async def test_basic_auth_works(app, aiohttp_client, hass, legacy_auth):
"""Test access with basic authentication."""
setup_auth(hass, app)
client = await aiohttp_client(app)
user = await get_legacy_user(hass.auth)
req = await client.get(
'/',
auth=BasicAuth('homeassistant', API_PASSWORD))
assert req.status == 200
assert await req.json() == {
'user_id': user.id,
}
req = await client.get(
'/',
auth=BasicAuth('wrong_username', API_PASSWORD))
assert req.status == 401
req = await client.get(
'/',
auth=BasicAuth('homeassistant', 'wrong password'))
assert req.status == 401
req = await client.get(
'/',
headers={
'authorization': 'NotBasic abcdefg'
})
assert req.status == 401
async def test_basic_auth_works(app, aiohttp_client):
"""Test access with basic authentication."""
setup_auth(app, [], False, api_password=API_PASSWORD)
client = await aiohttp_client(app)
req = await client.get(
'/',
auth=BasicAuth('homeassistant', API_PASSWORD))
assert req.status == 200
req = await client.get(
'/',
auth=BasicAuth('wrong_username', API_PASSWORD))
assert req.status == 401
req = await client.get(
'/',
auth=BasicAuth('homeassistant', 'wrong password'))
assert req.status == 401
req = await client.get(
'/',
headers={
'authorization': 'NotBasic abcdefg'
})
assert req.status == 401
async def test_access_without_password(app, aiohttp_client):
"""Test access without password."""
setup_auth(app, [], False, api_password=None)
client = await aiohttp_client(app)
resp = await client.get('/')
assert resp.status == 200
def test_access_without_password(app, test_client):
"""Test access without password."""
setup_auth(app, [], None)
client = yield from test_client(app)
resp = yield from client.get('/')
assert resp.status == 200
async def test_auth_legacy_support_api_password_access(app, aiohttp_client,
legacy_auth, hass):
"""Test access using api_password if auth.support_legacy."""
setup_auth(app, [], API_PASSWORD)
client = await aiohttp_client(app)
user = await legacy_api_password.async_get_user(hass)
req = await client.get('/', headers={HTTP_HEADER_HA_AUTH: API_PASSWORD})
assert req.status == 200
assert await req.json() == {
'refresh_token_id': None,
'user_id': user.id,
}
resp = await client.get('/', params={'api_password': API_PASSWORD})
assert resp.status == 200
assert await resp.json() == {
'refresh_token_id': None,
'user_id': user.id,
}
req = await client.get('/', auth=BasicAuth('homeassistant', API_PASSWORD))
assert req.status == 200
assert await req.json() == {
'refresh_token_id': None,
'user_id': user.id,
}
async def test_auth_active_access_with_access_token_in_header(
hass, app, aiohttp_client, hass_access_token):
"""Test access with access token in header."""
token = hass_access_token
setup_auth(hass, app)
client = await aiohttp_client(app)
refresh_token = await hass.auth.async_validate_access_token(
hass_access_token)
req = await client.get("/", headers={"Authorization": f"Bearer {token}"})
assert req.status == HTTPStatus.OK
assert await req.json() == {"user_id": refresh_token.user.id}
req = await client.get("/", headers={"AUTHORIZATION": f"Bearer {token}"})
assert req.status == HTTPStatus.OK
assert await req.json() == {"user_id": refresh_token.user.id}
req = await client.get("/", headers={"authorization": f"Bearer {token}"})
assert req.status == HTTPStatus.OK
assert await req.json() == {"user_id": refresh_token.user.id}
req = await client.get("/", headers={"Authorization": token})
assert req.status == HTTPStatus.UNAUTHORIZED
req = await client.get("/", headers={"Authorization": f"BEARER {token}"})
assert req.status == HTTPStatus.UNAUTHORIZED
refresh_token = await hass.auth.async_validate_access_token(
hass_access_token)
refresh_token.user.is_active = False
req = await client.get("/", headers={"Authorization": f"Bearer {token}"})
assert req.status == HTTPStatus.UNAUTHORIZED
async def test_auth_active_access_with_access_token_in_header(
app, aiohttp_client):
"""Test access with access token in header."""
