jeena/hass-configurator
1
0
Fork 0
Code Issues Pull requests Projects Packages Wiki Activity Actions

Replaced CREDENTIALS by USERNAME and PASSWORD

Browse source
This commit is contained in:
Daniel Perna 2018-07-10 00:23:21 +02:00
parent a48779f4e3
commit 8e3aabb895
3 changed files with 29 additions and 15 deletions
Download patch file Download diff file Expand all files Collapse all files

6
README.md
View file

@ -52,8 +52,12 @@ If you're using SSL, set the paths to your SSL files here. This is similar to th
The configurator fetches some data from your running HASS instance. If the API isn't available through the default URL, modify this variable to fix this. The configurator fetches some data from your running HASS instance. If the API isn't available through the default URL, modify this variable to fix this.
#### HASS_API_PASSWORD (string) #### HASS_API_PASSWORD (string)
If you plan on using the restart button, you have to set your API password. Calling the restart service of HASS is prohibited without authentication. If you plan on using the restart button, you have to set your API password. Calling the restart service of HASS is prohibited without authentication.
#### USERNAME (string)
If you want to enable [HTTP basic authentication](https://en.wikipedia.org/wiki/Basic_access_authentication) you can set the desired username here. The `:` character is not allowed.
#### PASSWORD (string)
Set the password that should be used for authentication. Only if `USERNAME` __and__ `PASSWORD` are set authentication will be enabled.
#### CREDENTIALS (string) #### CREDENTIALS (string)
Set credentials in the form of `"username:password"` if authentication should be required for access. The credentials in the form of `"username:password"` are now deprecated and should be removed from you configuration. Replace it by specifying `USERNAME` and `PASSWORD`. It will still work though to ensure backwards compatibility.
#### ALLOWED_NETWORKS (list) #### ALLOWED_NETWORKS (list)
Limit access to the configurator by adding allowed IP addresses / networks to the list, e.g `ALLOWED_NETWORKS = ["192.168.0.0/24", "172.16.47.23"]`. If you are using the [hass.io addon](https://www.home-assistant.io/addons/configurator/) of the configurator, add the docker-network `172.30.0.0/16` to this list. Limit access to the configurator by adding allowed IP addresses / networks to the list, e.g `ALLOWED_NETWORKS = ["192.168.0.0/24", "172.16.47.23"]`. If you are using the [hass.io addon](https://www.home-assistant.io/addons/configurator/) of the configurator, add the docker-network `172.30.0.0/16` to this list.
#### BANNED_IPS (list) #### BANNED_IPS (list)

