mirror of
https://github.com/home-assistant/core.git
synced 2025-07-22 04:37:06 +00:00
Block cloud explicitely from trusted networks (#59333)
* Block cloud explicitely from trusted networks * Lint
parent
13067003cb
commit
e30e4d5c6d
@ -194,6 +194,12 @@ class TrustedNetworksAuthProvider(AuthProvider):
|
||||
if any(ip_addr in trusted_proxy for trusted_proxy in self.trusted_proxies):
|
||||
raise InvalidAuthError("Can't allow access from a proxy server")
|
||||
|
||||
if "cloud" in self.hass.config.components:
|
||||
from hass_nabucasa import remote # pylint: disable=import-outside-toplevel
|
||||
|
||||
if remote.is_cloud_request.get():
|
||||
raise InvalidAuthError("Can't allow access from Home Assistant Cloud")
|
||||
|
||||
@callback
|
||||
def async_validate_refresh_token(
|
||||
self, refresh_token: RefreshToken, remote_ip: str | None = None
|
||||
|
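Review bot: The cloud guard added just above `async_validate_refresh_token` fails open: it rejects a request only when the `cloud` component is loaded and `remote.is_cloud_request.get()` is truthy in the current context, and nothing in the code documents that dependency. `is_cloud_request` looks like a context variable (the test calls `.set(True)` on it); if it is declared without a default, `.get()` would raise `LookupError` instead of `InvalidAuthError`, so confirm the default or call `remote.is_cloud_request.get(False)`. A short comment above `if "cloud" in self.hass.config.components:` would record the intent, e.g. `# Requests relayed by Home Assistant Cloud must never count as coming from a trusted network`. The enclosing method starts outside the hunk, so the earlier checks that lead to this point are not visible here.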
@ -2,6 +2,7 @@
|
||||
from ipaddress import ip_address, ip_network
|
||||
from unittest.mock import Mock, patch
|
||||
|
||||
from hass_nabucasa import remote
|
||||
import pytest
|
||||
import voluptuous as vol
|
||||
|
||||
@ -169,6 +170,27 @@ async def test_validate_access_proxy(hass, provider):
|
||||
provider.async_validate_access(ip_address("fd00::1"))
|
||||
|
||||
|
||||
async def test_validate_access_cloud(hass, provider):
|
||||
"""Test validate access from trusted networks are blocked from cloud."""
|
||||
await async_setup_component(
|
||||
hass,
|
||||
"http",
|
||||
{
|
||||
"http": {
|
||||
CONF_TRUSTED_PROXIES: ["192.168.128.0/31", "fd00::1"],
|
||||
CONF_USE_X_FORWARDED_FOR: True,
|
||||
}
|
||||
},
|
||||
)
|
||||
hass.config.components.add("cloud")
|
||||
|
||||
provider.async_validate_access(ip_address("192.168.128.2"))
|
||||
|
||||
remote.is_cloud_request.set(True)
|
||||
with pytest.raises(tn_auth.InvalidAuthError):
|
||||
provider.async_validate_access(ip_address("192.168.128.2"))
|
||||
|
||||
|
||||
async def test_validate_refresh_token(provider):
|
||||
"""Verify re-validation of refresh token."""
|
||||
with patch.object(provider, "async_validate_access") as mock:
|
||||
|
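Review bot: `remote.is_cloud_request.set(True)` in `test_validate_access_cloud` is never undone, so the flag may stay set for whatever runs later in the same context and let unrelated trusted-network tests fail or pass for the wrong reason. Keep the token and restore it: `token = remote.is_cloud_request.set(True)` before the `pytest.raises` block and `remote.is_cloud_request.reset(token)` in a `finally`. The test also exercises the flag only with `cloud` loaded; a case with the flag set and `cloud` absent from `hass.config.components` would pin the other half of the new condition.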