setup_auth(app, [], True, api_password=None)
client = await aiohttp_client(app)
req = await client.get(
'/', headers={'Authorization': 'Bearer {}'.format(ACCESS_TOKEN)})
assert req.status == 200
req = await client.get(
'/', headers={'AUTHORIZATION': 'Bearer {}'.format(ACCESS_TOKEN)})
assert req.status == 200
req = await client.get(
'/', headers={'authorization': 'Bearer {}'.format(ACCESS_TOKEN)})
assert req.status == 200
req = await client.get('/', headers={'Authorization': ACCESS_TOKEN})
assert req.status == 401
req = await client.get(
'/', headers={'Authorization': 'BEARER {}'.format(ACCESS_TOKEN)})
assert req.status == 401
req = await client.get('/', headers={'Authorization': 'Bearer wrong-pass'})
assert req.status == 401
def test_access_without_password(app, test_client):
"""Test access without password."""
setup_auth(app, [], None)
client = yield from test_client(app)
resp = yield from client.get('/')
assert resp.status == 200
async def test_auth_active_access_with_access_token_in_header(
app, aiohttp_client):
"""Test access with access token in header."""
setup_auth(app, [], True, api_password=None)
client = await aiohttp_client(app)
req = await client.get(
'/', headers={'Authorization': 'Bearer {}'.format(ACCESS_TOKEN)})
assert req.status == 200
req = await client.get(
'/', headers={'AUTHORIZATION': 'Bearer {}'.format(ACCESS_TOKEN)})
assert req.status == 200
req = await client.get(
'/', headers={'authorization': 'Bearer {}'.format(ACCESS_TOKEN)})
assert req.status == 200
req = await client.get(
'/', headers={'Authorization': ACCESS_TOKEN})
assert req.status == 401
req = await client.get(
'/', headers={'Authorization': 'BEARER {}'.format(ACCESS_TOKEN)})
assert req.status == 401
req = await client.get(
'/', headers={'Authorization': 'Bearer wrong-pass'})
assert req.status == 401
async def test_auth_legacy_support_api_password_access(
app, aiohttp_client, legacy_auth, hass):
"""Test access using api_password if auth.support_legacy."""
setup_auth(hass, app)
client = await aiohttp_client(app)
user = await get_legacy_user(hass.auth)
req = await client.get(
'/', headers={HTTP_HEADER_HA_AUTH: API_PASSWORD})
assert req.status == 200
assert await req.json() == {
'user_id': user.id,
}
resp = await client.get('/', params={
'api_password': API_PASSWORD
})
assert resp.status == 200
assert await resp.json() == {
'user_id': user.id,
}
req = await client.get(
'/',
auth=BasicAuth('homeassistant', API_PASSWORD))
assert req.status == 200
assert await req.json() == {
'user_id': user.id,
}
async def test_access_without_password(app, aiohttp_client):
"""Test access without password."""
setup_auth(app, [], False, api_password=None)
client = await aiohttp_client(app)
resp = await client.get('/')
assert resp.status == 200
async def test_basic_auth_works(app, aiohttp_client):
"""Test access with basic authentication."""
setup_auth(app, [], False, api_password=API_PASSWORD)
client = await aiohttp_client(app)
req = await client.get(
'/',
auth=BasicAuth('homeassistant', API_PASSWORD))
assert req.status == 200
req = await client.get(
'/',
auth=BasicAuth('wrong_username', API_PASSWORD))
assert req.status == 401
req = await client.get(
'/',
auth=BasicAuth('homeassistant', 'wrong password'))
assert req.status == 401
req = await client.get(
'/',
headers={
'authorization': 'NotBasic abcdefg'
})
assert req.status == 401
def test_basic_auth_works(app, test_client):
"""Test access with basic authentication."""
setup_auth(app, [], API_PASSWORD)
client = yield from test_client(app)
req = yield from client.get(
'/',
auth=BasicAuth('homeassistant', API_PASSWORD))
assert req.status == 200
req = yield from client.get(
'/',
auth=BasicAuth('wrong_username', API_PASSWORD))
assert req.status == 401
req = yield from client.get(
'/',
auth=BasicAuth('homeassistant', 'wrong password'))
assert req.status == 401
req = yield from client.get(
'/',
headers={
'authorization': 'NotBasic abcdefg'
})
assert req.status == 401
async def test_auth_active_access_with_access_token_in_header(
hass, app, aiohttp_client, hass_access_token):
"""Test access with access token in header."""
