Added command_line auth provider that validates credentials by calling a command

[bob1de]

Description:

A new authentication provider that checks username/password by calling an external program, passing the values as environment variables. If the program exits with exit code 0, authentication succeeds.

Additionally, the program can print out lines of the form

KEY=VALUE

to give HA some information about the authenticating user. Currently, only name is supported, but groups are thinkable as well when there will be an official API for interfacing with HA's group system in the future.

As an example, I wrote a script to do authentication against LDAP, that I'll link here soon.

Related issue (if applicable): Closes #19975

Pull request in home-assistant-polymer: home-assistant/frontend#2561

Pull request in home-assistant.io with documentation (if applicable): home-assistant/home-assistant.io#8321

Example entry for configuration.yaml (if applicable):

homeassistant:
  auth_providers:
  - type: command_line
    command: /config/auth.sh
    # Optionally, a list of arguments.
    #args: []
    # Optionally, accept meta variables.
    #meta: true

Checklist:

• The code change is tested and works locally.
• Local tests pass with tox. Your PR cannot be merged unless tests pass
• There is no commented out code in this PR.

If user exposed functionality or configuration variables are added/changed:

• Documentation added/updated in home-assistant.io

If the code does not interact with devices:

• Tests have been added to verify that the new code works.

[awarecan]

Please add unit test.

You can include a script to mock external program in your unit test to return valid or invalid result

[bob1de]

I'll create an unit test when the API is final.

[balloob]

This looks good. Will need some tests written.

[balloob]

I suggest that for MVP we remove the metadata and just look at the return code. Keep it simple.

[bob1de]

Ah I see, MVP... Removing the metadata sounds not desirable to me. I don't want to see "You're logged in as ." in the UI because HA doesn't know my name. Could become more problematic when HA maybe logs user actions some day.

Having to turn it on explicitly sounds more appropriate to me.

[bob1de]

And here's a working example for authentication against LDAP:

https://github.com/efficiosoft/ldap-auth-sh

[frenck]

Could not find a matching documentation PR on our documentation repository, adding docs-missing label.

[awarecan]

There are two stuffs are missing besides the documentation pointed by Frenck

• unit test for login flow
• a front-end PR to include string resources, you can use leagcy_api_password auth provider as example: https://github.com/home-assistant/home-assistant-polymer/blob/f98fff9ffdd101b029f44e8ffe5a59545d388e84/src/translations/en.json#L939

[bob1de]

@frenck and @awarecan

I won't create any docs until we mutually agreed on the API, won't do it twice when it needs to be changed. Are you happy with meta being optional and False by default?

I'll look into testing the login flow as well... Just took the existing tests from insecure_example, which didn't include the login flow.

Strings for the frontend... alright.

[awarecan]

I am fine with meta being optional and False by default

[awarecan]

Here is the example of login flow test, https://github.com/home-assistant/home-assistant/blob/201fd4afeec56f031dab027f0b84debea5bced77/tests/auth/providers/test_homeassistant.py#L67

[klaasnicolaas]

home-assistant/home-assistant.io#8321

[bob1de]

I think this PR is ready for final review and merge now.

[balloob]

It looks good 🎉 Just one question about the username stripping. Probably easiest to implement the username stripping in the config flow btw.

[bob1de]

@balloob Hmm, I'm not sure I understand correctly. Usernames aren't stripped by this auth provider, as with any other existing provider I think.

[bob1de]

The only things that are stripped are the meta variables(currently only the user's real name).

[awarecan]

Balloob is referencing a recent merged PR, #20150

[balloob]

If a user enters "hello ", and the next time it enters "hello", the command line will probably see it as the same (or not?), the credentials are matched on user input, not on what script understood of it being.

[bob1de]

No, it won't. Environment variables preserve all characters. However, it depends on the script the user configures to run to not strip them itself. I can add a note about that to the docs.

[bob1de]

Did it.

[bob1de]

On the other hand, I see nothing that stands against stripping usernames from the beginning on. So do you think it should simply be done before it get's released to prevent having a breaking change later?

[bob1de]

@balloob Considering the modernized homeassistant auth provider from #20150, I'd probably start stripping usernames with the command_line auth provider from the beginning. Will change it in code & docs.

[balloob]

Niiiiiice 🎉