
Require admin on APIs to create/delete config entries from Supervisor discovery#169340

Merged: agners merged 1 commit into dev from hassio-discovery-apis-admin-required on Apr 28, 2026

Conversation

Contributor

@mdegat01 mdegat01 commented Apr 28, 2026

Breaking change

An admin role is now required to use POST /api/hassio_push/discovery/{uuid} and DELETE /api/hassio_push/discovery/{uuid}, the APIs that inform core about new discovery items in Supervisor in order to create or delete config entries.

Proposed change

The APIs that Supervisor uses to inform core about the addition or removal of discovery items in order to create or delete config entries now require an admin role to use.

The only input to these APIs is the UUID and service of a discovery item in Supervisor. And before processing the request it confirms with Supervisor. If Supervisor does not know about the discovery item the create call will fail. And if Supervisor still has record of a discovery item with a given UUID and service the delete call will fail. So they weren't really vulnerable to any particular spoofing, but as the only intended client is Supervisor they should require admin.

When adding a new non-admin user, the UI tells the operator:

The user group feature is a work in progress. The user will be unable to administer the instance via the UI. We're still auditing all management API endpoints to ensure that they correctly limit access to administrators.

This PR is part of that audit.

Type of change

  • Dependency upgrade
  • Bugfix (non-breaking change which fixes an issue)
  • New integration (thank you!)
  • New feature (which adds functionality to an existing integration)
  • Deprecation (breaking change to happen in the future)
  • Breaking change (fix/feature causing existing functionality to break)
  • Code quality improvements to existing code or addition of tests

Additional information

  • This PR fixes or closes issue: fixes #
  • This PR is related to issue:
  • Link to documentation pull request:
  • Link to developer documentation pull request:
  • Link to frontend pull request:

Checklist

  • I understand the code I am submitting and can explain how it works.
  • The code change is tested and works locally.
  • Local tests pass. Your PR cannot be merged unless tests pass
  • There is no commented out code in this PR.
  • I have followed the development checklist
  • I have followed the perfect PR recommendations
  • The code has been formatted using Ruff (ruff format homeassistant tests)
  • Tests have been added to verify that the new code works.
  • Any generated code has been carefully reviewed for correctness and compliance with project standards.

If user exposed functionality or configuration variables are added/changed:

If the code communicates with devices, web services, or third-party tools:

  • The manifest file has all fields filled out correctly.
    Updated and included derived files by running: python3 -m script.hassfest.
  • New or updated dependencies have been added to requirements_all.txt.
    Updated by running python3 -m script.gen_requirements_all.
  • For the updated dependencies a diff between library versions and ideally a link to the changelog/release notes is added to the PR description.

To help with the load of incoming pull requests:
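The two-layer check the PR description outlines, as an added example (not Home Assistant's code and not this PR's diff): an admin-role gate on the caller, then a Supervisor round trip before any config entry is created or removed. The `User` model, the `FakeSupervisor` client, the `DiscoveryPushView` class and its in-memory config-entry store are constructed stand-ins for this example; only the URL shape and the accept/reject rules follow the PR text.

```python
"""Added example, not Home Assistant's own code: a minimal model of the
Supervisor discovery push endpoints described in the PR.  Two layers guard
config-entry create/delete: the caller must hold the admin role, and
Supervisor must confirm (for create) or no longer know (for delete) the
discovery item.  User, FakeSupervisor and the entry store are constructed."""
from __future__ import annotations

import uuid as uuidlib
from dataclasses import dataclass, field
from functools import wraps
from typing import Any, Callable


class HTTPUnauthorized(Exception):
    """Non-admin caller hit an admin-only endpoint."""


class HTTPBadRequest(Exception):
    """Malformed input, or a request that Supervisor's state contradicts."""


@dataclass(frozen=True)
class User:
    name: str
    is_admin: bool


@dataclass(frozen=True)
class Discovery:
    uuid: str
    service: str
    addon: str
    config: dict[str, Any] = field(default_factory=dict)


class FakeSupervisor:
    """Stand-in for Supervisor's discovery API: the source of truth."""

    def __init__(self) -> None:
        self._items: dict[str, Discovery] = {}

    def add(self, item: Discovery) -> None:
        self._items[item.uuid] = item

    def remove(self, uuid: str) -> None:
        self._items.pop(uuid, None)

    def get_discovery_message(self, uuid: str) -> Discovery | None:
        return self._items.get(uuid)


def require_admin(handler: Callable[..., Any]) -> Callable[..., Any]:
    """First layer: reject any caller whose role is not admin."""

    @wraps(handler)
    def wrapper(self: "DiscoveryPushView", user: User, *a: Any, **kw: Any) -> Any:
        if not user.is_admin:
            raise HTTPUnauthorized(f"{user.name} is not an admin")
        return handler(self, user, *a, **kw)

    return wrapper


class DiscoveryPushView:
    """Model of POST/DELETE /api/hassio_push/discovery/{uuid}."""

    def __init__(self, supervisor: FakeSupervisor) -> None:
        self.supervisor = supervisor
        self.entries: dict[str, Discovery] = {}  # keyed by unique_id = discovery uuid

    @staticmethod
    def _parse_uuid(raw: str) -> str:
        try:
            return uuidlib.UUID(raw).hex
        except ValueError as err:
            raise HTTPBadRequest(f"malformed uuid {raw!r}") from err

    @require_admin
    def post(self, user: User, uuid: str, body: dict[str, Any]) -> dict[str, Any]:
        """Second layer for create: Supervisor must know uuid + service."""
        uuid = self._parse_uuid(uuid)
        item = self.supervisor.get_discovery_message(uuid)
        if item is None or item.service != body.get("service"):
            raise HTTPBadRequest("Supervisor has no such discovery item")
        self.entries[uuid] = item
        return {"result": "ok", "unique_id": uuid}

    @require_admin
    def delete(self, user: User, uuid: str, body: dict[str, Any]) -> dict[str, Any]:
        """Second layer for delete: refuse while Supervisor still has the item."""
        uuid = self._parse_uuid(uuid)
        item = self.supervisor.get_discovery_message(uuid)
        if item is not None and item.service == body.get("service"):
            raise HTTPBadRequest("discovery item still exists in Supervisor")
        return {"result": "ok", "removed": self.entries.pop(uuid, None) is not None}


def run_scenario() -> dict[str, Any]:
    """Drive the view through the cases the PR description spells out."""
    sup, out = FakeSupervisor(), {}
    view = DiscoveryPushView(sup)
    admin, viewer = User("supervisor", True), User("guest", False)
    item = Discovery(uuidlib.uuid4().hex, "mqtt", "mosquitto",
                     {"broker": "mock-broker", "port": 1883})  # constructed item
    sup.add(item)
    body = {"service": "mqtt", "uuid": item.uuid}
    for verb in (view.post, view.delete):  # non-admin is stopped before Supervisor is asked
        try:
            verb(viewer, item.uuid, body)
        except HTTPUnauthorized:
            out[f"non_admin_{verb.__name__}_rejected"] = True
    try:
        view.post(admin, uuidlib.uuid4().hex, body)  # uuid Supervisor never issued
    except HTTPBadRequest:
        out["unknown_item_rejected"] = True
    out["created"] = view.post(admin, item.uuid, body)["unique_id"] == item.uuid
    try:
        view.delete(admin, item.uuid, body)  # Supervisor still lists it
    except HTTPBadRequest:
        out["delete_refused_while_present"] = True
    sup.remove(item.uuid)
    out["deleted_after_supervisor_forgot"] = view.delete(admin, item.uuid, body)["removed"]
    out["entries_left"] = len(view.entries)
    return out
```

The admin gate runs before the UUID is even parsed, so a non-admin caller learns nothing about which discovery UUIDs Supervisor holds; the Supervisor round trip is what makes a forged UUID from an admin session harmless, which is the property the PR description describes.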

@home-assistant
Contributor

Hey there @home-assistant/supervisor, mind taking a look at this pull request as it has been labeled with an integration (hassio) you are listed as a code owner for? Thanks!

Code owner commands

Code owners of hassio can trigger bot actions by commenting:

  • @home-assistant close Closes the pull request.
  • @home-assistant mark-draft Mark the pull request as draft.
  • @home-assistant ready-for-review Remove the draft status from the pull request.
  • @home-assistant rename Awesome new title Renames the pull request.
  • @home-assistant reopen Reopen the pull request.
  • @home-assistant unassign hassio Removes the current integration label and assignees on the pull request, add the integration domain after the command.
  • @home-assistant update-branch Update the pull request branch with the base branch.
  • @home-assistant add-label needs-more-information Add a label (needs-more-information, problem in dependency, problem in custom component, problem in config, problem in device, feature-request) to the pull request.
  • @home-assistant remove-label needs-more-information Remove a label (needs-more-information, problem in dependency, problem in custom component, problem in config, problem in device, feature-request) on the pull request.

@mdegat01 mdegat01 changed the title Require admin on APIs to create and delete config entries from Superv… Require admin on APIs to create/delete config entries from Supervisor discovery Apr 28, 2026
Contributor

Copilot AI left a comment


Pull request overview

This PR tightens access control for Supervisor discovery push endpoints by requiring an admin user to create or delete config entries via Hass.io discovery.

Changes:

  • Add @require_admin enforcement to POST and DELETE /api/hassio_push/discovery/{uuid}.
  • Add/extend tests to assert non-admin requests are rejected and to cover delete behavior.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File: homeassistant/components/hassio/discovery.py
Description: Requires admin access for discovery push create/delete endpoints.

File: tests/components/hassio/test_discovery.py
Description: Adds tests for non-admin rejection and for delete behavior around discovery removal.

Comment on lines +281 to +303
unique_id=(uuid := uuid4()).hex,
state=config_entries.ConfigEntryState.LOADED,
source=config_entries.SOURCE_HASSIO,
)
entry.add_to_hass(hass)

get_discovery_message.return_value = Discovery(
addon="mosquitto",
service="mqtt",
uuid=(uuid := uuid4()),
config={
"broker": "mock-broker",
"port": 1883,
"username": "mock-user",
"password": "mock-pass",
"protocol": "3.1.1",
},
)

with patch.object(ConfigEntries, "async_remove") as mock_remove:
resp = await hassio_client.delete(
f"/api/hassio_push/discovery/{uuid.hex}",
json={"service": "mqtt", "uuid": uuid.hex},
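Review bot: the walrus on the `uuid=(uuid := uuid4())` line rebinds `uuid`, so by the `hassio_client.delete(...)` call it holds the discovery item's UUID and not the value used for `unique_id=(uuid := uuid4()).hex` on the config entry; the DELETE therefore targets a UUID that matches no config entry, and whatever is asserted afterwards about `mock_remove` cannot distinguish "Supervisor still has the item, so removal was refused" from "no entry matched". Bind the two as separate names (for example `entry_uuid` and `discovery_uuid`) and give them the same value for this case so the guard is what keeps `async_remove` from being called.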

Copilot AI Apr 28, 2026


Use distinct variables for the config entry UUID and the discovery UUID so the test actually verifies that an existing discovery item prevents removal of the matching config entry.

Member

@agners agners left a comment


LGTM!

@agners agners merged commit 33e5a96 into dev Apr 28, 2026
89 of 90 checks passed
@agners agners deleted the hassio-discovery-apis-admin-required branch April 28, 2026 09:38
@github-actions github-actions Bot locked and limited conversation to collaborators Apr 29, 2026