Enable CAS for Add-ons (#3506)

* Revert "Disable CAS until it work (#3504)"

This reverts commit 435241bccf3f3c678161b50cfefd4b036f1daba9.

* Revert exceptions that are not forwarded

* enable for add-ons

* Apply suggestions from code review

Co-authored-by: Mike Degatano <michael.degatano@gmail.com>

* fix black

Co-authored-by: Mike Degatano <michael.degatano@gmail.com>
Pascal Vizeli 2022-03-31 16:59:34 +02:00 committed by GitHub
parent 0de190268f
commit e445a8aabf
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 6 additions and 33 deletions


@ -293,7 +293,6 @@ jobs:
- name: Check the Supervisor code sign
if: needs.init.outputs.publish == 'true'
run: |
exit 0
echo "Enable Content-Trust"
test=$(docker exec hassio_cli ha security options --content-trust=true --no-progress --raw-json | jq -r '.result')
if [ "$test" != "ok" ]; then


@ -4,7 +4,7 @@ from typing import Optional
from ...const import CoreState
from ...coresys import CoreSys
from ...exceptions import CodeNotaryBackendError, CodeNotaryError, CodeNotaryUntrusted
from ...exceptions import CodeNotaryError, CodeNotaryUntrusted
from ..const import ContextType, IssueType, UnhealthyReason
from .base import CheckBase
@ -32,8 +32,6 @@ class CheckCoreTrust(CheckBase):
except CodeNotaryUntrusted:
self.sys_resolution.unhealthy = UnhealthyReason.UNTRUSTED
self.sys_resolution.create_issue(IssueType.TRUST, ContextType.CORE)
except CodeNotaryBackendError:
_LOGGER.warning("CAS backend issue, skipping check")
except CodeNotaryError:
pass
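Review bot: Dropping the `except CodeNotaryBackendError` branch removes the only log line a notary backend outage produced in CheckCoreTrust: if CodeNotaryBackendError derives from CodeNotaryError (the shared import line suggests it does, but the hierarchy is not on this page) the outage now lands in the trailing `except CodeNotaryError: pass` and is swallowed with no trace, and if it does not, it now escapes the check instead of being handled. The same change is made in CheckPluginTrust further down, where the `return` after the warning is also gone. The enclosing check method begins outside the hunk. In both places, unless hiding backend failures is the intent, keep the bare `pass` from erasing the signal: `except CodeNotaryError as err:` followed by `_LOGGER.debug("Content-trust check skipped: %s", err)`, which preserves visibility without marking the system unhealthy. Note that verify_own_content in this same commit returns before calling the notary, so neither branch fires today; the gap matters as soon as that early return is lifted.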


@ -4,7 +4,7 @@ from typing import Optional
from ...const import CoreState
from ...coresys import CoreSys
from ...exceptions import CodeNotaryBackendError, CodeNotaryError, CodeNotaryUntrusted
from ...exceptions import CodeNotaryError, CodeNotaryUntrusted
from ..const import ContextType, IssueType, UnhealthyReason
from .base import CheckBase
@ -35,9 +35,6 @@ class CheckPluginTrust(CheckBase):
self.sys_resolution.create_issue(
IssueType.TRUST, ContextType.PLUGIN, reference=plugin.slug
)
except CodeNotaryBackendError:
_LOGGER.warning("CAS backend issue, skipping check")
return
except CodeNotaryError:
pass


@ -1,6 +1,5 @@
"""Fetch last versions from webserver."""
import logging
from typing import Awaitable
from .const import (
ATTR_CONTENT_TRUST,
@ -71,9 +70,11 @@ class Security(FileConfiguration, CoreSysAttributes):
raise
return
def verify_own_content(self, checksum: str) -> Awaitable[None]:
async def verify_own_content(self, checksum: str) -> None:
"""Verify content from HA org."""
return self.verify_content("notary@home-assistant.io", checksum)
return
# pylint: disable=unreachable
return await self.verify_content("notary@home-assistant.io", checksum)
async def verify_secret(self, pwned_hash: str) -> None:
"""Verify pwned state of a secret."""


@ -44,8 +44,6 @@ async def cas_validate(
checksum: str,
) -> None:
"""Validate data against CodeNotary."""
return
# pylint: disable=unreachable
if (checksum, signer) in _CACHE:
return


@ -7,7 +7,6 @@ from supervisor.coresys import CoreSys
from supervisor.exceptions import CodeNotaryError
@pytest.mark.skip()
async def test_content_trust(coresys: CoreSys):
"""Test Content-Trust."""
@ -16,15 +15,7 @@ async def test_content_trust(coresys: CoreSys):
assert cas_validate.called
cas_validate.assert_called_once_with("test@mail.com", "ffffffffffffff")
with patch("supervisor.security.cas_validate", AsyncMock()) as cas_validate:
await coresys.security.verify_own_content("ffffffffffffff")
assert cas_validate.called
cas_validate.assert_called_once_with(
"notary@home-assistant.io", "ffffffffffffff"
)
@pytest.mark.skip()
async def test_disabled_content_trust(coresys: CoreSys):
"""Test Content-Trust."""
coresys.security.content_trust = False
@ -33,12 +24,7 @@ async def test_disabled_content_trust(coresys: CoreSys):
await coresys.security.verify_content("test@mail.com", "ffffffffffffff")
assert not cas_validate.called
with patch("supervisor.security.cas_validate", AsyncMock()) as cas_validate:
await coresys.security.verify_own_content("ffffffffffffff")
assert not cas_validate.called
@pytest.mark.skip()
async def test_force_content_trust(coresys: CoreSys):
"""Force Content-Trust tests."""


@ -46,7 +46,6 @@ def fixture_subprocess_exec(request):
yield subprocess_exec
@pytest.mark.skip()
def test_checksum_calc():
"""Calc Checkusm as test."""
assert calc_checksum("test") == calc_checksum(b"test")
@ -56,7 +55,6 @@ def test_checksum_calc():
)
@pytest.mark.skip()
async def test_valid_checksum():
"""Test a valid autorization."""
await cas_validate(
@ -65,7 +63,6 @@ async def test_valid_checksum():
)
@pytest.mark.skip()
async def test_invalid_checksum():
"""Test a invalid autorization."""
with pytest.raises(CodeNotaryUntrusted):
@ -75,7 +72,6 @@ async def test_invalid_checksum():
)
@pytest.mark.skip()
@pytest.mark.parametrize(
"subprocess_exec",
[
@ -93,7 +89,6 @@ async def test_cas_backend_error(subprocess_exec):
)
@pytest.mark.skip()
@pytest.mark.parametrize(
"subprocess_exec",
[SubprocessResponse(returncode=0, data='{"status":1}')],
@ -108,7 +103,6 @@ async def test_cas_notarized_untrusted(subprocess_exec):
)
@pytest.mark.skip()
@pytest.mark.parametrize(
"subprocess_exec", [SubprocessResponse(exception=OSError())], indirect=True
)