Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add config for trusted networks auth provider #21111

Merged
merged 9 commits into from
Feb 26, 2019
Merged

Add config for trusted networks auth provider #21111

merged 9 commits into from
Feb 26, 2019

Conversation

awarecan
Copy link
Contributor

@awarecan awarecan commented Feb 16, 2019
edited
Loading

Description:

Add config for trusted networks auth provider.

Breaking changes
It is a breaking changes for user who manual configured trusted network auth provider. An invalid config error will be thrown and HA won't be able to fully started.

It is NOT a breaking changes for user who didn't manual configured trusted network auth provider.

If trusted_networks configured in http component, and no auth_provider configured in core config, http.trusted_networks value will be used for default loaded trusted network auth provider.

Related issue (if applicable): fixes #16149

Pull request in home-assistant.io with documentation (if applicable): home-assistant/home-assistant.io#8605

Example entry for configuration.yaml (if applicable):

homeassistant:
  auth_providers:
   - type: trusted_networks
     trusted_networks:
      - 127.0.0.1
      - ::1
      - 192.168.0.0/24
      - fd00::/8

Checklist:

  • The code change is tested and works locally.
  • Local tests pass with tox. Your PR cannot be merged unless tests pass
  • There is no commented out code in this PR.

If user exposed functionality or configuration variables are added/changed:

If the code does not interact with devices:

  • Tests have been added to verify that the new code works.

@awarecan awarecan requested a review from a team as a code owner February 16, 2019 05:54
@ghost ghost assigned awarecan Feb 16, 2019
@ghost ghost added the in progress label Feb 16, 2019
@awarecan awarecan mentioned this pull request Feb 16, 2019
Merged
2 tasks
@elupus
Copy link
Contributor

elupus commented Feb 16, 2019

May I suggest a different syntax now that this is changed? May not be required, but id like to mention it.

It would be nice to be able to map a range to a user. Also allow X-Forwarded-User header from some ip:s to map to hass user.

So we'd need config options on each ip entry.

Simplest might be to just make it a dict instead of list.

@awarecan
Copy link
Contributor Author

IP / user mapping could be done in separate pull request. I want to keep PR small.

I won't add X-Forwarded-User support, that should be done by another "trusted proxy" auth provider, not trusted networks auth provider

@elupus
Copy link
Contributor

elupus commented Feb 16, 2019 via email
edited
Loading

@awarecan awarecan added the auth label Feb 17, 2019
@balloob
Copy link
Member

balloob commented Feb 18, 2019

@elupus I think it's fine. We can always add a new key user_trusted_networks.

balloob
balloob reviewed Feb 18, 2019
View reviewed changes
homeassistant/bootstrap.py
has_trusted_networks = bool((config.get('http') or {})
.get('trusted_networks'))
has_api_password = bool(config.get('http', {}).get('api_password'))
trusted_networks = config.get('http', {}).get('trusted_networks')
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The reason we had an or is because people can have a config like this:

http:

And then it can be None? Although if I remember correctly, we do replace None with {}

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

trusted_networks will be None for the case

http:

@elupus
Copy link
Contributor

elupus commented Feb 18, 2019
edited
Loading

My idea was just to be able to do:


192.168.1.1/32:
    mapped_user: pete
192.168.1.2/32:
    mapped_user: dave
192.168.1.3/32:
    mapped_user_from_proxy: true

But sure it's no problem to handle this in a different format.

@awarecan
Copy link
Contributor Author

@elupus that feature will change several places in the login flow, not only in the config of trusted networks auth provider. A separate pull request is need.

balloob
balloob reviewed Feb 26, 2019
View reviewed changes
homeassistant/config.py Outdated Show resolved Hide resolved
balloob
balloob reviewed Feb 26, 2019
View reviewed changes
homeassistant/config.py Outdated

mfa_conf = config.get(CONF_AUTH_MFA_MODULES, [
{'type': 'totp', 'id': 'totp', 'name': 'Authenticator app'},
])
_LOGGER.info('A Authenticator app MFA module is automatic configured')
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's drop this one.

@ghost ghost assigned balloob Feb 26, 2019
@balloob balloob merged commit 7bae768 into home-assistant:dev Feb 26, 2019
@ghost ghost removed the in progress label Feb 26, 2019
@balloob balloob mentioned this pull request Mar 6, 2019
Merged
@dpembo dpembo mentioned this pull request Mar 7, 2019
Closed
@awarecan awarecan deleted the trust-network-auth-provider-config branch March 12, 2019 05:50
@Aeroid Aeroid mentioned this pull request Jan 9, 2022
Merged
22 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@houndci-bot houndci-bot houndci-bot left review comments

@balloob balloob balloob approved these changes

Assignees

@balloob balloob

@awarecan awarecan

Labels
auth breaking-change cla-signed core
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Trusted networks auth provider needs to have its own config
5 participants
@awarecan @elupus @balloob @houndci-bot @homeassistant