diff --git a/DUOAUTH.md b/DUOAUTH.md new file mode 100644 index 0000000..6611aff --- /dev/null +++ b/DUOAUTH.md @@ -0,0 +1 @@ +## Duo Push authentication Nuki Hub supports the use of the [Cisco Duo Auth API](https://duo.com/docs/authapi) for Multi-factor authentication (MFA). Cisco Duo can be used for free with unlimited pushes using Duo Push authentication with the Duo application running on an Android device or iPhone. ## Setup - Signup for a [free Duo account](https://duo.com/editions-and-pricing/duo-free) at https://signup.duo.com/ - Follow the guided Duo setup to create an administrator account - Optionally add a separate user specifically for Nuki Hub. - On the user page add a Phone to the user and follow the instructions to setup and authorize the Duo app on an Android device or iPhone. - In the Duo Admin panel go to "Applications" and select "Protect an Application" - Search for "Partner Auth API" and click "Protect" - Optionally change the name to "Nuki Hub" under settings and click "Save" - Enter the Integration key, Secret key and API hostname on the "Credentials" page of Nuki Hub by using the buttons to copy the unredacted values. - Enter the username of your Duo user that you want to receive the push notification in the "Duo user" field in Nuki Hub - Check the box next to "Duo Push authentication enabled" - Optionally check the box next to "Require Duo Push authentication for all sensitive Nuki Hub operations" to require Duo Push approval on all sensitive Nuki Hub operations (changing/exporting settings) - Optionally (but very much preferred) set HTTP authentication type to "Form" - Click "Save" - Approve the Duo Push notification on your device. Note: If the first authentication after a change to these settings fails or is not approved (in time), MFA will be disabled to prevent a lockout. - Reboot the Nuki Hub device, logout and confirm that you are required to reauthenticate using Duo Push (and your Nuki Hub username and password) \ No newline at end of file diff --git a/HYBRID.md b/HYBRID.md index cba8669..f79b99b 100644 --- a/HYBRID.md +++ b/HYBRID.md @@ -2,6 +2,28 @@ The purpose of this mode is to have Nuki Hub work in conjunction with the official MQTT implementation by Nuki. +For Nuki Hub to work properly it is essential that Nuki Hub is notified by the lock of state changes (e.g. locking/unlocking) as soon as possible. +Starting from the first versions of Nuki Hub this was achieved by registering Nuki Hub as a Nuki Bridge. + +When a Nuki Bridge is registered with a Nuki lock or opener the device will signal state changes using a Bluetooth Low Energy (BLE) iBeacon. +If this state change is seen by Nuki Hub the Nuki Hub device will connect to the lock/opener over BLE and receive additional information about the state change. +The beacon itself contains no information other than that a state change has occured. +After the Nuki Bridge device (e.g. Nuki Hub in this case) has connected and requested the state change report the Nuki device will reset the iBeacon state to the "unchanged" state. + +With the introduction of WiFi/Thread and MQTT enabled locks there now was a second method of retrieving state changes, which we call "Hybrid mode". +In Hybrid mode Nuki Hub subscribes to the MQTT topics that the Nuki lock writes to itself using the official Nuki MQTT implementation over WiFi/Thread. +Nuki Hub will now pick up state changes from these official MQTT topics. +Part of these state changes is directly proxied to Nuki Hubs own MQTT topics (that your smart home system (e.g.) HomeAssistant is subscribed to) making this (in practise) just as fast as connecting your smart home application directly to the official MQTT implementation. +Nuki Hub will however also request additional information from the lock using BLE that is not available using the official Nuki MQTT implementation and publish this to Nuki Hubs MQTT topics. +If you have setup Hybrid mode consider taking a look at the information published on the official MQTT topics (base path "nuki/") and comparing this with the information Nuki Hub publishes (base topic "nukihub/" by default) + +All functionality of Nuki Hub is available in both regular and hybrid mode. +In hybrid mode Nuki Hub will automatically choose the best way to communicate with the lock for retrieving information from the lock and pushing information (e.g. lock/unlock commands, change settings) to the lock based on the capabilities of the MQTT API and Bluetooth API. +When compared to regular/bridge mode this leads to speed increases in getting state changes and pushing state changes (because we can send and receive usefull information directly over MQTT without having to connect over BLE) +When compared to the official MQTT implementation this adds many many features that are not available in the official MQTT implementation and would normally require you to use the app or Web API (which has its own issues, downtime and cloud requirement). + +**As the Nuki Smartlock Ultra has no support for the Nuki Bridge it is mandatory to setup Hybrid mode to receive prompt state changes from the lock in Nuki Hub.** + ### Requirements ### - ESP32 running Nuki Hub 9.08 or higher @@ -40,11 +62,12 @@ The Hybrid Official MQTT over Thread + Nuki Hub solution allows for the best com - Install Nuki Hub 9.08 or higher on a supported ESP32 device - Make sure you are not paired as a bridge. Unpair your Nuki lock in Nuki Hub if Nuki Hub was paired as a bridge (this is mandatory even if you removed the bridge connection from the Nuki lock). -- Enable `Enable hybrid official MQTT and Nuki Hub setup`. The `Lock: Nuki Bridge is running alongside Nuki Hub (needs re-pairing if changed)` setting will be automatically be enabled. +- Enable `Enable hybrid official MQTT and Nuki Hub setup`. The `Lock: Nuki Bridge is running alongside Nuki Hub (needs re-pairing if changed)` setting will automatically be enabled. - Optionally enable `Enable sending actions through official MQTT`, if not enabled lock actions will be sent over BLE as usual (slower) - Set `Time between status updates when official MQTT is offline (seconds)` to a positive integer. If the Nuki lock MQTT connection goes offline for whatever reason Nuki Hub will update the lock state with the set interval in seconds. - +- Optionally enable `Retry command sent using official MQTT over BLE if failed`. If sending a lock action over the official MQTT implementation fails the command will be resent over BLE if this is enabled. Requires `Enable sending actions through official MQTT` to be enabled. +- Optionally enable `Reboot Nuki lock on official MQTT failure`. If Nuki Hub determains that the official MQTT implementation is offline (usually because of the Nuki lock losing Thread/WiFi connection and not properly reconnecting) for more than 3 minutes Nuki Hub will try to reboot the Nuki lock (equivalent to removing and reinstalling the batteries). - Save your configuration - Consider setting the `Query intervals` on the `Advanced Nuki configuration` to high numbers (e.g. 86400) to further reduce battery drain. - Pair your Nuki Lock with Nuki Hub -- Test that state changes are recieved and processed by Nuki Hub by looking at the MQTT topics using an application like `MQTT Explorer` +- Test that state changes are recieved and processed by Nuki Hub by looking at the MQTT topics using an application like `MQTT Explorer` \ No newline at end of file diff --git a/README.md b/README.md index ba2f523..534f994 100644 --- a/README.md +++ b/README.md @@ -54,12 +54,14 @@ See the "[Connecting via Ethernet](#connecting-via-ethernet-optional)" section f ## Recommended ESP32 devices We don't recommend using single-core ESP32 devices (ESP32-C3, ESP32-C6, ESP32-H2, ESP32-Solo1).