token = hass_access_token
setup_auth(app, [], True, api_password=None)
client = await aiohttp_client(app)
req = await client.get(
'/', headers={'Authorization': 'Bearer {}'.format(token)})
assert req.status == 200
req = await client.get(
'/', headers={'AUTHORIZATION': 'Bearer {}'.format(token)})
assert req.status == 200
req = await client.get(
'/', headers={'authorization': 'Bearer {}'.format(token)})
assert req.status == 200
req = await client.get('/', headers={'Authorization': token})
assert req.status == 401
req = await client.get(
'/', headers={'Authorization': 'BEARER {}'.format(token)})
assert req.status == 401
refresh_token = await hass.auth.async_validate_access_token(
hass_access_token)
refresh_token.user.is_active = False
req = await client.get(
'/', headers={'Authorization': 'Bearer {}'.format(token)})
assert req.status == 401
async def test_auth_active_access_with_access_token_in_header(
hass, app, aiohttp_client, hass_access_token):
"""Test access with access token in header."""
token = hass_access_token
setup_auth(app, [], True, api_password=None)
client = await aiohttp_client(app)
req = await client.get(
'/', headers={'Authorization': 'Bearer {}'.format(token)})
assert req.status == 200
req = await client.get(
'/', headers={'AUTHORIZATION': 'Bearer {}'.format(token)})
assert req.status == 200
req = await client.get(
'/', headers={'authorization': 'Bearer {}'.format(token)})
assert req.status == 200
req = await client.get(
'/', headers={'Authorization': token})
assert req.status == 401
req = await client.get(
'/', headers={'Authorization': 'BEARER {}'.format(token)})
assert req.status == 401
refresh_token = await hass.auth.async_validate_access_token(
hass_access_token)
refresh_token.user.is_active = False
req = await client.get(
'/', headers={'Authorization': 'Bearer {}'.format(token)})
assert req.status == 401
async def test_access_with_password_in_header(app, aiohttp_client):
"""Test access with password in header."""
setup_auth(app, [], False, api_password=API_PASSWORD)
client = await aiohttp_client(app)
req = await client.get('/', headers={HTTP_HEADER_HA_AUTH: API_PASSWORD})
assert req.status == 200
req = await client.get('/', headers={HTTP_HEADER_HA_AUTH: 'wrong-pass'})
assert req.status == 401
async def test_cant_access_with_password_in_header(app, aiohttp_client,
legacy_auth, hass):
"""Test access with password in header."""
setup_auth(hass, app)
client = await aiohttp_client(app)
req = await client.get("/", headers={HTTP_HEADER_HA_AUTH: API_PASSWORD})
assert req.status == HTTPStatus.UNAUTHORIZED
req = await client.get("/", headers={HTTP_HEADER_HA_AUTH: "wrong-pass"})
assert req.status == HTTPStatus.UNAUTHORIZED
async def test_access_with_password_in_header(app, aiohttp_client):
"""Test access with password in header."""
setup_auth(app, [], False, api_password=API_PASSWORD)
client = await aiohttp_client(app)
req = await client.get(
'/', headers={HTTP_HEADER_HA_AUTH: API_PASSWORD})
assert req.status == 200
req = await client.get(
'/', headers={HTTP_HEADER_HA_AUTH: 'wrong-pass'})
assert req.status == 401
def test_access_with_password_in_header(app, test_client):
"""Test access with password in URL."""
setup_auth(app, [], API_PASSWORD)
client = yield from test_client(app)
req = yield from client.get('/',
headers={HTTP_HEADER_HA_AUTH: API_PASSWORD})
assert req.status == 200
req = yield from client.get('/',
headers={HTTP_HEADER_HA_AUTH: 'wrong-pass'})
assert req.status == 401
async def test_access_with_password_in_header(app, aiohttp_client, legacy_auth, hass):
"""Test access with password in header."""
setup_auth(hass, app)
client = await aiohttp_client(app)
user = await get_legacy_user(hass.auth)
req = await client.get("/", headers={HTTP_HEADER_HA_AUTH: API_PASSWORD})
assert req.status == 200
assert await req.json() == {"user_id": user.id}
req = await client.get("/", headers={HTTP_HEADER_HA_AUTH: "wrong-pass"})
assert req.status == 401
def test_access_with_password_in_header(app, test_client):
"""Test access with password in URL."""
