Add CAS Codenotary & cleanup old stuff (#1213)

* Add CAS Codenotary

* Update docs/add-ons/security.md

Co-authored-by: Joakim Sørensen <joasoe@gmail.com>

Co-authored-by: Joakim Sørensen <joasoe@gmail.com>
Pascal Vizeli 2022-06-23 14:54:21 +02:00 committed by GitHub
parent 0d4a63a449
commit 9cc60fa935
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 16 additions and 33 deletions

@ -183,6 +183,7 @@ Note: Avoid the use of this filename for anything other than add-on configurati
| `backup_pre` | string | | Command to execute in the context of the add-on before the backup is taken.
| `backup_post` | string | | Command to execute in the context of the add-on after the backup was taken.
| `backup_exclude` | list | | List of file/path (with glob support) that are excluded from backups.
| `codenotary` | email | | Email address of the signer of this image used by Codenotary CAS.
| `advanced` | bool | `false` | Set this to `true` to require the user to have enabled "Advanced" mode for it to show.
| `stage` | string | `stable` | Flag add-on with follow attribute: `stable`, `experimental` or `deprecated`. Add-ons set to `experimental` or `deprecated` will not show up in the store unless the user enables advanced mode.
| `init` | bool | `true` | Set this to `false` to disable the Docker default system init. Use this if the image has its own init system (Like [s6-overlay](https://github.com/just-containers/s6-overlay)). *Note: Starting in V3 of S6 setting this to `false` is required or the addon won't start, see [here](https://developers.home-assistant.io/blog/2022/05/12/s6-overlay-base-images) for more information.*
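Review bot: The new `codenotary` row leaves the default column empty and does not say what happens when the key is omitted. State that the option is optional and, if that is the behaviour, that the Supervisor skips signature verification without it, and link to the Codenotary CAS section of the security page. `email` is also a type name none of the neighbouring rows use (`string`, `list`, `bool`), so confirm it is an accepted type or document it as a `string` holding an email address.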

@ -18,6 +18,10 @@ For access to Supervisor API you need to define a role or you run in default mod
| `manager` | Is for Add-ons that run CLIs and need extended rights |
| `admin` | Have access to every API call. That is the only one they can disable/enable the Add-on protection mode |
## Codenotary CAS
You can sign your images and also verify our base image which you build from to provide a full chain of trust. This feature us supported by our [Builder](https://github.com/home-assistant/builder) and the [build config](/docs/add-ons/configuration#add-on-extended-build). For enable this feature on the Supervisor for your Add-on, you simple need add your email address to the Add-on configuration `codenotary`.
## Protection
Default, all add-ons run in protection enabled mode. This mode prevents the add-on from getting any rights on the system. If an add-on requires more rights, you can disable this protection via the API add-on options for that add-on. But be careful, an add-on with disabled protection can destroy your system!
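Review bot: The paragraph added under `## Codenotary CAS` has three wording errors: "This feature us supported" should be "is supported", "For enable this feature" should be "To enable this feature", and "you simple need add" should be "you simply need to add". It also does not say what the Supervisor does with an image whose signature fails verification; one sentence on that would tell add-on authors what their users will see.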
@ -30,6 +34,7 @@ As a developer, follow the following best practices to make your add-on secure:
- Create an AppArmor profile
- Map folders read only if you don't need write access
- If you need any API access, make sure that you do not grant permission that aren't needed
- Sign the image with [Codenotary CAS](https://cas.codenotary.com/)
## Use Home Assistant User backend
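Review bot: The new best-practice bullet links only to the external cas.codenotary.com site. Link it as well to the `## Codenotary CAS` section added earlier in this file, so readers find the `codenotary` configuration key they have to set.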

@ -13,14 +13,13 @@ To see more details about each endpoint, click on it to expand it.
### Addons
<ApiEndpoint path="/addons" method="get">
Return overview information about add-ons and add-on repositories.
Return overview information about installed add-ons.
**Payload:**
| key | type | description |
| ------------ | ---- | -------------------------------------------------- |
| addons | list | A list of [Addon models](api/supervisor/models.md#addon) |
| repositories | list | A list of [Repository models](api/supervisor/models.md#repository) |
**Example response:**
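Review bot: Dropping the `repositories` row from the `/addons` payload table documents a breaking change for any client that read repository data from this endpoint, and neither the new description nor the table says where that data is available now. Add a short pointer to the replacement endpoint if there is one. This cleanup is also unrelated to Codenotary and would be easier to review as its own commit.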
@ -45,15 +44,6 @@ Return overview information about add-ons and add-on repositories.
"icon": false,
"logo": false
}
],
"repositories": [
{
"slug": "12345678",
"name": "Awesome repository",
"source": "https://github.com/awesome/repository",
"url": null,
"maintainer": "Awesome maintainer <awesome@example.com>"
}
]
}
```
@ -155,6 +145,7 @@ Get details about an add-on
| video | boolean | `true` if video is enabled |
| watchdog | boolean | `true` if watchdog is enabled |
| webui | string or null | The URL to the web UI for the add-on |
| signed | boolean | True if the image is signed and trust |
**Example response:**
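Review bot: The `signed` description "True if the image is signed and trust" reads as cut off; "trusted" is presumably meant, and the neighbouring rows write the value as `true` in backticks followed by "if". Suggest "`true` if the image is signed and trusted", and say what is returned for an add-on that does not set `codenotary`.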
@ -233,7 +224,8 @@ Get details about an add-on
"version": "1.0.0",
"video": false,
"watchdog": true,
"webui": "http://[HOST]:1337/xy/zx"
"webui": "http://[HOST]:1337/xy/zx",
"signed": false
}
```
@ -1535,13 +1527,12 @@ Returns information about available updates
**Returned data:**
| key | type | description |
-- | -- | --
update_type | string | `addon`, `os`, `core` or `supervisor`
name | string | Returns the name (only if the `update_type` is `addon`)
icon | string | Returns the path for the icon if any (only if the `update_type` is `addon`)
version_latest | string | Returns the available version
panel_path | string | Returns path where the UI can be loaded
| -- | -- | -- |
| update_type | string | `addon`, `os`, `core` or `supervisor` |
| name | string | Returns the name (only if the `update_type` is `addon`) |
| icon | string | Returns the path for the icon if any (only if the `update_type` is `addon`) |
| version_latest | string | Returns the available version |
| panel_path | string | Returns path where the UI can be loaded |
</ApiEndpoint>
@ -2442,7 +2433,6 @@ Returns information about the supervisor
| debug | bool | Debug is active |
| debug_block | bool | `true` if debug block is enabled |
| diagnostics | bool or null | Sending diagnostics is enabled |
| addons | list | A list of installed [Addon models](api/supervisor/models.md#addon) |
| addons_repositories | list | A list of add-on repository URL's as strings |
**Example response:**
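Review bot: Removing the `addons` row from the supervisor info payload leaves no hint where the list of installed add-ons went. Since `/addons` is now described as returning "overview information about installed add-ons", reference that endpoint in this section's description so API consumers know where to migrate.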
@ -2463,19 +2453,6 @@ Returns information about the supervisor
"debug": false,
"debug_block": false,
"diagnostics": null,
"addons": [
{
"name": "Awesome add-on",
"slug": "7kshd7_awesome",
"description": "Awesome description",
"repository": "https://example.com/addons",
"version": "1.0.0",
"installed": "1.0.0",
"icon": false,
"logo": true,
"state": "started"
}
],
"addons_repositories": ["https://example.com/addons"]
}
```