Merge pull request #1343 from home-assistant/dev

Release 191

.devcontainer/Dockerfile

@@ -34,10 +34,10 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     && rm -rf /var/lib/apt/lists/*
 
 # Install Python dependencies from requirements.txt if it exists
-COPY requirements.txt requirements_tests.txt /workspaces/
-RUN pip install -r requirements.txt \
-    && pip3 install -r requirements_tests.txt \
-    && pip install black tox
+COPY requirements.txt requirements_tests.txt ./
+RUN pip3 install -r requirements.txt -r requirements_tests.txt \
+    && pip3 install black tox \
+    && rm -f requirements.txt requirements_tests.txt
 
 # Set the default shell to bash instead of sh
 ENV SHELL /bin/bash

.devcontainer/devcontainer.json

@@ -6,11 +6,13 @@
 	"appPort": "9123:8123",
 	"runArgs": [
 		"-e",
-		"GIT_EDITOR=\"code --wait\"",
+		"GIT_EDITOR=code --wait",
 		"--privileged"
 	],
 	"extensions": [
-		"ms-python.python"
+		"ms-python.python",
+		"visualstudioexptteam.vscodeintellicode",
+		"esbenp.prettier-vscode"
 	],
 	"settings": {
 		"python.pythonPath": "/usr/local/bin/python",
@@ -26,4 +28,4 @@
 		"editor.formatOnType": true,
 		"files.trimTrailingWhitespace": true
 	}
-}
+}

API.md

@@ -350,6 +350,10 @@ Load host configs from a USB stick.
 }
 ```
 
+- POST `/hardware/trigger`
+
+Trigger an udev reload
+
 ### Home Assistant
 
 - GET `/homeassistant/info`

hassio/__main__.py

@@ -12,6 +12,7 @@ _LOGGER: logging.Logger = logging.getLogger(__name__)
 def initialize_event_loop():
     """Attempt to use uvloop."""
     try:
+        # pylint: disable=import-outside-toplevel
         import uvloop
 
         uvloop.install()

hassio/addons/__init__.py

@@ -285,6 +285,9 @@ class AddonManager(CoreSysAttributes):
 
         for addon in needs_repair:
             _LOGGER.info("Start repair for add-on: %s", addon.slug)
+            await self.sys_run_in_executor(
+                self.sys_docker.network.stale_cleanup, addon.instance.name
+            )
 
             with suppress(DockerAPIError, KeyError):
                 # Need pull a image again
@@ -293,7 +296,7 @@ class AddonManager(CoreSysAttributes):
                     continue
 
                 # Need local lookup
-                elif addon.need_build and not addon.is_detached:
+                if addon.need_build and not addon.is_detached:
                     store = self.store[addon.slug]
                     # If this add-on is available for rebuild
                     if addon.version == store.version:

hassio/addons/addon.py

@@ -51,6 +51,7 @@ from ..exceptions import (
 )
 from ..utils.apparmor import adjust_profile
 from ..utils.json import read_json_file, write_json_file
+from ..utils.tar import exclude_filter, secure_path
 from .model import AddonModel, Data
 from .utils import remove_data
 from .validate import SCHEMA_ADDON_SNAPSHOT, validate_options
@@ -345,13 +346,16 @@ class Addon(AddonModel):
         """Save data of add-on."""
         self.sys_addons.data.save_data()
 
-    def write_options(self):
+    async def write_options(self):
         """Return True if add-on options is written to data."""
         schema = self.schema
         options = self.options
 
+        # Update secrets for validation
+        await self.sys_secrets.reload()
+
         try:
-            schema(options)
+            options = schema(options)
             write_json_file(self.path_options, options)
         except vol.Invalid as ex:
             _LOGGER.error(
@@ -438,7 +442,9 @@ class Addon(AddonModel):
         options = {**self.persist[ATTR_OPTIONS], **default_options}
 
         # create voluptuous
-        new_schema = vol.Schema(vol.All(dict, validate_options(new_raw_schema)))
+        new_schema = vol.Schema(
+            vol.All(dict, validate_options(self.coresys, new_raw_schema))
+        )
 
         # validate
         try:
@@ -465,12 +471,13 @@ class Addon(AddonModel):
         self.save_persist()
 
         # Options
-        self.write_options()
+        await self.write_options()
 
         # Sound
         if self.with_audio:
             self.write_asound()
 
+        # Start Add-on
         try:
             await self.instance.run()
         except DockerAPIError:
@@ -519,7 +526,7 @@ class Addon(AddonModel):
 
     async def snapshot(self, tar_file: tarfile.TarFile) -> None:
         """Snapshot state of an add-on."""
-        with TemporaryDirectory(dir=str(self.sys_config.path_tmp)) as temp:
+        with TemporaryDirectory(dir=self.sys_config.path_tmp) as temp:
             # store local image
             if self.need_build:
                 try:
@@ -554,8 +561,15 @@ class Addon(AddonModel):
             def _write_tarfile():
                 """Write tar inside loop."""
                 with tar_file as snapshot:
+                    # Snapshot system
                     snapshot.add(temp, arcname=".")
-                    snapshot.add(self.path_data, arcname="data")
+
+                    # Snapshot data
+                    snapshot.add(
+                        self.path_data,
+                        arcname="data",
+                        filter=exclude_filter(self.snapshot_exclude),
+                    )
 
             try:
                 _LOGGER.info("Build snapshot for add-on %s", self.slug)
@@ -568,12 +582,12 @@ class Addon(AddonModel):
 
     async def restore(self, tar_file: tarfile.TarFile) -> None:
         """Restore state of an add-on."""
-        with TemporaryDirectory(dir=str(self.sys_config.path_tmp)) as temp:
+        with TemporaryDirectory(dir=self.sys_config.path_tmp) as temp:
             # extract snapshot
             def _extract_tarfile():
                 """Extract tar snapshot."""
                 with tar_file as snapshot:
-                    snapshot.extractall(path=Path(temp))
+                    snapshot.extractall(path=Path(temp), members=secure_path(snapshot))
 
             try:
                 await self.sys_run_in_executor(_extract_tarfile)
@@ -634,7 +648,7 @@ class Addon(AddonModel):
             # Restore data
             def _restore_data():
                 """Restore data."""