setup_auth(app, [], API_PASSWORD)
client = yield from test_client(app)
req = yield from client.get(
'/', headers={HTTP_HEADER_HA_AUTH: API_PASSWORD})
assert req.status == 200
req = yield from client.get(
'/', headers={HTTP_HEADER_HA_AUTH: 'wrong-pass'})
assert req.status == 401
async def test_auth_legacy_support_api_password_access(app, aiohttp_client):
"""Test access using api_password if auth.support_legacy."""
setup_auth(app, [], True, support_legacy=True, api_password=API_PASSWORD)
client = await aiohttp_client(app)
req = await client.get('/', headers={HTTP_HEADER_HA_AUTH: API_PASSWORD})
assert req.status == 200
resp = await client.get('/', params={'api_password': API_PASSWORD})
assert resp.status == 200
req = await client.get('/', auth=BasicAuth('homeassistant', API_PASSWORD))
assert req.status == 200
async def test_access_with_password_in_query(app, test_client):
"""Test access without password."""
setup_auth(app, [], API_PASSWORD)
client = await test_client(app)
resp = await client.get('/', params={'api_password': API_PASSWORD})
assert resp.status == 200
resp = await client.get('/')
assert resp.status == 401
resp = await client.get('/', params={'api_password': '******'})
assert resp.status == 401
async def test_auth_active_blocked_api_password_access(app, aiohttp_client):
"""Test access using api_password should be blocked when auth.active."""
setup_auth(app, [], True, api_password=API_PASSWORD)
client = await aiohttp_client(app)
req = await client.get('/', headers={HTTP_HEADER_HA_AUTH: API_PASSWORD})
assert req.status == 401
resp = await client.get('/', params={'api_password': API_PASSWORD})
assert resp.status == 401
req = await client.get('/', auth=BasicAuth('homeassistant', API_PASSWORD))
assert req.status == 401
async def test_access_with_password_in_query(app, aiohttp_client):
"""Test access with password in URL."""
setup_auth(app, [], False, api_password=API_PASSWORD)
client = await aiohttp_client(app)
resp = await client.get('/', params={'api_password': API_PASSWORD})
assert resp.status == 200
resp = await client.get('/')
assert resp.status == 401
resp = await client.get('/', params={'api_password': '******'})
assert resp.status == 401
async def test_cant_access_with_password_in_query(app, aiohttp_client,
legacy_auth, hass):
"""Test access with password in URL."""
setup_auth(hass, app)
client = await aiohttp_client(app)
resp = await client.get("/", params={"api_password": API_PASSWORD})
assert resp.status == HTTPStatus.UNAUTHORIZED
resp = await client.get("/")
assert resp.status == HTTPStatus.UNAUTHORIZED
resp = await client.get("/", params={"api_password": "******"})
assert resp.status == HTTPStatus.UNAUTHORIZED
async def test_auth_legacy_support_api_password_cannot_access(
app, aiohttp_client, legacy_auth, hass):
"""Test access using api_password if auth.support_legacy."""
setup_auth(hass, app)
client = await aiohttp_client(app)
req = await client.get("/", headers={HTTP_HEADER_HA_AUTH: API_PASSWORD})
assert req.status == HTTPStatus.UNAUTHORIZED
resp = await client.get("/", params={"api_password": API_PASSWORD})
assert resp.status == HTTPStatus.UNAUTHORIZED
req = await client.get("/", auth=BasicAuth("homeassistant", API_PASSWORD))
assert req.status == HTTPStatus.UNAUTHORIZED
async def test_access_with_password_in_query(app, aiohttp_client, legacy_auth, hass):
"""Test access with password in URL."""
setup_auth(hass, app)
client = await aiohttp_client(app)
user = await get_legacy_user(hass.auth)
resp = await client.get("/", params={"api_password": API_PASSWORD})
assert resp.status == 200
assert await resp.json() == {"user_id": user.id}
resp = await client.get("/")
assert resp.status == 401
resp = await client.get("/", params={"api_password": "******"})
assert resp.status == 401
async def test_basic_auth_does_not_work(app, aiohttp_client, hass, legacy_auth):
"""Test access with basic authentication."""
setup_auth(hass, app)
client = await aiohttp_client(app)
req = await client.get("/", auth=BasicAuth("homeassistant", API_PASSWORD))
assert req.status == 401
req = await client.get("/", auth=BasicAuth("wrong_username", API_PASSWORD))
assert req.status == 401
req = await client.get("/", auth=BasicAuth("homeassistant", "wrong password"))
assert req.status == 401
req = await client.get("/", headers={"authorization": "NotBasic abcdefg"})
assert req.status == 401
async def test_access_with_password_in_header(app, aiohttp_client, legacy_auth,
hass):
"""Test access with password in header."""