-Although NukiHub supports single-core devices, NukiHub uses both CPU cores (if available) to process tasks (e.g. HTTP server/MQTT client/BLE scanner/BLE client) and thus runs much better on dual-core devices.
+Although Nuki Hub supports single-core devices, Nuki Hub uses both CPU cores (if available) to process tasks (e.g. HTTP server/MQTT client/BLE scanner/BLE client) and thus runs much better on dual-core devices.
When buying a new device in 2025 we can only recommend the ESP32-S3 with PSRAM (look for an ESP32-S3 with the designation N>=4 and R>=2 such as an ESP32-S3 N16R8).
The ESP32-S3 is a dual-core CPU with many GPIO's, ability to enlarge RAM using PSRAM, ability to connect Ethernet modules over SPI and optionally power the device with a PoE splitter.
The only functions missing from the ESP32-S3 as compared to other ESP devices is the ability to use some Ethernet modules only supported by the original ESP32 (and ESP32-P4) and the ability to connect over WIFI6 (C6 or ESP32-P4 with C6 module) +If/When the ESP32-P4 with ESP32-C6-MINI-1 module for BLE/WiFi is supported this will probably become the preferred device for Nuki Hub. + Other considerations: - If Ethernet/PoE is required: An ESP32-S3 with PSRAM in combination with a SPI Ethernet module ([W5500](https://www.aliexpress.com/w/wholesale-w5500.html)) and [PoE to Ethernet and USB type B/C splitter](https://aliexpress.com/w/wholesale-poe-splitter-usb-c.html) or the LilyGO-T-ETH ELite, LilyGO-T-ETH-Lite-ESP32S3 or M5stack Atom S3R with the M5stack AtomPoe W5500 module - If WIFI6 is absolutely required (it probably isn't): ESP32-C6 @@ -70,12 +72,12 @@ Devices ranked best-to-worst: - ...... - ESP32 with PSRAM - ......
-(Devices below will not support some NukiHub functions) +(Devices below will not support some Nuki Hub functions) - ...... - ESP32-S3 without PSRAM - ESP32 without PSRAM - ......
-(Devices below will not support more NukiHub functions) +(Devices below will not support more Nuki Hub functions) - ...... - ESP32-C6 - ESP32-solo1 @@ -153,7 +155,7 @@ See the "[MQTT Encryption](#mqtt-encryption-optional)" section of this README. Make sure "Bluetooth pairing" is enabled for the Nuki device by enabling this setting in the official Nuki App in "Settings" > "Features & Configuration" > "Button and LED". After enabling the setting press the button on the Nuki device for a few seconds.
Pairing should be automatic whenever the ESP32 is powered on and no lock is paired.
-To pair with an opener you need to first enable the opener on the "Nuki configuration" page of NukiHub.
+To pair with an opener you need to first enable the opener on the "Nuki configuration" page of Nuki Hub.

When pairing is successful, the web interface should show "Paired: Yes".
MQTT nodes like lock state and battery level should now reflect the reported values from the lock.
@@ -166,18 +168,17 @@ Enable "Register as app" before pairing to allow this. Otherwise the Bridge will Make sure "Bluetooth pairing" is enabled for the Nuki device by enabling this setting in the official Nuki App in "Settings" > "Features & Configuration" > "Button and LED". -Before enabling pairing mode using the button on the Lock Ultra first setup NukiHub as follows: +Before enabling pairing mode using the button on the Lock Ultra first setup Nuki Hub as follows: - Enable both "Nuki Smartlock enabled" and "Nuki Smartlock Ultra enabled" settings on the "Basic Nuki Configuration" page and Save. Setting the "Nuki Smartlock Ultra enabled" will change multiple other NukiHub settings. - Input your 6-digit Nuki Lock Ultra PIN on the "Credentials" page and Save -- Press the button on the Nuki device for a few seconds -- It is **strongly** recommended to setup and enable Hybrid mode over Thread/WiFi + official MQTT as NukiHub works best in Hybrid or Bridge mode and the Ultra does not support Bridge mode +- Press the button on the Nuki device for a few seconds until the LED ring lights up and remains lit. +- It is **strongly** recommended(/mandatory) to setup and enable Hybrid mode over Thread/WiFi + official MQTT as Nuki Hub works best in Hybrid or Bridge mode and the Ultra does not support Bridge mode -Pairing should be automatic if no lock is paired.
