Trusted networks auth provider warns if detects a requests with x-forwarded-for header while the http integration is not configured for reverse proxies

[balloob]

Breaking change

Trusted networks need explicit configuration of the HTTP integration to work with x-forwarded-for headers to authenticate IPs from requests that contain the x-forwarded-for header.

This is a warning and will become an error in Home Assistant 2021.7.

Proposed change

This PR will make the trusted network auth provider warn on all requests that contain an x-forwarded-for header unless the http integration is configured to parse these headers.

This means that if a request comes from a reverse-proxy but Home Assistant is not configured to work with reverse proxies, it will warn while authenticating with that request.

I will issue a follow-up PR to make this an error for Home Assistant 2021.7.

If a user wants to allow such requests, the bare minimum configuration is:

http:
  use_x_forwarded_for: true
  trusted_proxies: []

Type of change

• Dependency upgrade
• Bugfix (non-breaking change which fixes an issue)
• New integration (thank you!)
• New feature (which adds functionality to an existing integration)
• Breaking change (fix/feature causing existing functionality to break)
• Code quality improvements to existing code or addition of tests

Additional information

• This PR fixes or closes issue: fixes #
• This PR is related to issue:
• Link to documentation pull request:

Checklist

• The code change is tested and works locally.
• Local tests pass. Your PR cannot be merged unless tests pass
• There is no commented out code in this PR.
• I have followed the development checklist
• The code has been formatted using Black (black --fast homeassistant tests)
• Tests have been added to verify that the new code works.

If user exposed functionality or configuration variables are added/changed:

• Documentation added/updated for www.home-assistant.io

If the code communicates with devices, web services, or third-party tools:

• The manifest file has all fields filled out correctly.
  Updated and included derived files by running: python3 -m script.hassfest.
• New or updated dependencies have been added to requirements_all.txt.
  Updated by running python3 -m script.gen_requirements_all.
• Untested files have been added to .coveragerc.

The integration reached or maintains the following Integration Quality Scale:

• No score or internal
• 🥈 Silver
• 🥇 Gold
• 🏆 Platinum

To help with the load of incoming pull requests:

• I have reviewed two other open pull requests in this repository.

[balloob]

This is a temporary constant to automatically fail the tests when we bump the version. It's my intention to remove it directly in a follow-up PR such that this PR can be cherry-picked into the beta.

[balloob]

I rewrote the if-for-if spaghetti to individual statements to make it easier to read.

[balloob]

Changed if-statement to a guard clause to improve readability.

[elupus]

Can this be reformulated/split a bit. My head has a heard time with all the nots,ands and ors.

[elupus]

Perhaps even Invert the function to is_blocked_request since that is how it's used.

[frenck]

I think in the end, the question is; should we even ever process forwarded-for requests, without a reverse proxy being configured at all...

If so, we can move this hole logic into the middleware of the HTTP server, instead of having it in the authentication.

I think a warning and getting this into the beta is fine for now, lets re-evaluate the handling for the next release.

[elupus]

I wasn't against the warning. I was against the hard to read logic with many negations.

[frenck]

Yes, I agree, but I think it is good to have in the beta. Given the time is close, we should improve later.

I'm opening a PR as a follow-up, that moves it out of here, into the HTTP server directly.
If that is an acceptable solution, this can be reverted.

[frenck]

Alternative approach in #51332