jwed/dashboard-unifi
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: jwed:v1.9.0
Branches Tags
jwed:master
jwed:v1.12.1 jwed:v1.12.0 jwed:v1.11.1 jwed:v1.11.0 jwed:v1.10.4 jwed:v1.10.2 jwed:v1.10.1 jwed:v1.10.0 jwed:v1.9.1 jwed:v1.9.0 jwed:v1.8.1 jwed:v1.8.0 jwed:v1.7.1 jwed:v1.7.0 jwed:v1.6.3 jwed:v1.6.2 jwed:v1.6.1 jwed:v1.6.0 jwed:v1.5.5 jwed:v1.5.4 jwed:v1.5.3 jwed:v1.5.2 jwed:v1.5.1 jwed:v1.5.0 jwed:v1.4.0 jwed:v1.3.1 jwed:v1.3.0 jwed:v1.2.0 jwed:v1.1.0
...
compare: jwed:v1.10.1
Branches Tags
jwed:master
jwed:v1.12.1 jwed:v1.12.0 jwed:v1.11.1 jwed:v1.11.0 jwed:v1.10.4 jwed:v1.10.2 jwed:v1.10.1 jwed:v1.10.0 jwed:v1.9.1 jwed:v1.9.0 jwed:v1.8.1 jwed:v1.8.0 jwed:v1.7.1 jwed:v1.7.0 jwed:v1.6.3 jwed:v1.6.2 jwed:v1.6.1 jwed:v1.6.0 jwed:v1.5.5 jwed:v1.5.4 jwed:v1.5.3 jwed:v1.5.2 jwed:v1.5.1 jwed:v1.5.0 jwed:v1.4.0 jwed:v1.3.1 jwed:v1.3.0 jwed:v1.2.0 jwed:v1.1.0

3 Commits
v1.9.0 ... v1.10.1

Author SHA1 Message Date
jwed
e5cc075938 fix(banded ssid): treat "PPSK not on this band" as a quiet skip 
The sibling-rotation path's "Embedded PPSK not found" error was being
surfaced to the operator as a failure, but it's not — it just means
the PPSK isn't mirrored on that band (GUEST was configured on one
band only, which is a perfectly valid setup). Logging this as a
sibling failure also poisoned the cron run status to "partial".

Now: "not found"-style errors from updateEmbeddedPpsk on a sibling
become info-level log entries and the loop continues. Other errors
(API failures, permissions, etc.) still surface as warnings/failures.

v1.10.1.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-05-24 20:43:10 -04:00
jwed
4ec4a293c0 release: 1.10.0 — rolls up 1.9.1 (banded-SSID PPSK match by name) 
Bundled stable cut for prod. Contents since 1.9.0:

* fix(banded ssid): updateEmbeddedPpsk now matches embedded PPSK
  entries by name first (e.g. "GUEST") and falls back to current
  passphrase. Name-matching survives any passphrase drift caused by
  pre-1.8.1 out-of-band manual edits — the sibling-rotation failure
  reported on prod after upgrading to 1.9.0 no longer happens.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-05-24 20:40:13 -04:00
jwed
720e94c54a fix(banded ssid): match embedded PPSK by name first, passphrase fallback 
The sibling-update path on prod failed with "Embedded PPSK not found
by current passphrase" because the DB-stored x_passphrase on the
unedited band was stale — earlier manual edits (pre-1.8.1) only
touched one band, leaving the other band's row out of sync. When
rotation then tried to use that stale passphrase to find the entry,
no match.

updateEmbeddedPpsk now takes an optional $name parameter and tries it
first. PPSK names within a WLAN are unique, so name-matching survives
any passphrase drift caused by historical out-of-band edits.
Passphrase matching stays as a fallback for callers that don't have
a name (none currently — both rotation and the manual modal pass it).

v1.9.1.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-05-24 20:38:10 -04:00
4 changed files with 68 additions and 31 deletions
Expand all files Collapse all files

2
composer.json
View File

@@ -1,7 +1,7 @@
{ {
"name": "dashboard/unifi", "name": "dashboard/unifi",
"description": "UniFi network management, WiFi stats, and captive portal authentication for the Dashboard platform", "description": "UniFi network management, WiFi stats, and captive portal authentication for the Dashboard platform",
"version": "1.9.0", "version": "1.10.1",
"type": "library", "type": "library",
"license": "MIT", "license": "MIT",
"autoload": { "autoload": {

