Skip to content

Create decorator to check service permissions #22667

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
bachya merged 17 commits into from
Apr 13, 2019
Merged

Create decorator to check service permissions #22667

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
17 commits
Select commit Hold shift + click to select a range
ed5598e
Create decorator to check service permissions
bachya Apr 2, 2019
50222ad
Typing
bachya Apr 2, 2019
e280e47
Linting
bachya Apr 2, 2019
ce6282a
Member comments
bachya Apr 2, 2019
e3b154c
Linting
bachya Apr 3, 2019
4cd97ce
Member comments
bachya Apr 3, 2019
17b2fda
Updated import
bachya Apr 3, 2019
e4adf9f
Owner comments
bachya Apr 3, 2019
b1f19d2
Linting
bachya Apr 3, 2019
a5ef40b
Linting
bachya Apr 3, 2019
25e5dc3
More work
bachya Apr 4, 2019
0de9785
Fixed tests
bachya Apr 10, 2019
cc20152
Removed service helper tests in RainMachine
bachya Apr 10, 2019
2e94494
Linting
bachya Apr 11, 2019
fba5e09
Owner comments
bachya Apr 11, 2019
4b9435b
Linting
bachya Apr 11, 2019
bc5f3d2
Owner comments
balloob Apr 13, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
68 changes: 15 additions & 53 deletions homeassistant/components/rainmachine/__init__.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,22 +1,20 @@
"""Support for RainMachine devices."""
import logging
from datetime import timedelta
from functools import wraps

import voluptuous as vol

from homeassistant.auth.permissions.const import POLICY_CONTROL
from homeassistant.config_entries import SOURCE_IMPORT
from homeassistant.const import (
ATTR_ATTRIBUTION, CONF_BINARY_SENSORS, CONF_IP_ADDRESS, CONF_PASSWORD,
CONF_PORT, CONF_SCAN_INTERVAL, CONF_SENSORS, CONF_SSL,
CONF_MONITORED_CONDITIONS, CONF_SWITCHES)
from homeassistant.exceptions import (
ConfigEntryNotReady, Unauthorized, UnknownUser)
from homeassistant.exceptions import ConfigEntryNotReady
from homeassistant.helpers import aiohttp_client, config_validation as cv
from homeassistant.helpers.dispatcher import async_dispatcher_send
from homeassistant.helpers.entity import Entity
from homeassistant.helpers.event import async_track_time_interval
from homeassistant.helpers.service import verify_domain_control

from .config_flow import configured_instances
from .const import (
Expand Down Expand Up @@ -131,44 +129,6 @@
}, extra=vol.ALLOW_EXTRA)


def _check_valid_user(hass):
"""Ensure the user of a service call has proper permissions."""
def decorator(service):
"""Decorate."""
@wraps(service)
async def check_permissions(call):
"""Check user permission and raise before call if unauthorized."""
if not call.context.user_id:
return

user = await hass.auth.async_get_user(call.context.user_id)
if user is None:
raise UnknownUser(
context=call.context,
permission=POLICY_CONTROL
)

# RainMachine services don't interact with specific entities.
# Therefore, we examine _all_ RainMachine entities and if the user
# has permission to control _any_ of them, the user has permission
# to call the service:
en_reg = await hass.helpers.entity_registry.async_get_registry()
rainmachine_entities = [
entity.entity_id for entity in en_reg.entities.values()
if entity.platform == DOMAIN
]
for entity_id in rainmachine_entities:
if user.permissions.check_entity(entity_id, POLICY_CONTROL):
return await service(call)

raise Unauthorized(
context=call.context,
permission=POLICY_CONTROL,
)
return check_permissions
return decorator


async def async_setup(hass, config):
"""Set up the RainMachine component."""
hass.data[DOMAIN] = {}
Expand Down Expand Up @@ -198,6 +158,8 @@ async def async_setup_entry(hass, config_entry):
from regenmaschine import login
from regenmaschine.errors import RainMachineError

_verify_domain_control = verify_domain_control(hass, DOMAIN)

websession = aiohttp_client.async_get_clientsession(hass)

try:
Expand Down Expand Up @@ -238,69 +200,69 @@ async def refresh(event_time):
refresh,
timedelta(seconds=config_entry.data[CONF_SCAN_INTERVAL]))

@_check_valid_user(hass)
@_verify_domain_control
async def disable_program(call):
"""Disable a program."""
await rainmachine.client.programs.disable(
call.data[CONF_PROGRAM_ID])
async_dispatcher_send(hass, PROGRAM_UPDATE_TOPIC)

@_check_valid_user(hass)
@_verify_domain_control
async def disable_zone(call):
"""Disable a zone."""
await rainmachine.client.zones.disable(call.data[CONF_ZONE_ID])
async_dispatcher_send(hass, ZONE_UPDATE_TOPIC)

@_check_valid_user(hass)
@_verify_domain_control
async def enable_program(call):
"""Enable a program."""
await rainmachine.client.programs.enable(call.data[CONF_PROGRAM_ID])
async_dispatcher_send(hass, PROGRAM_UPDATE_TOPIC)

