Merge branch 'hotspot-to-wpa' into next

doc/hotspot-to-wpa.md

@@ -38,9 +38,16 @@ Create a scheduler:
 
     /system/scheduler/add interval=1d name=hotspot-to-wpa-cleanup on-event="/system/script/run hotspot-to-wpa-cleanup;" start-time=startup;
 
-And add the lease script to your wpa interfaces' dhcp server:
+And add the lease script and matcher comment to your wpa interfaces' dhcp
+server. You can add more information to the comment, separated by comma. In
+this example the server is called `hotspot-to-wpa`.
 
-    /ip/dhcp-server/set lease-script=lease-script [ find where name~"wpa" ];
+    /ip/dhcp-server/set lease-script=lease-script comment="hotspot-to-wpa=wpa" hotspot-to-wpa;
+
+You can specify the timeout after which a device is removed from leases and
+access-list. The default is four weeks.
+
+    /ip/dhcp-server/set lease-script=lease-script comment="hotspot-to-wpa=wpa, timeout=2w" hotspot-to-wpa;
 
 Configuration
 -------------
@@ -54,6 +61,9 @@ Create hotspot login credentials:
     /ip/hotspot/user/add comment="Test User 1" name=user1 password=v3ry;
     /ip/hotspot/user/add comment="Test User 2" name=user2 password=s3cr3t;
 
+This also works with authentication via radius, but is limited then:
+Additional information is not available, including the password.
+
 Additionally templates can be created to give more options for access list:
 
 * `action`: set to `reject` to ignore logins on that hotspot

global-functions.rsc

@@ -12,7 +12,7 @@
 :local 0 "global-functions";
 
 # expected configuration version
-:global ExpectedConfigVersion 101;
+:global ExpectedConfigVersion 103;
 
 # global variables not to be changed by user
 :global GlobalFunctionsReady false;

hotspot-to-wpa-cleanup.rsc

@@ -12,27 +12,40 @@
 :global GlobalFunctionsReady;
 :while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
 
+:global EitherOr;
 :global LogPrintExit2;
+:global ParseKeyValueStore;
 :global ScriptLock;
 
 $ScriptLock $0 false 10;
 
-:foreach Client in=[ /caps-man/registration-table/find where comment~"^hotspot-to-wpa:" ] do={
-  :local ClientVal [ /caps-man/registration-table/get $Client ];
-  :local Lease [ /ip/dhcp-server/lease/find where server~"wpa" dynamic \
-    mac-address=($ClientVal->"mac-address") ];
-  :if ([ :len $Lease ] > 0) do={
-    $LogPrintExit2 info $0 ("Client with mac address " . ($ClientVal->"mac-address") . \
-      " connected to WPA, making lease static.") false;
-    /ip/dhcp-server/lease/make-static $Lease;
-    /ip/dhcp-server/lease/set comment=($ClientVal->"comment") $Lease;
+:local DHCPServers ({});
+:foreach Server in=[ /ip/dhcp-server/find where comment~"hotspot-to-wpa" ] do={
+  :local ServerVal [ /ip/dhcp-server/get $Server ]
+  :local ServerInfo [ $ParseKeyValueStore ($ServerVal->"comment") ];
+  :if (($ServerInfo->"hotspot-to-wpa") = "wpa") do={
+    :set ($DHCPServers->($ServerVal->"name")) \
+      [ :totime [ $EitherOr ($ServerInfo->"timeout") 4w ] ];
   }
 }
 
-:foreach Client in=[ /caps-man/access-list/find where comment~"^hotspot-to-wpa:" and \
+:foreach Client in=[ /caps-man/registration-table/find where comment~"^hotspot-to-wpa:" ] do={
+  :local ClientVal [ /caps-man/registration-table/get $Client ];
+  :foreach Lease in=[ /ip/dhcp-server/lease/find where dynamic \
+      mac-address=($ClientVal->"mac-address") ] do={
+    :if (($DHCPServers->[ /ip/dhcp-server/lease/get $Lease server ]) > 0s) do={
+      $LogPrintExit2 info $0 ("Client with mac address " . ($ClientVal->"mac-address") . \
+        " connected to WPA, making lease static.") false;
+      /ip/dhcp-server/lease/make-static $Lease;
+      /ip/dhcp-server/lease/set comment=($ClientVal->"comment") $Lease;
+    }
+  }
+}
+
+:foreach Client in=[ /caps-man/access-list/find where comment~"^hotspot-to-wpa:" \
     !(comment~[ /system/clock/get date ]) ] do={
   :local ClientVal [ /caps-man/access-list/get $Client ];
-  :if ([ :len [ /ip/dhcp-server/lease/find where server~"wpa" !dynamic \
+  :if ([ :len [ /ip/dhcp-server/lease/find where !dynamic comment~"^hotspot-to-wpa:" \
        mac-address=($ClientVal->"mac-address") ] ] = 0) do={
     $LogPrintExit2 info $0 ("Client with mac address " . ($ClientVal->"mac-address") . \
       " did not connect to WPA, removing from access list.") false;
@@ -40,12 +53,14 @@ $ScriptLock $0 false 10;
   }
 }
 