26
src/Console/RotatePasswords.php
View File

@@ -81,24 +81,22 @@ class RotatePasswords extends Command
try { try {
if (str_starts_with((string) $ppsk->unifi_id, 'emb_')) { if (str_starts_with((string) $ppsk->unifi_id, 'emb_')) {
// Embedded PPSK: update inside the parent WLAN object. // Embedded PPSK: update inside the parent WLAN object.
// Synthetic ID is derived from the new passphrase, so update it too. // Match by name (most reliable) — falls back to
$unifi->updateEmbeddedPpsk($ppsk->wlan_id, $ppsk->x_passphrase, $newPass); // passphrase if name is missing.
$unifi->updateEmbeddedPpsk($ppsk->wlan_id, $ppsk->x_passphrase, $newPass, $ppsk->name);
$newUid = 'emb_' . substr(hash('sha256', $ppsk->wlan_id . ':' . $newPass), 0, 32); $newUid = 'emb_' . substr(hash('sha256', $ppsk->wlan_id . ':' . $newPass), 0, 32);
$oldPass = $ppsk->x_passphrase;
$ppsk->update(['x_passphrase' => $newPass, 'unifi_id' => $newUid]); $ppsk->update(['x_passphrase' => $newPass, 'unifi_id' => $newUid]);
// Sibling WLANs (same SSID name on a different band): // Sibling WLANs (same SSID name on a different band):
// their embedded PPSK with the same name also needs // rotate the matching-name PPSK in each so the
// to rotate to the same new password so the SSID's // SSID's 2.4/5GHz halves stay in sync.
// 2.4/5GHz halves stay in sync.
foreach ($unifi->getWlanSiblings($ppsk->wlan_id) as $siblingWlanId) { foreach ($unifi->getWlanSiblings($ppsk->wlan_id) as $siblingWlanId) {
$sibling = UnifiPpsk::where('wlan_id', $siblingWlanId) $sibling = UnifiPpsk::where('wlan_id', $siblingWlanId)
->where('name', $ppsk->name) ->where('name', $ppsk->name)
->where('state', 'active') ->where('state', 'active')
->first(); ->first();
$siblingOldPass = $sibling?->x_passphrase ?? $oldPass;
try { try {
$unifi->updateEmbeddedPpsk($siblingWlanId, $siblingOldPass, $newPass); $unifi->updateEmbeddedPpsk($siblingWlanId, $sibling?->x_passphrase, $newPass, $ppsk->name);
if ($sibling) { if ($sibling) {
$sibling->update([ $sibling->update([
'x_passphrase' => $newPass, 'x_passphrase' => $newPass,
@@ -106,6 +104,18 @@ class RotatePasswords extends Command
]); ]);
} }
} catch (\Throwable $e) { } catch (\Throwable $e) {
// "Not found" in a sibling just means the
// PPSK isn't mirrored on that band — totally
// normal if GUEST was only configured on one
// band. Skip quietly; don't poison the
// run status.
if (str_contains($e->getMessage(), 'not found')) {
\Illuminate\Support\Facades\Log::info('unifi.ppsk_sibling_skipped', [
'sibling_wlan' => $siblingWlanId,
'ppsk_name' => $ppsk->name,
]);
continue;
}
$this->error("Sibling rotate failed for wlan {$siblingWlanId}: {$e->getMessage()}"); $this->error("Sibling rotate failed for wlan {$siblingWlanId}: {$e->getMessage()}");
$failedPpsks[] = ['name' => $ppsk->name . ' (sibling wlan ' . $siblingWlanId . ')', 'error' => $e->getMessage()]; $failedPpsks[] = ['name' => $ppsk->name . ' (sibling wlan ' . $siblingWlanId . ')', 'error' => $e->getMessage()];
} }

13
src/Http/Controllers/WifiController.php
View File

@@ -293,9 +293,9 @@ class WifiController extends Controller
if (! empty($unifiUpdate)) { if (! empty($unifiUpdate)) {
if (str_starts_with($record->unifi_id, 'emb_') && isset($unifiUpdate['x_passphrase'])) { if (str_starts_with($record->unifi_id, 'emb_') && isset($unifiUpdate['x_passphrase'])) {
// Embedded PPSK update path — modify the WLAN's embedded array. // Embedded PPSK update path — modify the WLAN's embedded array.
// Match by name (reliable across drift).
$newPass = $unifiUpdate['x_passphrase']; $newPass = $unifiUpdate['x_passphrase'];
$oldPass = $record->x_passphrase; $unifi->updateEmbeddedPpsk($record->wlan_id, $record->x_passphrase, $newPass, $record->name);
$unifi->updateEmbeddedPpsk($record->wlan_id, $oldPass, $newPass);
$data['unifi_id'] = 'emb_' . substr(hash('sha256', $record->wlan_id . ':' . $newPass), 0, 32); $data['unifi_id'] = 'emb_' . substr(hash('sha256', $record->wlan_id . ':' . $newPass), 0, 32);
// Also update sibling WLANs (banded SSID — same name // Also update sibling WLANs (banded SSID — same name
@@ -305,9 +305,8 @@ class WifiController extends Controller
->where('name', $record->name) ->where('name', $record->name)
->where('state', 'active') ->where('state', 'active')
->first(); ->first();
$siblingOldPass = $sibling?->x_passphrase ?? $oldPass;
try { try {
$unifi->updateEmbeddedPpsk($siblingWlanId, $siblingOldPass, $newPass); $unifi->updateEmbeddedPpsk($siblingWlanId, $sibling?->x_passphrase, $newPass, $record->name);
if ($sibling) { if ($sibling) {
$sibling->update([ $sibling->update([
'x_passphrase' => $newPass, 'x_passphrase' => $newPass,
@@ -315,7 +314,11 @@ class WifiController extends Controller
]); ]);
} }
} catch (\Throwable $e) { } catch (\Throwable $e) {
\Illuminate\Support\Facades\Log::warning('unifi.ppsk_sibling_update_failed', [ // PPSK absent on this band is fine — just
// means it isn't mirrored. Anything else
// gets warning-logged.
$level = str_contains($e->getMessage(), 'not found') ? 'info' : 'warning';
\Illuminate\Support\Facades\Log::log($level, 'unifi.ppsk_sibling_update', [
'sibling_wlan' => $siblingWlanId, 'sibling_wlan' => $siblingWlanId,
'error' => $e->getMessage(), 'error' => $e->getMessage(),
]); ]);

