hass-core/homeassistant/components/http/auth.py

"""Authentication for HTTP component."""
import asyncio
import base64
import hmac
import logging

from aiohttp import hdrs
from aiohttp.web import middleware

from homeassistant.const import HTTP_HEADER_HA_AUTH
from .util import get_real_ip
from .const import KEY_TRUSTED_NETWORKS, KEY_AUTHENTICATED

DATA_API_PASSWORD = 'api_password'

_LOGGER = logging.getLogger(__name__)


@middleware
@asyncio.coroutine
def auth_middleware(request, handler):
    """Authenticate as middleware."""
    # If no password set, just always set authenticated=True
    if request.app['hass'].http.api_password is None:
        request[KEY_AUTHENTICATED] = True
        return handler(request)

    # Check authentication
    authenticated = False

    if (HTTP_HEADER_HA_AUTH in request.headers and
            validate_password(
                request, request.headers[HTTP_HEADER_HA_AUTH])):
        # A valid auth header has been set
        authenticated = True

    elif (DATA_API_PASSWORD in request.query and
          validate_password(request, request.query[DATA_API_PASSWORD])):
        authenticated = True

    elif (hdrs.AUTHORIZATION in request.headers and
          validate_authorization_header(request)):
        authenticated = True

    elif is_trusted_ip(request):
        authenticated = True

    request[KEY_AUTHENTICATED] = authenticated
    return handler(request)


def is_trusted_ip(request):
    """Test if request is from a trusted ip."""
    ip_addr = get_real_ip(request)

    return ip_addr and any(
        ip_addr in trusted_network for trusted_network
        in request.app[KEY_TRUSTED_NETWORKS])


def validate_password(request, api_password):
    """Test if password is valid."""
    return hmac.compare_digest(
        api_password, request.app['hass'].http.api_password)


def validate_authorization_header(request):
    """Test an authorization header if valid password."""
    if hdrs.AUTHORIZATION not in request.headers:
        return False

    auth_type, auth = request.headers.get(hdrs.AUTHORIZATION).split(' ', 1)

    if auth_type != 'Basic':
        return False

    decoded = base64.b64decode(auth).decode('utf-8')
    username, password = decoded.split(':', 1)

    if username != 'homeassistant':
        return False

    return validate_password(request, password)
Reorganize HTTP component (#4575) * Move HTTP to own folder * Break HTTP into middlewares * Lint * Split tests per middleware * Clean up HTTP tests * Make HomeAssistantViews more stateless * Lint * Make HTTP setup async 2016-11-25 13:04:06 -08:00			`"""Authentication for HTTP component."""`
			`import asyncio`
Add OwnTracks over HTTP (#9582) * Add OwnTracks over HTTP * Fix tests 2017-09-28 00:49:35 -07:00			`import base64`
Reorganize HTTP component (#4575) * Move HTTP to own folder * Break HTTP into middlewares * Lint * Split tests per middleware * Clean up HTTP tests * Make HomeAssistantViews more stateless * Lint * Make HTTP setup async 2016-11-25 13:04:06 -08:00			`import hmac`
			`import logging`

Add OwnTracks over HTTP (#9582) * Add OwnTracks over HTTP * Fix tests 2017-09-28 00:49:35 -07:00			`from aiohttp import hdrs`
Update aiohttp to 2.3.1 (#10139) * Update aiohttp to 2.3.1 * set timeout 10sec * fix freeze with new middleware handling * Convert middleware auth * Convert mittleware ipban * convert middleware static * fix lint * Update ban.py * Update auth.py * fix lint * Fix tests 2017-11-06 03:42:31 +01:00			`from aiohttp.web import middleware`
Add OwnTracks over HTTP (#9582) * Add OwnTracks over HTTP * Fix tests 2017-09-28 00:49:35 -07:00
Reorganize HTTP component (#4575) * Move HTTP to own folder * Break HTTP into middlewares * Lint * Split tests per middleware * Clean up HTTP tests * Make HomeAssistantViews more stateless * Lint * Make HTTP setup async 2016-11-25 13:04:06 -08:00			`from homeassistant.const import HTTP_HEADER_HA_AUTH`
			`from .util import get_real_ip`
			`from .const import KEY_TRUSTED_NETWORKS, KEY_AUTHENTICATED`

