jwed
27c1584dc3
Embedded PPSKs live inside the parent WLAN's private_preshared_keys
array — they have no controller-side _id and the synthetic emb_<hash>
we generate locally isn't a real REST id. Hitting /rest/ppsk/emb_xxx
returns HTTP 400/503, which is what the GUEST PPSK rotation was
failing on at the scheduled 3pm run.
* New UnifiApiClient::updateEmbeddedPpsk($wlanId, $oldPass, $newPass):
GETs /rest/wlanconf/{wlanId}, finds the matching entry in
private_preshared_keys by current passphrase, swaps the value while
preserving whichever field name the controller uses (x_passphrase /
password / passphrase), and PUTs the whole WLAN object back.
* RotatePasswords detects emb_-prefixed unifi_ids and routes through
the embedded path. The synthetic id is rederived from the new
passphrase so the DB row stays addressable.
* WifiController::ppskUpdate (manual modal save) does the same — this
is why manual edits sometimes appeared to succeed but the controller
side actually rejected them.
Verified live against the GUEST PPSK on 10.81.0.1.
v1.5.5.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
422 lines
18 KiB
PHP
422 lines
18 KiB
PHP
<?php
|
|
|
|
namespace Dashboard\Unifi\Http\Controllers;
|
|
|
|
use App\Models\Setting;
|
|
use Dashboard\Unifi\Models\UnifiPpsk;
|
|
use Dashboard\Unifi\Services\UnifiApiClient;
|
|
use Illuminate\Http\Request;
|
|
use Illuminate\Routing\Controller;
|
|
use Inertia\Inertia;
|
|
|
|
class WifiController extends Controller
|
|
{
|
|
public function index(UnifiApiClient $unifi)
|
|
{
|
|
try {
|
|
$wlans = collect($unifi->getWlans())->map(fn ($w) => $this->mapWlan($w))->values();
|
|
|
|
$raw = Setting::get('unifi.ssid_groups', '{}');
|
|
$groups = json_decode($raw, true);
|
|
if (! is_array($groups) || array_is_list($groups)) $groups = [];
|
|
$groups = (object) $groups;
|
|
|
|
$rotateWlanIds = json_decode(Setting::get('unifi.password_rotation.wlan_ids', '[]'), true) ?: [];
|
|
|
|
return Inertia::render('Unifi/Wifi', [
|
|
'wlans' => $wlans,
|
|
'groups' => $groups,
|
|
'rotateWlanIds' => $rotateWlanIds,
|
|
'ppskSchedulingEnabled' => (bool) Setting::get('unifi.ppsk_scheduling.enabled', false),
|
|
]);
|
|
} catch (\Throwable $e) {
|
|
return Inertia::render('Unifi/Wifi', [
|
|
'wlans' => [], 'groups' => [], 'rotateWlanIds' => [], 'error' => $e->getMessage(),
|
|
]);
|
|
}
|
|
}
|
|
|
|
public function update(Request $request, string $wlanId, UnifiApiClient $unifi)
|
|
{
|
|
$data = $request->validate([
|
|
'x_passphrase' => 'sometimes|string|min:8|max:63',
|
|
'hide_ssid' => 'sometimes|boolean',
|
|
'mac_filter_enabled' => 'sometimes|boolean',
|
|
'mac_filter_policy' => 'sometimes|string|in:allow,deny',
|
|
'rotate_password' => 'sometimes|boolean',
|
|
]);
|
|
|
|
try {
|
|
// Password/hide changes apply to all grouped WLANs
|
|
$shared = array_filter($data, fn ($k) => in_array($k, ['x_passphrase', 'hide_ssid']), ARRAY_FILTER_USE_KEY);
|
|
$groups = json_decode(Setting::get('unifi.ssid_groups', '{}'), true) ?: [];
|
|
$groupedIds = collect($groups)->first(fn ($ids) => in_array($wlanId, $ids));
|
|
|
|
if (! empty($shared)) {
|
|
if ($groupedIds) {
|
|
foreach ($groupedIds as $id) {
|
|