-                shutil.copytree(str(Path(temp, "data")), str(self.path_data))
+                shutil.copytree(Path(temp, "data"), self.path_data)
 
             _LOGGER.info("Restore data for addon %s", self.slug)
             if self.path_data.is_dir():

hassio/addons/model.py

@@ -1,8 +1,8 @@
 """Init file for Hass.io add-ons."""
-from distutils.version import StrictVersion
 from pathlib import Path
 from typing import Any, Awaitable, Dict, List, Optional
 
+from packaging import version as pkg_version
 import voluptuous as vol
 
 from ..const import (
@@ -47,6 +47,7 @@ from ..const import (
     ATTR_SCHEMA,
     ATTR_SERVICES,
     ATTR_SLUG,
+    ATTR_SNAPSHOT_EXCLUDE,
     ATTR_STARTUP,
     ATTR_STDIN,
     ATTR_TIMEOUT,
@@ -324,6 +325,11 @@ class AddonModel(CoreSysAttributes):
         """Return Hass.io role for API."""
         return self.data[ATTR_HASSIO_ROLE]
 
+    @property
+    def snapshot_exclude(self) -> List[str]:
+        """Return Exclude list for snapshot."""
+        return self.data.get(ATTR_SNAPSHOT_EXCLUDE, [])
+
     @property
     def with_stdin(self) -> bool:
         """Return True if the add-on access use stdin input."""
@@ -461,7 +467,7 @@ class AddonModel(CoreSysAttributes):
 
         if isinstance(raw_schema, bool):
             return vol.Schema(dict)
-        return vol.Schema(vol.All(dict, validate_options(raw_schema)))
+        return vol.Schema(vol.All(dict, validate_options(self.coresys, raw_schema)))
 
     def __eq__(self, other):
         """Compaired add-on objects."""
@@ -482,7 +488,9 @@ class AddonModel(CoreSysAttributes):
 
         # Home Assistant
         version = config.get(ATTR_HOMEASSISTANT) or self.sys_homeassistant.version
-        if StrictVersion(self.sys_homeassistant.version) < StrictVersion(version):
+        if pkg_version.parse(self.sys_homeassistant.version) < pkg_version.parse(
+            version
+        ):
             return False
 
         return True

hassio/addons/validate.py

@@ -2,6 +2,7 @@
 import logging
 import re
 import secrets
+from typing import Any, Dict
 import uuid
 
 import voluptuous as vol
@@ -61,6 +62,7 @@ from ..const import (
     ATTR_SCHEMA,
     ATTR_SERVICES,
     ATTR_SLUG,
+    ATTR_SNAPSHOT_EXCLUDE,
     ATTR_SQUASH,
     ATTR_STARTUP,
     ATTR_STATE,
@@ -85,6 +87,7 @@ from ..const import (
     STATE_STARTED,
     STATE_STOPPED,
 )
+from ..coresys import CoreSys
 from ..discovery.validate import valid_discovery_service
 from ..validate import (
     ALSA_DEVICE,
@@ -109,16 +112,21 @@ V_EMAIL = "email"
 V_URL = "url"
 V_PORT = "port"
 V_MATCH = "match"
+V_LIST = "list"
 
 RE_SCHEMA_ELEMENT = re.compile(
     r"^(?:"
-    r"|str|bool|email|url|port"
+    r"|bool|email|url|port"
+    r"|str(?:\((?P<s_min>\d+)?,(?P<s_max>\d+)?\))?"
     r"|int(?:\((?P<i_min>\d+)?,(?P<i_max>\d+)?\))?"
     r"|float(?:\((?P<f_min>[\d\.]+)?,(?P<f_max>[\d\.]+)?\))?"
     r"|match\((?P<match>.*)\)"
+    r"|list\((?P<list>.+)\)"
     r")\??$"
 )
 
+_SCHEMA_LENGTH_PARTS = ("i_min", "i_max", "f_min", "f_max", "s_min", "s_max")
+
 RE_DOCKER_IMAGE = re.compile(r"^([a-zA-Z\-\.:\d{}]+/)*?([\-\w{}]+)/([\-\w{}]+)$")
 RE_DOCKER_IMAGE_BUILD = re.compile(
     r"^([a-zA-Z\-\.:\d{}]+/)*?([\-\w{}]+)/([\-\w{}]+)(:[\.\-\w{}]+)?$"
@@ -207,6 +215,7 @@ SCHEMA_ADDON_CONFIG = vol.Schema(
         vol.Optional(ATTR_AUTH_API, default=False): vol.Boolean(),
         vol.Optional(ATTR_SERVICES): [vol.Match(RE_SERVICE)],
         vol.Optional(ATTR_DISCOVERY): [valid_discovery_service],
+        vol.Optional(ATTR_SNAPSHOT_EXCLUDE): [vol.Coerce(str)],
         vol.Required(ATTR_OPTIONS): dict,
         vol.Required(ATTR_SCHEMA): vol.Any(
             vol.Schema(
@@ -305,7 +314,7 @@ SCHEMA_ADDON_SNAPSHOT = vol.Schema(
 )
 
 
-def validate_options(raw_schema):
+def validate_options(coresys: CoreSys, raw_schema: Dict[str, Any]):
     """Validate schema."""
 
     def validate(struct):
@@ -323,13 +332,13 @@ def validate_options(raw_schema):
             try:
                 if isinstance(typ, list):
                     # nested value list
-                    options[key] = _nested_validate_list(typ[0], value, key)
+                    options[key] = _nested_validate_list(coresys, typ[0], value, key)
                 elif isinstance(typ, dict):
                     # nested value dict
-                    options[key] = _nested_validate_dict(typ, value, key)
+                    options[key] = _nested_validate_dict(coresys, typ, value, key)
                 else:
                     # normal value
-                    options[key] = _single_validate(typ, value, key)
+                    options[key] = _single_validate(coresys, typ, value, key)
             except (IndexError, KeyError):
                 raise vol.Invalid(f"Type error for {key}") from None
 
@@ -341,24 +350,31 @@ def validate_options(raw_schema):
 
 # pylint: disable=no-value-for-parameter
 # pylint: disable=inconsistent-return-statements
-def _single_validate(typ, value, key):
+def _single_validate(coresys: CoreSys, typ: str, value: Any, key: str):
     """Validate a single element."""
