Handle encryption being disabled on an ESPHome device (#141887)

fixes #121442
2025-04-24 17:27:52 +00:00 · 2025-03-30 15:25:24 -10:00 · 2025-03-30 15:25:24 -10:00 · 1639163c2e
commit 1639163c2e
parent f043404cd9
4 changed files with 50 additions and 0 deletions
--- a/homeassistant/components/esphome/config_flow.py
+++ b/homeassistant/components/esphome/config_flow.py
@ -128,8 +128,23 @@ class EsphomeFlowHandler(ConfigFlow, domain=DOMAIN):
            self._password = ""
            return await self._async_authenticate_or_add()

+        if error is None and entry_data.get(CONF_NOISE_PSK):
+            return await self.async_step_reauth_encryption_removed_confirm()
        return await self.async_step_reauth_confirm()

+    async def async_step_reauth_encryption_removed_confirm(
+        self, user_input: dict[str, Any] | None = None
+    ) -> ConfigFlowResult:
+        """Handle reauthorization flow when encryption was removed."""
+        if user_input is not None:
+            self._noise_psk = None
+            return self._async_get_entry()
+
+        return self.async_show_form(
+            step_id="reauth_encryption_removed_confirm",
+            description_placeholders={"name": self._name},
+        )
+
    async def async_step_reauth_confirm(
        self, user_input: dict[str, Any] | None = None
    ) -> ConfigFlowResult:
--- a/homeassistant/components/esphome/manager.py
+++ b/homeassistant/components/esphome/manager.py
@ -13,6 +13,7 @@ from aioesphomeapi import (
    APIConnectionError,
    APIVersion,
    DeviceInfo as EsphomeDeviceInfo,
+    EncryptionHelloAPIError,
    EntityInfo,
    HomeassistantServiceCall,
    InvalidAuthAPIError,
@ -570,6 +571,7 @@ class ESPHomeManager:
        if isinstance(
            err,
            (
+                EncryptionHelloAPIError,
                RequiresEncryptionAPIError,
                InvalidEncryptionKeyAPIError,
                InvalidAuthAPIError,
--- a/homeassistant/components/esphome/strings.json
+++ b/homeassistant/components/esphome/strings.json
@ -43,6 +43,9 @@
        },
        "description": "The ESPHome device {name} enabled transport encryption or changed the encryption key. Please enter the updated key. You can find it in the ESPHome Dashboard or in your device configuration."
      },
+      "reauth_encryption_removed_confirm": {
+        "description": "The ESPHome device {name} disabled transport encryption. Please confirm that you want to remove the encryption key and allow unencrypted connections."
+      },
      "discovery_confirm": {
        "description": "Do you want to add the ESPHome node `{name}` to Home Assistant?",
        "title": "Discovered ESPHome node"
--- a/tests/components/esphome/test_config_flow.py
+++ b/tests/components/esphome/test_config_flow.py
@ -1047,6 +1047,36 @@ async def test_reauth_confirm_invalid_with_unique_id(
    assert entry.data[CONF_NOISE_PSK] == VALID_NOISE_PSK


+@pytest.mark.usefixtures("mock_zeroconf")
+async def test_reauth_encryption_key_removed(
+    hass: HomeAssistant, mock_client, mock_setup_entry: None
+) -> None:
+    """Test reauth when the encryption key was removed."""
+    entry = MockConfigEntry(
+        domain=DOMAIN,
+        data={
+            CONF_HOST: "127.0.0.1",
+            CONF_PORT: 6053,
+            CONF_PASSWORD: "",
+            CONF_NOISE_PSK: VALID_NOISE_PSK,
+        },
+        unique_id="test",
+    )
+    entry.add_to_hass(hass)
+
+    result = await entry.start_reauth_flow(hass)
+    assert result["type"] is FlowResultType.FORM
+    assert result["step_id"] == "reauth_encryption_removed_confirm"
+
+    result = await hass.config_entries.flow.async_configure(
+        result["flow_id"], user_input={}
+    )
+
+    assert result["type"] is FlowResultType.ABORT
+    assert result["reason"] == "reauth_successful"
+    assert entry.data[CONF_NOISE_PSK] == ""
+
+
 async def test_discovery_dhcp_updates_host(
    hass: HomeAssistant, mock_client: APIClient, mock_setup_entry: None
 ) -> None: