Enable CAS for Add-ons (#3506)

* Revert "Disable CAS until it work (#3504)"

This reverts commit 435241bccf3f3c678161b50cfefd4b036f1daba9.

* Revert exception that are not forwarded

* enable for add-ons

* Apply suggestions from code review

Co-authored-by: Mike Degatano <michael.degatano@gmail.com>

* fix black

Co-authored-by: Mike Degatano <michael.degatano@gmail.com>

.github/workflows/builder.yml

@@ -293,7 +293,6 @@ jobs:
       - name: Check the Supervisor code sign
         if: needs.init.outputs.publish == 'true'
         run: |
-          exit 0
           echo "Enable Content-Trust"
           test=$(docker exec hassio_cli ha security options --content-trust=true --no-progress --raw-json | jq -r '.result')
           if [ "$test" != "ok" ]; then

supervisor/resolution/checks/core_trust.py

@@ -4,7 +4,7 @@ from typing import Optional
 
 from ...const import CoreState
 from ...coresys import CoreSys
-from ...exceptions import CodeNotaryBackendError, CodeNotaryError, CodeNotaryUntrusted
+from ...exceptions import CodeNotaryError, CodeNotaryUntrusted
 from ..const import ContextType, IssueType, UnhealthyReason
 from .base import CheckBase
 
@@ -32,8 +32,6 @@ class CheckCoreTrust(CheckBase):
         except CodeNotaryUntrusted:
             self.sys_resolution.unhealthy = UnhealthyReason.UNTRUSTED
             self.sys_resolution.create_issue(IssueType.TRUST, ContextType.CORE)
-        except CodeNotaryBackendError:
-            _LOGGER.warning("CAS backend issue, skipping check")
         except CodeNotaryError:
             pass
 

supervisor/resolution/checks/plugin_trust.py

@@ -4,7 +4,7 @@ from typing import Optional
 
 from ...const import CoreState
 from ...coresys import CoreSys
-from ...exceptions import CodeNotaryBackendError, CodeNotaryError, CodeNotaryUntrusted
+from ...exceptions import CodeNotaryError, CodeNotaryUntrusted
 from ..const import ContextType, IssueType, UnhealthyReason
 from .base import CheckBase
 
@@ -35,9 +35,6 @@ class CheckPluginTrust(CheckBase):
                 self.sys_resolution.create_issue(
                     IssueType.TRUST, ContextType.PLUGIN, reference=plugin.slug
                 )
-            except CodeNotaryBackendError:
-                _LOGGER.warning("CAS backend issue, skipping check")
-                return
             except CodeNotaryError:
                 pass
 

supervisor/security.py

@@ -1,6 +1,5 @@
 """Fetch last versions from webserver."""
 import logging
-from typing import Awaitable
 
 from .const import (
     ATTR_CONTENT_TRUST,
@@ -71,9 +70,11 @@ class Security(FileConfiguration, CoreSysAttributes):
                 raise
             return
 
-    def verify_own_content(self, checksum: str) -> Awaitable[None]:
+    async def verify_own_content(self, checksum: str) -> None:
         """Verify content from HA org."""
-        return self.verify_content("notary@home-assistant.io", checksum)
+        return
+        # pylint: disable=unreachable
+        return await self.verify_content("notary@home-assistant.io", checksum)
 
     async def verify_secret(self, pwned_hash: str) -> None:
         """Verify pwned state of a secret."""

supervisor/utils/codenotary.py

@@ -44,8 +44,6 @@ async def cas_validate(
     checksum: str,
 ) -> None:
     """Validate data against CodeNotary."""
-    return
-    # pylint: disable=unreachable
     if (checksum, signer) in _CACHE:
         return
 

tests/test_security.py

@@ -7,7 +7,6 @@ from supervisor.coresys import CoreSys
 from supervisor.exceptions import CodeNotaryError
 
 
-@pytest.mark.skip()
 async def test_content_trust(coresys: CoreSys):
     """Test Content-Trust."""
 
@@ -16,15 +15,7 @@ async def test_content_trust(coresys: CoreSys):
         assert cas_validate.called
         cas_validate.assert_called_once_with("test@mail.com", "ffffffffffffff")
 
-    with patch("supervisor.security.cas_validate", AsyncMock()) as cas_validate:
-        await coresys.security.verify_own_content("ffffffffffffff")
-        assert cas_validate.called
-        cas_validate.assert_called_once_with(
-            "notary@home-assistant.io", "ffffffffffffff"
-        )
 
-
-@pytest.mark.skip()
 async def test_disabled_content_trust(coresys: CoreSys):
     """Test Content-Trust."""
     coresys.security.content_trust = False
@@ -33,12 +24,7 @@ async def test_disabled_content_trust(coresys: CoreSys):
         await coresys.security.verify_content("test@mail.com", "ffffffffffffff")
         assert not cas_validate.called
 
-    with patch("supervisor.security.cas_validate", AsyncMock()) as cas_validate:
-        await coresys.security.verify_own_content("ffffffffffffff")
-        assert not cas_validate.called
 
-
-@pytest.mark.skip()
 async def test_force_content_trust(coresys: CoreSys):
     """Force Content-Trust tests."""
 

tests/utils/test_codenotary.py

@@ -46,7 +46,6 @@ def fixture_subprocess_exec(request):
         yield subprocess_exec
 
 
-@pytest.mark.skip()
 def test_checksum_calc():
     """Calc Checkusm as test."""
     assert calc_checksum("test") == calc_checksum(b"test")
@@ -56,7 +55,6 @@ def test_checksum_calc():
     )
 
 
-@pytest.mark.skip()
 async def test_valid_checksum():
     """Test a valid autorization."""
     await cas_validate(
@@ -65,7 +63,6 @@ async def test_valid_checksum():
     )
 
 
-@pytest.mark.skip()
 async def test_invalid_checksum():
     """Test a invalid autorization."""
     with pytest.raises(CodeNotaryUntrusted):
@@ -75,7 +72,6 @@ async def test_invalid_checksum():
         )
 
 
-@pytest.mark.skip()
 @pytest.mark.parametrize(
     "subprocess_exec",
     [
@@ -93,7 +89,6 @@ async def test_cas_backend_error(subprocess_exec):
         )
 
 
-@pytest.mark.skip()
 @pytest.mark.parametrize(
     "subprocess_exec",
     [SubprocessResponse(returncode=0, data='{"status":1}')],
@@ -108,7 +103,6 @@ async def test_cas_notarized_untrusted(subprocess_exec):
         )
 
 
-@pytest.mark.skip()
 @pytest.mark.parametrize(
     "subprocess_exec", [SubprocessResponse(exception=OSError())], indirect=True
 )