$unifi->updateWlan($id, $shared);
|
|
}
|
|
} else {
|
|
$unifi->updateWlan($wlanId, $shared);
|
|
}
|
|
}
|
|
|
|
// MAC filter changes apply to this WLAN only
|
|
$perWlan = array_filter($data, fn ($k) => in_array($k, ['mac_filter_enabled', 'mac_filter_policy']), ARRAY_FILTER_USE_KEY);
|
|
if (! empty($perWlan)) {
|
|
$unifi->updateWlan($wlanId, $perWlan);
|
|
}
|
|
|
|
// Toggle wlan_id in the rotation list
|
|
if ($request->has('rotate_password')) {
|
|
$rotateIds = json_decode(Setting::get('unifi.password_rotation.wlan_ids', '[]'), true) ?: [];
|
|
$targetIds = $groupedIds ?: [$wlanId];
|
|
if ($request->boolean('rotate_password')) {
|
|
$rotateIds = array_values(array_unique(array_merge($rotateIds, $targetIds)));
|
|
} else {
|
|
$rotateIds = array_values(array_diff($rotateIds, $targetIds));
|
|
}
|
|
Setting::set('unifi.password_rotation.wlan_ids', json_encode($rotateIds));
|
|
}
|
|
|
|
return back()->with('success', 'WiFi network updated.');
|
|
} catch (\Throwable $e) {
|
|
return back()->withErrors(['error' => $e->getMessage()]);
|
|
}
|
|
}
|
|
|
|
public function toggle(Request $request, string $wlanId, UnifiApiClient $unifi)
|
|
{
|
|
$request->validate(['enabled' => 'required|boolean']);
|
|
|
|
try {
|
|
$groups = json_decode(Setting::get('unifi.ssid_groups', '{}'), true) ?: [];
|
|
$groupedIds = collect($groups)->first(fn ($ids) => in_array($wlanId, $ids));
|
|
$enabled = $request->boolean('enabled');
|
|
|
|
if ($groupedIds) {
|
|
foreach ($groupedIds as $id) {
|
|
$unifi->updateWlan($id, ['enabled' => $enabled]);
|
|
}
|
|
} else {
|
|
$unifi->updateWlan($wlanId, ['enabled' => $enabled]);
|
|
}
|
|
|
|
return back()->with('success', 'WiFi network ' . ($enabled ? 'enabled' : 'disabled') . '.');
|
|
} catch (\Throwable $e) {
|
|
return back()->withErrors(['error' => $e->getMessage()]);
|
|
}
|
|
}
|
|
|
|
// ── PPSK ─────────────────────────────────────────────────────────────────
|
|
|
|
public function ppskIndex(string $wlanId, UnifiApiClient $unifi)
|
|
{
|
|
try {
|
|
$liveEntries = $unifi->getPpskEntries($wlanId);
|
|
|
|
// Network confs are best-effort — don't let a failure block PPSK display
|
|
try {
|
|
$networksRaw = $unifi->getNetworkConfs();
|
|
} catch (\Throwable $e) {
|
|
$networksRaw = [];
|
|
}
|
|
$networksById = collect($networksRaw)->keyBy('_id');
|
|
|
|
// ── Sync live entries into DB ────────────────────────────────────
|
|
$liveIds = [];
|
|
foreach ($liveEntries as $entry) {
|
|
$pass = $entry['x_passphrase'] ?? $entry['password'] ?? null;
|
|
$uid = $entry['_id'] ?? $entry['id'] ?? null;
|
|
// wlan_embedded PPSKs have no _id — derive a stable synthetic ID from the passphrase
|
|
if (! $uid && $pass) {
|
|
$uid = 'emb_' . substr(hash('sha256', $wlanId . ':' . $pass), 0, 32);
|
|
}
|
|
if (! $uid) continue;
|
|
$liveIds[] = $uid;
|
|
|
|
$nconfId = $entry['networkconf_id'] ?? null;
|
|
$vlan = ($nconfId && isset($networksById[$nconfId]))
|
|
? ($networksById[$nconfId]['vlan'] ?? null)
|
|
: null;
|
|
if ($vlan === null && ! empty($entry['vlan_id'])) {
|
|
$vlan = (int) $entry['vlan_id'];
|
|
}
|
|
$name = $entry['name'] ?? $entry['label'] ?? $entry['username'] ?? null;
|
|