@_check_valid_user(hass)
@_verify_domain_control
async def enable_zone(call):
"""Enable a zone."""
await rainmachine.client.zones.enable(call.data[CONF_ZONE_ID])
async_dispatcher_send(hass, ZONE_UPDATE_TOPIC)

@_check_valid_user(hass)
@_verify_domain_control
async def pause_watering(call):
"""Pause watering for a set number of seconds."""
await rainmachine.client.watering.pause_all(call.data[CONF_SECONDS])
async_dispatcher_send(hass, PROGRAM_UPDATE_TOPIC)

@_check_valid_user(hass)
@_verify_domain_control
async def start_program(call):
"""Start a particular program."""
await rainmachine.client.programs.start(call.data[CONF_PROGRAM_ID])
async_dispatcher_send(hass, PROGRAM_UPDATE_TOPIC)

@_check_valid_user(hass)
@_verify_domain_control
async def start_zone(call):
"""Start a particular zone for a certain amount of time."""
await rainmachine.client.zones.start(
call.data[CONF_ZONE_ID], call.data[CONF_ZONE_RUN_TIME])
async_dispatcher_send(hass, ZONE_UPDATE_TOPIC)

@_check_valid_user(hass)
@_verify_domain_control
async def stop_all(call):
"""Stop all watering."""
await rainmachine.client.watering.stop_all()
async_dispatcher_send(hass, PROGRAM_UPDATE_TOPIC)

@_check_valid_user(hass)
@_verify_domain_control
async def stop_program(call):
"""Stop a program."""
await rainmachine.client.programs.stop(call.data[CONF_PROGRAM_ID])
async_dispatcher_send(hass, PROGRAM_UPDATE_TOPIC)

@_check_valid_user(hass)
@_verify_domain_control
async def stop_zone(call):
"""Stop a zone."""
await rainmachine.client.zones.stop(call.data[CONF_ZONE_ID])
async_dispatcher_send(hass, ZONE_UPDATE_TOPIC)

@_check_valid_user(hass)
@_verify_domain_control
async def unpause_watering(call):
"""Unpause watering."""
await rainmachine.client.watering.unpause_all()
Expand Down
51 changes: 49 additions & 2 deletions homeassistant/helpers/service.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,17 +7,20 @@

import voluptuous as vol

from homeassistant.auth.permissions.const import POLICY_CONTROL
from homeassistant.auth.permissions.const import CAT_ENTITIES, POLICY_CONTROL
from homeassistant.const import (
ATTR_ENTITY_ID, ENTITY_MATCH_ALL, ATTR_AREA_ID)
import homeassistant.core as ha
from homeassistant.exceptions import TemplateError, Unauthorized, UnknownUser
from homeassistant.exceptions import (
HomeAssistantError, TemplateError, Unauthorized, UnknownUser)
from homeassistant.helpers import template, typing
from homeassistant.loader import get_component, bind_hass
from homeassistant.util.yaml import load_yaml
import homeassistant.helpers.config_validation as cv
from homeassistant.util.async_ import run_coroutine_threadsafe

from .typing import HomeAssistantType

CONF_SERVICE = 'service'
CONF_SERVICE_TEMPLATE = 'service_template'
CONF_SERVICE_ENTITY_ID = 'entity_id'
Expand Down Expand Up @@ -360,3 +363,47 @@ async def admin_handler(call):
hass.services.async_register(
domain, service, admin_handler, schema
)


@bind_hass
@ha.callback
def verify_domain_control(hass: HomeAssistantType, domain: str) -> Callable:
"""Ensure permission to access any entity under domain in service call."""
def decorator(service_handler: Callable) -> Callable:
"""Decorate."""
if not asyncio.iscoroutinefunction(service_handler):
raise HomeAssistantError(
'Can only decorate async functions.')

async def check_permissions(call):
"""Check user permission and raise before call if unauthorized."""
if not call.context.user_id:
return await service_handler(call)

user = await hass.auth.async_get_user(call.context.user_id)
if user is None:
raise UnknownUser(
context=call.context,
permission=POLICY_CONTROL,
user_id=call.context.user_id)

reg = await hass.helpers.entity_registry.async_get_registry()
entities = [
entity.entity_id for entity in reg.entities.values()
if entity.platform == domain
]

for entity_id in entities:
if user.permissions.check_entity(entity_id, POLICY_CONTROL):
Comment thread
bachya marked this conversation as resolved.
Outdated
return await service_handler(call)

raise Unauthorized(
Comment thread
bachya marked this conversation as resolved.
context=call.context,
permission=POLICY_CONTROL,
user_id=call.context.user_id,
perm_category=CAT_ENTITIES
)

return check_permissions

return decorator
23 changes: 0 additions & 23 deletions tests/components/rainmachine/conftest.py
View file
Open in desktop

This file was deleted.

41 changes: 0 additions & 41 deletions tests/components/rainmachine/test_service_permissions.py
View file
Open in desktop

This file was deleted.

Loading