Cleanup security layer - Add-on default access role (#2954)
* Allow access to network info (add-on) * fix check * make it nice * cleanup * cleanup * fix tests * Add warning * allow access to addons/store/snapshot infos * revert
This commit is contained in:
parent
6b58970354
commit
cd8fc16bcb
|
@ -19,7 +19,7 @@ from .host import APIHost
|
|||
from .info import APIInfo
|
||||
from .ingress import APIIngress
|
||||
from .jobs import APIJobs
|
||||
from .middleware_security import SecurityMiddleware
|
||||
from .middleware.security import SecurityMiddleware
|
||||
from .multicast import APIMulticast
|
||||
from .network import APINetwork
|
||||
from .observer import APIObserver
|
||||
|
@ -223,7 +223,6 @@ class RestAPI(CoreSysAttributes):
|
|||
[
|
||||
web.get("/hardware/info", api_hardware.info),
|
||||
web.get("/hardware/audio", api_hardware.audio),
|
||||
web.post("/hardware/trigger", api_hardware.trigger),
|
||||
]
|
||||
)
|
||||
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
"""Init file for Supervisor hardware RESTful API."""
|
||||
import logging
|
||||
from typing import Any, Awaitable, Dict
|
||||
from typing import Any, Dict
|
||||
|
||||
from aiohttp import web
|
||||
|
||||
|
@ -58,8 +58,3 @@ class APIHardware(CoreSysAttributes):
|
|||
},
|
||||
}
|
||||
}
|
||||
|
||||
@api_process
|
||||
async def trigger(self, request: web.Request) -> Awaitable[None]:
|
||||
"""Trigger a udev device reload."""
|
||||
_LOGGER.debug("Ignoring DEPRECATED hardware trigger function call.")
|
||||
|
|
|
@ -0,0 +1 @@
|
|||
"""API middleware for aiohttp."""
|
|
@ -5,7 +5,7 @@ import re
|
|||
from aiohttp.web import Request, RequestHandler, Response, middleware
|
||||
from aiohttp.web_exceptions import HTTPForbidden, HTTPUnauthorized
|
||||
|
||||
from ..const import (
|
||||
from ...const import (
|
||||
REQUEST_FROM,
|
||||
ROLE_ADMIN,
|
||||
ROLE_BACKUP,
|
||||
|
@ -14,8 +14,8 @@ from ..const import (
|
|||
ROLE_MANAGER,
|
||||
CoreState,
|
||||
)
|
||||
from ..coresys import CoreSys, CoreSysAttributes
|
||||
from .utils import api_return_error, excract_supervisor_token
|
||||
from ...coresys import CoreSys, CoreSysAttributes
|
||||
from ..utils import api_return_error, excract_supervisor_token
|
||||
|
||||
_LOGGER: logging.Logger = logging.getLogger(__name__)
|
||||
|
||||
|
@ -53,7 +53,6 @@ ADDONS_API_BYPASS = re.compile(
|
|||
r"|/addons/self/(?!security|update)[^/]+"
|
||||
r"|/addons/self/options/config"
|
||||
r"|/info"
|
||||
r"|/hardware/trigger"
|
||||
r"|/services.*"
|
||||
r"|/discovery.*"
|
||||
r"|/auth"
|
||||
|
@ -65,22 +64,24 @@ ADDONS_ROLE_ACCESS = {
|
|||
ROLE_DEFAULT: re.compile(
|
||||
r"^(?:"
|
||||
r"|/.+/info"
|
||||
r"|/addons"
|
||||
r")$"
|
||||
),
|
||||
ROLE_HOMEASSISTANT: re.compile(
|
||||
r"^(?:"
|
||||
r"|/.+/info"
|
||||
r"|/core/.+"
|
||||
r"|/homeassistant/.+"
|
||||
r")$"
|
||||
),
|
||||
ROLE_BACKUP: re.compile(
|
||||
r"^(?:"
|
||||
r"|/.+/info"
|
||||
r"|/snapshots.*"
|
||||
r")$"
|
||||
),
|
||||
ROLE_MANAGER: re.compile(
|
||||
r"^(?:"
|
||||
r"|/.+/info"
|
||||
r"|/addons(?:/[^/]+/(?!security).+|/reload)?"
|
||||
r"|/audio/.+"
|
||||
r"|/auth/cache"
|
||||
|
@ -101,6 +102,7 @@ ADDONS_ROLE_ACCESS = {
|
|||
r"|/snapshots.*"
|
||||
r"|/store.*"
|
||||
r"|/supervisor/.+"
|
||||
r"|/security/.+"
|
||||
r")$"
|
||||
),
|
||||
ROLE_ADMIN: re.compile(
|
||||
|
@ -191,6 +193,10 @@ class SecurityMiddleware(CoreSysAttributes):
|
|||
request_from = addon
|
||||
else:
|
||||
_LOGGER.warning("%s no role for %s", request.path, addon.slug)
|
||||
elif addon:
|
||||
_LOGGER.warning(
|
||||
"%s missing API permission for %s", addon.slug, request.path
|
||||
)
|
||||
|
||||
if request_from:
|
||||
request[REQUEST_FROM] = request_from
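Review bot: The `r"|/.+/info"` alternative added to ROLE_DEFAULT (and likewise to ROLE_HOMEASSISTANT and ROLE_BACKUP) in the ADDONS_ROLE_ACCESS hunk is wider than the network/add-on/store/snapshot info access the description names: `.+` also matches `/`, so a default-role add-on can now read every `*/info` endpoint the API exposes, including `/hardware/info` (registered in the api/__init__.py hunk above) and presumably `/addons/<slug>/info` for other add-ons and `/supervisor/info`. If that breadth is intended it deserves a comment on the pattern saying so; if not, an explicit allow-list such as `r"|/(?:addons/[^/]+|network|snapshots/[^/]+|store)/info"` keeps the default role at what the commit message promises (exact endpoint names to be confirmed against the router). The ADDONS_ROLE_ACCESS dict starts and ends outside the hunk, as does the request-handling method in the last hunk.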
|
|
@ -0,0 +1 @@
|
|||
"""Test for API middleware."""
|