			`DATA_API_PASSWORD = 'api_password'`

			`_LOGGER = logging.getLogger(__name__)`


Update aiohttp to 2.3.1 (#10139) * Update aiohttp to 2.3.1 * set timeout 10sec * fix freeze with new middleware handling * Convert middleware auth * Convert mittleware ipban * convert middleware static * fix lint * Update ban.py * Update auth.py * fix lint * Fix tests 2017-11-06 03:42:31 +01:00			`@middleware`
Reorganize HTTP component (#4575) * Move HTTP to own folder * Break HTTP into middlewares * Lint * Split tests per middleware * Clean up HTTP tests * Make HomeAssistantViews more stateless * Lint * Make HTTP setup async 2016-11-25 13:04:06 -08:00			`@asyncio.coroutine`
Update aiohttp to 2.3.1 (#10139) * Update aiohttp to 2.3.1 * set timeout 10sec * fix freeze with new middleware handling * Convert middleware auth * Convert mittleware ipban * convert middleware static * fix lint * Update ban.py * Update auth.py * fix lint * Fix tests 2017-11-06 03:42:31 +01:00			`def auth_middleware(request, handler):`
Update docstrings (#7361) * Update docstrings * Update docstrings * Update docstrings * Update docstrings * update docstrings * Update docstrings * Update docstrings * Update docstrings * Update docstrings * Update docstrings * Update tomato.py * Update isy994.py * Lint + fix tests * Lint 2017-04-30 07:04:49 +02:00			`"""Authenticate as middleware."""`
Reorganize HTTP component (#4575) * Move HTTP to own folder * Break HTTP into middlewares * Lint * Split tests per middleware * Clean up HTTP tests * Make HomeAssistantViews more stateless * Lint * Make HTTP setup async 2016-11-25 13:04:06 -08:00			`# If no password set, just always set authenticated=True`
Update aiohttp to 2.3.1 (#10139) * Update aiohttp to 2.3.1 * set timeout 10sec * fix freeze with new middleware handling * Convert middleware auth * Convert mittleware ipban * convert middleware static * fix lint * Update ban.py * Update auth.py * fix lint * Fix tests 2017-11-06 03:42:31 +01:00			`if request.app['hass'].http.api_password is None:`
			`request[KEY_AUTHENTICATED] = True`
			`return handler(request)`
Reorganize HTTP component (#4575) * Move HTTP to own folder * Break HTTP into middlewares * Lint * Split tests per middleware * Clean up HTTP tests * Make HomeAssistantViews more stateless * Lint * Make HTTP setup async 2016-11-25 13:04:06 -08:00
Update aiohttp to 2.3.1 (#10139) * Update aiohttp to 2.3.1 * set timeout 10sec * fix freeze with new middleware handling * Convert middleware auth * Convert mittleware ipban * convert middleware static * fix lint * Update ban.py * Update auth.py * fix lint * Fix tests 2017-11-06 03:42:31 +01:00			`# Check authentication`
			`authenticated = False`
Reorganize HTTP component (#4575) * Move HTTP to own folder * Break HTTP into middlewares * Lint * Split tests per middleware * Clean up HTTP tests * Make HomeAssistantViews more stateless * Lint * Make HTTP setup async 2016-11-25 13:04:06 -08:00
Update aiohttp to 2.3.1 (#10139) * Update aiohttp to 2.3.1 * set timeout 10sec * fix freeze with new middleware handling * Convert middleware auth * Convert mittleware ipban * convert middleware static * fix lint * Update ban.py * Update auth.py * fix lint * Fix tests 2017-11-06 03:42:31 +01:00			`if (HTTP_HEADER_HA_AUTH in request.headers and`
			`validate_password(`
			`request, request.headers[HTTP_HEADER_HA_AUTH])):`
			`# A valid auth header has been set`
			`authenticated = True`
Add OwnTracks over HTTP (#9582) * Add OwnTracks over HTTP * Fix tests 2017-09-28 00:49:35 -07:00
Update aiohttp to 2.3.1 (#10139) * Update aiohttp to 2.3.1 * set timeout 10sec * fix freeze with new middleware handling * Convert middleware auth * Convert mittleware ipban * convert middleware static * fix lint * Update ban.py * Update auth.py * fix lint * Fix tests 2017-11-06 03:42:31 +01:00			`elif (DATA_API_PASSWORD in request.query and`
			`validate_password(request, request.query[DATA_API_PASSWORD])):`
			`authenticated = True`
Reorganize HTTP component (#4575) * Move HTTP to own folder * Break HTTP into middlewares * Lint * Split tests per middleware * Clean up HTTP tests * Make HomeAssistantViews more stateless * Lint * Make HTTP setup async 2016-11-25 13:04:06 -08:00
Update aiohttp to 2.3.1 (#10139) * Update aiohttp to 2.3.1 * set timeout 10sec * fix freeze with new middleware handling * Convert middleware auth * Convert mittleware ipban * convert middleware static * fix lint * Update ban.py * Update auth.py * fix lint * Fix tests 2017-11-06 03:42:31 +01:00			`elif (hdrs.AUTHORIZATION in request.headers and`
			`validate_authorization_header(request)):`
			`authenticated = True`
Reorganize HTTP component (#4575) * Move HTTP to own folder * Break HTTP into middlewares * Lint * Split tests per middleware * Clean up HTTP tests * Make HomeAssistantViews more stateless * Lint * Make HTTP setup async 2016-11-25 13:04:06 -08:00
Update aiohttp to 2.3.1 (#10139) * Update aiohttp to 2.3.1 * set timeout 10sec * fix freeze with new middleware handling * Convert middleware auth * Convert mittleware ipban * convert middleware static * fix lint * Update ban.py * Update auth.py * fix lint * Fix tests 2017-11-06 03:42:31 +01:00			`elif is_trusted_ip(request):`
			`authenticated = True`
Reorganize HTTP component (#4575) * Move HTTP to own folder * Break HTTP into middlewares * Lint * Split tests per middleware * Clean up HTTP tests * Make HomeAssistantViews more stateless * Lint * Make HTTP setup async 2016-11-25 13:04:06 -08:00
Update aiohttp to 2.3.1 (#10139) * Update aiohttp to 2.3.1 * set timeout 10sec * fix freeze with new middleware handling * Convert middleware auth * Convert mittleware ipban * convert middleware static * fix lint * Update ban.py * Update auth.py * fix lint * Fix tests 2017-11-06 03:42:31 +01:00			`request[KEY_AUTHENTICATED] = authenticated`
			`return handler(request)`
Reorganize HTTP component (#4575) * Move HTTP to own folder * Break HTTP into middlewares * Lint * Split tests per middleware * Clean up HTTP tests * Make HomeAssistantViews more stateless * Lint * Make HTTP setup async 2016-11-25 13:04:06 -08:00