35
configurator.py
View file

@ -42,8 +42,13 @@ HASS_API = "http://127.0.0.1:8123/api/"
# If a password is required to access the API, set it in the form of "password" # If a password is required to access the API, set it in the form of "password"
# if you have HA ignoring SSL locally this is not needed if on same machine. # if you have HA ignoring SSL locally this is not needed if on same machine.
HASS_API_PASSWORD = None HASS_API_PASSWORD = None
# Enable authentication, set the credentials in the form of "username:password" # Using the CREDENTIALS variable is deprecated.
# It will still work though if USERNAME and PASSWORD are not set.
CREDENTIALS = None CREDENTIALS = None
# Set the username used for basic authentication.
USERNAME = None
# Set the password used for basic authentication.
PASSWORD = None
# Limit access to the configurator by adding allowed IP addresses / networks to # Limit access to the configurator by adding allowed IP addresses / networks to
# the list, e.g ALLOWED_NETWORKS = ["192.168.0.0/24", "172.16.47.23"] # the list, e.g ALLOWED_NETWORKS = ["192.168.0.0/24", "172.16.47.23"]
ALLOWED_NETWORKS = [] ALLOWED_NETWORKS = []
@ -3389,7 +3394,7 @@ def load_settings(settingsfile):
global LISTENIP, LISTENPORT, BASEPATH, SSL_CERTIFICATE, SSL_KEY, HASS_API, \ global LISTENIP, LISTENPORT, BASEPATH, SSL_CERTIFICATE, SSL_KEY, HASS_API, \
HASS_API_PASSWORD, CREDENTIALS, ALLOWED_NETWORKS, BANNED_IPS, BANLIMIT, \ HASS_API_PASSWORD, CREDENTIALS, ALLOWED_NETWORKS, BANNED_IPS, BANLIMIT, \
DEV, IGNORE_PATTERN, DIRSFIRST, SESAME, VERIFY_HOSTNAME, ENFORCE_BASEPATH, \ DEV, IGNORE_PATTERN, DIRSFIRST, SESAME, VERIFY_HOSTNAME, ENFORCE_BASEPATH, \
ENV_PREFIX, NOTIFY_SERVICE ENV_PREFIX, NOTIFY_SERVICE, USERNAME, PASSWORD
settings = {} settings = {}
if settingsfile: if settingsfile:
try: try:
@ -3433,6 +3438,11 @@ def load_settings(settingsfile):
SESAME = settings.get("SESAME", SESAME) SESAME = settings.get("SESAME", SESAME)
VERIFY_HOSTNAME = settings.get("VERIFY_HOSTNAME", VERIFY_HOSTNAME) VERIFY_HOSTNAME = settings.get("VERIFY_HOSTNAME", VERIFY_HOSTNAME)
NOTIFY_SERVICE = settings.get("NOTIFY_SERVICE", NOTIFY_SERVICE_DEFAULT) NOTIFY_SERVICE = settings.get("NOTIFY_SERVICE", NOTIFY_SERVICE_DEFAULT)
USERNAME = settings.get("USERNAME", USERNAME)
PASSWORD = settings.get("PASSWORD", PASSWORD)
if CREDENTIALS and (USERNAME is None or PASSWORD is None):
USERNAME = CREDENTIALS.split(":")[0]
PASSWORD = ":".join(CREDENTIALS.split(":")[1:])
def is_safe_path(basedir, path, follow_symlinks=True): def is_safe_path(basedir, path, follow_symlinks=True):
if basedir is None: if basedir is None:
@ -4485,16 +4495,16 @@ class AuthHandler(RequestHandler):
self.end_headers() self.end_headers()
def do_GET(self): def do_GET(self):
global CREDENTIALS
if not verify_hostname(self.headers.get('Host', '')): if not verify_hostname(self.headers.get('Host', '')):
self.do_BLOCK(403, "Forbidden") self.do_BLOCK(403, "Forbidden")
return return
authorization = self.headers.get('Authorization', None) authorization = self.headers.get('Authorization', None)
token = base64.b64encode(bytes("%s:%s" % (USERNAME, PASSWORD), "utf-8"))
if authorization is None: if authorization is None:
self.do_AUTHHEAD() self.do_AUTHHEAD()
self.wfile.write(bytes('no auth header received', 'utf-8')) self.wfile.write(bytes('no auth header received', 'utf-8'))
pass pass
elif authorization == 'Basic %s' % CREDENTIALS.decode('utf-8'): elif authorization == 'Basic %s' % token.decode('utf-8'):
if BANLIMIT: if BANLIMIT:
FAIL2BAN_IPS.pop(self.client_address[0], None) FAIL2BAN_IPS.pop(self.client_address[0], None)
super().do_GET() super().do_GET()
@ -4513,16 +4523,16 @@ class AuthHandler(RequestHandler):
pass pass
def do_POST(self): def do_POST(self):
global CREDENTIALS
if not verify_hostname(self.headers.get('Host', '')): if not verify_hostname(self.headers.get('Host', '')):
self.do_BLOCK(403, "Forbidden") self.do_BLOCK(403, "Forbidden")
return return
authorization = self.headers.get('Authorization', None) authorization = self.headers.get('Authorization', None)
token = base64.b64encode(bytes("%s:%s" % (USERNAME, PASSWORD), "utf-8"))
if authorization is None: if authorization is None:
self.do_AUTHHEAD() self.do_AUTHHEAD()
self.wfile.write(bytes('no auth header received', 'utf-8')) self.wfile.write(bytes('no auth header received', 'utf-8'))
pass pass
elif authorization == 'Basic %s' % CREDENTIALS.decode('utf-8'): elif authorization == 'Basic %s' % token.decode('utf-8'):
if BANLIMIT: if BANLIMIT:
FAIL2BAN_IPS.pop(self.client_address[0], None) FAIL2BAN_IPS.pop(self.client_address[0], None)
super().do_POST() super().do_POST()
@ -4575,7 +4585,7 @@ def notify(title="HASS Configurator",
LOG.warning("Exception while creating notification: %s" % err) LOG.warning("Exception while creating notification: %s" % err)
def main(args): def main(args):
global HTTPD, CREDENTIALS global HTTPD
if args: if args:
load_settings(args[0]) load_settings(args[0])
else: else:
@ -4608,14 +4618,14 @@ def main(args):
notify(**data) notify(**data)
problems = None problems = None
if CREDENTIALS: if PASSWORD:
problems = password_problems(":".join(CREDENTIALS.split(":")[1:]), "CREDENTIALS") problems = password_problems(PASSWORD, "PASSWORD")
if problems: if problems:
data = { data = {
"title": "HASS Configurator - Password warning", "title": "HASS Configurator - Password warning",
"message": "Your CREDENTIALS seems insecure (%i). " \ "message": "Your PASSWORD seems insecure (%i). " \
"Refer to the HASS configurator logs for further information." % problems, "Refer to the HASS configurator logs for further information." % problems,
"notification_id": "HC_CREDENTIALS" "notification_id": "HC_PASSWORD"
} }
notify(**data) notify(**data)
except Exception as err: except Exception as err:
@ -4625,8 +4635,7 @@ def main(args):
if ':' in LISTENIP: if ':' in LISTENIP:
CustomServer.address_family = socket.AF_INET6 CustomServer.address_family = socket.AF_INET6
server_address = (LISTENIP, LISTENPORT) server_address = (LISTENIP, LISTENPORT)
if CREDENTIALS: if USERNAME and PASSWORD:
CREDENTIALS = base64.b64encode(bytes(CREDENTIALS, "utf-8"))
Handler = AuthHandler Handler = AuthHandler
else: else:
Handler = RequestHandler Handler = RequestHandler

3
settings.conf
View file

@ -7,7 +7,8 @@
"SSL_KEY": null, "SSL_KEY": null,
"HASS_API": "http://127.0.0.1:8123/api/", "HASS_API": "http://127.0.0.1:8123/api/",
"HASS_API_PASSWORD": null, "HASS_API_PASSWORD": null,
"CREDENTIALS": null, "USERNAME": null,
"PASSWORD": null,
"ALLOWED_NETWORKS": [], "ALLOWED_NETWORKS": [],
"BANNED_IPS": [], "BANNED_IPS": [],
"BANLIMIT": 0, "BANLIMIT": 0,