     # if required argument
     if value is None:
         raise vol.Invalid(f"Missing required option '{key}'")
 
+    # Lookup secret
+    if str(value).startswith("!secret "):
+        secret: str = value.partition(" ")[2]
+        value = coresys.secrets.get(secret)
+        if value is None:
+            raise vol.Invalid(f"Unknown secret {secret}")
+
     # parse extend data from type
     match = RE_SCHEMA_ELEMENT.match(typ)
 
     # prepare range
     range_args = {}
-    for group_name in ("i_min", "i_max", "f_min", "f_max"):
+    for group_name in _SCHEMA_LENGTH_PARTS:
         group_value = match.group(group_name)
         if group_value:
             range_args[group_name[2:]] = float(group_value)
 
     if typ.startswith(V_STR):
-        return str(value)
+        return vol.All(str(value), vol.Range(**range_args))(value)
     elif typ.startswith(V_INT):
         return vol.All(vol.Coerce(int), vol.Range(**range_args))(value)
     elif typ.startswith(V_FLOAT):
@@ -373,26 +389,28 @@ def _single_validate(typ, value, key):
         return NETWORK_PORT(value)
     elif typ.startswith(V_MATCH):
         return vol.Match(match.group("match"))(str(value))
+    elif typ.startswith(V_LIST):
+        return vol.In(match.group("list").split("|"))(str(value))
 
     raise vol.Invalid(f"Fatal error for {key} type {typ}")
 
 
-def _nested_validate_list(typ, data_list, key):
+def _nested_validate_list(coresys, typ, data_list, key):
     """Validate nested items."""
     options = []
 
     for element in data_list:
         # Nested?
         if isinstance(typ, dict):
-            c_options = _nested_validate_dict(typ, element, key)
+            c_options = _nested_validate_dict(coresys, typ, element, key)
             options.append(c_options)
         else:
-            options.append(_single_validate(typ, element, key))
+            options.append(_single_validate(coresys, typ, element, key))
 
     return options
 
 
-def _nested_validate_dict(typ, data_dict, key):
+def _nested_validate_dict(coresys, typ, data_dict, key):
     """Validate nested items."""
     options = {}
 
@@ -404,9 +422,11 @@ def _nested_validate_dict(typ, data_dict, key):
 
         # Nested?
         if isinstance(typ[c_key], list):
-            options[c_key] = _nested_validate_list(typ[c_key][0], c_value, c_key)
+            options[c_key] = _nested_validate_list(
+                coresys, typ[c_key][0], c_value, c_key
+            )
         else:
-            options[c_key] = _single_validate(typ[c_key], c_value, c_key)
+            options[c_key] = _single_validate(coresys, typ[c_key], c_value, c_key)
 
     _check_missing_options(typ, options, key)
     return options

hassio/api/__init__.py

@@ -101,6 +101,7 @@ class RestAPI(CoreSysAttributes):
             [
                 web.get("/hardware/info", api_hardware.info),
                 web.get("/hardware/audio", api_hardware.audio),
+                web.post("/hardware/trigger", api_hardware.trigger),
             ]
         )
 

hassio/api/addons.py

@@ -5,7 +5,6 @@ from typing import Any, Awaitable, Dict, List
 
 from aiohttp import web
 import voluptuous as vol
-from voluptuous.humanize import humanize_error
 
 from ..addons import AnyAddon
 from ..docker.stats import DockerStats
@@ -266,11 +265,16 @@ class APIAddons(CoreSysAttributes):
         """Store user options for add-on."""
         addon: AnyAddon = self._extract_addon(request)
 
+        # Update secrets for validation
+        await self.sys_secrets.reload()
+
+        # Extend schema with add-on specific validation
         addon_schema = SCHEMA_OPTIONS.extend(
             {vol.Optional(ATTR_OPTIONS): vol.Any(None, addon.schema)}
         )
-        body: Dict[str, Any] = await api_validate(addon_schema, request)
 
+        # Validate/Process Body
+        body = await api_validate(addon_schema, request, origin=[ATTR_OPTIONS])
         if ATTR_OPTIONS in body:
             addon.options = body[ATTR_OPTIONS]
         if ATTR_BOOT in body:
@@ -334,14 +338,6 @@ class APIAddons(CoreSysAttributes):
     def start(self, request: web.Request) -> Awaitable[None]:
         """Start add-on."""
         addon: AnyAddon = self._extract_addon(request)
-
-        # check options
-        options = addon.options
-        try:
-            addon.schema(options)
-        except vol.Invalid as ex:
-            raise APIError(humanize_error(options, ex)) from None
-
         return asyncio.shield(addon.start())
 
     @api_process

hassio/api/hardware.py

@@ -1,5 +1,9 @@
 """Init file for Hass.io hardware RESTful API."""
+import asyncio
 import logging
+from typing import Any, Dict
+
+from aiohttp import web
 
 from .utils import api_process
 from ..const import (
@@ -19,7 +23,7 @@ class APIHardware(CoreSysAttributes):
     """Handle RESTful API for hardware functions."""
 
     @api_process
-    async def info(self, request):
+    async def info(self, request: web.Request) -> Dict[str, Any]:
         """Show hardware info."""
         return {
             ATTR_SERIAL: list(
@@ -32,7 +36,7 @@ class APIHardware(CoreSysAttributes):
         }
 
     @api_process
-    async def audio(self, request):
+    async def audio(self, request: web.Request) -> Dict[str, Any]:
         """Show ALSA audio devices."""
         return {
             ATTR_AUDIO: {
@@ -40,3 +44,8 @@ class APIHardware(CoreSysAttributes):
                 ATTR_OUTPUT: self.sys_host.alsa.output_devices,
             }
         }
+
+    @api_process
+    def trigger(self, request: web.Request) -> None:
+        """Trigger a udev device reload."""
+        return asyncio.shield(self.sys_hardware.udev_trigger())

hassio/api/security.py

@@ -40,7 +40,9 @@ NO_SECURITY_CHECK = re.compile(
 ADDONS_API_BYPASS = re.compile(
     r"^(?:"
     r"|/addons/self/(?!security|update)[^/]+"
+    r"|/secrets/.+"
     r"|/info"
+    r"|/hardware/trigger"
     r"|/services.*"
     r"|/discovery.*"
     r"|/auth"

hassio/api/supervisor.py

@@ -161,7 +161,9 @@ class APISupervisor(CoreSysAttributes):
     @api_process
     def reload(self, request: web.Request) -> Awaitable[None]:
         """Reload add-ons, configuration, etc."""