// For anonymous PPSKs, use the associated network name as the default label
|
|
if (! $name && $nconfId && isset($networksById[$nconfId])) {
|
|
$name = $networksById[$nconfId]['name'] ?? null;
|
|
}
|
|
|
|
// Match by unifi_id, or by passphrase for a held embedded record re-appearing
|
|
$record = UnifiPpsk::where('unifi_id', $uid)->first()
|
|
?? UnifiPpsk::where('wlan_id', $wlanId)
|
|
->where('x_passphrase', $pass)
|
|
->where('state', 'held')
|
|
->first();
|
|
|
|
if ($record) {
|
|
$upd = ['unifi_id' => $uid, 'state' => 'active'];
|
|
if ($name) $upd['name'] = $name;
|
|
if ($pass) $upd['x_passphrase'] = $pass;
|
|
if ($vlan !== null) $upd['vlan'] = $vlan;
|
|
$record->update($upd);
|
|
} else {
|
|
UnifiPpsk::create([
|
|
'wlan_id' => $wlanId,
|
|
'unifi_id' => $uid,
|
|
'name' => $name ?? 'PPSK',
|
|
'x_passphrase' => $pass ?? '',
|
|
'vlan' => $vlan,
|
|
'state' => 'active',
|
|
]);
|
|
}
|
|
}
|
|
|
|
// Only mark as held when we have confirmed live IDs —
|
|
// never wipe on an empty API response (prevents false-holds on API failures)
|
|
if (! empty($liveIds)) {
|
|
UnifiPpsk::where('wlan_id', $wlanId)
|
|
->where('state', 'active')
|
|
->whereNotNull('unifi_id')
|
|
->whereNotIn('unifi_id', $liveIds)
|
|
->update(['state' => 'held', 'unifi_id' => null]);
|
|
}
|
|
|
|
$dbRecords = UnifiPpsk::where('wlan_id', $wlanId)
|
|
->orderByRaw("FIELD(state, 'active', 'held')")
|
|
->orderBy('name')
|
|
->get();
|
|
|
|
// Fallback: if DB still empty but live entries exist, return live entries directly.
|
|
// Applies the same synthetic-ID and networkconf logic so IDs are always non-null.
|
|
if ($dbRecords->isEmpty() && ! empty($liveEntries)) {
|
|
$entries = collect($liveEntries)->map(function ($e) use ($wlanId, $networksById) {
|
|
$pass = $e['x_passphrase'] ?? $e['password'] ?? null;
|
|
$uid = $e['_id'] ?? $e['id'] ?? null;
|
|
if (! $uid && $pass) {
|
|
$uid = 'emb_' . substr(hash('sha256', $wlanId . ':' . $pass), 0, 32);
|
|
}
|
|
$nconfId = $e['networkconf_id'] ?? null;
|
|
$vlan = ($nconfId && isset($networksById[$nconfId]))
|
|
? ($networksById[$nconfId]['vlan'] ?? null) : null;
|
|
if ($vlan === null && ! empty($e['vlan_id'])) {
|
|
$vlan = (int) $e['vlan_id'];
|
|
}
|
|
$name = $e['name'] ?? $e['label'] ?? $e['username'] ?? null;
|
|
if (! $name && $nconfId && isset($networksById[$nconfId])) {
|
|
$name = $networksById[$nconfId]['name'] ?? null;
|
|
}
|
|
return [
|
|
'id' => $uid,
|
|
'unifi_id' => $uid,
|
|
'name' => $name ?? 'PPSK',
|
|
'x_passphrase' => $pass,
|
|
'vlan' => $vlan,
|
|
'state' => 'active',
|
|
'rotate_password' => false,
|
|
'schedule' => null,
|
|
];
|
|
})->values();
|
|
} else {
|
|
$entries = $dbRecords->map(fn ($r) => $this->mapPpsk($r));
|
|
}
|
|
|
|
$networks = $networksById->values()->map(fn ($n) => [
|
|
'_id' => $n['_id'],
|
|
'name' => $n['name'] ?? 'Unnamed',
|
|
'vlan' => $n['vlan'] ?? null,
|
|
]);
|
|
|
|
return response()->json(['ok' => true, 'entries' => $entries, 'networks' => $networks]);
|
|
} catch (\Throwable $e) {
|
|
return response()->json(['ok' => false, 'error' => $e->getMessage()], 422);
|
|
}
|
|
}
|
|
|
|
public function ppskStore(Request $request, string $wlanId, UnifiApiClient $unifi)
