hotspot-to-wpa: support settings from template

doc/hotspot-to-wpa.md

@@ -49,14 +49,32 @@ On first run a disabled access list entry acting as marker (with comment
 "`--- hotspot-to-wpa above ---`") is added. Move this entry to define where new
 entries are to be added.
 
-Usage and invocation
---------------------
-
 Create hotspot login credentials:
 
     / ip hotspot user add add comment="Test User 1" name=user1 password=v3ry;
     / ip hotspot user add add comment="Test User 2" name=user2 password=s3cr3t;
 
+Additionally templates can be created to give more options for access list:
+
+* `private-passphrase`: do **not** use passphrase from hotspot's user
+  credentials, but given one - or unset (use default passphrase) with
+  special word `ignore`
+* `ssid-regexp`: set a different SSID regular expression to match
+* `vlan-id`: connect device to specific VLAN
+* `vlan-mode`: set the VLAN mode for device
+
+For a hotspot called `example` the template could look like this:
+
+    / caps-man access-list add comment="hotspot-to-wpa template example" disabled=yes private-passphrase="ignore" ssid-regexp="^example\$" vlan-id=10 vlan-mode=use-tag;
+
+The same settings are available in hotspot user's comment and take precedence
+over the template settings:
+
+    / ip hotspot user add comment="private-passphrase=ignore, ssid-regexp=^example\\\$, vlan-id=10, vlan-mode=use-tag" name=user password=v3ry-s3cr3t;
+
+Usage and invocation
+--------------------
+
 Now let the users connect and login to the hotspot. After that the devices
 (identified by MAC address) can connect to the WPA2 network, using the
 passphrase from hotspot credentials.

global-config

@@ -8,7 +8,7 @@
 
 # Make sure all configuration properties are up to date and this
 # value is in sync with value in script 'global-functions'!
-:global GlobalConfigVersion 73;
+:global GlobalConfigVersion 74;
 
 # This is used for DNS and backup file.
 :global Domain "example.com";

global-config-overlay

@@ -8,7 +8,7 @@
 # Make sure all configuration properties are up to date and this
 # value is in sync with value in script 'global-functions'!
 # Comment or remove to disable news and change notifications.
-:global GlobalConfigVersion 73;
+:global GlobalConfigVersion 74;
 
 # Copy configuration from global-config here and modify it.
 

global-config.changes

@@ -77,6 +77,7 @@
   71="MikroTik is pushing RouterOS v7 even more, in parallel branches. If you want to keep RouterOS v6 for some time see https://git.eworm.de/cgit/routeros-scripts/about/#changes-for-routeros-v6";
   72="Introduced new script 'netwatch-dns' to manage DNS and DoH servers from netwatch.";
   73="Renamed backup scripts ('cloud-backup' -> 'backup-cloud', 'email-backup' -> 'backup-email', 'upload-backup' -> 'backup-upload').";
+  74="Extended 'hotspot-to-wpa', it can now read additional configuration from templates and hotspot users.";
 };
 
 # Migration steps to be applied on script updates

global-functions

@@ -8,7 +8,7 @@
 # https://git.eworm.de/cgit/routeros-scripts/about/
 
 # expected configuration version
-:global ExpectedConfigVersion 73;
+:global ExpectedConfigVersion 74;
 
 # global variables not to be changed by user
 :global GlobalFunctionsReady false;

hotspot-to-wpa

@@ -10,12 +10,15 @@
 :global GlobalFunctionsReady;
 :while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
 
+:global EitherOr;
 :global LogPrintExit2;
+:global ParseKeyValueStore;
 
 :local MacAddress $"mac-address";
 :local UserName $username;
 :local Date [ / system clock get date ];
-:local PassWord [ / ip hotspot user get [ find where name=$UserName ] password ];
+:local Hotspot [ / ip hotspot host get [ find where mac-address=$MacAddress authorized ] server ];
+:local UserVal [ / ip hotspot user get [ find where name=$UserName ] ];
 
 :if ([ :len [ / caps-man access-list find where comment="--- hotspot-to-wpa above ---" disabled ] ] = 0) do={
   / caps-man access-list add comment="--- hotspot-to-wpa above ---" disabled=yes;
@@ -28,4 +31,30 @@ $LogPrintExit2 info $0 ("Adding/updating accesslist entry for mac address " . $M
 
 / caps-man access-list remove [ find where mac-address=$MacAddress comment~"^hotspot-to-wpa: " ];
 / caps-man access-list add comment=("hotspot-to-wpa: " . $UserName . ", " . $MacAddress . ", " . $Date) \
-    mac-address=$MacAddress private-passphrase=$PassWord ssid-regexp="-wpa\$" place-before=$PlaceBefore;
+    mac-address=$MacAddress private-passphrase=($UserVal->"password") ssid-regexp="-wpa\$" place-before=$PlaceBefore;
+
+:local Template [ / caps-man access-list get ([ find where comment=("hotspot-to-wpa template " . $Hotspot) disabled ]->0) ];
+:local UserInfo [ $ParseKeyValueStore ($UserVal->"comment") ];
+:local Entry [ / caps-man access-list find where mac-address=$MacAddress \
+    comment=("hotspot-to-wpa: " . $UserName . ", " . $MacAddress . ", " . $Date) ];
+
+:local PrivatePassphrase [ $EitherOr ($UserInfo->"private-passphrase") ($Template->"private-passphrase") ];
+:if ([ :len $PrivatePassphrase ] > 0) do={
+  :if ($PrivatePassphrase = "ignore") do={
+    / caps-man access-list set $Entry !private-passphrase;
+  } else={
+    / caps-man access-list set $Entry private-passphrase=$PrivatePassphrase;
+  }
+}
+:local SsidRegexp [ $EitherOr ($UserInfo->"ssid-regexp") ($Template->"ssid-regexp") ];
+:if ([ :len $SsidRegexp ] > 0) do={
+  / caps-man access-list set $Entry ssid-regexp=$SsidRegexp;
+}
+:local VlanId [ $EitherOr ($UserInfo->"vlan-id") ($Template->"vlan-id") ];
+:if ([ :len $VlanId ] > 0) do={
+  / caps-man access-list set $Entry vlan-id=$VlanId;
+}
+:local VlanMode [ $EitherOr ($UserInfo->"vlan-mode") ($Template->"vlan-mode") ];
+:if ([ :len $VlanMode] > 0) do={
+  / caps-man access-list set $Entry vlan-mode=$VlanMode;
+}