When pairing is successful, the web interface should show "Paired: Yes".
## Hybrid mode -Hybrid mode allows you to use the official Nuki MQTT implemenation on a Nuki Lock 3.0 Pro, Nuki Lock 4.0, Nuki Lock 4.0 Pro or Nuki Lock Ultra in conjunction with NukiHub.
+Hybrid mode allows you to use the official Nuki MQTT implemenation on a Nuki Lock 3.0 Pro, Nuki Lock 4.0, Nuki Lock 4.0 Pro or Nuki Lock Ultra in conjunction with Nuki Hub.
See [hybrid mode](/HYBRID.md) for more information. ## Memory constraints @@ -206,7 +207,9 @@ You can check on the info page of the Web configurator if PSRAM is available. Note that there are two builds of Nuki Hub for the ESP32-S3 available.
One for devices with no or Quad SPI PSRAM and one for devices with Octal SPI PSRAM.
-If your ESP32-S3 device has PSRAM but it is not detected please flash the other S3 binary. +Webflash will automatically flash the no/Quad SPI PSRAM build when an ESP32-S3 is connected.
+If your ESP32-S3 device has PSRAM but it is not detected please switch to the other S3 binary.
+You can do this by flashing the correct binaries manually or by selecting the option to switch S3 binary build from the Firmware Update page of the Web Configurator. ## Configuration @@ -224,6 +227,7 @@ In a browser navigate to the IP address assigned to the ESP32. - Check for Firmware Updates every 24h: Enable to allow the Nuki Hub to check the latest release of the Nuki Hub firmware on boot and every 24 hours. Requires the Nuki Hub to be able to connect to github.com. The latest version will be published to MQTT and will be visible on the main page of the Web Configurator. - HTTP SSL Certificate (PSRAM enabled devices only): Optionally set to the SSL certificate of the HTTPS server, see the "[HTTPS Server](#https-server-optional-psram-enabled-devices-only)" section of this README. - HTTP SSL Key (PSRAM enabled devices only): Optionally set to the SSL key of the HTTPS server, see the "[HTTPS Server](#https-server-optional-psram-enabled-devices-only)" section of this README. +- Nuki Hub FQDN for HTTP redirect (PSRAM enabled devices only): FQDN hostname of the Nuki Hub device used for redirecting from HTTP to HTTPS. #### IP Address assignment @@ -241,8 +245,8 @@ In a browser navigate to the IP address assigned to the ESP32. - MQTT Broker port: Set to the Port of the MQTT broker (usually 1883) - MQTT User: If using authentication on the MQTT broker set to a username with read/write rights on the MQTT broker, set to # to clear - MQTT Password : If using authentication on the MQTT broker set to the password belonging to a username with read/write rights on the MQTT broker, set to # to clear -- MQTT NukiHub Path: Set to the preferred MQTT root topic for NukiHub, defaults to "nukihub". Make sure this topic is unique when using multiple ESP32 NukiHub devices -- Enable Home Assistant auto discovery: Enable Home Assistant MQTT auto discovery. Will automatically create entities in Home Assistant for NukiHub and connected Nuki Lock and/or Opener when enabled. +- MQTT Nuki Hub Path: Set to the preferred MQTT root topic for Nuki Hub, defaults to "nukihub". Make sure this topic is unique when using multiple ESP32 Nuki Hub devices +- Enable Home Assistant auto discovery: Enable Home Assistant MQTT auto discovery. Will automatically create entities in Home Assistant for Nuki Hub and connected Nuki Lock and/or Opener when enabled. #### Advanced MQTT Configuration @@ -258,7 +262,7 @@ In a browser navigate to the IP address assigned to the ESP32. - Enable hybrid official MQTT and Nuki Hub setup: Enable to combine the official MQTT over Thread/Wi-Fi with BLE. Improves speed of state changes. Needs the official MQTT to be setup first. Also requires Nuki Hub to be paired as app and unregistered as a bridge using the Nuki app. See [hybrid mode](/HYBRID.md) - Enable sending actions through official MQTT: Enable to sent lock actions through the official MQTT topics (e.g. over Thread/Wi-Fi) instead of using BLE. Needs "Enable hybrid official MQTT and Nuki Hub setup" to be enabled. See [hybrid mode](/HYBRID.md) - Time between status updates when official MQTT is offline (seconds): Set to a positive integer to set the maximum amount of seconds between actively querying the Nuki lock for the current lock state when the official MQTT is offline, default 600. -- Retry command sent using official MQTT over BLE if failed: Enable to publish lock commands over BLE if NukiHub fails to use Hybrid mode to execute the command over MQTT +- Retry command sent using official MQTT over BLE if failed: Enable to publish lock commands over BLE if Nuki Hub fails to use Hybrid mode to execute the command over MQTT - Reboot Nuki lock on official MQTT failure: Enable to reboot the Nuki Lock if official MQTT over WiFi/Thread is offline for more than 180 seconds ### Nuki Configuration @@ -313,6 +317,20 @@ In a browser navigate to the IP address assigned to the ESP32. - User: Pick a username to enable HTTP authentication for the Web Configuration, Set to "#" to disable authentication. - Password/Retype password: Pick a password to enable HTTP authentication for the Web Configuration. - HTTP Authentication type: Select from Basic, Digest or Form based authentication. Digest authentication is more secure than Basic or Form based authentication, especially over unencrypted (HTTP) connections. Form based authentication works best with password managers. Note: Firefox seems to have issues with basic authentication. +- Bypass authentication for reverse proxy with IP: IP for which authentication is bypassed. Use in conjunction with a reverse proxy server with separate authentication. +- Duo Push authentication enabled: Enable to use Duo Push Multi Factor Authentication (MFA). See [Duo Push authentication](/DUOAUTH.md) for instructions on how to setup Duo Push authentication. +- Require Duo Push authentication for all sensitive Nuki Hub operations (changing/exporting settings): Enable to require Duo Push approval on all sensitive operations. +- Bypass Duo Push authentication by pressing the BOOT button during login: Enable to allow bypassing Duo Push authentication by pressing the BOOT button on the ESP during login. Note that this does not work on all ESP's (nor do all ESP's have a boot button to begin with). Test before relying on this function. +- Bypass Duo Push authentication by pulling GPIO High: Set to a GPIO pin to allow bypassing Duo Push authentication by pulling the GPIO high during login. +- Bypass Duo Push authentication by pulling GPIO Low: Set to a GPIO pin to allow bypassing Duo Push authentication by pulling the GPIO low during login. +- Duo API hostname: Set to the Duo API hostname +- Duo integration key: Set to the Duo integration key +- Duo secret key: Set to the Duo secret key +- Duo user: Set to the Duo user that you want to receive the push notification +- Session validity (in seconds): Session validity to use with form authentication when the "Remember me" checkbox is disabled, default 3600 seconds. +- Session validity remember (in hours): Session validity to use with form authentication when the "Remember me" checkbox is enabled, default 720 hours. +- Duo Session validity (in seconds): Session validity to use with Duo authentication when the "Remember me" checkbox is disabled, default 3600 seconds. +- Duo Session validity remember (in hours): Session validity to use with Duo authentication when the "Remember me" checkbox is enabled, default 720 hours. #### Nuki Lock PIN / Nuki Opener PIN @@ -333,15 +351,20 @@ In a browser navigate to the IP address assigned to the ESP32. ### Import/Export Configuration -The "Import/Export Configuration" menu option allows the importing and exporting of the NukiHub settings in JSON format.
