diff --git a/hassio/addons/__init__.py b/hassio/addons/__init__.py
index 50c60b443..4fb01969b 100644
--- a/hassio/addons/__init__.py
+++ b/hassio/addons/__init__.py
@@ -43,13 +43,6 @@ class AddonManager(CoreSysAttributes):
 """Return an add-on from slug."""
 return self.addons_obj.get(addon_slug)
- def from_uuid(self, uuid):
- """Return an add-on from UUID."""
- for addon in self.list_addons:
- if addon.is_installed and uuid == addon.uuid:
- return addon
- return None
-
 def from_token(self, token):
 """Return an add-on from Hass.io token."""
 for addon in self.list_addons:
diff --git a/hassio/api/addons.py b/hassio/api/addons.py
index 2d1fb34a8..65028cd14 100644
--- a/hassio/api/addons.py
+++ b/hassio/api/addons.py
@@ -24,7 +24,6 @@ from ..const import (
 CONTENT_TYPE_PNG, CONTENT_TYPE_BINARY, CONTENT_TYPE_TEXT, REQUEST_FROM)
 from ..coresys import CoreSysAttributes
 from ..validate import DOCKER_PORTS, ALSA_DEVICE
-from ..exceptions import APINotSupportedError
 _LOGGER = logging.getLogger(__name__)
@@ -196,13 +195,6 @@ class APIAddons(CoreSysAttributes):
 async def security(self, request):
 """Store security options for add-on."""
 addon = self._extract_addon(request)
-
- # Have Access
- # REMOVE: don't needed anymore
- if addon.slug == request[REQUEST_FROM]:
- _LOGGER.error("Can't self modify his security!")
- raise APINotSupportedError()
-
 body = await api_validate(SCHEMA_SECURITY, request)
 if ATTR_PROTECTED in body:
diff --git a/hassio/api/proxy.py b/hassio/api/proxy.py
index 4e96c6918..c88042c71 100644
--- a/hassio/api/proxy.py
+++ b/hassio/api/proxy.py
@@ -25,10 +25,6 @@ class APIProxy(CoreSysAttributes):
 hassio_token = request.headers.get(HEADER_HA_ACCESS)
 addon = self.sys_addons.from_token(hassio_token)
- # REMOVE 132
- if not addon:
- addon = self.sys_addons.from_uuid(hassio_token)
-
 if not addon:
 _LOGGER.warning("Unknown Home Assistant API access!")
 elif not addon.access_homeassistant_api:
@@ -184,10 +180,6 @@ class APIProxy(CoreSysAttributes):
 response.get('access_token'))
 addon = self.sys_addons.from_token(hassio_token)
- # REMOVE 132
- if not addon:
- addon = self.sys_addons.from_uuid(hassio_token)
-
 if not addon or not addon.access_homeassistant_api:
 _LOGGER.warning("Unauthorized WebSocket access!")
 await server.send_json({
diff --git a/hassio/api/security.py b/hassio/api/security.py
index a729e49c8..6197c495d 100644
--- a/hassio/api/security.py
+++ b/hassio/api/security.py
@@ -12,6 +12,14 @@ from ..coresys import CoreSysAttributes
 _LOGGER = logging.getLogger(__name__)
+
+# Block Anytime
+BLACKLIST = re.compile(
+ r"^(?:"
+ r"|/homeassistant/api/hassio/.*"
+ r")$"
+)
+
 # Free to call or have own security concepts
 NO_SECURITY_CHECK = re.compile(
 r"^(?:"
@@ -74,6 +82,10 @@ class SecurityMiddleware(CoreSysAttributes):
 request_from = None
 hassio_token = request.headers.get(HEADER_TOKEN)
+ # Blacklist
+ if BLACKLIST.match(request.path):
+ raise HTTPForbidden()
+
 # Ignore security check
 if NO_SECURITY_CHECK.match(request.path):
 _LOGGER.debug("Passthrough %s", request.path)
@@ -100,9 +112,6 @@ class SecurityMiddleware(CoreSysAttributes):
 addon = None
 if hassio_token and not request_from:
 addon = self.sys_addons.from_token(hassio_token)
- # REMOVE 132
- if not addon:
- addon = self.sys_addons.from_uuid(hassio_token)
 # Check Add-on API access
 if addon and ADDONS_API_BYPASS.match(request.path):
@@ -115,7 +124,6 @@ class SecurityMiddleware(CoreSysAttributes):
 request_from = addon.slug
 else:
 _LOGGER.warning("%s no role for %s", request.path, addon.slug)
- request_from = addon.slug # REMOVE: 132
 if request_from:
 request[REQUEST_FROM] = request_from
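Review bot: The new `BLACKLIST` pattern in hassio/api/security.py opens its group with an empty alternative, because the first entry is written `r"|/homeassistant/api/hassio/.*"` directly after `r"^(?:"`, so the compiled expression also matches an empty path; write the first entry without the bar, `r"/homeassistant/api/hassio/.*"`. The rule is tested against the literal `request.path` and requires the slash after `hassio`, so it only holds if the proxy handler and Home Assistant resolve paths the same way the regex reads them. That code is outside this hunk, so this is worth confirming, or the deny check could be applied to the sub-path the proxy actually forwards. The `# Block Anytime` comment could also state the intent, for example `# Denied for every caller, regardless of token or role`.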
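Review bot: The blacklist branch added to `SecurityMiddleware` raises `HTTPForbidden()` without writing a log record, although the passthrough branch directly below it logs the path, so a blocked request leaves nothing in the Supervisor log to alert on. Adding `_LOGGER.warning("Blocked access to %s", request.path)` before the raise would give that signal. `hassio_token` has already been read at this point and should stay out of the message. The enclosing method begins and ends outside the hunk.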