"""The tests for the Home Assistant HTTP component.""" # pylint: disable=protected-access import asyncio from ipaddress import ip_address, ip_network from unittest.mock import patch import aiohttp import pytest from homeassistant import const from homeassistant.setup import async_setup_component import homeassistant.components.http as http from homeassistant.components.http.const import ( KEY_TRUSTED_NETWORKS, KEY_USE_X_FORWARDED_FOR, HTTP_HEADER_X_FORWARDED_FOR) API_PASSWORD = 'test1234' # Don't add 127.0.0.1/::1 as trusted, as it may interfere with other test cases TRUSTED_NETWORKS = ['192.0.2.0/24', '2001:DB8:ABCD::/48', '100.64.0.1', 'FD01:DB8::1'] TRUSTED_ADDRESSES = ['100.64.0.1', '192.0.2.100', 'FD01:DB8::1', '2001:DB8:ABCD::1'] UNTRUSTED_ADDRESSES = ['198.51.100.1', '2001:DB8:FA1::1', '127.0.0.1', '::1'] @pytest.fixture def mock_api_client(hass, test_client): """Start the Hass HTTP component.""" hass.loop.run_until_complete(async_setup_component(hass, 'api', { 'http': { http.CONF_API_PASSWORD: API_PASSWORD, } })) return hass.loop.run_until_complete(test_client(hass.http.app)) @pytest.fixture def mock_trusted_networks(hass, mock_api_client): """Mock trusted networks.""" hass.http.app[KEY_TRUSTED_NETWORKS] = [ ip_network(trusted_network) for trusted_network in TRUSTED_NETWORKS] @asyncio.coroutine def test_access_denied_without_password(mock_api_client): """Test access without password.""" resp = yield from mock_api_client.get(const.URL_API) assert resp.status == 401 @asyncio.coroutine def test_access_denied_with_wrong_password_in_header(mock_api_client): """Test access with wrong password.""" resp = yield from mock_api_client.get(const.URL_API, headers={ const.HTTP_HEADER_HA_AUTH: 'wrongpassword' }) assert resp.status == 401 @asyncio.coroutine def test_access_denied_with_x_forwarded_for(hass, mock_api_client, mock_trusted_networks): """Test access denied through the X-Forwarded-For http header.""" hass.http.use_x_forwarded_for = True for remote_addr in UNTRUSTED_ADDRESSES: resp = yield from mock_api_client.get(const.URL_API, headers={ HTTP_HEADER_X_FORWARDED_FOR: remote_addr}) assert resp.status == 401, \ "{} shouldn't be trusted".format(remote_addr) @asyncio.coroutine def test_access_denied_with_untrusted_ip(mock_api_client, mock_trusted_networks): """Test access with an untrusted ip address.""" for remote_addr in UNTRUSTED_ADDRESSES: with patch('homeassistant.components.http.' 'util.get_real_ip', return_value=ip_address(remote_addr)): resp = yield from mock_api_client.get( const.URL_API, params={'api_password': ''}) assert resp.status == 401, \ "{} shouldn't be trusted".format(remote_addr) @asyncio.coroutine def test_access_with_password_in_header(mock_api_client, caplog): """Test access with password in URL.""" # Hide logging from requests package that we use to test logging req = yield from mock_api_client.get( const.URL_API, headers={const.HTTP_HEADER_HA_AUTH: API_PASSWORD}) assert req.status == 200 logs = caplog.text assert const.URL_API in logs assert API_PASSWORD not in logs @asyncio.coroutine def test_access_denied_with_wrong_password_in_url(mock_api_client): """Test access with wrong password.""" resp = yield from mock_api_client.get( const.URL_API, params={'api_password': 'wrongpassword'}) assert resp.status == 401 @asyncio.coroutine def test_access_with_password_in_url(mock_api_client, caplog): """Test access with password in URL.""" req = yield from mock_api_client.get( const.URL_API, params={'api_password': API_PASSWORD}) assert req.status == 200 logs = caplog.text assert const.URL_API in logs assert API_PASSWORD not in logs @asyncio.coroutine def test_access_granted_with_x_forwarded_for(hass, mock_api_client, caplog, mock_trusted_networks): """Test access denied through the X-Forwarded-For http header.""" hass.http.app[KEY_USE_X_FORWARDED_FOR] = True for remote_addr in TRUSTED_ADDRESSES: resp = yield from mock_api_client.get(const.URL_API, headers={ HTTP_HEADER_X_FORWARDED_FOR: remote_addr}) assert resp.status == 200, \ "{} should be trusted".format(remote_addr) @asyncio.coroutine def test_access_granted_with_trusted_ip(mock_api_client, caplog, mock_trusted_networks): """Test access with trusted addresses.""" for remote_addr in TRUSTED_ADDRESSES: with patch('homeassistant.components.http.' 'auth.get_real_ip', return_value=ip_address(remote_addr)): resp = yield from mock_api_client.get( const.URL_API, params={'api_password': ''}) assert resp.status == 200, \ '{} should be trusted'.format(remote_addr) @asyncio.coroutine def test_basic_auth_works(mock_api_client, caplog): """Test access with basic authentication.""" req = yield from mock_api_client.get( const.URL_API, auth=aiohttp.BasicAuth('homeassistant', API_PASSWORD)) assert req.status == 200 assert const.URL_API in caplog.text @asyncio.coroutine def test_basic_auth_username_homeassistant(mock_api_client, caplog): """Test access with basic auth requires username homeassistant.""" req = yield from mock_api_client.get( const.URL_API, auth=aiohttp.BasicAuth('wrong_username', API_PASSWORD)) assert req.status == 401 @asyncio.coroutine def test_basic_auth_wrong_password(mock_api_client, caplog): """Test access with basic auth not allowed with wrong password.""" req = yield from mock_api_client.get( const.URL_API, auth=aiohttp.BasicAuth('homeassistant', 'wrong password')) assert req.status == 401 @asyncio.coroutine def test_authorization_header_must_be_basic_type(mock_api_client, caplog): """Test only basic authorization is allowed for auth header.""" req = yield from mock_api_client.get( const.URL_API, headers={ 'authorization': 'NotBasic abcdefg' }) assert req.status == 401