+The "Import/Export Configuration" menu option allows the importing and exporting of the Nuki Hub settings in JSON format.

-Create a (partial) backup of the current NukiHub settings by selecting any of the following:
+Create a (partial) backup of the current Nuki Hub settings by selecting any of the following:
- Basic export: Will backup all settings that are not considered confidential (as such passwords and pincodes are not included in this export). - Export with redacted settings: Will backup basic settings and redacted settings such as passwords and pincodes. Both of the above options will not backup pairing data, so you will have to manually pair Nuki devices when importing this export on a factory reset or new device. - Export with redacted settings and pairing data: Will backup all settings and pairing data. Can be used to completely restore a factory reset or new device based on the settings of this device. (Re)pairing Nuki devices will not be needed when importing this export. + +- Export HTTP SSL certificate and key (PSRAM devices only): Export your HTTP server SSL certificate and key +- Export MQTT SSL CA, client certificate and client key: Export your MQTT SSL CA and client certificate and client key +- Export Coredump: Export the complete log gathered from the last ESP crash +
To import settings copy and paste the contents of the JSON file that is created by any of the above export options and select "Import". After importing the device will reboot. @@ -351,10 +374,10 @@ After importing the device will reboot. The advanced configuration menu is not reachable from the main menu of the web configurator by default.
You can reach the menu directly by browsing to http://NUKIHUBIP/get?page=advanced or enable showing it in the main menu by browsing to http://NUKIHUBIP/get?page=debugon once (http://NUKIHUBIP/get?page=debugoff to disable). -Note that the following options can break NukiHub and cause bootloops that will require you to erase your ESP and reflash following the instructions for first-time flashing. +Note that the following options can break Nuki Hub and cause bootloops that will require you to erase your ESP and reflash following the instructions for first-time flashing. -- Disable Network if not connected within 60s: Enable to allow NukiHub to function without a network connection (for example when only using NukiHub with GPIO) -- Enable Bootloop prevention: Enable to reset the following stack size and max entry settings to default if NukiHub detects a bootloop. +- Disable Network if not connected within 60s: Enable to allow Nuki Hub to function without a network connection (for example when only using Nuki Hub with GPIO) +- Enable Bootloop prevention: Enable to reset the following stack size and max entry settings to default if Nuki Hub detects a bootloop. - Char buffer size (min 4096, max 65536): Set the character buffer size, needs to be enlarged to support large amounts of auth/keypad/timecontrol/authorization entries. Default 4096. - Task size Network (min 12288, max 65536): Set the Network task stack size, needs to be enlarged to support large amounts of auth/keypad/timecontrol/authorization entries. Default 12288. - Task size Nuki (min 8192, max 65536): Set the Nuki task stack size. Default 8192. @@ -365,13 +388,13 @@ Note that the following options can break NukiHub and cause bootloops that will - Show Pairing secrets on Info page: Enable to show the pairing secrets on the info page. Will be disabled on reboot. - Manually set lock pairing data: Enable to save the pairing data fields and manually set pairing info for the lock. - Manually set opener pairing data: Enable to save the pairing data fields and manually set pairing info for the opener. -- Custom URL to update Nuki Hub updater: Set to a HTTPS address to update to a custom NukiHub updater binary on next boot of the NukiHub partition. -- Custom URL to update Nuki Hub: Set to a HTTPS address to update to a custom NukiHub binary on next boot of the NukiHub updater partition. +- Custom URL to update Nuki Hub updater: Set to a HTTPS address to update to a custom Nuki Hub updater binary on next boot of the Nuki Hub partition. +- Custom URL to update Nuki Hub: Set to a HTTPS address to update to a custom Nuki Hub binary on next boot of the Nuki Hub updater partition. - Force Lock ID to current ID: Enable to force the current Lock ID, irrespective of the config received from the lock. -- Force Lock Keypad connected: Enable to force NukiHub to function as if a keypad was connected, irrespective of the config received from the lock. -- Force Lock Doorsensor connected: Enable to force NukiHub to function as if a doorsensor was connected, irrespective of the config received from the lock. +- Force Lock Keypad connected: Enable to force Nuki Hub to function as if a keypad was connected, irrespective of the config received from the lock. +- Force Lock Doorsensor connected: Enable to force Nuki Hub to function as if a doorsensor was connected, irrespective of the config received from the lock. - Force Opener ID to current ID: Enable to force the current Opener ID, irrespective of the config received from the opener. -- Force Opener Keypad: Enable to force NukiHub to function as if a keypad was connected, irrespective of the config received from the opener. +- Force Opener Keypad: Enable to force Nuki Hub to function as if a keypad was connected, irrespective of the config received from the opener. - Enable Nuki connect debug logging: Enable to log debug information regarding Nuki BLE connection to MQTT and/or Serial. - Enable Nuki communication debug logging: Enable to log debug information regarding Nuki BLE communication to MQTT and/or Serial. - Enable Nuki readable data debug logging: Enable to log human readable debug information regarding Nuki BLE to MQTT and/or Serial. @@ -651,18 +674,18 @@ openssl req -new -key server.key -out server.csr -subj "/C=US/ST=YourState/L=You ## HTTPS Server (optional, PSRAM enabled devices only) The Webconfigurator can use/force HTTPS on PSRAM enabled devices.