setup_auth(app, [], api_password=API_PASSWORD)
client = await aiohttp_client(app)
user = await legacy_api_password.async_get_user(hass)
req = await client.get('/', headers={HTTP_HEADER_HA_AUTH: API_PASSWORD})
assert req.status == 200
assert await req.json() == {
'refresh_token_id': None,
'user_id': user.id,
}
req = await client.get('/', headers={HTTP_HEADER_HA_AUTH: 'wrong-pass'})
assert req.status == 401
async def test_cannot_access_with_trusted_ip(hass, app2, trusted_networks_auth,
aiohttp_client, hass_owner_user):
"""Test access with an untrusted ip address."""
setup_auth(hass, app2)
set_mock_ip = mock_real_ip(app2)
client = await aiohttp_client(app2)
for remote_addr in UNTRUSTED_ADDRESSES:
set_mock_ip(remote_addr)
resp = await client.get("/")
assert resp.status == 401, f"{remote_addr} shouldn't be trusted"
for remote_addr in TRUSTED_ADDRESSES:
set_mock_ip(remote_addr)
resp = await client.get("/")
assert resp.status == 401, f"{remote_addr} shouldn't be trusted"
async def test_access_with_password_in_header(app, aiohttp_client,
legacy_auth, hass):
"""Test access with password in header."""
setup_auth(hass, app)
client = await aiohttp_client(app)
user = await get_legacy_user(hass.auth)
req = await client.get(
'/', headers={HTTP_HEADER_HA_AUTH: API_PASSWORD})
assert req.status == 200
assert await req.json() == {
'user_id': user.id,
}
req = await client.get(
'/', headers={HTTP_HEADER_HA_AUTH: 'wrong-pass'})
assert req.status == 401
def test_access_with_password_in_query(app, test_client):
"""Test access without password."""
setup_auth(app, [], API_PASSWORD)
client = yield from test_client(app)
resp = yield from client.get('/', params={
'api_password': API_PASSWORD
})
assert resp.status == 200
resp = yield from client.get('/')
assert resp.status == 401
resp = yield from client.get('/', params={
'api_password': '******'
})
assert resp.status == 401
async def test_access_with_password_in_query(app, aiohttp_client):
"""Test access with password in URL."""
setup_auth(app, [], False, api_password=API_PASSWORD)
client = await aiohttp_client(app)
resp = await client.get('/', params={
'api_password': API_PASSWORD
})
assert resp.status == 200
resp = await client.get('/')
assert resp.status == 401
resp = await client.get('/', params={
'api_password': '******'
})
assert resp.status == 401
async def test_access_with_password_in_header(app, aiohttp_client,
legacy_auth, hass):
"""Test access with password in header."""
setup_auth(app, [], False, api_password=API_PASSWORD)
client = await aiohttp_client(app)
user = await legacy_api_password.async_get_user(hass)
req = await client.get(
'/', headers={HTTP_HEADER_HA_AUTH: API_PASSWORD})
assert req.status == 200
assert await req.json() == {
'refresh_token_id': None,
'user_id': user.id,
}
req = await client.get(
'/', headers={HTTP_HEADER_HA_AUTH: 'wrong-pass'})
assert req.status == 401
async def test_basic_auth_works(app, aiohttp_client, hass, legacy_auth):
"""Test access with basic authentication."""
setup_auth(hass, app)
client = await aiohttp_client(app)
user = await get_legacy_user(hass.auth)
req = await client.get("/", auth=BasicAuth("homeassistant", API_PASSWORD))
assert req.status == 200
assert await req.json() == {"user_id": user.id}
req = await client.get("/", auth=BasicAuth("wrong_username", API_PASSWORD))
assert req.status == 401
req = await client.get("/", auth=BasicAuth("homeassistant", "wrong password"))
assert req.status == 401
req = await client.get("/", headers={"authorization": "NotBasic abcdefg"})
assert req.status == 401
async def test_auth_legacy_support_api_password_access(app, aiohttp_client):
"""Test access using api_password if auth.support_legacy."""
