Allow creating signed urls (#17759)

* Allow creating signed urls * Fix parameter * Lint
2018-10-25 16:44:57 +02:00 · 2018-10-25 16:44:57 +02:00 · 312d49caec
commit 312d49caec
parent b5284aa445
5 changed files with 174 additions and 4 deletions
--- a/tests/components/http/test_auth.py
+++ b/tests/components/http/test_auth.py
@ -1,5 +1,5 @@
 """The tests for the Home Assistant HTTP component."""
-# pylint: disable=protected-access
+from datetime import timedelta
 from ipaddress import ip_network
 from unittest.mock import patch

@ -7,7 +7,7 @@ import pytest
 from aiohttp import BasicAuth, web
 from aiohttp.web_exceptions import HTTPUnauthorized

-from homeassistant.components.http.auth import setup_auth
+from homeassistant.components.http.auth import setup_auth, async_sign_path
 from homeassistant.components.http.const import KEY_AUTHENTICATED
 from homeassistant.components.http.real_ip import setup_real_ip
 from homeassistant.const import HTTP_HEADER_HA_AUTH
@ -33,7 +33,16 @@ async def mock_handler(request):
    """Return if request was authenticated."""
    if not request[KEY_AUTHENTICATED]:
        raise HTTPUnauthorized
-    return web.Response(status=200)
+
+    token = request.get('hass_refresh_token')
+    token_id = token.id if token else None
+    user = request.get('hass_user')
+    user_id = user.id if user else None
+
+    return web.json_response(status=200, data={
+        'refresh_token_id': token_id,
+        'user_id': user_id,
+    })


@pytest.fixture
@ -248,3 +257,47 @@ async def test_auth_legacy_support_api_password_access(app, aiohttp_client):
        '/',
        auth=BasicAuth('homeassistant', API_PASSWORD))
    assert req.status == 200
+
+
+async def test_auth_access_signed_path(
+        hass, app, aiohttp_client, hass_access_token):
+    """Test access with signed url."""
+    app.router.add_post('/', mock_handler)
+    app.router.add_get('/another_path', mock_handler)
+    setup_auth(app, [], True, api_password=None)
+    client = await aiohttp_client(app)
+
+    refresh_token = await hass.auth.async_validate_access_token(
+        hass_access_token)
+
+    signed_path = async_sign_path(
+        hass, refresh_token.id, '/', timedelta(seconds=5)
+    )
+
+    req = await client.get(signed_path)
+    assert req.status == 200
+    data = await req.json()
+    assert data['refresh_token_id'] == refresh_token.id
+    assert data['user_id'] == refresh_token.user.id
+
+    # Use signature on other path
+    req = await client.get(
+        '/another_path?{}'.format(signed_path.split('?')[1]))
+    assert req.status == 401
+
+    # We only allow GET
+    req = await client.post(signed_path)
+    assert req.status == 401
+
+    # Never valid as expired in the past.
+    expired_signed_path = async_sign_path(
+        hass, refresh_token.id, '/', timedelta(seconds=-5)
+    )
+
+    req = await client.get(expired_signed_path)
+    assert req.status == 401
+
+    # refresh token gone should also invalidate signature
+    await hass.auth.async_remove_refresh_token(refresh_token)
+    req = await client.get(signed_path)
+    assert req.status == 401