""" homeassistant.components.http ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This module provides an API and a HTTP interface for debug purposes. For more details about the RESTful API, please refer to the documentation at https://home-assistant.io/developers/api/ """ import json import threading import logging import time import gzip import os from datetime import timedelta from http.server import SimpleHTTPRequestHandler, HTTPServer from http import cookies from socketserver import ThreadingMixIn from urllib.parse import urlparse, parse_qs import homeassistant.core as ha from homeassistant.const import ( SERVER_PORT, CONTENT_TYPE_JSON, HTTP_HEADER_HA_AUTH, HTTP_HEADER_CONTENT_TYPE, HTTP_HEADER_ACCEPT_ENCODING, HTTP_HEADER_CONTENT_ENCODING, HTTP_HEADER_VARY, HTTP_HEADER_CONTENT_LENGTH, HTTP_HEADER_CACHE_CONTROL, HTTP_HEADER_EXPIRES, HTTP_OK, HTTP_UNAUTHORIZED, HTTP_NOT_FOUND, HTTP_METHOD_NOT_ALLOWED, HTTP_UNPROCESSABLE_ENTITY) import homeassistant.remote as rem import homeassistant.util as util import homeassistant.util.dt as date_util import homeassistant.bootstrap as bootstrap DOMAIN = "http" CONF_API_PASSWORD = "api_password" CONF_SERVER_HOST = "server_host" CONF_SERVER_PORT = "server_port" CONF_DEVELOPMENT = "development" CONF_SESSIONS_ENABLED = "sessions_enabled" DATA_API_PASSWORD = 'api_password' # Throttling time in seconds for expired sessions check SESSION_CLEAR_INTERVAL = timedelta(seconds=20) SESSION_TIMEOUT_SECONDS = 1800 SESSION_KEY = 'sessionId' _LOGGER = logging.getLogger(__name__) def setup(hass, config): """ Sets up the HTTP API and debug interface. """ conf = config.get(DOMAIN, {}) api_password = util.convert(conf.get(CONF_API_PASSWORD), str) # If no server host is given, accept all incoming requests server_host = conf.get(CONF_SERVER_HOST, '0.0.0.0') server_port = conf.get(CONF_SERVER_PORT, SERVER_PORT) development = str(conf.get(CONF_DEVELOPMENT, "")) == "1" try: server = HomeAssistantHTTPServer( (server_host, server_port), RequestHandler, hass, api_password, development) except OSError: # If address already in use _LOGGER.exception("Error setting up HTTP server") return False hass.bus.listen_once( ha.EVENT_HOMEASSISTANT_START, lambda event: threading.Thread(target=server.start, daemon=True).start()) hass.http = server hass.config.api = rem.API(util.get_local_ip(), api_password, server_port) return True # pylint: disable=too-many-instance-attributes class HomeAssistantHTTPServer(ThreadingMixIn, HTTPServer): """ Handle HTTP requests in a threaded fashion. """ # pylint: disable=too-few-public-methods allow_reuse_address = True daemon_threads = True # pylint: disable=too-many-arguments def __init__(self, server_address, request_handler_class, hass, api_password, development): super().__init__(server_address, request_handler_class) self.server_address = server_address self.hass = hass self.api_password = api_password self.development = development self.paths = [] self.sessions = SessionStore() # We will lazy init this one if needed self.event_forwarder = None if development: _LOGGER.info("running http in development mode") def start(self): """ Starts the HTTP server. """ def stop_http(event): """ Stops the HTTP server. """ self.shutdown() self.hass.bus.listen_once(ha.EVENT_HOMEASSISTANT_STOP, stop_http) _LOGGER.info( "Starting web interface at http://%s:%d", *self.server_address) # 31-1-2015: Refactored frontend/api components out of this component # To prevent stuff from breaking, load the two extracted components bootstrap.setup_component(self.hass, 'api') bootstrap.setup_component(self.hass, 'frontend') self.serve_forever() def register_path(self, method, url, callback, require_auth=True): """ Registers a path with the server. """ self.paths.append((method, url, callback, require_auth)) def log_message(self, fmt, *args): """ Redirect built-in log to HA logging """ # pylint: disable=no-self-use _LOGGER.info(fmt, *args) # pylint: disable=too-many-public-methods,too-many-locals class RequestHandler(SimpleHTTPRequestHandler): """ Handles incoming HTTP requests We extend from SimpleHTTPRequestHandler instead of Base so we can use the guess content type methods. """ server_version = "HomeAssistant/1.0" def __init__(self, req, client_addr, server): """ Contructor, call the base constructor and set up session """ # Track if this was an authenticated request self.authenticated = False SimpleHTTPRequestHandler.