feat(grouped wifi): route updates through user-defined SSID groups + verify

User-defined SSID groups (configured on the WiFi Networks page and stored in unifi.ssid_groups) now drive PPSK sibling propagation. The previous same-SSID-name detection missed cases where two grouped WLANs have *different* names — e.g. "VCS Guest" on 2.4 and "VCS Guest 5G" on 5GHz manually grouped by the operator. Falls back to same-name siblings when no group is configured. Match-by-name fix: embedded PPSKs on this controller don't carry a name field — the human "GUEST" label is the *network's* name, with the entry referenced via networkconf_id. updateEmbeddedPpsk and verifyEmbeddedPpsk now resolve name → networkconf_id first and match on that, with entry-name and current-passphrase as fallbacks for other controller variants. After every rotation we re-fetch each affected WLAN and verify the new passphrase is actually present on the named network. Failures ("mismatch" or "fetch_failed" on the primary, anything other than "not_found" on a sibling) surface in the cron run details as failed PPSKs so the operator sees what didn't propagate. v1.10.4. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-24 20:58:10 -04:00
parent bb74edf4c1
commit f533208b37
4 changed files with 135 additions and 22 deletions
--- a/src/Services/UnifiApiClient.php
+++ b/src/Services/UnifiApiClient.php
@@ -312,6 +312,88 @@ class UnifiApiClient
        return $this->put("/rest/wlanconf/{$wlanId}", $data);
    }

+    /**
+     * Find every other WLAN that should rotate/update together with this
+     * one. Authoritative source: the user-defined "SSID groups" setting
+     * (unifi.ssid_groups) from the WiFi Networks page, which lets the
+     * operator manually couple WLANs that may have different SSID names.
+     *
+     * Falls back to same-SSID-name siblings for installs that haven't
+     * configured groups yet.
+     *
+     * Returns an array of sibling wlan IDs (excludes $wlanId itself).
+     */
+    public function getGroupedWlans(string $wlanId): array
+    {
+        $groupsJson = Setting::get('unifi.ssid_groups', '{}');
+        $groups     = json_decode($groupsJson, true);
+        if (is_array($groups)) {
+            foreach ($groups as $wlanIds) {
+                if (! is_array($wlanIds)) continue;
+                if (in_array($wlanId, $wlanIds, true)) {
+                    return array_values(array_filter($wlanIds, fn ($id) => $id !== $wlanId));
+                }
+            }
+        }
+        return $this->getWlanSiblings($wlanId);
+    }
+
+    /**
+     * Verify an embedded PPSK has the expected passphrase right now.
+     * Used after an update to confirm the change actually applied —
+     * UniFi sometimes 200s an update that didn't stick (cluster sync
+     * race, hot-restart in progress, etc.).
+     *
+     * Returns ['ok' => true] on a clean match, or
+     * ['ok' => false, 'reason' => 'fetch_failed'|'not_found'|'mismatch']
+     * with optional 'error' on fetch failures.
+     */
+    public function verifyEmbeddedPpsk(string $wlanId, string $name, string $expectedPassphrase): array
+    {
+        try {
+            $entries = $this->getPpskEntries($wlanId);
+        } catch (\Throwable $e) {
+            return ['ok' => false, 'reason' => 'fetch_failed', 'error' => $e->getMessage()];
+        }
+
+        $networkconfId = $this->findNetworkconfIdByName($name);
+
+        foreach ($entries as $e) {
+            $entryName     = $e['name'] ?? $e['label'] ?? $e['username'] ?? $e['privatePskName'] ?? null;
+            $entryNetId    = $e['networkconf_id'] ?? null;
+            $entryMatches  = ($networkconfId !== null && $entryNetId === $networkconfId)
+                          || ($entryName !== null && $entryName === $name);
+            if (! $entryMatches) continue;
+
+            $entryPass = $e['x_passphrase'] ?? $e['password'] ?? $e['passphrase'] ?? null;
+            return $entryPass === $expectedPassphrase
+                ? ['ok' => true]
+                : ['ok' => false, 'reason' => 'mismatch'];
+        }
+        return ['ok' => false, 'reason' => 'not_found'];
+    }
+
+    /**
+     * Look up a networkconf (VLAN/network) by its display name. Embedded
+     * PPSKs on this controller use networkconf_id as their stable
+     * identifier — the human "name" the operator sees is actually the
+     * network's name.
+     */
+    private function findNetworkconfIdByName(string $name): ?string
+    {
+        try {
+            $networks = $this->getNetworkConfs();
+        } catch (\Throwable) {
+            return null;
+        }
+        foreach ($networks as $n) {
+            if (($n['name'] ?? null) === $name) {
+                return $n['_id'] ?? null;
+            }
+        }
+        return null;
+    }
+
    /**
     * Find sibling WLAN configs — same SSID name, different _id. UniFi
     * splits a "banded" SSID (band-steering disabled) into one wlanconf
@@ -548,10 +630,13 @@ class UnifiApiClient
            throw new \RuntimeException('WLAN has no embedded PPSKs to update.');
        }

-        // Match in this order — most reliable first:
-        //   1. by PPSK name (if provided) — survives passphrase drift
-        //      caused by manual edits or previous out-of-sync rotations.
-        //   2. by current passphrase (legacy)
+        // Embedded PPSKs on this controller don't carry a name field —
+        // the human label ("GUEST", "3DPrinters", …) is the *network's*
+        // name, and each entry references it via networkconf_id. So when
+        // the caller passes a name, first resolve it to a networkconf_id
+        // and match on that. Falls back to entry-level name (other
+        // controller versions DO put a name on the entry) and finally
+        // to current passphrase.
        $applyUpdate = function (array &$e) use ($newPassphrase) {
            if (array_key_exists('x_passphrase', $e)) $e['x_passphrase'] = $newPassphrase;
            if (array_key_exists('password',     $e)) $e['password']     = $newPassphrase;
@@ -561,8 +646,21 @@ class UnifiApiClient
            }
        };

+        $networkconfId = ($name !== null && $name !== '') ? $this->findNetworkconfIdByName($name) : null;
+
        $matched = false;
-        if ($name !== null && $name !== '') {
+        if ($networkconfId !== null) {
+            foreach ($entries as &$e) {
+                if (($e['networkconf_id'] ?? null) === $networkconfId) {
+                    $applyUpdate($e);
+                    $matched = true;
+                    break;
+                }
+            }
+            unset($e);
+        }
+
+        if (! $matched && $name !== null && $name !== '') {
            foreach ($entries as &$e) {
                $entryName = $e['name'] ?? $e['label'] ?? $e['username'] ?? $e['privatePskName'] ?? null;
                if ($entryName === $name) {
@@ -589,7 +687,7 @@ class UnifiApiClient
        if (! $matched) {
            throw new \RuntimeException(
                'Embedded PPSK not found' .
-                ($name !== null ? " by name \"{$name}\"" : '') .
+                ($name !== null ? " for network \"{$name}\"" : '') .
                ' or by current passphrase.'
            );
        }