-        return asyncio.shield(self.sys_updater.reload())
+        return asyncio.shield(
+            asyncio.wait([self.sys_updater.reload(), self.sys_secrets.reload()])
+        )
 
     @api_process
     def repair(self, request: web.Request) -> Awaitable[None]:

hassio/api/utils.py

@@ -1,25 +1,26 @@
 """Init file for Hass.io util for RESTful API."""
 import json
 import logging
+from typing import Any, Dict, List, Optional
 
 from aiohttp import web
 import voluptuous as vol
 from voluptuous.humanize import humanize_error
 
 from ..const import (
-    JSON_RESULT,
+    CONTENT_TYPE_BINARY,
     JSON_DATA,
     JSON_MESSAGE,
-    RESULT_OK,
+    JSON_RESULT,
     RESULT_ERROR,
-    CONTENT_TYPE_BINARY,
+    RESULT_OK,
 )
-from ..exceptions import HassioError, APIError, APIForbidden
+from ..exceptions import APIError, APIForbidden, HassioError
 
 _LOGGER: logging.Logger = logging.getLogger(__name__)
 
 
-def json_loads(data):
+def json_loads(data: Any) -> Dict[str, Any]:
     """Extract json from string with support for '' and None."""
     if not data:
         return {}
@@ -77,24 +78,34 @@ def api_process_raw(content):
     return wrap_method
 
 
-def api_return_error(message=None):
+def api_return_error(message: Optional[str] = None) -> web.Response:
     """Return an API error message."""
     return web.json_response(
         {JSON_RESULT: RESULT_ERROR, JSON_MESSAGE: message}, status=400
     )
 
 
-def api_return_ok(data=None):
+def api_return_ok(data: Optional[Dict[str, Any]] = None) -> web.Response:
     """Return an API ok answer."""
     return web.json_response({JSON_RESULT: RESULT_OK, JSON_DATA: data or {}})
 
 
-async def api_validate(schema, request):
+async def api_validate(
+    schema: vol.Schema, request: web.Request, origin: Optional[List[str]] = None
+) -> Dict[str, Any]:
     """Validate request data with schema."""
-    data = await request.json(loads=json_loads)
+    data: Dict[str, Any] = await request.json(loads=json_loads)
     try:
-        data = schema(data)
+        data_validated = schema(data)
     except vol.Invalid as ex:
         raise APIError(humanize_error(data, ex)) from None
 
-    return data
+    if not origin:
+        return data_validated
+
+    for origin_value in origin:
+        if origin_value not in data_validated:
+            continue
+        data_validated[origin_value] = data[origin_value]
+
+    return data_validated

hassio/bootstrap.py

@@ -27,6 +27,7 @@ from .store import StoreManager
 from .supervisor import Supervisor
 from .tasks import Tasks
 from .updater import Updater
+from .secrets import SecretsManager
 from .utils.dt import fetch_timezone
 
 _LOGGER: logging.Logger = logging.getLogger(__name__)
@@ -61,6 +62,7 @@ async def initialize_coresys():
     coresys.discovery = Discovery(coresys)
     coresys.dbus = DBusManager(coresys)
     coresys.hassos = HassOS(coresys)
+    coresys.secrets = SecretsManager(coresys)
 
     # bootstrap config
     initialize_system_data(coresys)
@@ -234,6 +236,7 @@ def supervisor_debugger(coresys: CoreSys) -> None:
     """Setup debugger if needed."""
     if not coresys.config.debug:
         return
+    # pylint: disable=import-outside-toplevel
     import ptvsd
 
     _LOGGER.info("Initialize Hass.io debugger")

hassio/const.py

@@ -2,7 +2,7 @@
 from pathlib import Path
 from ipaddress import ip_network
 
-HASSIO_VERSION = "184"
+HASSIO_VERSION = "191"
 
 
 URL_HASSIO_ADDONS = "https://github.com/home-assistant/hassio-addons"
@@ -220,6 +220,8 @@ ATTR_DNS = "dns"
 ATTR_SERVERS = "servers"
 ATTR_LOCALS = "locals"
 ATTR_UDEV = "udev"
+ATTR_VALUE = "value"
+ATTR_SNAPSHOT_EXCLUDE = "snapshot_exclude"
 
 PROVIDE_SERVICE = "provide"
 NEED_SERVICE = "need"

hassio/core.py

@@ -72,6 +72,9 @@ class HassIO(CoreSysAttributes):
         # Load ingress
         await self.sys_ingress.load()
 
+        # Load secrets
+        await self.sys_secrets.load()
+
     async def start(self):
         """Start Hass.io orchestration."""
         await self.sys_api.start()

hassio/coresys.py

@@ -24,6 +24,7 @@ if TYPE_CHECKING:
     from .homeassistant import HomeAssistant
     from .host import HostManager
     from .ingress import Ingress
+    from .secrets import SecretsManager
     from .services import ServiceManager
     from .snapshots import SnapshotManager
     from .supervisor import Supervisor
@@ -70,6 +71,7 @@ class CoreSys:
         self._dbus: Optional[DBusManager] = None
         self._hassos: Optional[HassOS] = None
         self._services: Optional[ServiceManager] = None
+        self._secrets: Optional[SecretsManager] = None
         self._store: Optional[StoreManager] = None
         self._discovery: Optional[Discovery] = None
 
@@ -209,6 +211,18 @@ class CoreSys:
             raise RuntimeError("Updater already set!")
         self._updater = value
 
+    @property
+    def secrets(self) -> SecretsManager:
+        """Return SecretsManager object."""
+        return self._secrets
+
+    @secrets.setter
+    def secrets(self, value: SecretsManager):
+        """Set a Updater object."""
+        if self._secrets:
+            raise RuntimeError("SecretsManager already set!")
+        self._secrets = value
+
     @property
     def addons(self) -> AddonManager:
         """Return AddonManager object."""
