feat: improve diagnostics anonymization with per-endpoint redact fields and bump to 0.7.0

Add per-endpoint redact field sets so profile-specific PII (name, birthDate,
address, city, postalCode, phone, maintainerCode) is redacted without
affecting device/room name fields. Also truncate device_id, masterMac,
and mac fields in diagnostics output.

Author: acesyde

custom_components/mylight_systems/const.py

@@ -10,7 +10,7 @@
 NAME = "MyLight Systems"
 DOMAIN = "mylight_systems"
 PLATFORMS = [Platform.SENSOR, Platform.SWITCH]
-VERSION = "0.6.0"
+VERSION = "0.7.0"
 ATTRIBUTION = "Data provided by https://www.mylight-systems.com/"
 DEFAULT_SCAN_INTERVAL_IN_MINUTES = 15
 MIN_SCAN_INTERVAL_IN_MINUTES = 5

custom_components/mylight_systems/diagnostics.py

@@ -35,22 +35,43 @@
 
 TO_REDACT = {CONF_EMAIL, CONF_PASSWORD, CONF_SUBSCRIPTION_ID, CONF_MASTER_ID, CONF_MASTER_RELAY_ID}
 
+# --- Global anonymization rules (applied to all endpoints) ---
+
 # Fields to fully replace with "***"
 _REDACT_FIELDS = {"email", "firstName", "lastName", "tenant"}
 
 # Fields to truncate to first 4 chars + "***"
-_TRUNCATE_FIELDS = {"id", "deviceId", "sensorId", "serialNumber"}
+_TRUNCATE_FIELDS = {"id", "deviceId", "device_id", "sensorId", "serialNumber", "masterMac", "mac"}
 
 # Fields to zero out
 _ZERO_FIELDS = {"latitude", "longitude"}
 
 # Fields to remove entirely
 _REMOVE_FIELDS = {"authToken"}
 
+# --- Per-endpoint extra redact fields ---
+
+_PROFILE_REDACT_FIELDS = {
+    "name",
+    "birthDate",
+    "postalCode",
+    "city",
+    "address",
+    "additionalAddress",
+    "phoneNumber",
+    "mobileNumber",
+    "maintainerCode",
+}
+
+_DEVICES_REDACT_FIELDS: set[str] = set()
+_MEASURES_REDACT_FIELDS: set[str] = set()
+_STATES_REDACT_FIELDS: set[str] = set()
+_ROOMS_REDACT_FIELDS: set[str] = set()
+
 
-def _anonymize_value(key: str, value: Any) -> Any:
+def _anonymize_value(key: str, value: Any, extra_redact: set[str]) -> Any:
     """Anonymize a single value based on its key."""
-    if key in _REDACT_FIELDS:
+    if key in _REDACT_FIELDS or key in extra_redact:
         return "***"
     if key in _ZERO_FIELDS:
         return 0.0
@@ -59,34 +80,36 @@ def _anonymize_value(key: str, value: Any) -> Any:
     return value
 
 
-def _anonymize_response(data: Any) -> Any:
+def _anonymize_response(data: Any, extra_redact: set[str] | None = None) -> Any:
     """Recursively anonymize sensitive fields in an API response."""
+    redact = extra_redact or set()
     if isinstance(data, dict):
         result = {}
         for key, value in data.items():
             if key in _REMOVE_FIELDS:
                 continue
-            result[key] = _anonymize_value(key, _anonymize_response(value))
+            result[key] = _anonymize_value(key, _anonymize_response(value, redact), redact)
         return result
     if isinstance(data, list):
-        return [_anonymize_response(item) for item in data]
+        return [_anonymize_response(item, redact) for item in data]
     return data
 
 
-# Each entry: (endpoint_path, param_builder)
+# Each entry: (endpoint_path, param_builder, extra_redact_fields)
 # The callable receives (auth_token, entry_data, today, tomorrow) and returns params.
-DiagnosticEndpoint = tuple[str, Callable[[str, dict, str, str], dict]]
+DiagnosticEndpoint = tuple[str, Callable[[str, dict, str, str], dict], set[str]]
 