-To enable SSL encryption, supply the certificate and key in the Network configuration page and reboot NukiHub.
+To enable SSL encryption, supply the certificate and key in the Network configuration page and reboot Nuki Hub.
Example self-signed certificate creation for your HTTPS server: ```console -# make a Certificate and key pair, MAKE SURE THE CN MATCHES THE DOMAIN AT WHICH NUKIHUB IS AVAILABLE +# make a Certificate and key pair, MAKE SURE THE CN MATCHES THE DOMAIN AT WHICH NUKI HUB IS AVAILABLE openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout nukihub.key -out nukihub.crt -subj "/C=US/ST=YourState/L=YourCity/O=YourOrganization/OU=YourUnit/CN=YourCAName" ``` Although you can use the HTTPS server in this way your client device will not trust the certificate by default. -An option would be to configure a proxy SSL server (such as Caddy, Traefik, nginx) with a non-self signed (e.g. let's encrypt) SSL certificate and have this proxy server connect to NukiHub over SSL and trust the self-signed NukiHub certificate for this connection. +An option would be to configure a proxy SSL server (such as Caddy, Traefik, nginx) with a non-self signed (e.g. let's encrypt) SSL certificate and have this proxy server connect to Nuki Hub over SSL and trust the self-signed NukiHub certificate for this connection. ## Home Assistant Discovery (optional) @@ -680,7 +703,7 @@ The following mapping between Home Assistant services and Nuki commands is setup NOTE: MQTT Discovery uses retained MQTT messages to store devices configurations.
In order to avoid orphan configurations on your broker please disable autodiscovery first if you no longer want to use this software.
Retained messages are automatically cleared when unpairing and when changing/disabling autodiscovery topic in MQTT Configuration page.
-If you experience "ghost" entities/devices related to NukiHub you can completely purge NukiHub related Home Assistant discovery topics from your MQTT broker by following the instructions [here](#purging-home-assistant-discovery-mqtt-topics) +If you experience "ghost" entities/devices related to Nuki Hub you can completely purge Nuki Hub related Home Assistant discovery topics from your MQTT broker by following the instructions [here](#purging-home-assistant-discovery-mqtt-topics) ## Keypad control using JSON (optional) @@ -883,7 +906,7 @@ This unfortunately means that older versions of Home Assistant are not supported - Click on the root `homeassistant` topic - Press delete on your keyboard - Click Yes to confirm deletion -- Reboot all NukiHub devices connected to the MQTT broker to recreate the correct topics for Home Assistant +- Reboot all Nuki Hub devices connected to the MQTT broker to recreate the correct topics for Home Assistant ### Nuki Hub in bridge mode doesn't work when Thread or Wi-Fi on a Nuki Smartlock (3.0 Pro / 4.0 / 4.0 Pro) is turned on. @@ -898,7 +921,7 @@ When first setting up the lock (or opener), you have to set a PIN in the Nuki sm Navigate to the Nuki Hub Credentials page, enter this PIN, click save and reboot.
Check the main page of the configurator to see if the entered PIN is valid. -Also make sure that the you have enabled the specific functionality on the "Access Level Configuration" page of NukiHub. +Also make sure that the you have enabled the specific functionality on the "Access Level Configuration" page of Nuki Hub. ### Authorization data isn't published @@ -916,7 +939,7 @@ This button is disabled by default, but can be enabled in the Home Assistant UI. ### When controlling two locks (or openers) connected to two ESPs, both devices react to the same command. When using Home Asistant, the same status is display for both locks. When using multiple Nuki devices, different paths for each device have to be configured.
-Navigate to "MQTT Configuration" and change the "MQTT NukiHub Path" under "Basic MQTT Configuration" for at least one of the devices.
+Navigate to "MQTT Configuration" and change the "MQTT Nuki Hub Path" under "Basic MQTT Configuration" for at least one of the devices.