58
src/Services/UnifiApiClient.php
View File

@@ -538,7 +538,7 @@ class UnifiApiClient
* no controller-side ID. Only changes the entry's passphrase; name * no controller-side ID. Only changes the entry's passphrase; name
* isn't separately addressable on embedded PPSKs. * isn't separately addressable on embedded PPSKs.
*/ */
public function updateEmbeddedPpsk(string $wlanId, string $oldPassphrase, string $newPassphrase): array public function updateEmbeddedPpsk(string $wlanId, ?string $oldPassphrase, string $newPassphrase, ?string $name = null): array
{ {
$wlanResp = $this->get("/rest/wlanconf/{$wlanId}"); $wlanResp = $this->get("/rest/wlanconf/{$wlanId}");
$wlan = $wlanResp[0] ?? $wlanResp; $wlan = $wlanResp[0] ?? $wlanResp;
@@ -548,26 +548,50 @@ class UnifiApiClient
throw new \RuntimeException('WLAN has no embedded PPSKs to update.'); throw new \RuntimeException('WLAN has no embedded PPSKs to update.');
} }
$matched = false; // Match in this order — most reliable first:
foreach ($entries as &$e) { // 1. by PPSK name (if provided) — survives passphrase drift
$current = $e['x_passphrase'] ?? $e['password'] ?? $e['passphrase'] ?? null; // caused by manual edits or previous out-of-sync rotations.
if ($current === $oldPassphrase) { // 2. by current passphrase (legacy)
// Preserve whichever field name the controller is using. $applyUpdate = function (array &$e) use ($newPassphrase) {
if (array_key_exists('x_passphrase', $e)) $e['x_passphrase'] = $newPassphrase; if (array_key_exists('x_passphrase', $e)) $e['x_passphrase'] = $newPassphrase;
if (array_key_exists('password', $e)) $e['password'] = $newPassphrase; if (array_key_exists('password', $e)) $e['password'] = $newPassphrase;
if (array_key_exists('passphrase', $e)) $e['passphrase'] = $newPassphrase; if (array_key_exists('passphrase', $e)) $e['passphrase'] = $newPassphrase;
// If none of the above existed, default to password (most common on embedded). if (! isset($e['x_passphrase']) && ! isset($e['password']) && ! isset($e['passphrase'])) {
if (! isset($e['x_passphrase']) && ! isset($e['password']) && ! isset($e['passphrase'])) { $e['password'] = $newPassphrase;
$e['password'] = $newPassphrase;
}
$matched = true;
break;
} }
};
$matched = false;
if ($name !== null && $name !== '') {
foreach ($entries as &$e) {
$entryName = $e['name'] ?? $e['label'] ?? $e['username'] ?? $e['privatePskName'] ?? null;
if ($entryName === $name) {
$applyUpdate($e);
$matched = true;
break;
}
}
unset($e);
}
if (! $matched && $oldPassphrase !== null && $oldPassphrase !== '') {
foreach ($entries as &$e) {
$current = $e['x_passphrase'] ?? $e['password'] ?? $e['passphrase'] ?? null;
if ($current === $oldPassphrase) {
$applyUpdate($e);
$matched = true;
break;
}
}
unset($e);
} }
unset($e);
if (! $matched) { if (! $matched) {
throw new \RuntimeException('Embedded PPSK not found by current passphrase.'); throw new \RuntimeException(
'Embedded PPSK not found' .
($name !== null ? " by name \"{$name}\"" : '') .
' or by current passphrase.'
);
} }
// UniFi REST expects the full WLAN object on PUT — send what we // UniFi REST expects the full WLAN object on PUT — send what we