 DIAGNOSTIC_ENDPOINTS: list[DiagnosticEndpoint] = [
-    (PROFILE_URL, lambda tok, data, t, tm: {"authToken": tok}),
-    (DEVICES_URL, lambda tok, data, t, tm: {"authToken": tok}),
+    (PROFILE_URL, lambda tok, data, t, tm: {"authToken": tok}, _PROFILE_REDACT_FIELDS),
+    (DEVICES_URL, lambda tok, data, t, tm: {"authToken": tok}, _DEVICES_REDACT_FIELDS),
     (
         MEASURES_TOTAL_URL,
         lambda tok, data, t, tm: {
             "authToken": tok,
             "measureType": data[CONF_GRID_TYPE],
             "deviceId": data[CONF_VIRTUAL_DEVICE_ID],
         },
+        _MEASURES_REDACT_FIELDS,
     ),
     (
         MEASURES_GROUPING_URL,
@@ -98,9 +121,10 @@ def _anonymize_response(data: Any) -> Any:
             "measureType": data[CONF_GRID_TYPE],
             "deviceId": data[CONF_VIRTUAL_DEVICE_ID],
         },
+        _MEASURES_REDACT_FIELDS,
     ),
-    (STATES_URL, lambda tok, data, t, tm: {"authToken": tok}),
-    (ROOMS_URL, lambda tok, data, t, tm: {"authToken": tok}),
+    (STATES_URL, lambda tok, data, t, tm: {"authToken": tok}, _STATES_REDACT_FIELDS),
+    (ROOMS_URL, lambda tok, data, t, tm: {"authToken": tok}, _ROOMS_REDACT_FIELDS),
 ]
 
 
@@ -128,18 +152,23 @@ async def async_get_config_entry_diagnostics(
         entry_data = dict(entry.data)
 
         tasks = {
-            path: coordinator.client.async_raw_request(
-                "get", path, params=param_builder(auth_token, entry_data, today, tomorrow)
+            path: (
+                coordinator.client.async_raw_request(
+                    "get", path, params=param_builder(auth_token, entry_data, today, tomorrow)
+                ),
+                extra_redact,
             )
-            for path, param_builder in DIAGNOSTIC_ENDPOINTS
+            for path, param_builder, extra_redact in DIAGNOSTIC_ENDPOINTS
         }
-        results = await asyncio.gather(*tasks.values(), return_exceptions=True)
+        results = await asyncio.gather(
+            *[coro for coro, _ in tasks.values()], return_exceptions=True
+        )
 
-        for path, result in zip(tasks.keys(), results):
+        for (path, (_, extra_redact)), result in zip(tasks.items(), results):
             if isinstance(result, Exception):
                 payload = {"error": type(result).__name__, "message": str(result)}
             else:
-                payload = _anonymize_response(result)
+                payload = _anonymize_response(result, extra_redact)
             raw_api_responses[path] = base64.b64encode(
                 json.dumps(payload, default=str).encode()
             ).decode()

custom_components/mylight_systems/manifest.json

@@ -9,5 +9,5 @@
   "integration_type": "hub",
   "iot_class": "cloud_polling",
   "issue_tracker": "https://github.com/acesyde/hassio_mylight_integration/issues",
-  "version": "0.6.0"
+  "version": "0.7.0"
 }

tests/test_diagnostics.py

@@ -167,7 +167,7 @@ async def test_diagnostics_returns_all_endpoint_keys():
     ):
         result = await async_get_config_entry_diagnostics(hass, entry)
 
-    expected_keys = {path for path, _ in DIAGNOSTIC_ENDPOINTS}
+    expected_keys = {path for path, *_ in DIAGNOSTIC_ENDPOINTS}
     assert set(result["raw_api_responses"].keys()) == expected_keys
 
 
@@ -260,7 +260,7 @@ async def _mock_raw_request(method, path, params=None):
         result = await async_get_config_entry_diagnostics(hass, entry)
 
     # All endpoints should still be present
-    expected_keys = {path for path, _ in DIAGNOSTIC_ENDPOINTS}
+    expected_keys = {path for path, *_ in DIAGNOSTIC_ENDPOINTS}
     assert set(result["raw_api_responses"].keys()) == expected_keys
 
     # The failed endpoint should have an error payload