Cleanup security layer - Add-on default access role (#2954)

* Allow access to network info (add-on)

* fix check

* make it nice

* cleanup

* cleanup

* fix tests

* Add warning

* allow access to addons/store/snapshot infos

* revert

supervisor/api/__init__.py

@@ -19,7 +19,7 @@ from .host import APIHost
 from .info import APIInfo
 from .ingress import APIIngress
 from .jobs import APIJobs
-from .middleware_security import SecurityMiddleware
+from .middleware.security import SecurityMiddleware
 from .multicast import APIMulticast
 from .network import APINetwork
 from .observer import APIObserver
@@ -223,7 +223,6 @@ class RestAPI(CoreSysAttributes):
             [
                 web.get("/hardware/info", api_hardware.info),
                 web.get("/hardware/audio", api_hardware.audio),
-                web.post("/hardware/trigger", api_hardware.trigger),
             ]
         )
 

supervisor/api/hardware.py

@@ -1,6 +1,6 @@
 """Init file for Supervisor hardware RESTful API."""
 import logging
-from typing import Any, Awaitable, Dict
+from typing import Any, Dict
 
 from aiohttp import web
 
@@ -58,8 +58,3 @@ class APIHardware(CoreSysAttributes):
                 },
             }
         }
-
-    @api_process
-    async def trigger(self, request: web.Request) -> Awaitable[None]:
-        """Trigger a udev device reload."""
-        _LOGGER.debug("Ignoring DEPRECATED hardware trigger function call.")

supervisor/api/middleware/__init__.py

@@ -0,0 +1 @@
+"""API middleware for aiohttp."""

supervisor/api/middleware/security.py

@@ -5,7 +5,7 @@ import re
 from aiohttp.web import Request, RequestHandler, Response, middleware
 from aiohttp.web_exceptions import HTTPForbidden, HTTPUnauthorized
 
-from ..const import (
+from ...const import (
     REQUEST_FROM,
     ROLE_ADMIN,
     ROLE_BACKUP,
@@ -14,8 +14,8 @@ from ..const import (
     ROLE_MANAGER,
     CoreState,
 )
-from ..coresys import CoreSys, CoreSysAttributes
+from ...coresys import CoreSys, CoreSysAttributes
-from .utils import api_return_error, excract_supervisor_token
+from ..utils import api_return_error, excract_supervisor_token
 
 _LOGGER: logging.Logger = logging.getLogger(__name__)
 
@@ -53,7 +53,6 @@ ADDONS_API_BYPASS = re.compile(
     r"|/addons/self/(?!security|update)[^/]+"
     r"|/addons/self/options/config"
     r"|/info"
-    r"|/hardware/trigger"
     r"|/services.*"
     r"|/discovery.*"
     r"|/auth"
@@ -65,22 +64,24 @@ ADDONS_ROLE_ACCESS = {
     ROLE_DEFAULT: re.compile(
         r"^(?:"
         r"|/.+/info"
-        r"|/addons"
         r")$"
     ),
     ROLE_HOMEASSISTANT: re.compile(
         r"^(?:"
+        r"|/.+/info"
         r"|/core/.+"
         r"|/homeassistant/.+"
         r")$"
     ),
     ROLE_BACKUP: re.compile(
         r"^(?:"
+        r"|/.+/info"
         r"|/snapshots.*"
         r")$"
     ),
     ROLE_MANAGER: re.compile(
         r"^(?:"
+        r"|/.+/info"
         r"|/addons(?:/[^/]+/(?!security).+|/reload)?"
         r"|/audio/.+"
         r"|/auth/cache"
@@ -101,6 +102,7 @@ ADDONS_ROLE_ACCESS = {
         r"|/snapshots.*"
         r"|/store.*"
         r"|/supervisor/.+"
+        r"|/security/.+"
         r")$"
     ),
     ROLE_ADMIN: re.compile(
@@ -191,6 +193,10 @@ class SecurityMiddleware(CoreSysAttributes):
                 request_from = addon
             else:
                 _LOGGER.warning("%s no role for %s", request.path, addon.slug)
+        elif addon:
+            _LOGGER.warning(
+                "%s missing API permission for %s", addon.slug, request.path
+            )
 
         if request_from:
             request[REQUEST_FROM] = request_from

tests/api/middleware/__init__.py

@@ -0,0 +1 @@
+"""Test for API middleware."""