setup_auth(app, [], True, support_legacy=True, api_password=API_PASSWORD)
client = await aiohttp_client(app)
req = await client.get(
'/', headers={HTTP_HEADER_HA_AUTH: API_PASSWORD})
assert req.status == 200
resp = await client.get('/', params={
'api_password': API_PASSWORD
})
assert resp.status == 200
req = await client.get(
'/',
auth=BasicAuth('homeassistant', API_PASSWORD))
assert req.status == 200
async def test_auth_active_blocked_api_password_access(app, aiohttp_client):
"""Test access using api_password should be blocked when auth.active."""
setup_auth(app, [], True, api_password=API_PASSWORD)
client = await aiohttp_client(app)
req = await client.get(
'/', headers={HTTP_HEADER_HA_AUTH: API_PASSWORD})
assert req.status == 401
resp = await client.get('/', params={
'api_password': API_PASSWORD
})
assert resp.status == 401
req = await client.get(
'/',
auth=BasicAuth('homeassistant', API_PASSWORD))
assert req.status == 401
async def test_auth_active_access_with_trusted_ip(app2, aiohttp_client):
"""Test access with an untrusted ip address."""
setup_auth(app2, TRUSTED_NETWORKS, True, api_password=None)
set_mock_ip = mock_real_ip(app2)
client = await aiohttp_client(app2)
for remote_addr in UNTRUSTED_ADDRESSES:
set_mock_ip(remote_addr)
resp = await client.get('/')
assert resp.status == 401, \
"{} shouldn't be trusted".format(remote_addr)
for remote_addr in TRUSTED_ADDRESSES:
set_mock_ip(remote_addr)
resp = await client.get('/')
assert resp.status == 200, \
"{} should be trusted".format(remote_addr)
async def test_auth_active_access_with_trusted_ip(app2, aiohttp_client):
"""Test access with an untrusted ip address."""
setup_auth(app2, TRUSTED_NETWORKS, True, api_password=None)
set_mock_ip = mock_real_ip(app2)
client = await aiohttp_client(app2)
for remote_addr in UNTRUSTED_ADDRESSES:
set_mock_ip(remote_addr)
resp = await client.get('/')
assert resp.status == 401, \
"{} shouldn't be trusted".format(remote_addr)
for remote_addr in TRUSTED_ADDRESSES:
set_mock_ip(remote_addr)
resp = await client.get('/')
assert resp.status == 200, \
"{} should be trusted".format(remote_addr)
async def test_auth_legacy_support_api_password_access(
app, aiohttp_client, legacy_auth, hass
):
"""Test access using api_password if auth.support_legacy."""
setup_auth(hass, app)
client = await aiohttp_client(app)
user = await get_legacy_user(hass.auth)
req = await client.get("/", headers={HTTP_HEADER_HA_AUTH: API_PASSWORD})
assert req.status == 200
assert await req.json() == {"user_id": user.id}
resp = await client.get("/", params={"api_password": API_PASSWORD})
assert resp.status == 200
assert await resp.json() == {"user_id": user.id}
req = await client.get("/", auth=BasicAuth("homeassistant", API_PASSWORD))
assert req.status == 200
assert await req.json() == {"user_id": user.id}
async def test_auth_active_access_with_trusted_ip(
hass, app2, trusted_networks_auth, aiohttp_client, hass_owner_user
):
"""Test access with an untrusted ip address."""
setup_auth(hass, app2)
set_mock_ip = mock_real_ip(app2)
client = await aiohttp_client(app2)
for remote_addr in UNTRUSTED_ADDRESSES:
set_mock_ip(remote_addr)
resp = await client.get("/")
assert resp.status == 401, "{} shouldn't be trusted".format(remote_addr)
for remote_addr in TRUSTED_ADDRESSES:
set_mock_ip(remote_addr)
resp = await client.get("/")
assert resp.status == 200, "{} should be trusted".format(remote_addr)
assert await resp.json() == {"user_id": hass_owner_user.id}
async def test_access_with_password_in_query(app, aiohttp_client, legacy_auth,
hass):
"""Test access with password in URL."""
setup_auth(app, [], api_password=API_PASSWORD)
client = await aiohttp_client(app)
user = await legacy_api_password.async_get_user(hass)
resp = await client.get('/', params={'api_password': API_PASSWORD})
assert resp.status == 200
assert await resp.json() == {
'refresh_token_id': None,
'user_id': user.id,
}
resp = await client.get('/')
assert resp.status == 401
resp = await client.get('/', params={'api_password': '******'})
assert resp.status == 401
async def test_auth_access_signed_path(
hass, app, aiohttp_client, hass_access_token):
"""Test access with signed url."""