__init__(self, req, client_addr, server) def log_message(self, fmt, *arguments): """ Redirect built-in log to HA logging """ if self.server.api_password is None: _LOGGER.info(fmt, *arguments) else: _LOGGER.info( fmt, *(arg.replace(self.server.api_password, '*******') if isinstance(arg, str) else arg for arg in arguments)) def _handle_request(self, method): # pylint: disable=too-many-branches """ Does some common checks and calls appropriate method. """ url = urlparse(self.path) # Read query input data = parse_qs(url.query) # parse_qs gives a list for each value, take the latest element for key in data: data[key] = data[key][-1] # Did we get post input ? content_length = int(self.headers.get(HTTP_HEADER_CONTENT_LENGTH, 0)) if content_length: body_content = self.rfile.read(content_length).decode("UTF-8") try: data.update(json.loads(body_content)) except (TypeError, ValueError): # TypeError if JSON object is not a dict # ValueError if we could not parse JSON _LOGGER.exception( "Exception parsing JSON: %s", body_content) self.write_json_message( "Error parsing JSON", HTTP_UNPROCESSABLE_ENTITY) return if self.server.api_password is None: self.authenticated = True elif HTTP_HEADER_HA_AUTH in self.headers: api_password = self.headers.get(HTTP_HEADER_HA_AUTH) if not api_password and DATA_API_PASSWORD in data: api_password = data[DATA_API_PASSWORD] self.authenticated = api_password == self.server.api_password else: self.authenticated = self.verify_session() if '_METHOD' in data: method = data.pop('_METHOD') # Var to keep track if we found a path that matched a handler but # the method was different path_matched_but_not_method = False # Var to hold the handler for this path and method if found handle_request_method = False require_auth = True # Check every handler to find matching result for t_method, t_path, t_handler, t_auth in self.server.paths: # we either do string-comparison or regular expression matching # pylint: disable=maybe-no-member if isinstance(t_path, str): path_match = url.path == t_path else: path_match = t_path.match(url.path) if path_match and method == t_method: # Call the method handle_request_method = t_handler require_auth = t_auth break elif path_match: path_matched_but_not_method = True # Did we find a handler for the incoming request? if handle_request_method: # For some calls we need a valid password if require_auth and not self.authenticated: self.write_json_message( "API password missing or incorrect.", HTTP_UNAUTHORIZED) return handle_request_method(self, path_match, data) elif path_matched_but_not_method: self.send_response(HTTP_METHOD_NOT_ALLOWED) self.end_headers() else: self.send_response(HTTP_NOT_FOUND) self.end_headers() def do_HEAD(self): # pylint: disable=invalid-name """ HEAD request handler. """ self._handle_request('HEAD') def do_GET(self): # pylint: disable=invalid-name """ GET request handler. """ self._handle_request('GET') def do_POST(self): # pylint: disable=invalid-name """ POST request handler. """ self._handle_request('POST') def do_PUT(self): # pylint: disable=invalid-name """ PUT request handler. """ self._handle_request('PUT') def do_DELETE(self): # pylint: disable=invalid-name """ DELETE request handler. """ self._handle_request('DELETE') def write_json_message(self, message, status_code=HTTP_OK): """ Helper method to return a message to the caller. """ self.write_json({'message': message}, status_code=status_code) def write_json(self, data=None, status_code=HTTP_OK, location=None): """ Helper method to return JSON to the caller. """ self.send_response(status_code) self.send_header(HTTP_HEADER_CONTENT_TYPE, CONTENT_TYPE_JSON) if location: self.send_header('Location', location) self.set_session_cookie_header() self.end_headers() if