Clear dynamic encryption key in ESPHome on remove (#155858)

arturpragacz · web-flow · commit bb44987af1d4 · 2025-11-06T02:11:32.000+01:00
diff --git a/homeassistant/components/esphome/__init__.py b/homeassistant/components/esphome/__init__.py
@@ -2,7 +2,9 @@
 
 from __future__ import annotations
 
-from aioesphomeapi import APIClient
+import logging
+
+from aioesphomeapi import APIClient, APIConnectionError
 
 from homeassistant.components import zeroconf
 from homeassistant.components.bluetooth import async_remove_scanner
@@ -20,9 +22,12 @@
 from . import assist_satellite, dashboard, ffmpeg_proxy
 from .const import CONF_BLUETOOTH_MAC_ADDRESS, CONF_NOISE_PSK, DOMAIN
 from .domain_data import DomainData
+from .encryption_key_storage import async_get_encryption_key_storage
 from .entry_data import ESPHomeConfigEntry, RuntimeEntryData
 from .manager import DEVICE_CONFLICT_ISSUE_FORMAT, ESPHomeManager, cleanup_instance
 
+_LOGGER = logging.getLogger(__name__)
+
 CONFIG_SCHEMA = cv.config_entry_only_config_schema(DOMAIN)
 
 CLIENT_INFO = f"Home Assistant {ha_version}"
@@ -91,3 +96,57 @@ async def async_remove_entry(hass: HomeAssistant, entry: ESPHomeConfigEntry) ->
         hass, DOMAIN, DEVICE_CONFLICT_ISSUE_FORMAT.format(entry.entry_id)
     )
     await DomainData.get(hass).get_or_create_store(hass, entry).async_remove()
+
+    await _async_clear_dynamic_encryption_key(hass, entry)
+
+
+async def _async_clear_dynamic_encryption_key(
+    hass: HomeAssistant, entry: ESPHomeConfigEntry
+) -> None:
+    """Clear the dynamic encryption key on the device and from storage."""
+    if entry.unique_id is None or entry.data.get(CONF_NOISE_PSK) is None:
+        return
+
+    # Only clear the key if it's stored in our storage, meaning it was
+    # dynamically generated by us and not user-provided
+    storage = await async_get_encryption_key_storage(hass)
+    if await storage.async_get_key(entry.unique_id) is None:
+        return
+
+    host: str = entry.data[CONF_HOST]
+    port: int = entry.data[CONF_PORT]
+    password: str | None = entry.data[CONF_PASSWORD]
+    noise_psk: str | None = entry.data.get(CONF_NOISE_PSK)
+
+    zeroconf_instance = await zeroconf.async_get_instance(hass)
+
+    cli = APIClient(
+        host,
+        port,
+        password,
+        client_info=CLIENT_INFO,
+        zeroconf_instance=zeroconf_instance,
+        noise_psk=noise_psk,
+        timezone=hass.config.time_zone,
+    )
+
+    try:
+        await cli.connect()
+        # Clear the encryption key on the device by passing an empty key
+        if not await cli.noise_encryption_set_key(b""):
+            _LOGGER.debug(
+                "Could not clear dynamic encryption key for ESPHome device %s: Device rejected key removal",
+                entry.unique_id,
+            )
+            return
+    except APIConnectionError as exc:
+        _LOGGER.debug(
+            "Could not connect to ESPHome device %s to clear dynamic encryption key: %s",
+            entry.unique_id,
+            exc,
+        )
+        return
+    finally:
+        await cli.disconnect()
+
+    await storage.async_remove_key(entry.unique_id)
diff --git a/tests/components/esphome/test_init.py b/tests/components/esphome/test_init.py
@@ -1,17 +1,24 @@
 """ESPHome set up tests."""
 
+from unittest.mock import AsyncMock
+
+from aioesphomeapi import APIConnectionError
 import pytest
 
 from homeassistant.components.esphome import DOMAIN
+from homeassistant.components.esphome.const import CONF_NOISE_PSK
+from homeassistant.components.esphome.encryption_key_storage import (
+    async_get_encryption_key_storage,
+)
 from homeassistant.const import CONF_HOST, CONF_PASSWORD, CONF_PORT
 from homeassistant.core import HomeAssistant
 