@@ -437,6 +451,11 @@ class CoreSysAttributes:
         """Return Updater object."""
         return self.coresys.updater
 
+    @property
+    def sys_secrets(self) -> SecretsManager:
+        """Return SecretsManager object."""
+        return self.coresys.secrets
+
     @property
     def sys_addons(self) -> AddonManager:
         """Return AddonManager object."""

hassio/discovery/__init__.py

@@ -31,8 +31,8 @@ class Message:
 
     addon: str = attr.ib()
     service: str = attr.ib()
-    config: Dict[str, Any] = attr.ib(cmp=False)
-    uuid: UUID = attr.ib(factory=lambda: uuid4().hex, cmp=False)
+    config: Dict[str, Any] = attr.ib(eq=False)
+    uuid: UUID = attr.ib(factory=lambda: uuid4().hex, eq=False)
 
 
 class Discovery(CoreSysAttributes, JsonConfig):

hassio/discovery/services/almond.py

@@ -0,0 +1,11 @@
+"""Discovery service for Almond."""
+import voluptuous as vol
+
+from hassio.validate import NETWORK_PORT
+
+from ..const import ATTR_HOST, ATTR_PORT
+
+
+SCHEMA = vol.Schema(
+    {vol.Required(ATTR_HOST): vol.Coerce(str), vol.Required(ATTR_PORT): NETWORK_PORT}
+)

hassio/discovery/services/home_panel.py

@@ -0,0 +1,11 @@
+"""Discovery service for Home Panel."""
+import voluptuous as vol
+
+from hassio.validate import NETWORK_PORT
+
+from ..const import ATTR_HOST, ATTR_PORT
+
+
+SCHEMA = vol.Schema(
+    {vol.Required(ATTR_HOST): vol.Coerce(str), vol.Required(ATTR_PORT): NETWORK_PORT}
+)

hassio/dns.py

@@ -115,14 +115,15 @@ class CoreDNS(JsonConfig, CoreSysAttributes):
 
         # Start DNS forwarder
         self.sys_create_task(self.forwarder.start(self.sys_docker.network.dns))
+        self._update_local_resolv()
 
-        with suppress(CoreDNSError):
-            self._update_local_resolv()
-
-        # Start is not Running
+        # Reset container configuration
         if await self.instance.is_running():
-            await self.restart()
-        else:
+            with suppress(DockerAPIError):
+                await self.instance.stop()
+
+        # Run CoreDNS
+        with suppress(CoreDNSError):
             await self.start()
 
     async def unload(self) -> None:
@@ -148,9 +149,8 @@ class CoreDNS(JsonConfig, CoreSysAttributes):
         self.version = self.instance.version
         self.save_data()
 
-        # Init Hosts / Run server
+        # Init Hosts
         self.write_hosts()
-        await self.start()
 
     async def update(self, version: Optional[str] = None) -> None:
         """Update CoreDNS plugin."""
@@ -207,6 +207,9 @@ class CoreDNS(JsonConfig, CoreSysAttributes):
 
     def _write_corefile(self) -> None:
         """Write CoreDNS config."""
+        dns_servers: List[str] = []
+
+        # Load Template
         try:
             corefile_template: Template = Template(COREDNS_TMPL.read_text())
         except OSError as err:
@@ -214,8 +217,8 @@ class CoreDNS(JsonConfig, CoreSysAttributes):
             raise CoreDNSError() from None
 
         # Prepare DNS serverlist: Prio 1 Local, Prio 2 Manual, Prio 3 Fallback
-        dns_servers = []
-        for server in self.sys_host.network.dns_servers + self.servers + DNS_SERVERS:
+        local_dns: List[str] = self.sys_host.network.dns_servers or ["dns://127.0.0.11"]
+        for server in local_dns + self.servers + DNS_SERVERS:
             try:
                 DNS_URL(server)
                 if server not in dns_servers:
@@ -358,7 +361,7 @@ class CoreDNS(JsonConfig, CoreSysAttributes):
                     resolv_lines.append(line.strip())
         except OSError as err:
             _LOGGER.warning("Can't read local resolv: %s", err)
-            raise CoreDNSError() from None
+            return
 
         if nameserver in resolv_lines:
             return
@@ -372,4 +375,4 @@ class CoreDNS(JsonConfig, CoreSysAttributes):
                     resolv.write(f"{line}\n")
         except OSError as err:
             _LOGGER.warning("Can't write local resolv: %s", err)
-            raise CoreDNSError() from None
+            return

hassio/docker/__init__.py

@@ -54,6 +54,7 @@ class DockerAPI:
         self,
         image: str,
         version: str = "latest",
+        dns: bool = True,
         ipv4: Optional[IPv4Address] = None,
         **kwargs: Dict[str, Any],
     ) -> docker.models.containers.Container:
@@ -61,14 +62,15 @@ class DockerAPI:
 
         Need run inside executor.
         """
-        name: str = kwargs.get("name", image)
+        name: str = kwargs.get("name")
         network_mode: str = kwargs.get("network_mode")
         hostname: str = kwargs.get("hostname")
 
         # Setup DNS
-        kwargs["dns"] = [str(self.network.dns)]
-        kwargs["dns_search"] = [DNS_SUFFIX]
-        kwargs["domainname"] = DNS_SUFFIX
+        if dns:
+            kwargs["dns"] = [str(self.network.dns)]
+            kwargs["dns_search"] = [DNS_SUFFIX]
+            kwargs["domainname"] = DNS_SUFFIX
 
         # Setup network
         if not network_mode:
@@ -176,3 +178,10 @@ class DockerAPI:
             _LOGGER.debug("Volumes prune: %s", output)
         except docker.errors.APIError as err:
             _LOGGER.warning("Error for volumes prune: %s", err)
+
+        _LOGGER.info("Prune stale networks")
+        try:
+            output = self.docker.api.prune_networks()
+            _LOGGER.debug("Networks prune: %s", output)
+        except docker.errors.APIError as err:
+            _LOGGER.warning("Error for networks prune: %s", err)

hassio/docker/dns.py

@@ -41,6 +41,7 @@ class DockerDNS(DockerInterface, CoreSysAttributes):
         docker_container = self.sys_docker.run(
             self.image,
             version=self.sys_dns.version,
+            dns=False,
             ipv4=self.sys_docker.network.dns,
             name=self.name,
             hostname=self.name.replace("_", "-"),

hassio/docker/homeassistant.py

@@ -127,7 +127,9 @@ class DockerHomeAssistant(DockerInterface):
         """
         try:
             docker_container = self.sys_docker.containers.get(self.name)
-            docker_image = self.sys_docker.images.get(self.image)
+            docker_image = self.sys_docker.images.get(
+                f"{self.image}:{self.sys_homeassistant.version}"
+            )
         except docker.errors.DockerException:
             return False
 

hassio/docker/interface.py

@@ -42,6 +42,13 @@ class DockerInterface(CoreSysAttributes):
             return {}
         return self._meta.get("Config", {})
 
+    @property
+    def meta_host(self) -> Dict[str, Any]:
+        """Return meta data of configuration for host."""