### The Nuki battery is draining quickly. diff --git a/lib/DuoAuthLibrary/AUTHORS b/lib/DuoAuthLibrary/AUTHORS new file mode 100644 index 0000000..dee7f70 --- /dev/null +++ b/lib/DuoAuthLibrary/AUTHORS @@ -0,0 +1,4 @@ +# Duo Authentication Library for ESP32 Micro Controllers +# List of Authors + +Gary Oppel diff --git a/lib/DuoAuthLibrary/CHANGELOG.md b/lib/DuoAuthLibrary/CHANGELOG.md new file mode 100644 index 0000000..b397015 --- /dev/null +++ b/lib/DuoAuthLibrary/CHANGELOG.md @@ -0,0 +1,7 @@ +Duo Authentication Library for ESP32 Micro Controllers - Change Log +======================= + +v1.0.0 (08/26/2020) +------ + +* Initial Library Release diff --git a/lib/DuoAuthLibrary/CONTRIBUTING.md b/lib/DuoAuthLibrary/CONTRIBUTING.md new file mode 100644 index 0000000..7b8ee15 --- /dev/null +++ b/lib/DuoAuthLibrary/CONTRIBUTING.md @@ -0,0 +1,24 @@ +# Guidance on how to contribute + +Contributions to this code are welcome and appreciated. + +> All contributions to this code will be released under the terms of the [LICENSE](./LICENSE) of this code. By submitting a pull request or filing a bug, issue, or feature request, you are agreeing to comply with this waiver of copyright interest. Details can be found in our [LICENSE](./LICENSE). + +There are two primary ways to contribute: + +1. Using the issue tracker +2. Changing the codebase + + +## Using the issue tracker + +Use the issue tracker to suggest feature requests, report bugs, and ask questions. This is also a great way to connect with the developers of the project as well as others who are interested in this solution. + +Use the issue tracker to find ways to contribute. Find a bug or a feature, mention in the issue that you will take on that effort, then follow the _Changing the codebase_ guidance below. + + +## Changing the codebase + +Generally speaking, you should fork this repository, make changes in your own fork, and then submit a pull request. All new code should have associated unit tests (if applicable) that validate implemented features and the presence or lack of defects. + +Additionally, the code should follow any stylistic and architectural guidelines prescribed by the project. In the absence of such guidelines, mimic the styles and patterns in the existing codebase. diff --git a/lib/DuoAuthLibrary/LICENSE b/lib/DuoAuthLibrary/LICENSE new file mode 100644 index 0000000..d9a10c0 --- /dev/null +++ b/lib/DuoAuthLibrary/LICENSE @@ -0,0 +1,176 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS diff --git a/lib/DuoAuthLibrary/NOTICE b/lib/DuoAuthLibrary/NOTICE new file mode 100644 index 0000000..2f86bc1 --- /dev/null +++ b/lib/DuoAuthLibrary/NOTICE @@ -0,0 +1,5 @@ +Duo Authentication Library for ESP32 Micro Controllers + +Copyright (c) 2020 Cisco Systems, Inc. or its affiliates + +This project includes software developed at Cisco Systems, Inc. or its affiliates. diff --git a/lib/DuoAuthLibrary/README.md b/lib/DuoAuthLibrary/README.md new file mode 100644 index 0000000..f9cab17 --- /dev/null +++ b/lib/DuoAuthLibrary/README.md @@ -0,0 +1,217 @@ +# Duo Authentication Library for ESP32 Micro Controllers + +*An Arduino Library to simplify the operations of performing Duo Multi-Factor Authentication within your ESP32 Micro Controller project* + +--- + +## Overview + +The Duo Authentication Library was created to abstract the [Duo Auth API Authentication Requirements](https://duo.com/docs/authapi#authentication). These requirements, which utilizes the HMAC_SHA1 algorithm, NTP Time Source, and Duo Application details (API Host, Application/Integration Key, and Secret Key) to sign the properly formatted requests before being sent to Duo's Auth API. The library has been targeted for the Espressif ESP32 Micro Controllers, due to the built-in crypto hardware support for both the HTTPS and HMAC Signature requirements. + +Duo Security extends various API Endpoints for use. In particular, this Library's focus is on Duo's [Authentication API ](https://duo.com/docs/authapi). + +## Features + +The Duo Authentication Library enables the following features/functionality: + +- Duo Mobile Push Authentication +- Duo Asynchronous Mobile Push Authentication +- Duo Passcode Authentication +- Ability to set device's IP Address for Duo Auth API Requests +- Ability to set Duo's Mobile Push Notification Type (This string is displayed before the word "Request") +- Various Duo Authentication API Response fields exposed with easy to use functions +- **Includes 4 example sketches** to demonstrate the use of the library + +## Key Design Requirements + +The library was created with the following Key Duo API Requirements in Mind: + +- Accurate Time Source for Signing the Authorization Signature + - *Note: This variable can be declared as Global, Private 'setup();' or 'loop();', or within your own Method/Function that will interface with the Duo Auth Library! It is strongly suggested that you leverage a Global variable if you are using a primary authentication source as well!* + +- Simple to use functions for anyone to get up and quickly as well as incorporating into your existing projects +- Built-in URL Encoding as required for certain usernames or other API properties +- Functions that enable granular 'Authentication' decision making based on Duo's Auth API Responses +- Initial Library scope primarily targeted mainly Duo Push and Passcode functionality + +## Technologies & Frameworks Used +The library was built to provide a simple and easy to use interface for the Duo Auth API on Espressif's ESP32 Micro Controllers. The library is written for the use within the Arduino IDE. + +**Cisco Products & Services:** + +- Duo Security + +**Duo Authentication API Endpoints in use:** + +This library abstracts most of the [Duo Auth API](https://duo.com/docs/authapi) functionality. The specific API Endpoints leveraged by this library are as follows: + +- GET ```/auth/v2/ping``` +- GET ```/auth/v2/check``` +- POST ```/auth/v2/auth``` +- GET ```/auth/v2/auth_status``` + +**Tools & Frameworks:** + +- Arduino IDE (*Tested on v1.8.12*) or PlatformIO for VSCode IDE +- [Arduino Core for the ESP32](https://github.com/espressif/arduino-esp32) +- [ArduinoJson Library for Arduino and IoT Devices](https://github.com/bblanchon/ArduinoJson) + + **I would like to thank all the authors & contributers on the previously mentioned Tools & Frameworks!