home-assistant: don't depend on matter implicitly

The matter integration is still stuck on OpenSSL 1.1, which is marked as insecure. Propagating matter through `after_dependencies` makes most of home-assistant transitively insecure. Unfortunately that requires disabling a number of core tests.
2023-12-07 02:38:01 +01:00 · 2023-12-07 02:38:01 +01:00 · 982ca8967d
commit 982ca8967d
parent 4324d082b2
3 changed files with 22 additions and 39 deletions
--- a/pkgs/servers/home-assistant/component-packages.nix
+++ b/pkgs/servers/home-assistant/component-packages.nix
@ -631,7 +631,6 @@
      plexwebsocket
      psutil-home-assistant
      pychromecast
-      python-matter-server
      pyturbojpeg
      sqlalchemy
      webrtc-noise-gain
@ -670,16 +669,12 @@
      aiohttp-cors
      aiohttp-fast-url-dispatcher
      aiohttp-zlib-ng
-      fnv-hash-fast
      ha-ffmpeg
      hass-nabucasa
      hassil
      home-assistant-intents
      mutagen
-      psutil-home-assistant
-      python-matter-server
      pyturbojpeg
-      sqlalchemy
      webrtc-noise-gain
    ];
    "cloudflare" = ps: with ps; [
@ -820,7 +815,6 @@
      psutil-home-assistant
      pynacl
      pyserial
-      python-matter-server
      pyturbojpeg
      pyudev
      scapy
@ -1631,11 +1625,7 @@
      aiohttp-cors
      aiohttp-fast-url-dispatcher
      aiohttp-zlib-ng
-      fnv-hash-fast
-      psutil-home-assistant
-      python-matter-server
      pyturbojpeg
-      sqlalchemy
    ];
    "google_assistant_sdk" = ps: with ps; [
      aiohttp-cors
@ -2668,17 +2658,13 @@
      aiohttp-cors
      aiohttp-fast-url-dispatcher
      aiohttp-zlib-ng
-      fnv-hash-fast
      ha-ffmpeg
      hass-nabucasa
      hassil
      home-assistant-intents
      loqedapi
      mutagen
-      psutil-home-assistant
-      python-matter-server
      pyturbojpeg
-      sqlalchemy
      webrtc-noise-gain
    ];
    "lovelace" = ps: with ps; [
@ -2958,7 +2944,6 @@
      pillow
      psutil-home-assistant
      pynacl
-      python-matter-server
      pyturbojpeg
      sqlalchemy
      webrtc-noise-gain
@ -3165,7 +3150,6 @@
      mutagen
      psutil-home-assistant
      pyatmo
-      python-matter-server
      pyturbojpeg
      sqlalchemy
      webrtc-noise-gain
@ -3480,7 +3464,6 @@
      aiohttp-cors
      aiohttp-fast-url-dispatcher
      aiohttp-zlib-ng
-      fnv-hash-fast
      ha-ffmpeg
      hass-nabucasa
      hassil
@ -3488,11 +3471,8 @@
      janus
      mutagen
      paho-mqtt
-      psutil-home-assistant
      pynacl
-      python-matter-server
      pyturbojpeg
-      sqlalchemy
      webrtc-noise-gain
    ];
    "p1_monitor" = ps: with ps; [
@ -3582,17 +3562,13 @@
      aiohttp-cors
      aiohttp-fast-url-dispatcher
      aiohttp-zlib-ng
-      fnv-hash-fast
      ha-ffmpeg
      hass-nabucasa
      hassil
      home-assistant-intents
      mutagen
-      psutil-home-assistant
      pyplaato
-      python-matter-server
      pyturbojpeg
-      sqlalchemy
      webrtc-noise-gain
    ];
    "plant" = ps: with ps; [
@ -3783,17 +3759,13 @@
      aiohttp-cors
      aiohttp-fast-url-dispatcher
      aiohttp-zlib-ng
-      fnv-hash-fast
      ha-ffmpeg
      hass-nabucasa
      hassil
      home-assistant-intents
      mutagen
-      psutil-home-assistant
-      python-matter-server
      pyturbojpeg
      rachiopy
-      sqlalchemy
      webrtc-noise-gain
    ];
    "radarr" = ps: with ps; [
@ -3883,7 +3855,6 @@
      mutagen
      pillow
      psutil-home-assistant
