From 982ca8967d21475436f8f92b4594762fdd0a1510 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Thu, 7 Dec 2023 02:38:01 +0100 Subject: [PATCH] home-assistant: don't depend on matter implicitly The matter integration is still stuck on OpenSSL 1.1, which is marked as insecure. Propagating matter through `after_dependencies` makes most of home-assistant transitively insecure. Unfortunately that requires disabling a number of core tests. --- .../home-assistant/component-packages.nix | 38 ------------------- pkgs/servers/home-assistant/default.nix | 14 +++++++ .../home-assistant/parse-requirements.py | 9 ++++- 3 files changed, 22 insertions(+), 39 deletions(-) diff --git a/pkgs/servers/home-assistant/component-packages.nix b/pkgs/servers/home-assistant/component-packages.nix index 8fd46bf70e87..9cbb9981bada 100644 --- a/pkgs/servers/home-assistant/component-packages.nix +++ b/pkgs/servers/home-assistant/component-packages.nix @@ -631,7 +631,6 @@ plexwebsocket psutil-home-assistant pychromecast - python-matter-server pyturbojpeg sqlalchemy webrtc-noise-gain @@ -670,16 +669,12 @@ aiohttp-cors aiohttp-fast-url-dispatcher aiohttp-zlib-ng - fnv-hash-fast ha-ffmpeg hass-nabucasa hassil home-assistant-intents mutagen - psutil-home-assistant - python-matter-server pyturbojpeg - sqlalchemy webrtc-noise-gain ]; "cloudflare" = ps: with ps; [ @@ -820,7 +815,6 @@ psutil-home-assistant pynacl pyserial - python-matter-server pyturbojpeg pyudev scapy @@ -1631,11 +1625,7 @@ aiohttp-cors aiohttp-fast-url-dispatcher aiohttp-zlib-ng - fnv-hash-fast - psutil-home-assistant - python-matter-server pyturbojpeg - sqlalchemy ]; "google_assistant_sdk" = ps: with ps; [ aiohttp-cors @@ -2668,17 +2658,13 @@ aiohttp-cors aiohttp-fast-url-dispatcher aiohttp-zlib-ng - fnv-hash-fast ha-ffmpeg hass-nabucasa hassil home-assistant-intents loqedapi mutagen - psutil-home-assistant - python-matter-server pyturbojpeg - sqlalchemy webrtc-noise-gain ]; "lovelace" = ps: with ps; [ 
@@ -2958,7 +2944,6 @@ pillow psutil-home-assistant pynacl - python-matter-server pyturbojpeg sqlalchemy webrtc-noise-gain @@ -3165,7 +3150,6 @@ mutagen psutil-home-assistant pyatmo - python-matter-server pyturbojpeg sqlalchemy webrtc-noise-gain @@ -3480,7 +3464,6 @@ aiohttp-cors aiohttp-fast-url-dispatcher aiohttp-zlib-ng - fnv-hash-fast ha-ffmpeg hass-nabucasa hassil @@ -3488,11 +3471,8 @@ janus mutagen paho-mqtt - psutil-home-assistant pynacl - python-matter-server pyturbojpeg - sqlalchemy webrtc-noise-gain ]; "p1_monitor" = ps: with ps; [ @@ -3582,17 +3562,13 @@ aiohttp-cors aiohttp-fast-url-dispatcher aiohttp-zlib-ng - fnv-hash-fast ha-ffmpeg hass-nabucasa hassil home-assistant-intents mutagen - psutil-home-assistant pyplaato - python-matter-server pyturbojpeg - sqlalchemy webrtc-noise-gain ]; "plant" = ps: with ps; [ @@ -3783,17 +3759,13 @@ aiohttp-cors aiohttp-fast-url-dispatcher aiohttp-zlib-ng - fnv-hash-fast ha-ffmpeg hass-nabucasa hassil home-assistant-intents mutagen - psutil-home-assistant - python-matter-server pyturbojpeg rachiopy - sqlalchemy webrtc-noise-gain ]; "radarr" = ps: with ps; [ @@ -3883,7 +3855,6 @@ mutagen pillow psutil-home-assistant - python-matter-server pyturbojpeg sqlalchemy webrtc-noise-gain @@ -4354,18 +4325,14 @@ aiohttp-cors aiohttp-fast-url-dispatcher aiohttp-zlib-ng - fnv-hash-fast ha-ffmpeg hass-nabucasa hassil home-assistant-intents mutagen - psutil-home-assistant pysmartapp pysmartthings - python-matter-server pyturbojpeg - sqlalchemy webrtc-noise-gain ]; "smarttub" = ps: with ps; [ @@ -4902,16 +4869,12 @@ aiohttp-cors aiohttp-fast-url-dispatcher aiohttp-zlib-ng - fnv-hash-fast ha-ffmpeg hass-nabucasa hassil home-assistant-intents mutagen - psutil-home-assistant - python-matter-server pyturbojpeg - sqlalchemy toonapi webrtc-noise-gain ]; @@ -5282,7 +5245,6 @@ home-assistant-intents mutagen psutil-home-assistant - python-matter-server pyturbojpeg sqlalchemy webrtc-noise-gain 
diff --git a/pkgs/servers/home-assistant/default.nix b/pkgs/servers/home-assistant/default.nix
index 71ef528549f9..dfa87bc04552 100644
--- a/pkgs/servers/home-assistant/default.nix
+++ b/pkgs/servers/home-assistant/default.nix
@@ -469,6 +469,18 @@ in python.pkgs.buildPythonApplication rec {
 "--deselect=tests/helpers/test_script.py::test_multiple_runs_repeat_choose"
 # SystemError: PyThreadState_SetAsyncExc failed
 "--deselect=tests/helpers/test_template.py::test_template_timeout"
+ # Various test failures, because we don't provide matter
+ # dependencies, because they depend on OpenSSL 1.1
+ # https://github.com/home-assistant-libs/chip-wheels/issues/24
+ # https://github.com/project-chip/connectedhomeip/issues/25688
+ "--deselect=tests/helpers/test_config_entry_flow.py::test_webhook_create_cloudhook"
+ "--deselect=tests/helpers/test_config_entry_flow.py::test_webhook_create_cloudhook_aborts_not_connected"
+ "--deselect=tests/helpers/test_script.py::test_validate_action_config"
+ "--deselect=tests/test_bootstrap.py::test_setup_hass_invalid_core_config"
+ "--deselect=tests/test_bootstrap.py::test_setup_hass_invalid_yaml"
+ "--deselect=tests/test_bootstrap.py::test_setup_hass_recovery_mode"
+ "--deselect=tests/test_bootstrap.py::test_setup_hass_recovery_mode_and_safe_mode"
+ "--deselect=tests/test_bootstrap.py::test_setup_recovery_mode_if_no_frontend"
 # tests are located in tests/
 "tests"
 ];
@@ -480,6 +492,8 @@ in python.pkgs.buildPythonApplication rec {
 "tests/pylint"
 # don't bulk test all components
 "tests/components"
+ # depends on matter depenency
+ "tests/helpers/test_network.py"
 ];
 
 preCheck = ''
diff --git a/pkgs/servers/home-assistant/parse-requirements.py b/pkgs/servers/home-assistant/parse-requirements.py
index bb5e70994320..ca1dc70909f5 100755
--- a/pkgs/servers/home-assistant/parse-requirements.py
+++ b/pkgs/servers/home-assistant/parse-requirements.py
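Review bot: In default.nix the eight new `--deselect` entries carry no marker for when they can be dropped, unlike the `TODO` on the matching filter in parse-requirements.py, so the lost coverage of the bootstrap and recovery-mode tests is likely to outlive the OpenSSL 1.1 problem. I would add `# TODO: re-enable once matter moves past OpenSSL 1.1` above the block. In the second hunk, `tests/helpers/test_network.py` is skipped as a whole file while the first hunk deselects individual tests; if only some tests in that file need matter, per-test `--deselect` entries would keep the rest running. The comment there should also read `# depends on matter dependency`.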
@@ -119,7 +119,14 @@ def parse_components(version: str = "master"):
 def get_reqs(components: Dict[str, Dict[str, Any]], component: str, processed: Set[str]) -> Set[str]:
 requirements = set(components[component].get("requirements", []))
 deps = components[component].get("dependencies", [])
- deps.extend(components[component].get("after_dependencies", []))
+ after_deps = components[component].get("after_dependencies", [])
+ try:
+ # Don't propagate matter dependency through after_dependencies
+ # TODO: remove after matter integration moves past OpenSSL 1.1
+ after_deps.remove("matter")
+ except ValueError:
+ pass
+ deps.extend(after_deps)
 processed.add(component)
 for dependency in deps:
 if dependency not in processed:
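Review bot: `after_deps.remove("matter")` edits the list stored inside `components[component]` in place, so the parsed manifest loses the entry for any later reader of that dict, and the `try`/`except ValueError: pass` is more machinery than this filter needs. A non-mutating one-liner does the same job: `after_deps = [d for d in components[component].get("after_dependencies", []) if d != "matter"]`. The filter only covers `after_dependencies`, so a component that lists matter under its hard `dependencies` would still pull in the OpenSSL 1.1 chain; that looks intended, but it is worth saying so in the comment. The body of get_reqs continues past the end of the hunk.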