			`def is_trusted_ip(request):`
			`"""Test if request is from a trusted ip."""`
			`ip_addr = get_real_ip(request)`

			`return ip_addr and any(`
			`ip_addr in trusted_network for trusted_network`
			`in request.app[KEY_TRUSTED_NETWORKS])`
Add websocket API (#4582) * Add websocket API * Add identifiers to interactions * Allow unsubscribing event listeners * Add support for fetching data * Clean up handling code websockets api * Lint * Add Home Assistant version to auth messages * Py.test be less verbose in tox 2016-11-26 18:23:28 -08:00

			`def validate_password(request, api_password):`
			`"""Test if password is valid."""`
Update docstrings (#7361) * Update docstrings * Update docstrings * Update docstrings * Update docstrings * update docstrings * Update docstrings * Update docstrings * Update docstrings * Update docstrings * Update docstrings * Update tomato.py * Update isy994.py * Lint + fix tests * Lint 2017-04-30 07:04:49 +02:00			`return hmac.compare_digest(`
			`api_password, request.app['hass'].http.api_password)`
Add OwnTracks over HTTP (#9582) * Add OwnTracks over HTTP * Fix tests 2017-09-28 00:49:35 -07:00

			`def validate_authorization_header(request):`
			`"""Test an authorization header if valid password."""`
			`if hdrs.AUTHORIZATION not in request.headers:`
			`return False`

			`auth_type, auth = request.headers.get(hdrs.AUTHORIZATION).split(' ', 1)`

			`if auth_type != 'Basic':`
			`return False`

			`decoded = base64.b64decode(auth).decode('utf-8')`
			`username, password = decoded.split(':', 1)`

			`if username != 'homeassistant':`
			`return False`

			`return validate_password(request, password)`