encoding import Base64Encoder  # noqa: F401
+    except (ImportError, OSError):
+        pytest.skip("libnacl/libsodium is not installed")
+        return
+
+    import json
+
+    keylen = SecretBox.KEY_SIZE
+    key = "58eb127991594dad934d1584bdee5f27".encode("utf-8")
+    key = key[:keylen]
+    key = key.ljust(keylen, b'\0')
+
+    payload = json.dumps({'template': 'Hello world'}).encode("utf-8")
+
+    data = SecretBox(key).encrypt(payload,
+                                  encoder=Base64Encoder).decode("utf-8")
+
+    container = {
+        'type': 'render_template',
+        'encrypted': True,
+        'encrypted_data': data,
+    }
+
+    resp = await mobile_app_client.post(
+        '/api/webhook/mobile_app_test',
+        json=container
+    )
+
+    assert resp.status == 200
+
+    json = await resp.json()
+    assert json == {'rendered': 'Hello world'}
+
+
+async def test_register_device(hass_client, mock_api_client):
+    """Test that a device can be registered."""
+    try:
+        # pylint: disable=unused-import
+        from nacl.secret import SecretBox  # noqa: F401
+        from nacl.encoding import Base64Encoder  # noqa: F401
+    except (ImportError, OSError):
+        pytest.skip("libnacl/libsodium is not installed")
+        return
+
+    import json
+
+    resp = await mock_api_client.post(
+        '/api/mobile_app/devices', json=REGISTER
+    )
+
+    assert resp.status == 201
+    register_json = await resp.json()
+    assert CONF_WEBHOOK_ID in register_json
+    assert CONF_SECRET in register_json
+
+    keylen = SecretBox.KEY_SIZE
+    key = register_json[CONF_SECRET].encode("utf-8")
+    key = key[:keylen]
+    key = key.ljust(keylen, b'\0')
+
+    payload = json.dumps({'template': 'Hello world'}).encode("utf-8")
+
+    data = SecretBox(key).encrypt(payload,
+                                  encoder=Base64Encoder).decode("utf-8")
+
+    container = {
+        'type': 'render_template',
+        'encrypted': True,
+        'encrypted_data': data,
+    }
+
+    mobile_app_client = await hass_client()
+
+    resp = await mobile_app_client.post(
+        '/api/webhook/{}'.format(register_json[CONF_WEBHOOK_ID]),
+        json=container
+    )
+
+    assert resp.status == 200
+
+    webhook_json = await resp.json()
+    assert webhook_json == {'rendered': 'Hello world'}