+        if not self._meta:
+            return {}
+        return self._meta.get("HostConfig", {})
+
     @property
     def meta_labels(self) -> Dict[str, str]:
         """Return meta data of labels for container/image."""

hassio/docker/network.py

@@ -1,4 +1,5 @@
 """Internal network manager for Hass.io."""
+from contextlib import suppress
 from ipaddress import IPv4Address
 import logging
 from typing import List, Optional
@@ -107,3 +108,11 @@ class DockerNetwork:
         except docker.errors.APIError as err:
             _LOGGER.warning("Can't disconnect container from default: %s", err)
             raise DockerAPIError() from None
+
+    def stale_cleanup(self, container_name: str):
+        """Remove force a container from Network.
+
+        Fix: https://github.com/moby/moby/issues/23302
+        """
+        with suppress(docker.errors.APIError):
+            self.network.disconnect(container_name, force=True)

hassio/docker/supervisor.py

@@ -26,6 +26,11 @@ class DockerSupervisor(DockerInterface, CoreSysAttributes):
         """Return IP address of this container."""
         return self.sys_docker.network.supervisor
 
+    @property
+    def privileged(self) -> bool:
+        """Return True if the container run with Privileged."""
+        return self.meta_host.get("Privileged", False)
+
     def _attach(self, tag: str) -> None:
         """Attach to running docker container.
 

hassio/exceptions.py

@@ -188,3 +188,10 @@ class JsonFileError(HassioError):
 
 class DockerAPIError(HassioError):
     """Docker API error."""
+
+
+# Hardware
+
+
+class HardwareNotSupportedError(HassioNotSupportedError):
+    """Raise if hardware function is not supported."""

hassio/homeassistant.py

@@ -2,7 +2,6 @@
 import asyncio
 from contextlib import asynccontextmanager, suppress
 from datetime import datetime, timedelta
-from distutils.version import StrictVersion
 from ipaddress import IPv4Address
 import logging
 import os
@@ -16,6 +15,7 @@ from uuid import UUID
 import aiohttp
 from aiohttp import hdrs
 import attr
+from packaging import version as pkg_version
 
 from .const import (
     ATTR_ACCESS_TOKEN,
@@ -80,7 +80,9 @@ class HomeAssistant(JsonConfig, CoreSysAttributes):
         try:
             # Evaluate Version if we lost this information
             if not self.version:
-                self.version = await self.instance.get_latest_version(key=StrictVersion)
+                self.version = await self.instance.get_latest_version(
+                    key=pkg_version.parse
+                )
 
             await self.instance.attach(tag=self.version)
         except DockerAPIError:
@@ -573,7 +575,7 @@ class HomeAssistant(JsonConfig, CoreSysAttributes):
                     migration_progress = True
                     _LOGGER.info("Home Assistant record migration in progress")
                 continue
-            elif migration_progress:
+            if migration_progress:
                 migration_progress = False  # Reset start time
                 start_time = time.monotonic()
                 _LOGGER.info("Home Assistant record migration done")
@@ -584,7 +586,7 @@ class HomeAssistant(JsonConfig, CoreSysAttributes):
                     pip_progress = True
                     _LOGGER.info("Home Assistant pip installation in progress")
                 continue
-            elif pip_progress:
+            if pip_progress:
                 pip_progress = False  # Reset start time
                 start_time = time.monotonic()
                 _LOGGER.info("Home Assistant pip installation done")
@@ -603,6 +605,11 @@ class HomeAssistant(JsonConfig, CoreSysAttributes):
             return
 
         _LOGGER.info("Repair Home Assistant %s", self.version)
+        await self.sys_run_in_executor(
+            self.sys_docker.network.stale_cleanup, self.instance.name
+        )
+
+        # Pull image
         try:
             await self.instance.install(self.version)
         except DockerAPIError:

hassio/host/alsa.py

@@ -11,8 +11,13 @@ from ..coresys import CoreSysAttributes
 
 _LOGGER: logging.Logger = logging.getLogger(__name__)
 
-# pylint: disable=invalid-name
-DefaultConfig = attr.make_class("DefaultConfig", ["input", "output"])
+
+@attr.s()
+class DefaultConfig:
+    """Default config input/output ALSA channel."""
+
+    input: str = attr.ib()
+    output: str = attr.ib()
 
 
 AUDIODB_JSON: Path = Path(__file__).parents[1].joinpath("data/audiodb.json")

hassio/host/services.py

@@ -91,9 +91,9 @@ class ServiceManager(CoreSysAttributes):
 class ServiceInfo:
     """Represent a single Service."""
 
-    name = attr.ib(type=str)
-    description = attr.ib(type=str)
-    state = attr.ib(type=str)
+    name: str = attr.ib()
+    description: str = attr.ib()
+    state: str = attr.ib()
 
     @staticmethod
     def read_from(unit):

hassio/misc/hardware.py

@@ -1,4 +1,5 @@
 """Read hardware info from system."""
+import asyncio
 from datetime import datetime
 import logging
 from pathlib import Path
@@ -8,6 +9,7 @@ from typing import Any, Dict, Optional, Set
 import pyudev
 
 from ..const import ATTR_DEVICES, ATTR_NAME, ATTR_TYPE, CHAN_ID, CHAN_TYPE
+from ..exceptions import HardwareNotSupportedError
 
 _LOGGER: logging.Logger = logging.getLogger(__name__)
 
@@ -148,3 +150,14 @@ class Hardware:
             return None
 
         return datetime.utcfromtimestamp(int(found.group(1)))
+
+    async def udev_trigger(self) -> None:
+        """Trigger a udev reload."""
