github
/
ha-supervisor
mirror of https://github.com/home-assistant/supervisor
1
Fork 0
Code Releases Activity

Cleanup security layer - Add-on default access role (#2954) 

* Allow access to network info (add-on)

* fix check

* make it nice

* cleanup

* cleanup

* fix tests

* Add warning

* allow access to addons/store/snapshot infos

* revert
This commit is contained in:
Pascal Vizeli 2021-06-14 10:05:37 +02:00 committed by GitHub
parent 6b58970354
commit cd8fc16bcb
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 15 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
supervisor/api/__init__.py
View File

@ -19,7 +19,7 @@ from .host import APIHost
from .info import APIInfo
from .ingress import APIIngress
from .jobs import APIJobs
from .middleware_security import SecurityMiddleware
from .middleware.security import SecurityMiddleware
from .multicast import APIMulticast
from .network import APINetwork
from .observer import APIObserver
@ -223,7 +223,6 @@ class RestAPI(CoreSysAttributes):
[
web.get("/hardware/info", api_hardware.info),
web.get("/hardware/audio", api_hardware.audio),
web.post("/hardware/trigger", api_hardware.trigger),
]
)

7
supervisor/api/hardware.py
View File

@ -1,6 +1,6 @@
"""Init file for Supervisor hardware RESTful API."""
import logging
from typing import Any, Awaitable, Dict
from typing import Any, Dict
from aiohttp import web
@ -58,8 +58,3 @@ class APIHardware(CoreSysAttributes):
},
}
}
@api_process
async def trigger(self, request: web.Request) -> Awaitable[None]:
"""Trigger a udev device reload."""
_LOGGER.debug("Ignoring DEPRECATED hardware trigger function call.")

1
supervisor/api/middleware/__init__.py Normal file
View File

@ -0,0 +1 @@
"""API middleware for aiohttp."""

16
supervisor/api/middleware_security.py → supervisor/api/middleware/security.py
View File

@ -5,7 +5,7 @@ import re
from aiohttp.web import Request, RequestHandler, Response, middleware
from aiohttp.web_exceptions import HTTPForbidden, HTTPUnauthorized
from ..const import (
from ...const import (
REQUEST_FROM,
ROLE_ADMIN,
ROLE_BACKUP,
@ -14,8 +14,8 @@ from ..const import (
ROLE_MANAGER,
CoreState,
)
from ..coresys import CoreSys, CoreSysAttributes
from .utils import api_return_error, excract_supervisor_token
from ...coresys import CoreSys, CoreSysAttributes
from ..utils import api_return_error, excract_supervisor_token
_LOGGER: logging.Logger = logging.getLogger(__name__)
@ -53,7 +53,6 @@ ADDONS_API_BYPASS = re.compile(
r"|/addons/self/(?!security|update)[^/]+"
r"|/addons/self/options/config"
r"|/info"
r"|/hardware/trigger"
r"|/services.*"
r"|/discovery.*"
r"|/auth"
@ -65,22 +64,24 @@ ADDONS_ROLE_ACCESS = {
ROLE_DEFAULT: re.compile(
r"^(?:"
r"|/.+/info"
r"|/addons"
r")$"
),
ROLE_HOMEASSISTANT: re.compile(
r"^(?:"
r"|/.+/info"
r"|/core/.+"
r"|/homeassistant/.+"
r")$"
),
ROLE_BACKUP: re.compile(
r"^(?:"
r"|/.+/info"
r"|/snapshots.*"
r")$"
),
ROLE_MANAGER: re.compile(
r"^(?:"
r"|/.+/info"
r"|/addons(?:/[^/]+/(?!security).+|/reload)?"
r"|/audio/.+"
r"|/auth/cache"
@ -101,6 +102,7 @@ ADDONS_ROLE_ACCESS = {
r"|/snapshots.*"
r"|/store.*"
r"|/supervisor/.+"
r"|/security/.+"
r")$"
),
ROLE_ADMIN: re.compile(
@ -191,6 +193,10 @@ class SecurityMiddleware(CoreSysAttributes):
request_from = addon
else:
_LOGGER.warning("%s no role for %s", request.path, addon.slug)
elif addon:
_LOGGER.warning(
"%s missing API permission for %s", addon.slug, request.path
)
if request_from:
request[REQUEST_FROM] = request_from

1
tests/api/middleware/__init__.py Normal file
View File

@ -0,0 +1 @@
"""Test for API middleware."""

0
tests/api/test_middleware_security.py → tests/api/middleware/test_security.py
View File