[api] Allow clearing noise psk if dynamically set (#11429)

2025-10-30 22:53:59 +00:00 · 2025-10-22 14:24:56 +13:00
parent c6ae1a5909
commit 2c1927fd12
5 changed files with 101 additions and 22 deletions
--- a/tests/integration/fixtures/noise_encryption_key_clear_protection.yaml
+++ b/tests/integration/fixtures/noise_encryption_key_clear_protection.yaml
@@ -0,0 +1,10 @@
+esphome:
+  name: noise-key-test
+
+host:
+
+api:
+  encryption:
+    key: "zX9/JHxMKwpP0jUGsF0iESCm1wRvNgR6NkKVOhn7kSs="
+
+logger:
--- a/tests/integration/test_noise_encryption_key_protection.py
+++ b/tests/integration/test_noise_encryption_key_protection.py
@@ -49,3 +49,42 @@ async def test_noise_encryption_key_protection(
        with pytest.raises(InvalidEncryptionKeyAPIError):
            async with api_client_connected(noise_psk=wrong_key) as client:
                await client.device_info()
+
+
+@pytest.mark.asyncio
+async def test_noise_encryption_key_clear_protection(
+    yaml_config: str,
+    run_compiled: RunCompiledFunction,
+    api_client_connected: APIClientConnectedFactory,
+) -> None:
+    """Test that noise encryption key set in YAML cannot be changed via API."""
+    # The key that's set in the YAML fixture
+    noise_psk = "zX9/JHxMKwpP0jUGsF0iESCm1wRvNgR6NkKVOhn7kSs="
+
+    # Keep ESPHome process running throughout all tests
+    async with run_compiled(yaml_config):
+        # First connection - test key change attempt
+        async with api_client_connected(noise_psk=noise_psk) as client:
+            # Verify connection is established
+            device_info = await client.device_info()
+            assert device_info is not None
+
+            # Try to set a new encryption key via API
+            new_key = b""  # Empty key to attempt to clear
+
+            # This should fail since key was set in YAML
+            success = await client.noise_encryption_set_key(new_key)
+            assert success is False
+
+        # Reconnect with the original key to verify it still works
+        async with api_client_connected(noise_psk=noise_psk) as client:
+            # Verify connection is still successful with original key
+            device_info = await client.device_info()
+            assert device_info is not None
+            assert device_info.name == "noise-key-test"
+
+        # Verify that connecting with a wrong key fails
+        wrong_key = base64.b64encode(b"y" * 32).decode()  # Different key
+        with pytest.raises(InvalidEncryptionKeyAPIError):
+            async with api_client_connected(noise_psk=wrong_key) as client:
+                await client.device_info()