-      python-matter-server
      pyturbojpeg
      sqlalchemy
      webrtc-noise-gain
@ -4354,18 +4325,14 @@
      aiohttp-cors
      aiohttp-fast-url-dispatcher
      aiohttp-zlib-ng
-      fnv-hash-fast
      ha-ffmpeg
      hass-nabucasa
      hassil
      home-assistant-intents
      mutagen
-      psutil-home-assistant
      pysmartapp
      pysmartthings
-      python-matter-server
      pyturbojpeg
-      sqlalchemy
      webrtc-noise-gain
    ];
    "smarttub" = ps: with ps; [
@ -4902,16 +4869,12 @@
      aiohttp-cors
      aiohttp-fast-url-dispatcher
      aiohttp-zlib-ng
-      fnv-hash-fast
      ha-ffmpeg
      hass-nabucasa
      hassil
      home-assistant-intents
      mutagen
-      psutil-home-assistant
-      python-matter-server
      pyturbojpeg
-      sqlalchemy
      toonapi
      webrtc-noise-gain
    ];
@ -5282,7 +5245,6 @@
      home-assistant-intents
      mutagen
      psutil-home-assistant
-      python-matter-server
      pyturbojpeg
      sqlalchemy
      webrtc-noise-gain
--- a/pkgs/servers/home-assistant/default.nix
+++ b/pkgs/servers/home-assistant/default.nix
@ -469,6 +469,18 @@ in python.pkgs.buildPythonApplication rec {
    "--deselect=tests/helpers/test_script.py::test_multiple_runs_repeat_choose"
    # SystemError: PyThreadState_SetAsyncExc failed
    "--deselect=tests/helpers/test_template.py::test_template_timeout"
+    # Various test failures, because we don't provide matter
+    # dependencies, because they depend on OpenSSL 1.1
+    # https://github.com/home-assistant-libs/chip-wheels/issues/24
+    # https://github.com/project-chip/connectedhomeip/issues/25688
+    "--deselect=tests/helpers/test_config_entry_flow.py::test_webhook_create_cloudhook"
+    "--deselect=tests/helpers/test_config_entry_flow.py::test_webhook_create_cloudhook_aborts_not_connected"
+    "--deselect=tests/helpers/test_script.py::test_validate_action_config"
+    "--deselect=tests/test_bootstrap.py::test_setup_hass_invalid_core_config"
+    "--deselect=tests/test_bootstrap.py::test_setup_hass_invalid_yaml"
+    "--deselect=tests/test_bootstrap.py::test_setup_hass_recovery_mode"
+    "--deselect=tests/test_bootstrap.py::test_setup_hass_recovery_mode_and_safe_mode"
+    "--deselect=tests/test_bootstrap.py::test_setup_recovery_mode_if_no_frontend"
    # tests are located in tests/
    "tests"
  ];
@ -480,6 +492,8 @@ in python.pkgs.buildPythonApplication rec {
    "tests/pylint"
    # don't bulk test all components
    "tests/components"
+    # depends on matter depenency
+    "tests/helpers/test_network.py"
  ];

  preCheck = ''
--- a/pkgs/servers/home-assistant/parse-requirements.py
+++ b/pkgs/servers/home-assistant/parse-requirements.py
@ -119,7 +119,14 @@ def parse_components(version: str = "master"):
 def get_reqs(components: Dict[str, Dict[str, Any]], component: str, processed: Set[str]) -> Set[str]:
    requirements = set(components[component].get("requirements", []))
    deps = components[component].get("dependencies", [])
-    deps.extend(components[component].get("after_dependencies", []))
+    after_deps = components[component].get("after_dependencies", [])
+    try:
+        # Don't propagate matter dependency through after_dependencies
+        # TODO: remove after matter integration moves past OpenSSL 1.1
+        after_deps.remove("matter")
+    except ValueError:
+        pass
+    deps.extend(after_deps)
    processed.add(component)
    for dependency in deps:
        if dependency not in processed: