From 85324123dd3ad03228d60c452a7eade70f58bd08 Mon Sep 17 00:00:00 2001
From: Jason Hu <awaregit@gmail.com>
Date: Thu, 2 Aug 2018 23:10:07 -0700
Subject: [PATCH] Make sure use_x_forward_for and trusted_proxies must config
 together

---
 homeassistant/components/http/__init__.py |  8 +++----
 tests/components/http/test_init.py        | 28 +++++++++++++++++++++++
 2 files changed, 32 insertions(+), 4 deletions(-)

diff --git a/homeassistant/components/http/__init__.py b/homeassistant/components/http/__init__.py
index 42629f752ad145..9f1b5995839db2 100644
--- a/homeassistant/components/http/__init__.py
+++ b/homeassistant/components/http/__init__.py
@@ -66,8 +66,8 @@
     vol.Optional(CONF_SSL_KEY): cv.isfile,
     vol.Optional(CONF_CORS_ORIGINS, default=[]):
         vol.All(cv.ensure_list, [cv.string]),
-    vol.Optional(CONF_USE_X_FORWARDED_FOR, default=False): cv.boolean,
-    vol.Optional(CONF_TRUSTED_PROXIES, default=[]):
+    vol.Inclusive(CONF_USE_X_FORWARDED_FOR, 'proxy'): cv.boolean,
+    vol.Inclusive(CONF_TRUSTED_PROXIES, 'proxy'):
         vol.All(cv.ensure_list, [ip_network]),
     vol.Optional(CONF_TRUSTED_NETWORKS, default=[]):
         vol.All(cv.ensure_list, [ip_network]),
@@ -96,8 +96,8 @@ async def async_setup(hass, config):
     ssl_peer_certificate = conf.get(CONF_SSL_PEER_CERTIFICATE)
     ssl_key = conf.get(CONF_SSL_KEY)
     cors_origins = conf[CONF_CORS_ORIGINS]
-    use_x_forwarded_for = conf[CONF_USE_X_FORWARDED_FOR]
-    trusted_proxies = conf[CONF_TRUSTED_PROXIES]
+    use_x_forwarded_for = conf.get(CONF_USE_X_FORWARDED_FOR, False)
+    trusted_proxies = conf.get(CONF_TRUSTED_PROXIES, [])
     trusted_networks = conf[CONF_TRUSTED_NETWORKS]
     is_ban_enabled = conf[CONF_IP_BAN_ENABLED]
     login_threshold = conf[CONF_LOGIN_ATTEMPTS_THRESHOLD]
diff --git a/tests/components/http/test_init.py b/tests/components/http/test_init.py
index d5368032a376bb..2ffaf17bebcca1 100644
--- a/tests/components/http/test_init.py
+++ b/tests/components/http/test_init.py
@@ -96,3 +96,31 @@ async def test_not_log_password(hass, aiohttp_client, caplog):
     # Ensure we don't log API passwords
     assert '/api/' in logs
     assert 'some-pass' not in logs
+
+
+async def test_proxy_config(hass):
+    """Test use_x_forwarded_for must config together with trusted_proxies."""
+    assert await async_setup_component(hass, 'http', {
+        'http': {
+            http.CONF_USE_X_FORWARDED_FOR: True,
+            http.CONF_TRUSTED_PROXIES: ['127.0.0.1']
+        }
+    }) is True
+
+
+async def test_proxy_config_only_use_xff(hass):
+    """Test use_x_forwarded_for must config together with trusted_proxies."""
+    assert await async_setup_component(hass, 'http', {
+        'http': {
+            http.CONF_USE_X_FORWARDED_FOR: True
+        }
+    }) is not True
+
+
+async def test_proxy_config_only_trust_proxies(hass):
+    """Test use_x_forwarded_for must config together with trusted_proxies."""
+    assert await async_setup_component(hass, 'http', {
+        'http': {
+            http.CONF_TRUSTED_PROXIES: ['127.0.0.1']
+        }
+    }) is not True