-
-
Notifications
You must be signed in to change notification settings - Fork 29.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Trusted networks auth provider warns if detects a requests with x-forwarded-for header while the http integration is not configured for reverse proxies #51319
Conversation
… for proxies to allow logging in with requests with x-forwarded-for header
from homeassistant.auth import auth_store | ||
from homeassistant.auth.providers import trusted_networks as tn_auth | ||
from homeassistant.data_entry_flow import RESULT_TYPE_ABORT, RESULT_TYPE_CREATE_ENTRY | ||
from homeassistant.setup import async_setup_component | ||
|
||
FORWARD_FOR_IS_WARNING = (const.MAJOR_VERSION, const.MINOR_VERSION) < (2021, 8) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is a temporary constant to automatically fail the tests when we bump the version. It's my intention to remove it directly in a follow-up PR such that this PR can be cherry-picked into the beta.
cred = self.async_create_credentials({"user_id": user_id}) | ||
await self.store.async_link_user(user, cred) | ||
return cred | ||
if user.id != user_id: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I rewrote the if-for-if spaghetti to individual statements to make it easier to read.
) | ||
] | ||
break | ||
if ip_addr not in ip_net: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Changed if-statement to a guard clause to improve readability.
if request is not None and ( | ||
self.hass.http.use_x_forwarded_for | ||
or hdrs.X_FORWARDED_FOR not in request.headers | ||
): |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can this be reformulated/split a bit. My head has a heard time with all the nots,ands and ors.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Perhaps even Invert the function to is_blocked_request since that is how it's used.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think in the end, the question is; should we even ever process forwarded-for requests, without a reverse proxy being configured at all...
If so, we can move this hole logic into the middleware of the HTTP server, instead of having it in the authentication.
I think a warning and getting this into the beta is fine for now, lets re-evaluate the handling for the next release.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I wasn't against the warning. I was against the hard to read logic with many negations.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, I agree, but I think it is good to have in the beta. Given the time is close, we should improve later.
I'm opening a PR as a follow-up, that moves it out of here, into the HTTP server directly.
If that is an acceptable solution, this can be reverted.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Alternative approach in #51332
…warded-for header while the http integration is not configured for reverse proxies (#51319) * Trusted networks auth provider to require http integration configured for proxies to allow logging in with requests with x-forwarded-for header * Make it a warning
Breaking change
Trusted networks need explicit configuration of the HTTP integration to work with
x-forwarded-for
headers to authenticate IPs from requests that contain thex-forwarded-for
header.This is a warning and will become an error in Home Assistant 2021.7.
Proposed change
This PR will make the trusted network auth provider warn on all requests that contain an
x-forwarded-for
header unless thehttp
integration is configured to parse these headers.This means that if a request comes from a reverse-proxy but Home Assistant is not configured to work with reverse proxies, it will warn while authenticating with that request.
I will issue a follow-up PR to make this an error for Home Assistant 2021.7.
If a user wants to allow such requests, the bare minimum configuration is:
Type of change
Additional information
Checklist
black --fast homeassistant tests
)If user exposed functionality or configuration variables are added/changed:
If the code communicates with devices, web services, or third-party tools:
Updated and included derived files by running:
python3 -m script.hassfest
.requirements_all.txt
.Updated by running
python3 -m script.gen_requirements_all
..coveragerc
.The integration reached or maintains the following Integration Quality Scale:
To help with the load of incoming pull requests: