2025.5.1 (home-assistant#144564)

Author: frenck

homeassistant/components/backup/http.py

@@ -22,7 +22,7 @@
 from .agent import BackupAgent
 from .const import DATA_MANAGER
 from .manager import BackupManager
-from .models import BackupNotFound
+from .models import AgentBackup, BackupNotFound
 
 
 @callback
@@ -85,7 +85,15 @@ async def get(
                     request, headers, backup_id, agent_id, agent, manager
                 )
             return await self._send_backup_with_password(
-                hass, request, headers, backup_id, agent_id, password, agent, manager
+                hass,
+                backup,
+                request,
+                headers,
+                backup_id,
+                agent_id,
+                password,
+                agent,
+                manager,
             )
         except BackupNotFound:
             return Response(status=HTTPStatus.NOT_FOUND)
@@ -116,6 +124,7 @@ async def _send_backup_no_password(
     async def _send_backup_with_password(
         self,
         hass: HomeAssistant,
+        backup: AgentBackup,
         request: Request,
         headers: dict[istr, str],
         backup_id: str,
@@ -144,7 +153,8 @@ def on_done(error: Exception | None) -> None:
 
         stream = util.AsyncIteratorWriter(hass)
         worker = threading.Thread(
-            target=util.decrypt_backup, args=[reader, stream, password, on_done, 0, []]
+            target=util.decrypt_backup,
+            args=[backup, reader, stream, password, on_done, 0, []],
         )
         try:
             worker.start()

homeassistant/components/backup/util.py

@@ -295,13 +295,26 @@ def validate_password_stream(
     raise BackupEmpty
 
 
+def _get_expected_archives(backup: AgentBackup) -> set[str]:
+    """Get the expected archives in the backup."""
+    expected_archives = set()
+    if backup.homeassistant_included:
+        expected_archives.add("homeassistant")
+    for addon in backup.addons:
+        expected_archives.add(addon.slug)
+    for folder in backup.folders:
+        expected_archives.add(folder.value)
+    return expected_archives
+
+
 def decrypt_backup(
+    backup: AgentBackup,
     input_stream: IO[bytes],
     output_stream: IO[bytes],
     password: str | None,
     on_done: Callable[[Exception | None], None],
     minimum_size: int,
-    nonces: list[bytes],
+    nonces: NonceGenerator,
 ) -> None:
     """Decrypt a backup."""
     error: Exception | None = None
@@ -315,7 +328,7 @@ def decrypt_backup(
                     fileobj=output_stream, mode="w|", bufsize=BUF_SIZE
                 ) as output_tar,
             ):
-                _decrypt_backup(input_tar, output_tar, password)
+                _decrypt_backup(backup, input_tar, output_tar, password)
         except (DecryptError, SecureTarError, tarfile.TarError) as err:
             LOGGER.warning("Error decrypting backup: %s", err)
             error = err
@@ -333,15 +346,18 @@ def decrypt_backup(
 
 
 def _decrypt_backup(
+    backup: AgentBackup,
     input_tar: tarfile.TarFile,
     output_tar: tarfile.TarFile,
     password: str | None,
 ) -> None:
     """Decrypt a backup."""
+    expected_archives = _get_expected_archives(backup)
     for obj in input_tar:
         # We compare with PurePath to avoid issues with different path separators,
         # for example when backup.json is added as "./backup.json"
-        if PurePath(obj.name) == PurePath("backup.json"):
+        object_path = PurePath(obj.name)
+        if object_path == PurePath("backup.json"):
             # Rewrite the backup.json file to indicate that the backup is decrypted
             if not (reader := input_tar.extractfile(obj)):
                 raise DecryptError
@@ -352,7 +368,13 @@ def _decrypt_backup(
             metadata_obj.size = len(updated_metadata_b)
             output_tar.addfile(metadata_obj, BytesIO(updated_metadata_b))
             continue
-        if not obj.name.endswith((".tar", ".tgz", ".tar.gz")):
+        prefix, _, suffix = object_path.name.partition(".")
+        if suffix not in ("tar", "tgz", "tar.gz"):
+            LOGGER.debug("Unknown file %s will not be decrypted", obj.name)
+            output_tar.addfile(obj, input_tar.extractfile(obj))
+            continue
+        if prefix not in expected_archives:
+            LOGGER.debug("Unknown inner tar file %s will not be decrypted", obj.name)
             output_tar.addfile(obj, input_tar.extractfile(obj))
             continue
         istf = SecureTarFile(
@@ -371,12 +393,13 @@ def _decrypt_backup(
 
 
 def encrypt_backup(
+    backup: AgentBackup,
     input_stream: IO[bytes],
     output_stream: IO[bytes],
     password: str | None,
     on_done: Callable[[Exception | None], None],
     minimum_size: int,
-    nonces: list[bytes],
+    nonces: NonceGenerator,
 ) -> None:
     """Encrypt a backup."""
     error: Exception | None = None
@@ -390,7 +413,7 @@ def encrypt_backup(
                     fileobj=output_stream, mode="w|", bufsize=BUF_SIZE
                 ) as output_tar,
             ):
-                _encrypt_backup(input_tar, output_tar, password, nonces)
+                _encrypt_backup(backup, input_tar, output_tar, password, nonces)
         except (EncryptError, SecureTarError, tarfile.TarError) as err:
             LOGGER.warning("Error encrypting backup: %s", err)
             error = err
@@ -408,17 +431,20 @@ def encrypt_backup(
 
 
 def _encrypt_backup(
+    backup: AgentBackup,
     input_tar: tarfile.TarFile,
     output_tar: tarfile.TarFile,
     password: str | None,
-    nonces: list[bytes],
+    nonces: NonceGenerator,
 ) -> None:
     """Encrypt a backup."""
     inner_tar_idx = 0
+    expected_archives = _get_expected_archives(backup)
     for obj in input_tar:
         # We compare with PurePath to avoid issues with different path separators,
         # for example when backup.json is added as "./backup.json"
-        if PurePath(obj.name) == PurePath("backup.json"):
+        object_path = PurePath(obj.name)
+        if object_path == PurePath("backup.json"):
             # Rewrite the backup.json file to indicate that the backup is encrypted
             if not (reader := input_tar.extractfile(obj)):
                 raise EncryptError
@@ -429,16 +455,21 @@ def _encrypt_backup(
             metadata_obj.size = len(updated_metadata_b)
             output_tar.addfile(metadata_obj, BytesIO(updated_metadata_b))
             continue
-        if not obj.name.endswith((".tar", ".tgz", ".tar.gz")):
+        prefix, _, suffix = object_path.name.partition(".")
+        if suffix not in ("tar", "tgz", "tar.gz"):
+            LOGGER.debug("Unknown file %s will not be encrypted", obj.name)
             output_tar.addfile(obj, input_tar.extractfile(obj))
             continue
+        if prefix not in expected_archives:
+            LOGGER.debug("Unknown inner tar file %s will not be encrypted", obj.name)
+            continue
         istf = SecureTarFile(
             None,  # Not used
             gzip=False,
             key=password_to_key(password) if password is not None else None,
             mode="r",
             fileobj=input_tar.extractfile(obj),
-            nonce=nonces[inner_tar_idx],
+            nonce=nonces.get(inner_tar_idx),
         )
         inner_tar_idx += 1
         with istf.encrypt(obj) as encrypted:
@@ -456,17 +487,33 @@ class _CipherWorkerStatus:
     writer: AsyncIteratorWriter
 
 
+class NonceGenerator:
+    """Generate nonces for encryption."""
+
+    def __init__(self) -> None:
+        """Initialize the generator."""
+        self._nonces: dict[int, bytes] = {}
+
+    def get(self, index: int) -> bytes:
+        """Get a nonce for the given index."""
+        if index not in self._nonces:
+            # Generate a new nonce for the given index
+            self._nonces[index] = os.urandom(16)
+        return self._nonces[index]
+
+
 class _CipherBackupStreamer:
     """Encrypt or decrypt a backup."""
 
     _cipher_func: Callable[
         [
+            AgentBackup,
             IO[bytes],
             IO[bytes],
             str | None,
             Callable[[Exception | None], None],
             int,
-            list[bytes],
+            NonceGenerator,
         ],
         None,
     ]
@@ -484,7 +531,7 @@ def __init__(
         self._hass = hass
         self._open_stream = open_stream
         self._password = password
-        self._nonces: list[bytes] = []
+        self._nonces = NonceGenerator()
 
     def size(self) -> int:
         """Return the maximum size of the decrypted or encrypted backup."""
@@ -508,7 +555,15 @@ def on_done(error: Exception | None) -> None:
         writer = AsyncIteratorWriter(self._hass)
         worker = threading.Thread(
             target=self._cipher_func,
-            args=[reader, writer, self._password, on_done, self.size(), self._nonces],
+            args=[
+                self._backup,
+                reader,
+                writer,
+                self._password,
+                on_done,
+                self.size(),
+                self._nonces,
+            ],
         )
         worker_status = _CipherWorkerStatus(
             done=asyncio.Event(), reader=reader, thread=worker, writer=writer
@@ -538,17 +593,6 @@ def backup(self) -> AgentBackup:
 class EncryptedBackupStreamer(_CipherBackupStreamer):
     """Encrypt a backup."""
 
