From e8314fb286b9ff9fb6356f71bed52dc66ead07d8 Mon Sep 17 00:00:00 2001
From: Erik Montnemery <erik@montnemery.com>
Date: Wed, 5 Feb 2025 12:14:06 +0100
Subject: [PATCH] Adjust logic for per-backup agent encryption (#137420)

---
 homeassistant/components/backup/manager.py |  6 ++-
 tests/components/backup/test_manager.py    | 55 +++++++++++++++++++++-
 2 files changed, 58 insertions(+), 3 deletions(-)

diff --git a/homeassistant/components/backup/manager.py b/homeassistant/components/backup/manager.py
index 24639ad4008..25393a872cc 100644
--- a/homeassistant/components/backup/manager.py
+++ b/homeassistant/components/backup/manager.py
@@ -1439,7 +1439,11 @@ class CoreBackupReaderWriter(BackupReaderWriter):
         manager = self._hass.data[DATA_MANAGER]
 
         agent_config = manager.config.data.agents.get(self._local_agent_id)
-        if agent_config and not agent_config.protected:
+        if (
+            self._local_agent_id in agent_ids
+            and agent_config
+            and not agent_config.protected
+        ):
             password = None
 
         backup = AgentBackup(
diff --git a/tests/components/backup/test_manager.py b/tests/components/backup/test_manager.py
index aa7d7ebd95c..beaf942b21f 100644
--- a/tests/components/backup/test_manager.py
+++ b/tests/components/backup/test_manager.py
@@ -46,6 +46,7 @@ from homeassistant.components.backup.manager import (
     RestoreBackupState,
     WrittenBackup,
 )
+from homeassistant.components.backup.util import password_to_key
 from homeassistant.core import HomeAssistant
 from homeassistant.exceptions import HomeAssistantError
 from homeassistant.helpers import issue_registry as ir
@@ -3207,17 +3208,21 @@ async def test_restore_backup_file_error(
 
 
 @pytest.mark.parametrize(
-    ("commands", "password", "protected_backup"),
+    ("commands", "agent_ids", "password", "protected_backup", "inner_tar_key"),
     [
         (
             [],
+            ["backup.local", "test.remote"],
             None,
             {"backup.local": False, "test.remote": False},
+            None,
         ),
         (
             [],
+            ["backup.local", "test.remote"],
             "hunter2",
             {"backup.local": True, "test.remote": True},
+            password_to_key("hunter2"),
         ),
         (
             [
@@ -3229,8 +3234,10 @@ async def test_restore_backup_file_error(
                     },
                 }
             ],
+            ["backup.local", "test.remote"],
             "hunter2",
             {"backup.local": False, "test.remote": False},
+            None,  # None of the agents are protected
         ),
         (
             [
@@ -3242,8 +3249,10 @@ async def test_restore_backup_file_error(
                     },
                 }
             ],
+            ["backup.local", "test.remote"],
             "hunter2",
             {"backup.local": False, "test.remote": True},
+            None,  # Local agent is not protected
         ),
         (
             [
@@ -3255,8 +3264,10 @@ async def test_restore_backup_file_error(
                     },
                 }
             ],
+            ["backup.local", "test.remote"],
             "hunter2",
             {"backup.local": True, "test.remote": False},
+            password_to_key("hunter2"),  # Local agent is protected
         ),
         (
             [
@@ -3268,8 +3279,10 @@ async def test_restore_backup_file_error(
                     },
                 }
             ],
+            ["backup.local", "test.remote"],
             "hunter2",
             {"backup.local": True, "test.remote": True},
+            password_to_key("hunter2"),
         ),
         (
             [
@@ -3281,8 +3294,40 @@ async def test_restore_backup_file_error(
                     },
                 }
             ],
+            ["backup.local", "test.remote"],
             None,
             {"backup.local": False, "test.remote": False},
+            None,  # No password supplied
+        ),
+        (
+            [
+                {
+                    "type": "backup/config/update",
+                    "agents": {
+                        "backup.local": {"protected": False},
+                        "test.remote": {"protected": True},
+                    },
+                }
+            ],
+            ["test.remote"],
+            "hunter2",
+            {"test.remote": True},
+            password_to_key("hunter2"),
+        ),
+        (
+            [
+                {
+                    "type": "backup/config/update",
+                    "agents": {
+                        "backup.local": {"protected": False},
+                        "test.remote": {"protected": False},
+                    },
+                }
+            ],
+            ["test.remote"],
+            "hunter2",
+            {"test.remote": False},
+            password_to_key("hunter2"),  # Temporary backup protected when password set
         ),
     ],
 )
@@ -3291,13 +3336,15 @@ async def test_initiate_backup_per_agent_encryption(
     hass: HomeAssistant,
     hass_ws_client: WebSocketGenerator,
     generate_backup_id: MagicMock,
+    mocked_tarfile: Mock,
     path_glob: MagicMock,
     commands: dict[str, Any],
+    agent_ids: list[str],
     password: str | None,
     protected_backup: dict[str, bool],
+    inner_tar_key: bytes | None,
 ) -> None:
     """Test generate backup where encryption is selectively set on agents."""
-    agent_ids = ["backup.local", "test.remote"]
     local_agent = local_backup_platform.CoreLocalBackupAgent(hass)
     remote_agent = BackupAgentTest("remote", backups=[])
 
@@ -3373,6 +3420,10 @@ async def test_initiate_backup_per_agent_encryption(
 
         await hass.async_block_till_done()
 
+    mocked_tarfile.return_value.create_inner_tar.assert_called_once_with(
+        ANY, gzip=True, key=inner_tar_key
+    )
+
     result = await ws_client.receive_json()
     assert result["event"] == {
         "manager_state": BackupManagerState.CREATE_BACKUP,