|
|
{
|
|
$data = $request->validate([
|
|
'name' => 'required|string|max:100',
|
|
'x_passphrase' => 'required|string|min:8|max:63',
|
|
'networkconf_id' => 'nullable|string',
|
|
'vlan' => 'nullable|integer',
|
|
]);
|
|
|
|
try {
|
|
$pushData = [
|
|
'name' => $data['name'],
|
|
'x_passphrase' => $data['x_passphrase'],
|
|
'wlan_id' => $wlanId,
|
|
];
|
|
if (! empty($data['networkconf_id'])) {
|
|
$pushData['networkconf_id'] = $data['networkconf_id'];
|
|
}
|
|
|
|
$result = $unifi->createPpsk($pushData);
|
|
$raw = $result[0] ?? $result;
|
|
$unifiId = $raw['_id'] ?? null;
|
|
|
|
$record = UnifiPpsk::create([
|
|
'wlan_id' => $wlanId,
|
|
'unifi_id' => $unifiId,
|
|
'name' => $data['name'],
|
|
'x_passphrase' => $data['x_passphrase'],
|
|
'vlan' => $data['vlan'] ?? null,
|
|
'state' => 'active',
|
|
]);
|
|
|
|
return response()->json(['ok' => true, 'entry' => $this->mapPpsk($record)]);
|
|
} catch (\Throwable $e) {
|
|
return response()->json(['ok' => false, 'error' => $e->getMessage()], 422);
|
|
}
|
|
}
|
|
|
|
public function ppskUpdate(Request $request, string $wlanId, string $ppskId, UnifiApiClient $unifi)
|
|
{
|
|
$record = UnifiPpsk::findOrFail($ppskId);
|
|
|
|
$data = $request->validate([
|
|
'name' => 'sometimes|string|max:100',
|
|
'x_passphrase' => 'sometimes|string|min:8|max:63',
|
|
'networkconf_id' => 'nullable|string',
|
|
'vlan' => 'nullable|integer',
|
|
]);
|
|
|
|
try {
|
|
if ($record->unifi_id && $record->state === 'active') {
|
|
$unifiUpdate = array_filter(
|
|
array_intersect_key($data, array_flip(['name', 'x_passphrase', 'networkconf_id'])),
|
|
fn ($v) => $v !== null
|
|
);
|
|
if (! empty($unifiUpdate)) {
|
|
if (str_starts_with($record->unifi_id, 'emb_') && isset($unifiUpdate['x_passphrase'])) {
|
|
// Embedded PPSK update path — modify the WLAN's embedded array.
|
|
$unifi->updateEmbeddedPpsk($record->wlan_id, $record->x_passphrase, $unifiUpdate['x_passphrase']);
|
|
// Synthetic id is derived from the new passphrase.
|
|
$data['unifi_id'] = 'emb_' . substr(hash('sha256', $record->wlan_id . ':' . $unifiUpdate['x_passphrase']), 0, 32);
|
|
} else {
|
|
$unifi->updatePpsk($record->unifi_id, $unifiUpdate);
|
|
}
|
|
}
|
|
}
|
|
|
|
$dbUpdate = array_intersect_key($data, array_flip(['name', 'x_passphrase', 'unifi_id']));
|
|
// vlan can be explicitly set to null
|
|
if (array_key_exists('vlan', $data)) $dbUpdate['vlan'] = $data['vlan'];
|
|
if (! empty($dbUpdate)) $record->update($dbUpdate);
|
|
|
|
return response()->json(['ok' => true, 'entry' => $this->mapPpsk($record->fresh())]);
|
|
} catch (\Throwable $e) {
|
|
return response()->json(['ok' => false, 'error' => $e->getMessage()], 422);
|
|
}
|
|
}
|
|
|
|
public function ppskDestroy(string $wlanId, string $ppskId, UnifiApiClient $unifi)
|
|
{
|
|
$record = UnifiPpsk::findOrFail($ppskId);
|
|
|
|
try {
|
|
if ($record->unifi_id) {
|
|
try { $unifi->kickClientsForPpsk($record->unifi_id); } catch (\Throwable) {}
|
|
// Embedded PPSKs (synthetic emb_ IDs) aren't deletable via the PPSK REST endpoint;
|
|
// skip the API call — the entry will disappear from UniFi when the WLAN is reconfigured.