-:foreach Lease in=[ /ip/dhcp-server/lease/find where !dynamic status=waiting \
-    last-seen>4w comment~"^hotspot-to-wpa:" ] do={
-  :local LeaseVal [ /ip/dhcp-server/lease/get $Lease ];
-  $LogPrintExit2 info $0 ("Client with mac address " . ($LeaseVal->"mac-address") . \
-    " was not seen for long time, removing.") false;
-  /caps-man/access-list/remove [ find where comment~"^hotspot-to-wpa:" \
-     mac-address=($LeaseVal->"mac-address") ];
-  /ip/dhcp-server/lease/remove $Lease;
+:foreach Server,Timeout in=$DHCPServers do={
+  :foreach Lease in=[ /ip/dhcp-server/lease/find where !dynamic status="waiting" \
+      server=$Server last-seen>$Timeout comment~"^hotspot-to-wpa:" ] do={
+    :local LeaseVal [ /ip/dhcp-server/lease/get $Lease ];
+    $LogPrintExit2 info $0 ("Client with mac address " . ($LeaseVal->"mac-address") . \
+      " was not seen for " . $Timeout . ", removing.") false;
+    /caps-man/access-list/remove [ find where comment~"^hotspot-to-wpa:" \
+      mac-address=($LeaseVal->"mac-address") ];
+    /ip/dhcp-server/lease/remove $Lease;
+  }
 }

hotspot-to-wpa.rsc

@@ -25,7 +25,10 @@ $ScriptLock $0;
 }
 
 :local Date [ /system/clock/get date ];
-:local UserVal [ /ip/hotspot/user/get [ find where name=$UserName ] ];
+:local UserVal ({});
+:if ([ :len [ /ip/hotspot/user/find where name=$UserName ] ] > 0) do={
+  :set UserVal [ /ip/hotspot/user/get [ find where name=$UserName ] ];
+}
 :local UserInfo [ $ParseKeyValueStore ($UserVal->"comment") ];
 :local Hotspot [ /ip/hotspot/host/get [ find where mac-address=$MacAddress authorized ] server ];
 
@@ -54,7 +57,8 @@ $LogPrintExit2 info $0 ("Adding/updating access-list entry for mac address " . $
   " (user " . $UserName . ").") false;
 /caps-man/access-list/remove [ find where mac-address=$MacAddress comment~"^hotspot-to-wpa: " ];
 /caps-man/access-list/add comment=("hotspot-to-wpa: " . $UserName . ", " . $MacAddress . ", " . $Date) \
-    mac-address=$MacAddress private-passphrase=($UserVal->"password") ssid-regexp="-wpa\$" place-before=$PlaceBefore;
+    mac-address=$MacAddress private-passphrase=($UserVal->"password") ssid-regexp="-wpa\$" \
+    action=reject place-before=$PlaceBefore;
 
 :local Entry [ /caps-man/access-list/find where mac-address=$MacAddress \
     comment=("hotspot-to-wpa: " . $UserName . ", " . $MacAddress . ", " . $Date) ];
@@ -78,3 +82,6 @@ $LogPrintExit2 info $0 ("Adding/updating access-list entry for mac address " . $
 :if ([ :len $VlanMode] > 0) do={
   /caps-man/access-list/set $Entry vlan-mode=$VlanMode;
 }
+
+:delay 2s;
+/caps-man/access-list/set $Entry action=accept;

news-and-changes.rsc

@@ -15,6 +15,8 @@
   99="Modified 'dhcp-to-dns', which dropped global configuration. Settings moved to dhcp server's network definitions.";
   100="The script 'ssh-keys-import' became a module 'mod/ssh-keys-import' with enhanced functionality.";
   101="Introduced new script 'fw-addr-lists' to download, import and update firewall address-lists.";
+  102="Modified 'hotspot-to-wpa' to support non-local (radius) users.";
+  103="Dropped hard-coded name and timeout from 'hotspot-to-wpa-cleanup', instead a comment is required for dhcp server now.";
 };
 
 # Migration steps to be applied on script updates