Merge remote-tracking branch 'upstream/dev' into integration

2025-10-26 04:33:47 +00:00 · 2025-10-21 15:58:30 -10:00
parent ad2e6d1454 2c1927fd12
commit 740a66a4c0
6 changed files with 103 additions and 22 deletions
--- a/esphome/components/api/api_connection.cpp
+++ b/esphome/components/api/api_connection.cpp
@@ -1572,7 +1572,13 @@ bool APIConnection::send_noise_encryption_set_key_response(const NoiseEncryption
  resp.success = false;

  psk_t psk{};
-  if (base64_decode(msg.key, psk.data(), msg.key.size()) != psk.size()) {
+  if (msg.key.empty()) {
+    if (this->parent_->clear_noise_psk(true)) {
+      resp.success = true;
+    } else {
+      ESP_LOGW(TAG, "Failed to clear encryption key");
+    }
+  } else if (base64_decode(msg.key, psk.data(), msg.key.size()) != psk.size()) {
    ESP_LOGW(TAG, "Invalid encryption key length");
  } else if (!this->parent_->save_noise_psk(psk, true)) {
    ESP_LOGW(TAG, "Failed to save encryption key");
--- a/esphome/components/api/api_server.cpp
+++ b/esphome/components/api/api_server.cpp
@@ -468,6 +468,31 @@ uint16_t APIServer::get_port() const { return this->port_; }
 void APIServer::set_reboot_timeout(uint32_t reboot_timeout) { this->reboot_timeout_ = reboot_timeout; }

 #ifdef USE_API_NOISE
+bool APIServer::update_noise_psk_(const SavedNoisePsk &new_psk, const LogString *save_log_msg,
+                                  const LogString *fail_log_msg, const psk_t &active_psk, bool make_active) {
+  if (!this->noise_pref_.save(&new_psk)) {
+    ESP_LOGW(TAG, "%s", LOG_STR_ARG(fail_log_msg));
+    return false;
+  }
+  // ensure it's written immediately
+  if (!global_preferences->sync()) {
+    ESP_LOGW(TAG, "Failed to sync preferences");
+    return false;
+  }
+  ESP_LOGD(TAG, "%s", LOG_STR_ARG(save_log_msg));
+  if (make_active) {
+    this->set_timeout(100, [this, active_psk]() {
+      ESP_LOGW(TAG, "Disconnecting all clients to reset PSK");
+      this->set_noise_psk(active_psk);
+      for (auto &c : this->clients_) {
+        DisconnectRequest req;
+        c->send_message(req, DisconnectRequest::MESSAGE_TYPE);
+      }
+    });
+  }
+  return true;
+}
+
 bool APIServer::save_noise_psk(psk_t psk, bool make_active) {
 #ifdef USE_API_NOISE_PSK_FROM_YAML
  // When PSK is set from YAML, this function should never be called
@@ -482,27 +507,21 @@ bool APIServer::save_noise_psk(psk_t psk, bool make_active) {
  }

  SavedNoisePsk new_saved_psk{psk};
-  if (!this->noise_pref_.save(&new_saved_psk)) {
-    ESP_LOGW(TAG, "Failed to save Noise PSK");
-    return false;
-  }
-  // ensure it's written immediately
-  if (!global_preferences->sync()) {
-    ESP_LOGW(TAG, "Failed to sync preferences");
-    return false;
-  }
-  ESP_LOGD(TAG, "Noise PSK saved");
-  if (make_active) {
-    this->set_timeout(100, [this, psk]() {
-      ESP_LOGW(TAG, "Disconnecting all clients to reset PSK");
-      this->set_noise_psk(psk);
-      for (auto &c : this->clients_) {
-        DisconnectRequest req;
-        c->send_message(req, DisconnectRequest::MESSAGE_TYPE);
-      }
-    });
-  }
-  return true;
+  return this->update_noise_psk_(new_saved_psk, LOG_STR("Noise PSK saved"), LOG_STR("Failed to save Noise PSK"), psk,
+                                 make_active);
+#endif
+}
+bool APIServer::clear_noise_psk(bool make_active) {
+#ifdef USE_API_NOISE_PSK_FROM_YAML
+  // When PSK is set from YAML, this function should never be called
+  // but if it is, reject the change
+  ESP_LOGW(TAG, "Key set in YAML");
+  return false;
+#else
+  SavedNoisePsk empty_psk{};
+  psk_t empty{};
+  return this->update_noise_psk_(empty_psk, LOG_STR("Noise PSK cleared"), LOG_STR("Failed to clear Noise PSK"), empty,
+                                 make_active);
 #endif
 }
 #endif
--- a/esphome/components/api/api_server.h
+++ b/esphome/components/api/api_server.h
@@ -53,6 +53,7 @@ class APIServer : public Component, public Controller {

