Block cloud explicitely from trusted networks (#59333)

* Block cloud explicitely from trusted networks

* Lint
Paulus Schoutsen 2021-11-12 01:25:01 -08:00 committed by GitHub
parent 13067003cb
commit e30e4d5c6d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 28 additions and 0 deletions


@ -194,6 +194,12 @@ class TrustedNetworksAuthProvider(AuthProvider):
if any(ip_addr in trusted_proxy for trusted_proxy in self.trusted_proxies):
raise InvalidAuthError("Can't allow access from a proxy server")
if "cloud" in self.hass.config.components:
from hass_nabucasa import remote # pylint: disable=import-outside-toplevel
if remote.is_cloud_request.get():
raise InvalidAuthError("Can't allow access from Home Assistant Cloud")
@callback
def async_validate_refresh_token(
self, refresh_token: RefreshToken, remote_ip: str | None = None
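Review bot: The new cloud guard in `async_validate_access` carries no comment saying why a cloud request has to be refused, and the reason cannot be read off the code. I would add above the `if "cloud" in self.hass.config.components:` line something like `# Requests relayed through Home Assistant Cloud are remote even if their source address falls inside a trusted network, so never treat them as trusted.` The guard also allows by default: it only fires when the `cloud` component is loaded and `remote.is_cloud_request.get()` is truthy in the current context, so it relies on hass_nabucasa setting that context variable for every relayed request before authentication runs. That assumption is worth stating in the comment and confirming for the refresh-token path, which appears to go through this method as well. The method starts above the hunk, so its earlier checks are not visible here.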


@ -2,6 +2,7 @@
from ipaddress import ip_address, ip_network
from unittest.mock import Mock, patch
from hass_nabucasa import remote
import pytest
import voluptuous as vol
@ -169,6 +170,27 @@ async def test_validate_access_proxy(hass, provider):
provider.async_validate_access(ip_address("fd00::1"))
async def test_validate_access_cloud(hass, provider):
"""Test validate access from trusted networks are blocked from cloud."""
await async_setup_component(
hass,
"http",
{
"http": {
CONF_TRUSTED_PROXIES: ["192.168.128.0/31", "fd00::1"],
CONF_USE_X_FORWARDED_FOR: True,
}
},
)
hass.config.components.add("cloud")
provider.async_validate_access(ip_address("192.168.128.2"))
remote.is_cloud_request.set(True)
with pytest.raises(tn_auth.InvalidAuthError):
provider.async_validate_access(ip_address("192.168.128.2"))
async def test_validate_refresh_token(provider):
"""Verify re-validation of refresh token."""
with patch.object(provider, "async_validate_access") as mock:
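Review bot: `remote.is_cloud_request.set(True)` in `test_validate_access_cloud` is never undone, so the flag may stay set for anything that later runs in the same context. Keeping the token makes the test self-contained: `token = remote.is_cloud_request.set(True)`, then `remote.is_cloud_request.reset(token)` in a `finally`. The test also covers only the case where `cloud` is loaded; a second case with the flag set but `cloud` absent from `hass.config.components` would pin down the intended behaviour on that branch. The first `provider.async_validate_access(ip_address("192.168.128.2"))` call passes only if that address is inside the fixture's trusted networks, which are defined outside this hunk.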