** + + The Documentation and Guides available from these tools, contained the details needed to bring this Library to life. Below are links to references used for the above Tools & Frameworks: + + - Arduino - Writing a Library for Arduino [https://www.arduino.cc/en/Hacking/LibraryTutorial](https://www.arduino.cc/en/Hacking/LibraryTutorial) + - ArduinoJson - Deserialization Tutorial [https://arduinojson.org/v6/doc/deserialization/](https://arduinojson.org/v6/doc/deserialization/) + +**Hardware Required:** + +- Espressif ESP32 WiFi Micro-controller +- User Input Device + - 10 Digit Keypad + - LCD Touch Screen + - Serial/RS-232 Device + - RFID Reader/NFC Reader + - Etc.. + +## Installation + +#### Arduino IDE +*Note: This document assumes that your Arduino IDE is already setup and configured for Espressif's ESP32 Micro Controllers (Arduino Core for the ESP32)* + +- To install the Duo Authentication Library in your Arduino IDE, follow the instructions below: + - Browse to the Duo Authentication Library Releases GitHub Page + - Download Latest Duo Authentication Library package version (Choose ZIP Package) + - Follow the **"Installing Additional Arduino Libraries"** documentation at [Arduino's Library Documentation Site](https://www.arduino.cc/en/guide/libraries) + +#### PlatformIO for VSCode IDE +- To install the Duo Authentication Library in your PlatformIO for VSCode IDE, follow the instructions below: + - Open VSCode PlatformIO Core CLI + - Execute the following installation command + - `pio lib install https://github.com/CiscoDevNet/Arduino-DuoAuthLibrary-ESP32/archive/v1.0.0.zip` + +## Library Usage + +### Example Sketches + +Included as part of the Duo Authentication Library are 4 Arduino example sketches, which outline and demonstrate how to use the library. The examples included are: +- **Push Authentication** - Provides example on a Duo Library Push Authentication +- **Passcode Authentication** - Provides example on a Duo Library Passcode Authentication +- **Asynchronous Push Authentication** - Provides example on an Asynchronous Duo Push Authentication +- **Common Functions** - Provides examples on the Libraries Common Functions + +### Configuration Requirements + +The following parameters are required inputs into the Duo Authentication Library: + +- NTP Server (Intranet or Internet) and other Time Variables + + ```cpp + const char* ntpServer = "pool.ntp.org"; + + //Adjusting these values from '0' are not necessary + const long gmtOffset_sec = 0; + const int daylightOffset_sec = 0; + ``` + +- WiFi SSID & Pre-Shared Key + ```cpp + const char* ssid = "MyWirelessAP"; + const char* wirelessPsk = "MySecretWiFiPassword"; + ``` + +- Time Info Variable Declaration & Configuration + + The Time Info structure provides the necessary variable for the NTP server to update the time, which is used by the Duo Auth Library. + + ```cpp + //Create timeinfo variable. Note: This can be declared globally or within the function using the Duo Auth Library + struct tm timeinfo; + + //Configure the Time settings + configTime(gmtOffset_sec, daylightOffset_sec, ntpServer); + ``` + +- Root Certificate Authority (CA) Public Certificate for the Duo API Host + + See [Root Certificate Authority Section](/README.md#root-certificate-authority) + +- Duo API Hostname + ```cpp + const char* duo_host = ""; + ``` + +- Duo Application/Integration Key + ```cpp + const char* duo_akey = ""; + ``` + +- Duo Secret Key + ```cpp + const char* duo_skey = ""; + ``` + +- Username + +- Passcode of User, if using Duo Passcode Authentication + +*For a more comprehensive view into the Configuration Requirements and Library use, please view the included example sketches.* + +### Root Certificate Authority +Duo Authentication API calls are performed over HTTPS, and as such we require a trustpoint to know that we are communicating with our trusted Duo API Host. + +You will need to export the Base64 Encoded X.509 Public Key of the Root Certificate Authority for your Duo API Host (```duo_host```). + +Once exported, you will need to format the Base64 Output similar to the example below: + +```cpp +const char* root_ca= \ +"-----BEGIN CERTIFICATE-----\n" \ +"XxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXx\n" \ +"XxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXx\n" \ +"XxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXx\n" \ +"XxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXx\n" \ +"XxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXx\n" \ +"XxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXx\n" \ +"XxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXx\n" \ +"XxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXx\n" \ +"XxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXx\n" \ +"XxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXx\n" \ +"XxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXx\n" \ +"XxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXx\n" \ +"XxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXx\n" \ +"XxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXx\n" \ +"XxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXx\n" \ +"XxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXx\n" \ +"XxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXx\n" \ +"XxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXx\n" \ +"XxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXx\n" \ +"XxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXx\n" \ +"XxXxXxXxXxXx\n" \ +"-----END CERTIFICATE-----\n"; +``` + +## Authors & Maintainers + +The following people are responsible for the creation and/or maintenance of this project: + +- Gary Oppel + +## License + +This project is licensed to you under the terms of the [Apache License, Version 2.0](./LICENSE). + +--- + +Copyright 2020 Cisco Systems, Inc. or its affiliates + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. diff --git a/lib/DuoAuthLibrary/examples/Common-Functions/Common-Functions.ino b/lib/DuoAuthLibrary/examples/Common-Functions/Common-Functions.ino new file mode 100644 index 