+        proc = await asyncio.create_subprocess_exec("udevadm", "trigger")
+
+        await proc.wait()
+        if proc.returncode == 0:
+            return
+
+        _LOGGER.warning("udevadm device triggering fails!")
+        raise HardwareNotSupportedError()

hassio/secrets.py

@@ -0,0 +1,64 @@
+"""Handle Home Assistant secrets to add-ons."""
+from datetime import timedelta
+import logging
+from pathlib import Path
+from typing import Dict
+
+from ruamel.yaml import YAML, YAMLError
+import voluptuous as vol
+
+from .coresys import CoreSys, CoreSysAttributes
+from .utils import AsyncThrottle
+
+_LOGGER: logging.Logger = logging.getLogger(__name__)
+
+SECRETS_SCHEMA = vol.Schema({str: vol.Any(str, int, None, float)})
+
+
+class SecretsManager(CoreSysAttributes):
+    """Manage Home Assistant secrets."""
+
+    def __init__(self, coresys: CoreSys):
+        """Initialize secret manager."""
+        self.coresys: CoreSys = coresys
+        self.secrets: Dict[str, str] = {}
+
+    @property
+    def path_secrets(self) -> Path:
+        """Return path to secret file."""
+        return Path(self.sys_config.path_homeassistant, "secrets.yaml")
+
+    def get(self, secret: str) -> str:
+        """Get secret from store."""
+        _LOGGER.info("Request secret %s", secret)
+        return self.secrets.get(secret)
+
+    async def load(self) -> None:
+        """Load secrets on start."""
+        await self._read_secrets()
+
+        _LOGGER.info("Load Home Assistant secrets: %s", len(self.secrets))
+
+    async def reload(self) -> None:
+        """Reload secrets."""
+        await self._read_secrets()
+
+    @AsyncThrottle(timedelta(seconds=60))
+    async def _read_secrets(self):
+        """Read secrets.yaml into memory."""
+        if not self.path_secrets.exists():
+            _LOGGER.debug("Home Assistant secrets not exists")
+            return
+
+        # Read secrets
+        try:
+            yaml = YAML()
+            data = await self.sys_run_in_executor(yaml.load, self.path_secrets) or {}
+
+            self.secrets = SECRETS_SCHEMA(data)
+        except YAMLError as err:
+            _LOGGER.error("Can't process Home Assistant secrets: %s", err)
+        except vol.Invalid:
+            _LOGGER.warning("Home Assistant secrets have a invalid format")
+        else:
+            _LOGGER.debug("Reload Home Assistant secrets: %s", len(self.secrets))

hassio/snapshots/snapshot.py

@@ -41,7 +41,7 @@ from ..const import (
 from ..coresys import CoreSys, CoreSysAttributes
 from ..exceptions import AddonsError
 from ..utils.json import write_json_file
-from ..utils.tar import SecureTarFile
+from ..utils.tar import SecureTarFile, secure_path
 from .utils import key_to_iv, password_for_validating, password_to_key, remove_folder
 from .validate import ALL_FOLDERS, SCHEMA_SNAPSHOT
 
@@ -248,7 +248,7 @@ class Snapshot(CoreSysAttributes):
         def _extract_snapshot():
             """Extract a snapshot."""
             with tarfile.open(self.tarfile, "r:") as tar:
-                tar.extractall(path=self._tmp.name)
+                tar.extractall(path=self._tmp.name, members=secure_path(tar))
 
         await self.sys_run_in_executor(_extract_snapshot)
 
@@ -396,7 +396,7 @@ class Snapshot(CoreSysAttributes):
             try:
                 _LOGGER.info("Restore folder %s", name)
                 with SecureTarFile(tar_name, "r", key=self._key) as tar_file:
-                    tar_file.extractall(path=origin_dir)
+                    tar_file.extractall(path=origin_dir, members=tar_file)
                 _LOGGER.info("Restore folder %s done", name)
             except (tarfile.TarError, OSError) as err:
                 _LOGGER.warning("Can't restore folder %s: %s", name, err)

hassio/snapshots/utils.py

@@ -42,7 +42,7 @@ def remove_folder(folder):
     for obj in folder.iterdir():
         try:
             if obj.is_dir():
-                shutil.rmtree(str(obj), ignore_errors=True)
+                shutil.rmtree(obj, ignore_errors=True)
             else:
                 obj.unlink()
         except (OSError, shutil.Error):

hassio/store/git.py

@@ -137,7 +137,7 @@ class GitRepo(CoreSysAttributes):
             """Log error."""
             _LOGGER.warning("Can't remove %s", path)
 
-        shutil.rmtree(str(self.path), onerror=log_err)
+        shutil.rmtree(self.path, onerror=log_err)
 
 
 class GitRepoHassIO(GitRepo):

hassio/supervisor.py

@@ -41,6 +41,12 @@ class Supervisor(CoreSysAttributes):
         with suppress(DockerAPIError):
             await self.instance.cleanup()
 
+        # Check privileged mode
+        if not self.instance.privileged:
+            _LOGGER.error(
+                "Supervisor does not run in Privileged mode. Hassio runs with limited functionality!"
+            )
+
     @property
     def ip_address(self) -> IPv4Address:
         """Return IP of Supervisor instance."""

hassio/tasks.py

@@ -16,7 +16,7 @@ RUN_UPDATE_DNS = 30100
 
 RUN_RELOAD_ADDONS = 10800
 RUN_RELOAD_SNAPSHOTS = 72000
-RUN_RELOAD_HOST = 72000
+RUN_RELOAD_HOST = 7600
 RUN_RELOAD_UPDATER = 7200
 RUN_RELOAD_INGRESS = 930
 

hassio/utils/gdbus.py

@@ -90,7 +90,6 @@ class DBus:
             raise DBusParseError() from None
 
         # Read available methods
-        _LOGGER.debug("Introspect XML: %s", data)
         for interface in xml.findall("./interface"):
             interface_name = interface.get("name")
 

hassio/utils/tar.py

@@ -1,19 +1,22 @@
 """Tarfile fileobject handler for encrypted files."""
 import hashlib
+import logging
 import os
 from pathlib import Path
 import tarfile
-from typing import IO, Optional
+from typing import IO, Callable, Generator, List, Optional
 
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives import padding
 from cryptography.hazmat.primitives.ciphers import (
-    CipherContext,
     Cipher,
+    CipherContext,
     algorithms,
     modes,
 )
 
+_LOGGER: logging.Logger = logging.getLogger(__name__)
+
 BLOCK_SIZE = 16
 BLOCK_SIZE_BITS = 128
 
@@ -111,3 +114,39 @@ def _generate_iv(key: bytes, salt: bytes) -> bytes:
     for _ in range(100):
         temp_iv = hashlib.sha256(temp_iv).digest()
     return temp_iv[:16]
+
+
+def secure_path(tar: tarfile.TarFile) -> Generator[tarfile.TarInfo, None, None]:
+    """Security safe check of path.
