By default to use access_token if hass.auth.active (#15212)

* Force to use access_token if hass.auth.active * Not allow Basic auth with api_password if hass.auth.active * Block websocket api_password auth when hass.auth.active * Add legacy_api_password auth provider * lint * lint
2018-06-30 19:31:36 -07:00 · 2018-06-30 19:31:36 -07:00 · f874efb224
commit f874efb224
parent 3da4642194
8 changed files with 468 additions and 83 deletions
--- a/tests/components/test_websocket_api.py
+++ b/tests/components/test_websocket_api.py
@ -77,7 +77,7 @@ def test_auth_via_msg_incorrect_pass(no_auth_websocket_client):

    assert mock_process_wrong_login.called
    assert msg['type'] == wapi.TYPE_AUTH_INVALID
-    assert msg['message'] == 'Invalid password'
+    assert msg['message'] == 'Invalid access token or password'


@asyncio.coroutine
@ -316,47 +316,103 @@ def test_unknown_command(websocket_client):
    assert msg['error']['code'] == wapi.ERR_UNKNOWN_COMMAND


-async def test_auth_with_token(hass, aiohttp_client, hass_access_token):
+async def test_auth_active_with_token(hass, aiohttp_client, hass_access_token):
    """Test authenticating with a token."""
    assert await async_setup_component(hass, 'websocket_api', {
-            'http': {
-                'api_password': API_PASSWORD
-            }
-        })
+        'http': {
+            'api_password': API_PASSWORD
+        }
+    })

    client = await aiohttp_client(hass.http.app)

    async with client.ws_connect(wapi.URL) as ws:
-        auth_msg = await ws.receive_json()
-        assert auth_msg['type'] == wapi.TYPE_AUTH_REQUIRED
+        with patch('homeassistant.auth.AuthManager.active') as auth_active:
+            auth_active.return_value = True
+            auth_msg = await ws.receive_json()
+            assert auth_msg['type'] == wapi.TYPE_AUTH_REQUIRED

-        await ws.send_json({
-            'type': wapi.TYPE_AUTH,
-            'access_token': hass_access_token.token
-        })
+            await ws.send_json({
+                'type': wapi.TYPE_AUTH,
+                'access_token': hass_access_token.token
+            })

-        auth_msg = await ws.receive_json()
-        assert auth_msg['type'] == wapi.TYPE_AUTH_OK
+            auth_msg = await ws.receive_json()
+            assert auth_msg['type'] == wapi.TYPE_AUTH_OK
+
+
+async def test_auth_active_with_password_not_allow(hass, aiohttp_client):
+    """Test authenticating with a token."""
+    assert await async_setup_component(hass, 'websocket_api', {
+        'http': {
+            'api_password': API_PASSWORD
+        }
+    })
+
+    client = await aiohttp_client(hass.http.app)
+
+    async with client.ws_connect(wapi.URL) as ws:
+        with patch('homeassistant.auth.AuthManager.active',
+                   return_value=True):
+            auth_msg = await ws.receive_json()
+            assert auth_msg['type'] == wapi.TYPE_AUTH_REQUIRED
+
+            await ws.send_json({
+                'type': wapi.TYPE_AUTH,
+                'api_password': API_PASSWORD
+            })
+
+            auth_msg = await ws.receive_json()
+            assert auth_msg['type'] == wapi.TYPE_AUTH_INVALID
+
+
+async def test_auth_legacy_support_with_password(hass, aiohttp_client):
+    """Test authenticating with a token."""
+    assert await async_setup_component(hass, 'websocket_api', {
+        'http': {
+            'api_password': API_PASSWORD
+        }
+    })
+
+    client = await aiohttp_client(hass.http.app)
+
+    async with client.ws_connect(wapi.URL) as ws:
+        with patch('homeassistant.auth.AuthManager.active',
+                   return_value=True),\
+             patch('homeassistant.auth.AuthManager.support_legacy',
+                   return_value=True):
+            auth_msg = await ws.receive_json()
+            assert auth_msg['type'] == wapi.TYPE_AUTH_REQUIRED
+
+            await ws.send_json({
+                'type': wapi.TYPE_AUTH,
+                'api_password': API_PASSWORD
+            })
+
+            auth_msg = await ws.receive_json()
+            assert auth_msg['type'] == wapi.TYPE_AUTH_OK


 async def test_auth_with_invalid_token(hass, aiohttp_client):
    """Test authenticating with a token."""
    assert await async_setup_component(hass, 'websocket_api', {
-            'http': {
-                'api_password': API_PASSWORD
-            }
-        })
+        'http': {
+            'api_password': API_PASSWORD
+        }
+    })

    client = await aiohttp_client(hass.http.app)

    async with client.ws_connect(wapi.URL) as ws:
-        auth_msg = await ws.receive_json()
-        assert auth_msg['type'] == wapi.TYPE_AUTH_REQUIRED
+        with patch('homeassistant.auth.AuthManager.active') as auth_active:
+            auth_active.return_value = True
+            auth_msg = await ws.receive_json()
+            assert auth_msg['type'] == wapi.TYPE_AUTH_REQUIRED

-        await ws.send_json({
-            'type': wapi.TYPE_AUTH,
-            'access_token': 'incorrect'
-        })
+            await ws.send_json({
+                'type': wapi.TYPE_AUTH,
+                'access_token': 'incorrect'
+            })

-        auth_msg = await ws.receive_json()
-        assert auth_msg['type'] == wapi.TYPE_AUTH_INVALID
+            auth_msg = await ws.receive_json()
+            assert auth_msg['type'] == wapi.TYPE_AUTH_INVALID