|
|
if (! str_starts_with($record->unifi_id, 'emb_')) {
|
|
$unifi->deletePpsk($record->unifi_id);
|
|
}
|
|
}
|
|
$record->delete();
|
|
return response()->json(['ok' => true]);
|
|
} catch (\Throwable $e) {
|
|
return response()->json(['ok' => false, 'error' => $e->getMessage()], 422);
|
|
}
|
|
}
|
|
|
|
public function ppskSchedule(Request $request, string $wlanId, string $ppskId)
|
|
{
|
|
$record = UnifiPpsk::findOrFail($ppskId);
|
|
$request->validate([
|
|
'schedule' => 'nullable|array',
|
|
'schedule.*' => 'boolean',
|
|
]);
|
|
$record->update(['schedule' => $request->schedule]);
|
|
return response()->json(['ok' => true, 'entry' => $this->mapPpsk($record->fresh())]);
|
|
}
|
|
|
|
public function ppskToggleRotation(Request $request, string $wlanId, string $ppskId)
|
|
{
|
|
$record = UnifiPpsk::findOrFail($ppskId);
|
|
$request->validate(['rotate_password' => 'required|boolean']);
|
|
$record->update(['rotate_password' => $request->boolean('rotate_password')]);
|
|
return response()->json(['ok' => true, 'entry' => $this->mapPpsk($record)]);
|
|
}
|
|
|
|
private function mapPpsk(UnifiPpsk $r): array
|
|
{
|
|
return [
|
|
'id' => $r->id,
|
|
'unifi_id' => $r->unifi_id,
|
|
'name' => $r->name,
|
|
'x_passphrase' => $r->x_passphrase,
|
|
'vlan' => $r->vlan,
|
|
'state' => $r->state,
|
|
'rotate_password' => $r->rotate_password,
|
|
'schedule' => $r->schedule,
|
|
];
|
|
}
|
|
|
|
/**
|
|
* Group/ungroup SSIDs. Groups are stored as { "GroupName": ["wlan_id_1", "wlan_id_2"] }
|
|
*/
|
|
public function saveGroups(Request $request)
|
|
{
|
|
$request->validate(['groups' => 'present']);
|
|
$groups = $request->input('groups', []);
|
|
if (is_array($groups) && array_is_list($groups)) $groups = (object) [];
|
|
Setting::set('unifi.ssid_groups', json_encode($groups ?: (object) []));
|
|
return back()->with('success', 'SSID groups saved.');
|
|
}
|
|
|
|
// ── Helpers ───────────────────────────────────────────────────────────────
|
|
|
|
private function mapWlan(array $w): array
|
|
{
|
|
return [
|
|
'id' => $w['_id'],
|
|
'name' => $w['name'],
|
|
'enabled' => $w['enabled'] ?? true,
|
|
'security' => $w['security'] ?? 'open',
|
|
'wpa_mode' => $w['wpa_mode'] ?? '',
|
|
'is_guest' => $w['is_guest'] ?? false,
|
|
'vlan_enabled' => $w['vlan_enabled'] ?? false,
|
|
'vlan' => $w['vlan'] ?? null,
|
|
'hide_ssid' => $w['hide_ssid'] ?? false,
|
|
'passphrase' => $w['x_passphrase'] ?? '',
|
|
'band' => $this->detectBand($w),
|
|
'mac_filter_enabled' => $w['mac_filter_enabled'] ?? false,
|
|
'mac_filter_policy' => $w['mac_filter_policy'] ?? 'deny',
|
|
'ppsk_enabled' => ($w['wpa3_ppsk'] ?? false)
|
|
|| ($w['ppsk'] ?? false)
|
|
|| ($w['private_preshared_keys_enabled'] ?? false)
|
|
|| ! empty($w['private_preshared_keys']),
|
|
];
|
|
}
|
|
|
|
private function detectBand(array $w): string
|
|
{
|
|
$band = $w['wlan_band'] ?? null;
|
|
if ($band === 'ng' || $band === '2g') return '2.4 GHz';
|
|
if ($band === 'na' || $band === '5g') return '5 GHz';
|
|
if ($band === 'a6' || $band === '6g' || $band === '6e') return '6 GHz';
|
|
if ($band === 'both' || $band === null) return 'All bands';
|
|
|
|
$name = strtolower($w['name'] ?? '');
|
|
if (preg_match('/2\.?4\s*g/i', $name)) return '2.4 GHz';
|
|
if (preg_match('/5\s*g/i', $name)) return '5 GHz';
|
|
if (preg_match('/6\s*g/i', $name)) return '6 GHz';
|
|
|
|
return 'All bands';
|
|
}
|
|
}
|