+
+    Prevent ../ or absolut paths
+    """
+    for member in tar:
+        file_path = Path(member.name)
+        try:
+            assert not file_path.is_absolute()
+            Path("/fake", file_path).resolve().relative_to("/fake")
+        except (ValueError, RuntimeError, AssertionError):
+            _LOGGER.warning("Issue with file %s", file_path)
+            continue
+        else:
+            yield member
+
+
+def exclude_filter(
+    exclude_list: List[str]
+) -> Callable[[tarfile.TarInfo], Optional[tarfile.TarInfo]]:
+    """Create callable filter function to check TarInfo for add."""
+
+    def my_filter(tar: tarfile.TarInfo) -> Optional[tarfile.TarInfo]:
+        """Custom exclude filter."""
+        file_path = Path(tar.name)
+        for exclude in exclude_list:
+            if not file_path.match(exclude):
+                continue
+            _LOGGER.debug("Ignore %s because of %s", file_path, exclude)
+            return None
+
+        return tar
+
+    return my_filter

requirements.txt

@@ -1,14 +1,16 @@
-aiohttp==3.5.4
+aiohttp==3.6.1
 async_timeout==3.0.1
-attrs==19.1.0
+attrs==19.3.0
 cchardet==2.1.4
 colorlog==4.0.2
 cpe==1.2.1
-cryptography==2.7
-docker==4.0.2
-gitpython==3.0.2
-pytz==2019.2
+cryptography==2.8
+docker==4.1.0
+gitpython==3.0.4
+packaging==19.2
+pytz==2019.3
 pyudev==0.21.0
-uvloop==0.12.2
+ruamel.yaml==0.15.100
+uvloop==0.13.0
 voluptuous==0.11.7
 ptvsd==4.3.2

requirements_tests.txt

@@ -1,5 +1,5 @@
 flake8==3.7.8
-pylint==2.3.1
-pytest==5.1.1
+pylint==2.4.3
+pytest==5.2.1
 pytest-timeout==1.3.3
 pytest-aiohttp==0.3.0

setup.py

@@ -19,7 +19,7 @@ setup(
         "Intended Audience :: Developers",
         "License :: OSI Approved :: Apache Software License",
         "Operating System :: OS Independent",
-        "Topic :: Home Automation"
+        "Topic :: Home Automation",
         "Topic :: Software Development :: Libraries :: Python Modules",
         "Topic :: Scientific/Engineering :: Atmospheric Science",
         "Development Status :: 5 - Production/Stable",

tests/discovery/test_almond.py

@@ -0,0 +1,19 @@
+"""Test adguard discovery."""
+
+import voluptuous as vol
+import pytest
+
+from hassio.discovery.validate import valid_discovery_config
+
+
+def test_good_config():
+    """Test good deconz config."""
+
+    valid_discovery_config("almond", {"host": "test", "port": 3812})
+
+
+def test_bad_config():
+    """Test good adguard config."""
+
+    with pytest.raises(vol.Invalid):
+        valid_discovery_config("almond", {"host": "test"})

tests/discovery/test_home_panel.py

@@ -0,0 +1,19 @@
+"""Test adguard discovery."""
+
+import voluptuous as vol
+import pytest
+
+from hassio.discovery.validate import valid_discovery_config
+
+
+def test_good_config():
+    """Test good deconz config."""
+
+    valid_discovery_config("home_panel", {"host": "test", "port": 3812})
+
+
+def test_bad_config():
+    """Test good adguard config."""
+
+    with pytest.raises(vol.Invalid):
+        valid_discovery_config("home_panel", {"host": "test"})

tests/utils/test_tarfile.py

@@ -0,0 +1,61 @@
+"""Test Tarfile functions."""
+
+import attr
+import pytest
+
+from hassio.utils.tar import secure_path, exclude_filter
+
+
+@attr.s
+class TarInfo:
+    """Fake TarInfo"""
+
+    name: str = attr.ib()
+
+
+def test_secure_path():
+    """Test Secure Path."""
+    test_list = [
+        TarInfo("test.txt"),
+        TarInfo("data/xy.blob"),
+        TarInfo("bla/blu/ble"),
+        TarInfo("data/../xy.blob"),
+    ]
+    assert test_list == list(secure_path(test_list))
+
+
+def test_not_secure_path():
+    """Test Not secure path."""
+    test_list = [
+        TarInfo("/test.txt"),
+        TarInfo("data/../../xy.blob"),
+        TarInfo("/bla/blu/ble"),
+    ]
+    assert [] == list(secure_path(test_list))
+
+
+def test_exclude_filter_good():
+    """Test exclude filter."""
+    filter_funct = exclude_filter(["not/match", "/dev/xy"])
+    test_list = [
+        TarInfo("test.txt"),
+        TarInfo("data/xy.blob"),
+        TarInfo("bla/blu/ble"),
+        TarInfo("data/../xy.blob"),
+    ]
+
+    assert test_list == [filter_funct(result) for result in test_list]
+
+
+def test_exclude_filter_bad():
+    """Test exclude filter."""
+    filter_funct = exclude_filter(["*.txt", "data/*", "bla/blu/ble"])
+    test_list = [
+        TarInfo("test.txt"),
+        TarInfo("data/xy.blob"),
+        TarInfo("bla/blu/ble"),
+        TarInfo("data/test_files/kk.txt"),
+    ]
+
+    for info in [filter_funct(result) for result in test_list]:
+        assert info is None