Enable Security API (#710)

* Enable Security API

* Update addons.py

* Update proxy.py

* Update __init__.py

* Update security.py

* Fix lint

hassio/addons/__init__.py

@@ -43,13 +43,6 @@ class AddonManager(CoreSysAttributes):
         """Return an add-on from slug."""
         return self.addons_obj.get(addon_slug)
 
-    def from_uuid(self, uuid):
-        """Return an add-on from UUID."""
-        for addon in self.list_addons:
-            if addon.is_installed and uuid == addon.uuid:
-                return addon
-        return None
-
     def from_token(self, token):
         """Return an add-on from Hass.io token."""
         for addon in self.list_addons:

hassio/api/addons.py

@@ -24,7 +24,6 @@ from ..const import (
     CONTENT_TYPE_PNG, CONTENT_TYPE_BINARY, CONTENT_TYPE_TEXT, REQUEST_FROM)
 from ..coresys import CoreSysAttributes
 from ..validate import DOCKER_PORTS, ALSA_DEVICE
-from ..exceptions import APINotSupportedError
 
 _LOGGER = logging.getLogger(__name__)
 
@@ -196,13 +195,6 @@ class APIAddons(CoreSysAttributes):
     async def security(self, request):
         """Store security options for add-on."""
         addon = self._extract_addon(request)
-
-        # Have Access
-        # REMOVE: don't needed anymore
-        if addon.slug == request[REQUEST_FROM]:
-            _LOGGER.error("Can't self modify his security!")
-            raise APINotSupportedError()
-
         body = await api_validate(SCHEMA_SECURITY, request)
 
         if ATTR_PROTECTED in body:

hassio/api/proxy.py

@@ -25,10 +25,6 @@ class APIProxy(CoreSysAttributes):
         hassio_token = request.headers.get(HEADER_HA_ACCESS)
         addon = self.sys_addons.from_token(hassio_token)
 
-        # REMOVE 132
-        if not addon:
-            addon = self.sys_addons.from_uuid(hassio_token)
-
         if not addon:
             _LOGGER.warning("Unknown Home Assistant API access!")
         elif not addon.access_homeassistant_api:
@@ -184,10 +180,6 @@ class APIProxy(CoreSysAttributes):
                             response.get('access_token'))
             addon = self.sys_addons.from_token(hassio_token)
 
-            # REMOVE 132
-            if not addon:
-                addon = self.sys_addons.from_uuid(hassio_token)
-
             if not addon or not addon.access_homeassistant_api:
                 _LOGGER.warning("Unauthorized WebSocket access!")
                 await server.send_json({

hassio/api/security.py

@@ -12,6 +12,14 @@ from ..coresys import CoreSysAttributes
 
 _LOGGER = logging.getLogger(__name__)
 
+
+# Block Anytime
+BLACKLIST = re.compile(
+    r"^(?:"
+    r"|/homeassistant/api/hassio/.*"
+    r")$"
+)
+
 # Free to call or have own security concepts
 NO_SECURITY_CHECK = re.compile(
     r"^(?:"
@@ -74,6 +82,10 @@ class SecurityMiddleware(CoreSysAttributes):
         request_from = None
         hassio_token = request.headers.get(HEADER_TOKEN)
 
+        # Blacklist
+        if BLACKLIST.match(request.path):
+            raise HTTPForbidden()
+
         # Ignore security check
         if NO_SECURITY_CHECK.match(request.path):
             _LOGGER.debug("Passthrough %s", request.path)
@@ -100,9 +112,6 @@ class SecurityMiddleware(CoreSysAttributes):
         addon = None
         if hassio_token and not request_from:
             addon = self.sys_addons.from_token(hassio_token)
-            # REMOVE 132
-            if not addon:
-                addon = self.sys_addons.from_uuid(hassio_token)
 
         # Check Add-on API access
         if addon and ADDONS_API_BYPASS.match(request.path):
@@ -115,7 +124,6 @@ class SecurityMiddleware(CoreSysAttributes):
                 request_from = addon.slug
             else:
                 _LOGGER.warning("%s no role for %s", request.path, addon.slug)
-                request_from = addon.slug  # REMOVE: 132
 
         if request_from:
             request[REQUEST_FROM] = request_from