app.router.add_post('/', mock_handler)
app.router.add_get('/another_path', mock_handler)
setup_auth(app, [], True, api_password=None)
client = await aiohttp_client(app)
refresh_token = await hass.auth.async_validate_access_token(
hass_access_token)
signed_path = async_sign_path(
hass, refresh_token.id, '/', timedelta(seconds=5)
)
req = await client.get(signed_path)
assert req.status == 200
data = await req.json()
assert data['refresh_token_id'] == refresh_token.id
assert data['user_id'] == refresh_token.user.id
# Use signature on other path
req = await client.get(
'/another_path?{}'.format(signed_path.split('?')[1]))
assert req.status == 401
# We only allow GET
req = await client.post(signed_path)
assert req.status == 401
# Never valid as expired in the past.
expired_signed_path = async_sign_path(
hass, refresh_token.id, '/', timedelta(seconds=-5)
)
req = await client.get(expired_signed_path)
assert req.status == 401
# refresh token gone should also invalidate signature
await hass.auth.async_remove_refresh_token(refresh_token)
req = await client.get(signed_path)
assert req.status == 401
async def test_auth_access_signed_path(
hass, app, aiohttp_client, hass_access_token):
"""Test access with signed url."""
app.router.add_post('/', mock_handler)
app.router.add_get('/another_path', mock_handler)
setup_auth(app, [], True, api_password=None)
client = await aiohttp_client(app)
refresh_token = await hass.auth.async_validate_access_token(
hass_access_token)
signed_path = async_sign_path(
hass, refresh_token.id, '/', timedelta(seconds=5)
)
req = await client.get(signed_path)
assert req.status == 200
data = await req.json()
assert data['refresh_token_id'] == refresh_token.id
assert data['user_id'] == refresh_token.user.id
# Use signature on other path
req = await client.get(
'/another_path?{}'.format(signed_path.split('?')[1]))
assert req.status == 401
# We only allow GET
req = await client.post(signed_path)
assert req.status == 401
# Never valid as expired in the past.
expired_signed_path = async_sign_path(
hass, refresh_token.id, '/', timedelta(seconds=-5)
)
req = await client.get(expired_signed_path)
assert req.status == 401
# refresh token gone should also invalidate signature
await hass.auth.async_remove_refresh_token(refresh_token)
req = await client.get(signed_path)
assert req.status == 401
def test_access_with_trusted_ip(test_client):
"""Test access with an untrusted ip address."""
app = web.Application()
app.router.add_get('/', mock_handler)
setup_auth(app, TRUSTED_NETWORKS, 'some-pass')
set_mock_ip = mock_real_ip(app)
client = yield from test_client(app)
for remote_addr in UNTRUSTED_ADDRESSES:
set_mock_ip(remote_addr)
resp = yield from client.get('/')
assert resp.status == 401, \
"{} shouldn't be trusted".format(remote_addr)
for remote_addr in TRUSTED_ADDRESSES:
set_mock_ip(remote_addr)
resp = yield from client.get('/')
assert resp.status == 200, \
"{} should be trusted".format(remote_addr)
async def test_basic_auth_works(app, aiohttp_client, hass, legacy_auth):
"""Test access with basic authentication."""
setup_auth(hass, app)
client = await aiohttp_client(app)
user = await get_legacy_user(hass.auth)
req = await client.get('/', auth=BasicAuth('homeassistant', API_PASSWORD))
assert req.status == 200
assert await req.json() == {
'user_id': user.id,
}
req = await client.get('/', auth=BasicAuth('wrong_username', API_PASSWORD))
assert req.status == 401
req = await client.get('/',
auth=BasicAuth('homeassistant', 'wrong password'))
assert req.status == 401
req = await client.get('/', headers={'authorization': 'NotBasic abcdefg'})
assert req.status == 401
def test_access_with_trusted_ip(test_client):
"""Test access with an untrusted ip address."""
