A small configurable service that can validate values against secrets without having to expose the secrets to other configurations. Home Assistant made the choice to not allow secrets inside of templates which makes checking a value against a secret in an automation or script difficult. While there are workarounds they are either insecure, rudimentary, inflexible, or some combination of these. With the Secret Service values can be validated against secrets stored in the secrets.yaml file or even hard coded into the service configuration.
Secrets are hashed using bcrypt with a random salt generated at setup time to ensure as much security as possible and limit where secrets are exposed. Secrets and hashes are not exposed via the service call or stored in the state, again the maintain as much security as possible.
| Name | Description |
|---|---|
| Single Secret Validation | Validation against a single named secret. |
| Grouped Secret Validation | Validation against one or more secrets with a single name. This can be useful when you want to provide different secrets but validate in a single call. Each group can only have one instance of each secret. |
| Name | Description |
|---|---|
| Rate Limiting | Configurable limits on how often secrets can be validated against to prevent brute force attacks. |
| Failure Limits | Configurable limits on how many times a failed validation can occur and options to handle when the limits are reached (eg. lock for a period of time) |
| Conditions | Allow secrets and groups to have conditions on their use allowing for even greater customization. This assumes that there's a way to use the existing condition system within the integration, more research is needed here. |
- Open HACS
- Go to Integrations
- Click the ellipse button in the top right and select Custom Repositories
- Enter the following information
- Repository:
https://github.com/amura11/ha-secret-service - Category:
Integration
- Repository:
- Click "Add"
- Close the modal then click Explore & Download Repositories
- Search for `Secret Checker`` and select the repository
- Click the Download button
- Restart Home Assistant
- Add an entry to your configuration for the Secret Service
- Restart Home Assistant ...again
- Using the tool of choice open the directory (folder) for your HA configuration (where you find
configuration.yaml). - If you do not have a
custom_componentsdirectory (folder) there, you need to create it. - In the
custom_componentsdirectory (folder) create a new folder calledsecret_service. - Download all the files from the
custom_components/secret_service/directory (folder) in this repository. - Place the files you downloaded in the new directory (folder) you created.
- Restart Home Assistant
- Add an entry to your configuration for the Secret Service
- Restart Home Assistant ...again
| Name | Type | Description | Required | Default |
|---|---|---|---|---|
secrets |
array | An array of Secret Configurations | * | |
groups |
array | An array of Group Configurations | * |
*Groups and secrets are not required but you should at least have one otherwise why are you using the service? 🤔
Note: The same secret can appear in the secrets section multiple times and the same secret can appear in the secrets section and in the groups section. However, the same secret cannot appear more than once in the secrets section of a single group. The way secrets are checked in a group uses the secret itself (although hashed) as a key and having the secret appear multiple times wouldn't work.
| Name | Type | Description | Required | Default |
|---|---|---|---|---|
secret |
string | The name of the secret that will be used when calling the service to validate a value against this secret. | ✔ | |
value |
string | The actual value of the secret. This can be pulled from the secrets.yaml file or hard coded. |
✔ |
| Name | Type | Description | Required | Default |
|---|---|---|---|---|
group |
string | The name of the group that will be used when calling the service to validate a value against this group. | ✔ | |
secrets |
array | An array of Secret Configurations | ✔ |
secret_service:
secrets:
- secret: secret_a
value: !secret my_secret
groups:
- group: group_1
secrets:
- secret: secret_1
value: qtPHuwV2vEVanS
- secret: secret_2
value: !secret my_secret
Call the service using the parameters described below.
| Name | Type | Description | Required | Default |
|---|---|---|---|---|
name |
string | The name of the group or secret that the value should be validated against | ✔ | |
value |
array | An array of Secret Configurations | ✔ | |
full_response |
bool | When True the response result field will contain all validation data. When False the result field a simple bool |
False |
When using full_response: False:
{
result: <true|false>
}
When using full_response: True:
{
result: <"success"|"failed_invalid"|"failed_attempts_exceeded"|"failed_rate_exceeded">
}
Note: More data will be added to this in the future but result will always hold the result codes above.
service: secret_service.check_secret
data:
name: "group_or_secret_name"
value: "sEcReTpAsSwOrD"
alias: Test
sequence:
- service: secret_service.check_secret
data:
name: secret_a
value: "{{code}}"
response_variable: check_result
- condition: template
value_template: "{{ check_result.result }}"
- service: system_log.write
data:
level: info
message: Check successful
mode: single
icon: mdi:test-tube
Where the code variable is passed in as data to the script.
If you want to contribute to this please read the Contribution guidelines