Improve security layer (#352)

* Improve security layer * Update logger * Fix access * Validate token * fix * fix some bugs * fix lint
2025-12-24 12:29:08 +00:00 · 2018-02-11 00:05:20 +01:00
parent 0c67cc13a1
commit 3bf446cbdb
3 changed files with 61 additions and 15 deletions
--- a/hassio/api/security.py
+++ b/hassio/api/security.py
@@ -1,12 +1,19 @@
 """Handle security part of this API."""
 import logging
+import re

 from aiohttp.web import middleware
+from aiohttp.web_exceptions import HTTPUnauthorized

 from ..const import HEADER_TOKEN, REQUEST_FROM

 _LOGGER = logging.getLogger(__name__)

+NO_SECURITY_CHECK = set((
+    re.compile(r"^/homeassistant/api/.*$"),
+    re.compile(r"^/homeassistant/websocket$")
+))
+

@middleware
 async def security_layer(request, handler):
@@ -14,21 +21,29 @@ async def security_layer(request, handler):
    coresys = request.app['coresys']
    hassio_token = request.headers.get(HEADER_TOKEN)

+    # Ignore security check
+    for rule in NO_SECURITY_CHECK:
+        if rule.match(request.path):
+            _LOGGER.debug("Passthrough %s", request.path)
+            return await handler(request)
+
    # Need to be removed later
    if not hassio_token:
-        _LOGGER.warning("No valid hassio token for API access!")
+        _LOGGER.warning("No valid Hass.io token for API access!")
        request[REQUEST_FROM] = 'UNKNOWN'
+        return await handler(request)

-    # From Home-Assistant
-    elif hassio_token == coresys.homeassistant.uuid:
+    # Home-Assistant
+    if hassio_token == coresys.homeassistant.uuid:
+        _LOGGER.debug("%s access from Home-Assistant", request.path)
        request[REQUEST_FROM] = 'homeassistant'
+        return await handler(request)

-    # From Add-on
-    else:
-        for addon in coresys.addons.list_addons:
-            if hassio_token != addon.uuid:
-                continue
-            request[REQUEST_FROM] = addon.slug
-            break
+    # Add-on
+    addon = coresys.addons.from_uuid(hassio_token)
+    if addon:
+        _LOGGER.info("%s access from %s", request.path, addon.slug)
+        request[REQUEST_FROM] = addon.slug
+        return await handler(request)

-    return await handler(request)
+    raise HTTPUnauthorized()