 #ifdef USE_API_NOISE
  bool save_noise_psk(psk_t psk, bool make_active = true);
+  bool clear_noise_psk(bool make_active = true);
  void set_noise_psk(psk_t psk) { noise_ctx_->set_psk(psk); }
  std::shared_ptr<APINoiseContext> get_noise_ctx() { return noise_ctx_; }
 #endif  // USE_API_NOISE
@@ -174,6 +175,10 @@ class APIServer : public Component, public Controller {

 protected:
  void schedule_reboot_timeout_();
+#ifdef USE_API_NOISE
+  bool update_noise_psk_(const SavedNoisePsk &new_psk, const LogString *save_log_msg, const LogString *fail_log_msg,
+                         const psk_t &active_psk, bool make_active);
+#endif  // USE_API_NOISE
  // Pointers and pointer-like types first (4 bytes each)
  std::unique_ptr<socket::Socket> socket_ = nullptr;
 #ifdef USE_API_CLIENT_CONNECTED_TRIGGER
--- a/esphome/core/defines.h
+++ b/esphome/core/defines.h
@@ -243,8 +243,10 @@
 // Dummy firmware payload for shelly_dimmer
 #define USE_SHD_FIRMWARE_MAJOR_VERSION 56
 #define USE_SHD_FIRMWARE_MINOR_VERSION 5
+// clang-format off
 #define USE_SHD_FIRMWARE_DATA \
  {}
+// clang-format on

 #define USE_WEBSERVER
 #define USE_WEBSERVER_AUTH
--- a/tests/integration/fixtures/noise_encryption_key_clear_protection.yaml
+++ b/tests/integration/fixtures/noise_encryption_key_clear_protection.yaml
@@ -0,0 +1,10 @@
+esphome:
+  name: noise-key-test
+
+host:
+
+api:
+  encryption:
+    key: "zX9/JHxMKwpP0jUGsF0iESCm1wRvNgR6NkKVOhn7kSs="
+
+logger:
--- a/tests/integration/test_noise_encryption_key_protection.py
+++ b/tests/integration/test_noise_encryption_key_protection.py
@@ -49,3 +49,42 @@ async def test_noise_encryption_key_protection(
        with pytest.raises(InvalidEncryptionKeyAPIError):
            async with api_client_connected(noise_psk=wrong_key) as client:
                await client.device_info()
+
+
+@pytest.mark.asyncio
+async def test_noise_encryption_key_clear_protection(
+    yaml_config: str,
+    run_compiled: RunCompiledFunction,
+    api_client_connected: APIClientConnectedFactory,
+) -> None:
+    """Test that noise encryption key set in YAML cannot be changed via API."""
+    # The key that's set in the YAML fixture
+    noise_psk = "zX9/JHxMKwpP0jUGsF0iESCm1wRvNgR6NkKVOhn7kSs="
+
+    # Keep ESPHome process running throughout all tests
+    async with run_compiled(yaml_config):
+        # First connection - test key change attempt
+        async with api_client_connected(noise_psk=noise_psk) as client:
+            # Verify connection is established
+            device_info = await client.device_info()
+            assert device_info is not None
+
+            # Try to set a new encryption key via API
+            new_key = b""  # Empty key to attempt to clear
+
+            # This should fail since key was set in YAML
+            success = await client.noise_encryption_set_key(new_key)
+            assert success is False
+
+        # Reconnect with the original key to verify it still works
+        async with api_client_connected(noise_psk=noise_psk) as client:
+            # Verify connection is still successful with original key
+            device_info = await client.device_info()
+            assert device_info is not None
+            assert device_info.name == "noise-key-test"
+
+        # Verify that connecting with a wrong key fails
+        wrong_key = base64.b64encode(b"y" * 32).decode()  # Different key
+        with pytest.raises(InvalidEncryptionKeyAPIError):
+            async with api_client_connected(noise_psk=wrong_key) as client:
+                await client.device_info()