From a37bd824d55a4967f2a121e785f60932f977f542 Mon Sep 17 00:00:00 2001
From: Robert Resch <robert@resch.dev>
Date: Wed, 23 Oct 2024 11:53:50 +0200
Subject: [PATCH] Add go2rtc binary config to expose api only on localhost
 (#129025)

---
 homeassistant/components/go2rtc/server.py | 20 ++++++++++++++---
 tests/components/go2rtc/test_server.py    | 27 ++++++++++++++++-------
 2 files changed, 36 insertions(+), 11 deletions(-)

diff --git a/homeassistant/components/go2rtc/server.py b/homeassistant/components/go2rtc/server.py
index a0afb2f8c93..7e824797da2 100644
--- a/homeassistant/components/go2rtc/server.py
+++ b/homeassistant/components/go2rtc/server.py
@@ -9,12 +9,28 @@ from homeassistant.core import HomeAssistant
 _LOGGER = logging.getLogger(__name__)
 _TERMINATE_TIMEOUT = 5
 
+# Default configuration for HA
+# - Api is listening only on localhost
+# - Disable rtsp listener
+# - Clear default ice servers
+_GO2RTC_CONFIG = """
+api:
+  listen: "127.0.0.1:1984"
+
+rtsp:
+  listen: ""
+
+webrtc:
+  ice_servers: []
+"""
+
 
 def _create_temp_file() -> str:
     """Create temporary config file."""
     # Set delete=False to prevent the file from being deleted when the file is closed
     # Linux is clearing tmp folder on reboot, so no need to delete it manually
-    with NamedTemporaryFile(prefix="go2rtc", suffix=".yaml", delete=False) as file:
+    with NamedTemporaryFile(prefix="go2rtc_", suffix=".yaml", delete=False) as file:
+        file.write(_GO2RTC_CONFIG.encode())
         return file.name
 
 
@@ -43,8 +59,6 @@ class Server:
         self._process = await asyncio.create_subprocess_exec(
             self._binary,
             "-c",
-            "webrtc.ice_servers=[]",
-            "-c",
             config_file,
             stdout=asyncio.subprocess.PIPE,
             stderr=asyncio.subprocess.STDOUT,
diff --git a/tests/components/go2rtc/test_server.py b/tests/components/go2rtc/test_server.py
index b81c623722c..80e3b18f175 100644
--- a/tests/components/go2rtc/test_server.py
+++ b/tests/components/go2rtc/test_server.py
@@ -4,7 +4,7 @@ import asyncio
 from collections.abc import Generator
 import logging
 import subprocess
-from unittest.mock import MagicMock, patch
+from unittest.mock import MagicMock, Mock, patch
 
 import pytest
 
@@ -21,13 +21,14 @@ def server(hass: HomeAssistant) -> Server:
 
 
 @pytest.fixture
-def mock_tempfile() -> Generator[MagicMock]:
+def mock_tempfile() -> Generator[Mock]:
     """Fixture to mock NamedTemporaryFile."""
     with patch(
-        "homeassistant.components.go2rtc.server.NamedTemporaryFile"
+        "homeassistant.components.go2rtc.server.NamedTemporaryFile", autospec=True
     ) as mock_tempfile:
-        mock_tempfile.return_value.__enter__.return_value.name = "test.yaml"
-        yield mock_tempfile
+        file = mock_tempfile.return_value.__enter__.return_value
+        file.name = "test.yaml"
+        yield file
 
 
 @pytest.fixture
@@ -42,11 +43,11 @@ def mock_process() -> Generator[MagicMock]:
         yield mock_popen
 
 
-@pytest.mark.usefixtures("mock_tempfile")
 async def test_server_run_success(
     mock_process: MagicMock,
     server: Server,
     caplog: pytest.LogCaptureFixture,
+    mock_tempfile: Mock,
 ) -> None:
     """Test that the server runs successfully."""
     # Simulate process output
@@ -63,13 +64,23 @@ async def test_server_run_success(
     mock_process.assert_called_once_with(
         TEST_BINARY,
         "-c",
-        "webrtc.ice_servers=[]",
-        "-c",
         "test.yaml",
         stdout=subprocess.PIPE,
         stderr=subprocess.STDOUT,
     )
 
+    # Verify that the config file was written
+    mock_tempfile.write.assert_called_once_with(b"""
+api:
+  listen: "127.0.0.1:1984"
+
+rtsp:
+  listen: ""
+
+webrtc:
+  ice_servers: []
+""")
+
     # Check that server read the log lines
     for entry in ("log line 1", "log line 2"):
         assert (