Support for group into command_line auth provider (#92906)

Co-authored-by: Franck Nijhof <git@frenck.dev>
Co-authored-by: Erik Montnemery <erik@montnemery.com>

homeassistant/auth/__init__.py

@@ -280,7 +280,8 @@ class AuthManager:
             credentials=credentials,
             name=info.name,
             is_active=info.is_active,
-            group_ids=[GROUP_ID_ADMIN],
+            group_ids=[GROUP_ID_ADMIN if info.group is None else info.group],
+            local_only=info.local_only,
         )
 
         self.hass.bus.async_fire(EVENT_USER_ADDED, {"user_id": user.id})

homeassistant/auth/models.py

@@ -134,3 +134,5 @@ class UserMeta(NamedTuple):
 
     name: str | None
     is_active: bool
+    group: str | None = None
+    local_only: bool | None = None

homeassistant/auth/providers/command_line.py

@@ -44,7 +44,11 @@ class CommandLineAuthProvider(AuthProvider):
     DEFAULT_TITLE = "Command Line Authentication"
 
     # which keys to accept from a program's stdout
-    ALLOWED_META_KEYS = ("name",)
+    ALLOWED_META_KEYS = (
+        "name",
+        "group",
+        "local_only",
+    )
 
     def __init__(self, *args: Any, **kwargs: Any) -> None:
         """Extend parent's __init__.
@@ -118,10 +122,15 @@ class CommandLineAuthProvider(AuthProvider):
     ) -> UserMeta:
         """Return extra user metadata for credentials.
 
-        Currently, only name is supported.
+        Currently, supports name, group and local_only.
         """
         meta = self._user_meta.get(credentials.data["username"], {})
-        return UserMeta(name=meta.get("name"), is_active=True)
+        return UserMeta(
+            name=meta.get("name"),
+            is_active=True,
+            group=meta.get("group"),
+            local_only=meta.get("local_only") == "true",
+        )
 
 
 class CommandLineLoginFlow(LoginFlow):

tests/auth/providers/test_command_line.py

@@ -50,6 +50,9 @@ async def test_create_new_credential(manager, provider) -> None:
 
     user = await manager.async_get_or_create_user(credentials)
     assert user.is_active
+    assert len(user.groups) == 1
+    assert user.groups[0].id == "system-admin"
+    assert not user.local_only
 
 
 async def test_match_existing_credentials(store, provider) -> None:
@@ -100,6 +103,9 @@ async def test_good_auth_with_meta(manager, provider) -> None:
     user = await manager.async_get_or_create_user(credentials)
     assert user.name == "Bob"
     assert user.is_active
+    assert len(user.groups) == 1
+    assert user.groups[0].id == "system-users"
+    assert user.local_only
 
 
 async def test_utf_8_username_password(provider) -> None:

tests/auth/providers/test_command_line_cmd.sh

@@ -4,6 +4,8 @@ if [ "$username" = "good-user" ] && [ "$password" = "good-pass" ]; then
 	echo "Auth should succeed." >&2
 	if [ "$1" = "--with-meta" ]; then
 		echo "name=Bob"
+		echo "group=system-users"
+		echo "local_only=true"
 	fi
 	exit 0
 fi