 from tests.common import MockConfigEntry
 
 
 @pytest.mark.usefixtures("mock_client", "mock_zeroconf")
-async def test_delete_entry(hass: HomeAssistant) -> None:
-    """Test we can delete an entry without error."""
+async def test_remove_entry(hass: HomeAssistant) -> None:
+    """Test we can remove an entry without error."""
     entry = MockConfigEntry(
         domain=DOMAIN,
         data={CONF_HOST: "test.local", CONF_PORT: 6053, CONF_PASSWORD: ""},
@@ -22,3 +29,128 @@ async def test_delete_entry(hass: HomeAssistant) -> None:
     await hass.async_block_till_done()
     assert await hass.config_entries.async_remove(entry.entry_id)
     await hass.async_block_till_done()
+
+
+@pytest.mark.usefixtures("mock_zeroconf")
+async def test_remove_entry_clears_dynamic_encryption_key(
+    hass: HomeAssistant,
+    mock_client,
+    mock_config_entry: MockConfigEntry,
+) -> None:
+    """Test that removing an entry clears the dynamic encryption key from device and storage."""
+    # Store the encryption key to simulate it was dynamically generated
+    storage = await async_get_encryption_key_storage(hass)
+    await storage.async_store_key(
+        mock_config_entry.unique_id, mock_config_entry.data[CONF_NOISE_PSK]
+    )
+    assert (
+        await storage.async_get_key(mock_config_entry.unique_id)
+        == mock_config_entry.data[CONF_NOISE_PSK]
+    )
+
+    mock_client.noise_encryption_set_key = AsyncMock(return_value=True)
+
+    assert await hass.config_entries.async_remove(mock_config_entry.entry_id)
+    await hass.async_block_till_done()
+
+    mock_client.connect.assert_called_once()
+    mock_client.noise_encryption_set_key.assert_called_once_with(b"")
+    mock_client.disconnect.assert_called_once()
+
+    assert await storage.async_get_key(mock_config_entry.unique_id) is None
+
+
+@pytest.mark.usefixtures("mock_zeroconf")
+async def test_remove_entry_no_noise_psk(hass: HomeAssistant, mock_client) -> None:
+    """Test that removing an entry without noise_psk does not attempt to clear encryption key."""
+    mock_config_entry = MockConfigEntry(
+        domain=DOMAIN,
+        data={
+            CONF_HOST: "test.local",
+            CONF_PORT: 6053,
+            # No CONF_NOISE_PSK
+        },
+        unique_id="11:22:33:44:55:aa",
+    )
+    mock_config_entry.add_to_hass(hass)
+
+    mock_client.noise_encryption_set_key = AsyncMock(return_value=True)
+
+    assert await hass.config_entries.async_remove(mock_config_entry.entry_id)
+    await hass.async_block_till_done()
+
+    mock_client.noise_encryption_set_key.assert_not_called()
+
+
+@pytest.mark.usefixtures("mock_zeroconf")
+async def test_remove_entry_user_provided_key(
+    hass: HomeAssistant,
+    mock_client,
+    mock_config_entry: MockConfigEntry,
+) -> None:
+    """Test that removing an entry with user-provided key does not clear it."""
+    # Do not store the key in storage - simulates user-provided key
+    storage = await async_get_encryption_key_storage(hass)
+    assert await storage.async_get_key(mock_config_entry.unique_id) is None
+
+    mock_client.noise_encryption_set_key = AsyncMock(return_value=True)
+
+    assert await hass.config_entries.async_remove(mock_config_entry.entry_id)
+    await hass.async_block_till_done()
+
+    mock_client.noise_encryption_set_key.assert_not_called()
+
+
+@pytest.mark.usefixtures("mock_zeroconf")
+async def test_remove_entry_device_rejects_key_removal(
+    hass: HomeAssistant,
+    mock_client,
+    mock_config_entry: MockConfigEntry,
+) -> None:
+    """Test that when device rejects key removal, key remains in storage."""
+    # Store the encryption key to simulate it was dynamically generated
+    storage = await async_get_encryption_key_storage(hass)
+    await storage.async_store_key(
+        mock_config_entry.unique_id, mock_config_entry.data[CONF_NOISE_PSK]
+    )
+
+    mock_client.noise_encryption_set_key = AsyncMock(return_value=False)
+
+    assert await hass.config_entries.async_remove(mock_config_entry.entry_id)
+    await hass.async_block_till_done()
+
+    mock_client.connect.assert_called_once()
+    mock_client.noise_encryption_set_key.assert_called_once_with(b"")
+    mock_client.disconnect.assert_called_once()
+
+    assert (
+        await storage.async_get_key(mock_config_entry.unique_id)
+        == mock_config_entry.data[CONF_NOISE_PSK]
+    )
+
+
+@pytest.mark.usefixtures("mock_zeroconf")
+async def test_remove_entry_connection_error(
+    hass: HomeAssistant,
+    mock_client,
+    mock_config_entry: MockConfigEntry,
+) -> None:
+    """Test that connection error during key clearing does not remove key from storage."""
+    # Store the encryption key to simulate it was dynamically generated
+    storage = await async_get_encryption_key_storage(hass)
+    await storage.async_store_key(
+        mock_config_entry.unique_id, mock_config_entry.data[CONF_NOISE_PSK]
+    )
+
+    mock_client.connect = AsyncMock(side_effect=APIConnectionError("Connection failed"))
+
+    assert await hass.config_entries.async_remove(mock_config_entry.entry_id)
+    await hass.async_block_till_done()
+
+    mock_client.connect.assert_called_once()
+    mock_client.disconnect.assert_called_once()
+
+    assert (
+        await storage.async_get_key(mock_config_entry.unique_id)
+        == mock_config_entry.data[CONF_NOISE_PSK]
+    )