-    def __init__(
-        self,
-        hass: HomeAssistant,
-        backup: AgentBackup,
-        open_stream: Callable[[], Coroutine[Any, Any, AsyncIterator[bytes]]],
-        password: str | None,
-    ) -> None:
-        """Initialize."""
-        super().__init__(hass, backup, open_stream, password)
-        self._nonces = [os.urandom(16) for _ in range(self._num_tar_files())]
-
     _cipher_func = staticmethod(encrypt_backup)
 
     def backup(self) -> AgentBackup:

homeassistant/components/dnsip/config_flow.py

@@ -68,7 +68,7 @@ async def async_check(
         result = False
         with contextlib.suppress(DNSError):
             result = bool(
-                await aiodns.DNSResolver(
+                await aiodns.DNSResolver(  # type: ignore[call-overload]
                     nameservers=[resolver], udp_port=port, tcp_port=port
                 ).query(hostname, qtype)
             )

homeassistant/components/dnsip/manifest.json

@@ -5,5 +5,5 @@
   "config_flow": true,
   "documentation": "https://www.home-assistant.io/integrations/dnsip",
   "iot_class": "cloud_polling",
-  "requirements": ["aiodns==3.3.0"]
+  "requirements": ["aiodns==3.4.0"]
 }

homeassistant/components/dnsip/sensor.py

@@ -106,7 +106,7 @@ def __init__(
     async def async_update(self) -> None:
         """Get the current DNS IP address for hostname."""
         try:
-            response = await self.resolver.query(self.hostname, self.querytype)
+            response = await self.resolver.query(self.hostname, self.querytype)  # type: ignore[call-overload]
         except DNSError as err:
             _LOGGER.warning("Exception while resolving host: %s", err)
             response = None

homeassistant/components/forecast_solar/manifest.json

@@ -6,5 +6,5 @@
   "documentation": "https://www.home-assistant.io/integrations/forecast_solar",
   "integration_type": "service",
   "iot_class": "cloud_polling",
-  "requirements": ["forecast-solar==4.1.0"]
+  "requirements": ["forecast-solar==4.2.0"]
 }

homeassistant/components/fritzbox/coordinator.py

@@ -92,7 +92,7 @@ def cleanup_removed_devices(self, data: FritzboxCoordinatorData) -> None:
 
         available_main_ains = [
             ain
-            for ain, dev in data.devices.items()
+            for ain, dev in data.devices.items() | data.templates.items()
             if dev.device_and_unit_id[1] is None
         ]
         device_reg = dr.async_get(self.hass)

homeassistant/components/fronius/__init__.py

@@ -45,7 +45,15 @@
 async def async_setup_entry(hass: HomeAssistant, entry: FroniusConfigEntry) -> bool:
     """Set up fronius from a config entry."""
     host = entry.data[CONF_HOST]
-    fronius = Fronius(async_get_clientsession(hass), host)
+    fronius = Fronius(
+        async_get_clientsession(
+            hass,
+            # Fronius Gen24 firmware 1.35.4-1 redirects to HTTPS with self-signed
+            # certificate. See https://github.com/home-assistant/core/issues/138881
+            verify_ssl=False,
+        ),
+        host,
+    )
     solar_net = FroniusSolarNet(hass, entry, fronius)
     await solar_net.init_devices()
 

homeassistant/components/frontend/manifest.json

@@ -20,5 +20,5 @@
   "documentation": "https://www.home-assistant.io/integrations/frontend",
   "integration_type": "system",
   "quality_scale": "internal",
-  "requirements": ["home-assistant-frontend==20250507.0"]
+  "requirements": ["home-assistant-frontend==20250509.0"]
 }

homeassistant/components/homekit/type_air_purifiers.py

@@ -8,7 +8,13 @@
 from pyhap.service import Service
 from pyhap.util import callback as pyhap_callback
 
-from homeassistant.const import STATE_ON, STATE_UNAVAILABLE, STATE_UNKNOWN
+from homeassistant.const import (
+    ATTR_UNIT_OF_MEASUREMENT,
+    STATE_ON,
+    STATE_UNAVAILABLE,
+    STATE_UNKNOWN,
+    UnitOfTemperature,
+)
 from homeassistant.core import (
     Event,
     EventStateChangedData,
@@ -43,7 +49,12 @@
     THRESHOLD_FILTER_CHANGE_NEEDED,
 )
 from .type_fans import ATTR_PRESET_MODE, CHAR_ROTATION_SPEED, Fan
-from .util import cleanup_name_for_homekit, convert_to_float, density_to_air_quality
+from .util import (
+    cleanup_name_for_homekit,
+    convert_to_float,
+    density_to_air_quality,
+    temperature_to_homekit,
+)
 
 _LOGGER = logging.getLogger(__name__)
 
@@ -345,8 +356,13 @@ def _async_update_current_temperature(self, new_state: State | None) -> None:
         ):
             return
 
+        unit = new_state.attributes.get(
+            ATTR_UNIT_OF_MEASUREMENT, UnitOfTemperature.CELSIUS
+        )
+        current_temperature = temperature_to_homekit(current_temperature, unit)
+
         _LOGGER.debug(
-            "%s: Linked temperature sensor %s changed to %d",
+            "%s: Linked temperature sensor %s changed to %d °C",
             self.entity_id,
             self.linked_temperature_sensor,
             current_temperature,