app = web.Application()
app.router.add_get('/', mock_handler)
setup_auth(app, TRUSTED_NETWORKS, 'some-pass')
set_mock_ip = mock_real_ip(app)
client = yield from test_client(app)
for remote_addr in UNTRUSTED_ADDRESSES:
set_mock_ip(remote_addr)
resp = yield from client.get('/')
assert resp.status == 401, \
"{} shouldn't be trusted".format(remote_addr)
for remote_addr in TRUSTED_ADDRESSES:
set_mock_ip(remote_addr)
resp = yield from client.get('/')
assert resp.status == 200, \
"{} should be trusted".format(remote_addr)
def test_basic_auth_works(app, test_client):
"""Test access with basic authentication."""
setup_auth(app, [], API_PASSWORD)
client = yield from test_client(app)
req = yield from client.get('/',
auth=BasicAuth('homeassistant', API_PASSWORD))
assert req.status == 200
req = yield from client.get('/',
auth=BasicAuth('wrong_username', API_PASSWORD))
assert req.status == 401
req = yield from client.get('/',
auth=BasicAuth('homeassistant',
'wrong password'))
assert req.status == 401
req = yield from client.get('/',
headers={'authorization': 'NotBasic abcdefg'})
assert req.status == 401
async def test_access_with_trusted_ip(app2, aiohttp_client, hass_owner_user):
"""Test access with an untrusted ip address."""
setup_auth(app2, TRUSTED_NETWORKS, False, api_password='******')
set_mock_ip = mock_real_ip(app2)
client = await aiohttp_client(app2)
for remote_addr in UNTRUSTED_ADDRESSES:
set_mock_ip(remote_addr)
resp = await client.get('/')
assert resp.status == 401, \
"{} shouldn't be trusted".format(remote_addr)
for remote_addr in TRUSTED_ADDRESSES:
set_mock_ip(remote_addr)
resp = await client.get('/')
assert resp.status == 200, \
"{} should be trusted".format(remote_addr)
assert await resp.json() == {
'refresh_token_id': None,
'user_id': hass_owner_user.id,
}
async def test_access_with_password_in_query(app, aiohttp_client, legacy_auth,
hass):
"""Test access with password in URL."""
setup_auth(hass, app)
client = await aiohttp_client(app)
user = await get_legacy_user(hass.auth)
resp = await client.get('/', params={
'api_password': API_PASSWORD
})
assert resp.status == 200
assert await resp.json() == {
'user_id': user.id,
}
resp = await client.get('/')
assert resp.status == 401
resp = await client.get('/', params={
'api_password': '******'
})
assert resp.status == 401
async def test_access_with_trusted_ip(hass, app2, trusted_networks_auth,
aiohttp_client,
hass_owner_user):
"""Test access with an untrusted ip address."""
setup_auth(hass, app2)
set_mock_ip = mock_real_ip(app2)
client = await aiohttp_client(app2)
for remote_addr in UNTRUSTED_ADDRESSES:
set_mock_ip(remote_addr)
resp = await client.get('/')
assert resp.status == 401, \
"{} shouldn't be trusted".format(remote_addr)
for remote_addr in TRUSTED_ADDRESSES:
set_mock_ip(remote_addr)
resp = await client.get('/')
assert resp.status == 200, \
"{} should be trusted".format(remote_addr)
assert await resp.json() == {
'user_id': hass_owner_user.id,
}
async def test_no_auth_no_token(aioclient_mock, hass, aiohttp_client):
"""Test cases where aiohttp_client is not auth."""
await async_setup_component(hass, 'camera', {
'camera': {
'platform': 'push',
'name': 'config_test',
}})
setup_auth(hass.http.app, [], True, api_password=None)
client = await aiohttp_client(hass.http.app)
# no token
files = {'image': io.BytesIO(b'fake')}
resp = await client.post('/api/camera_push/camera.config_test',
data=files)
assert resp.status == 401
# fake token
files = {'image': io.BytesIO(b'fake')}
resp = await client.post(
'/api/camera_push/camera.config_test?token=12345678',
data=files)
assert resp.status == 401
async def test_access_with_password_in_query(app, aiohttp_client, legacy_auth,
hass):
"""Test access with password in URL."""
setup_auth(app, [], False, api_password=API_PASSWORD)
client = await aiohttp_client(app)
user = await legacy_api_password.async_get_user(hass)
resp = await client.get('/', params={
'api_password': API_PASSWORD
})
assert resp.status == 200
assert await resp.json() == {
'refresh_token_id': None,
'user_id': user.id,
}
resp = await client.get('/')
assert resp.status == 401
resp = await client.get('/', params={
'api_password': '******'
})
assert resp.status == 401
