Merge pull request #43 from NabuCasa/dev

Release 0.10
NabuCasa · Mar 21, 2019 · be292c7 · be292c7
2 parents 8940148 + 4dbd2c3
commit be292c7
Show file tree

Hide file tree

Showing 5 changed files with 36 additions and 4 deletions.
diff --git a/hass_nabucasa/acme.py b/hass_nabucasa/acme.py
@@ -134,6 +134,7 @@ def _generate_csr(self) -> bytes:
             key_pem = OpenSSL.crypto.dump_privatekey(OpenSSL.crypto.FILETYPE_PEM, key)
 
             self.path_private_key.write_bytes(key_pem)
+            self.path_private_key.chmod(0o600)
 
         return crypto_util.make_csr(key_pem, [self._domain])
 
@@ -377,3 +378,21 @@ async def reset_acme(self) -> None:
             self._acme_client = None
             self._account_jwk = None
             self._x509 = None
+
+    async def hardening_files(self) -> None:
+        """Control permission on files."""
+        def _control():
+            # Set file permission to 0600
+            if self.path_account_key.exists():
+                self.path_account_key.chmod(0o600)
+            if self.path_registration_info.exists():
+                self.path_registration_info.chmod(0o600)
+            if self.path_fullchain.exists():
+                self.path_fullchain.chmod(0o600)
+            if self.path_private_key.exists():
+                self.path_private_key.chmod(0o600)
+
+        try:
+            await self.cloud.run_executor(_control)
+        except OSError:
+            _LOGGER.warning("Can't check and hardening file permission")
diff --git a/hass_nabucasa/remote.py b/hass_nabucasa/remote.py
@@ -161,6 +161,7 @@ async def load_backend(self) -> None:
                     "Home Assistant Cloud",
                     const.MESSAGE_REMOTE_READY,
                 )
+        await self._acme.hardening_files()
 
         # Setup snitun / aiohttp wrapper
         context = await self._create_context()
@@ -236,7 +237,7 @@ async def _refresh_snitun_token(self) -> None:
             aes_key,
             aes_iv,
             utils.utc_from_timestamp(data["valid"]),
-            data["throttling"]
+            data["throttling"],
         )
 
     async def connect(self) -> None:
@@ -252,8 +253,10 @@ async def connect(self) -> None:
         try:
             await self._refresh_snitun_token()
             await self._snitun.connect(
-                self._token.fernet, self._token.aes_key, self._token.aes_iv,
-                throttling=self._token.throttling
+                self._token.fernet,
+                self._token.aes_key,
+                self._token.aes_iv,
+                throttling=self._token.throttling,
             )
 
             self.cloud.client.dispatcher_message(const.DISPATCH_REMOTE_CONNECT)

diff --git a/setup.py b/setup.py
@@ -1,6 +1,6 @@
 from setuptools import setup
 
-VERSION = "0.9"
+VERSION = "0.10"
 
 setup(
     name="hass-nabucasa",

diff --git a/tests/common.py b/tests/common.py
@@ -113,6 +113,7 @@ def __init__(self):
         self.call_issue = False
         self.call_reset = False
         self.call_load = False
+        self.call_hardening = False
         self.init_args = None
 
         self.common_name = None
@@ -144,6 +145,10 @@ async def load_certificate(self):
         """Load certificate."""
         self.call_load = True
 
+    async def hardening_files(self):
+        """Hardening files."""
+        self.call_hardening = True
+
     def __call__(self, *args):
         """Init."""
         self.init_args = args

diff --git a/tests/test_remote.py b/tests/test_remote.py
@@ -85,6 +85,7 @@ async def test_load_backend_exists_cert(
         "test.dui.nabu.casa",
         "[email protected]",
     )
+    assert acme_mock.call_hardening
     assert snitun_mock.call_start
     assert snitun_mock.init_args == (None, None)
     assert snitun_mock.init_kwarg == {
@@ -141,6 +142,7 @@ async def test_load_backend_not_exists_cert(
         "test.dui.nabu.casa",
         "[email protected]",
     )
+    assert acme_mock.call_hardening
     assert snitun_mock.call_start
     assert snitun_mock.init_args == (None, None)
     assert snitun_mock.init_kwarg == {
@@ -192,6 +194,7 @@ async def test_load_and_unload_backend(
         "test.dui.nabu.casa",
         "[email protected]",
     )
+    assert acme_mock.call_hardening
     assert snitun_mock.call_start
     assert not snitun_mock.call_stop
     assert snitun_mock.init_args == (None, None)
@@ -251,6 +254,7 @@ async def test_load_backend_exists_wrong_cert(
         "test.dui.nabu.casa",
         "[email protected]",
     )
+    assert acme_mock.call_hardening
     assert snitun_mock.call_start
     assert snitun_mock.init_args == (None, None)
     assert snitun_mock.init_kwarg == {
@@ -332,6 +336,7 @@ async def test_load_backend_no_autostart(
 
     assert remote.snitun_server == "rest-remote.nabu.casa"
     assert not acme_mock.call_issue
+    assert acme_mock.call_hardening
     assert snitun_mock.call_start
 
     assert not snitun_mock.call_connect