data is not None: self.wfile.write( json.dumps(data, indent=4, sort_keys=True, cls=rem.JSONEncoder).encode("UTF-8")) def write_file(self, path, cache_headers=True): """ Returns a file to the user. """ try: with open(path, 'rb') as inp: self.write_file_pointer(self.guess_type(path), inp, cache_headers) except IOError: self.send_response(HTTP_NOT_FOUND) self.end_headers() _LOGGER.exception("Unable to serve %s", path) def write_file_pointer(self, content_type, inp, cache_headers=True): """ Helper function to write a file pointer to the user. Does not do error handling. """ do_gzip = 'gzip' in self.headers.get(HTTP_HEADER_ACCEPT_ENCODING, '') self.send_response(HTTP_OK) self.send_header(HTTP_HEADER_CONTENT_TYPE, content_type) if cache_headers: self.set_cache_header() self.set_session_cookie_header() if do_gzip: gzip_data = gzip.compress(inp.read()) self.send_header(HTTP_HEADER_CONTENT_ENCODING, "gzip") self.send_header(HTTP_HEADER_VARY, HTTP_HEADER_ACCEPT_ENCODING) self.send_header(HTTP_HEADER_CONTENT_LENGTH, str(len(gzip_data))) else: fst = os.fstat(inp.fileno()) self.send_header(HTTP_HEADER_CONTENT_LENGTH, str(fst[6])) self.end_headers() if self.command == 'HEAD': return elif do_gzip: self.wfile.write(gzip_data) else: self.copyfile(inp, self.wfile) def set_cache_header(self): """ Add cache headers if not in development """ if self.server.development: return # 1 year in seconds cache_time = 365 * 86400 self.send_header( HTTP_HEADER_CACHE_CONTROL, "public, max-age={}".format(cache_time)) self.send_header( HTTP_HEADER_EXPIRES, self.date_time_string(time.time()+cache_time)) def set_session_cookie_header(self): """ Add the header for the session cookie and return session id. """ if not self.authenticated: return session_id = self.get_cookie_session_id() if session_id is not None: self.server.sessions.extend_validation(session_id) return self.send_header( 'Set-Cookie', '{}={}'.format(SESSION_KEY, self.server.sessions.create()) ) return session_id def verify_session(self): """ Verify that we are in a valid session. """ return self.get_cookie_session_id() is not None def get_cookie_session_id(self): """ Extracts the current session id from the cookie or returns None if not set or invalid """ if 'Cookie' not in self.headers: return None cookie = cookies.SimpleCookie() try: cookie.load(self.headers["Cookie"]) except cookies.CookieError: return None morsel = cookie.get(SESSION_KEY) if morsel is None: return None session_id = cookie[SESSION_KEY].value if self.server.sessions.is_valid(session_id): return session_id return None def destroy_session(self): """ Destroys session. """ session_id = self.get_cookie_session_id() if session_id is None: return self.send_header('Set-Cookie', '') self.server.sessions.destroy(session_id) def session_valid_time(): """ Time till when a session will be valid. """ return date_util.utcnow() + timedelta(seconds=SESSION_TIMEOUT_SECONDS) class SessionStore(object): """ Responsible for storing and retrieving http sessions """ def __init__(self, enabled=True): """ Set up the session store """ self._sessions = {} self.lock = threading.RLock() @util.Throttle(SESSION_CLEAR_INTERVAL) def _remove_expired(self): """ Remove any expired sessions. """ now = date_util.utcnow() for key in [key for key, valid_time in self._sessions.items() if valid_time < now]: self._sessions.pop(key) def is_valid(self, key): """ Return True if a valid session is given. """ with self.lock: self._remove_expired() return (key in self._sessions and self._sessions[key] > date_util.utcnow()) def extend_validation(self, key): """ Extend a session validation time. """ with self.lock: self._sessions[key] = session_valid_time() def destroy(self, key): """ Destroy a session by key. """ with self.lock: self._sessions.pop(key, None) def create(self): """ Creates a new session. """ with self.lock: session_id = util.get_random_string(20) while session_id in self._sessions: session_id = util.get_random_string(20) self._sessions[session_id] = session_valid_time() return session_id