0000000..e8bd884 --- /dev/null +++ b/lib/DuoAuthLibrary/examples/Common-Functions/Common-Functions.ino @@ -0,0 +1,146 @@ +/** + *@license + *Copyright 2020 Cisco Systems, Inc. or its affiliates + * + *Licensed under the Apache License, Version 2.0 (the "License"); + *you may not use this file except in compliance with the License. + *You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + *Unless required by applicable law or agreed to in writing, software + *distributed under the License is distributed on an "AS IS" BASIS, + *WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + *See the License for the specific language governing permissions and + *limitations under the License. + */ + +//------------------------------------------------------------------------------------------- +//Duo Authentication Library (Common Library Functions Example) +//GitHub: https://github.com/CiscoDevNet/Arduino-DuoAuthLibrary-ESP32 +//------------------------------------------------------------------------------------------- + +//Include WiFi Header File to enable Network Connectivity +#include + +//Include DuoAuthLibrary Header File enabling the functions for Duo Authentication Requests +#include + +//UPDATE: Update the below values with your Wireless SSID and Pre-Shared Key settings +const char* ssid = "MyWirelessAP"; +const char* wirelessPsk = "MySecretWiFiPassword"; + +//------------------------------------------------------------------------------------------- +//START: Duo Authentication Library Required Variables + +//Initialize the Time Variable Globally since it is needed for Duo Auth and potentially the +//primary Authentication Provider +struct tm timeinfo; + +//UPDATE: Provide an accurate Local or Internet Based Time-source (NTP) (IP or FQDN) +//If using a FQDN, please ensure that DNS Servers are configured or provided through DHCP +const char* ntpServer = "pool.ntp.org"; + +//Duo Auth API uses UTC time, which is queried against the above NTP Server. +//Adjusting these values from '0' are not necessary +const long gmtOffset_sec = 0; +const int daylightOffset_sec = 0; + +//UPDATE: Update these variables with the appropriate Duo Application API values +const char* duo_host = ""; +const char* duo_akey = ""; +const char* duo_skey = ""; + +//END: Duo Authentication Library Required Variables +//------------------------------------------------------------------------------------------- + +void setup(){ + //Start Serial Connection at 115200 Baud + Serial.begin(115200); + + delay(1000); + + //Start WiFi with the provided SSID and PSK + WiFi.begin(ssid, wirelessPsk); + + //Wait for a valid WiFi Connection + while (WiFi.status() != WL_CONNECTED){ + delay(1000); + Serial.println("Connecting to WiFi.."); + } + + Serial.println("Connected to the WiFi network"); + + Serial.println("Configuring NTP Client"); + //Configure SNTP Settings for an Accurate Time-source + configTime(gmtOffset_sec, daylightOffset_sec, ntpServer); + + Serial.println("Duo Authentication Library (Common Functions Example)"); + + //Declare Duo Authentication Instance + DuoAuthLib duoAuth; + + //Call the begin(...) function to initialize the Duo Auth Library + duoAuth.begin(duo_host, duo_akey, duo_skey, &timeinfo); + + //This function allows you to check if the Duo API AKey, SKey, and Host are correct and Valid. + //This is good for validating or testing that the Duo variables correctly are correctly set + bool checkAPIKey = duoAuth.checkApiKey(); + + //Let's see the response from the above command + //If it is 'true' we have successfully authenticated against the Duo Auth API + if(checkAPIKey){ + Serial.println("Duo API Credentials are VALID"); + }else{ + //The Credential validation has failed for the Duo Auth API, please check the AKey, SKey, and Duo Hostname + Serial.println("Duo API Credentials are INVALID"); + } + + //Example providing the HTTP Response code from DuoAuthLib's last API request + Serial.print("DuoAuthLib:HTTP Code : "); + Serial.println(String(duoAuth.getHttpCode())); + + //Example providing the Duo Auth API Status from the DuoAuthLib's last API request + Serial.print("DuoAuthLib:getApiStat : "); + Serial.println(duoAuth.getApiStat()); + + //Example providing the Duo Authentication Result from the DuoAuthLib's last API request + //NOTE: This value is the decision on the Authentication Request. This must match "allow" + //for a successful Auth Request. https://duo.com/docs/authapi#/auth under Response Formats + // + //To simplify the ease of use, leverage the 'authSuccessful(...)' function instead of the + //below function, unless advanced control is required. + Serial.print("DuoAuthLib:getAuthResponseResult : "); + Serial.println(duoAuth.getAuthResponseResult()); + + //Example providing Duo's Authentication Status from DuoAuthLib's last API request + Serial.print("DuoAuthLib:getAuthResponseStatus : "); + Serial.println(duoAuth.getAuthResponseStatus()); + + //Example providing the HTTP Response code from DuoAuthLib's last API request + Serial.print("DuoAuthLib:getAuthResponseStatusMessage : "); + Serial.println(duoAuth.getAuthResponseStatusMessage()); + + //Example providing Duo's API Failure code from DuoAuthLib's last API request + //See https://help.duo.com/s/article/1338 for more details + Serial.print("DuoAuthLib:getApiFailureCode : "); + Serial.println(duoAuth.getApiFailureCode()); + + //Example providing Duo's API Failure Message from DuoAuthLib's last API request + //See https://help.duo.com/s/article/1338 for more details + Serial.print("DuoAuthLib:getApiFailureMessage : "); + Serial.println(duoAuth.getApiFailureMessage()); + + //Example providing the RAW HTTP Response from DuoAuthLib's last API request + Serial.print("DuoAuthLib:HTTP Raw Response : \n"); + Serial.println(duoAuth.getHttpResponse()); +} + +void loop(){ + + if ((WiFi.status() == WL_CONNECTED)){ + //------------------------------------------------------------------------------------------- + //Loop Function Code Block - Intentionally Left Blank (Example in 'setup()' function above) + //------------------------------------------------------------------------------------------- + } +} diff --git a/lib/DuoAuthLibrary/examples/Passcode-Authentication/Passcode-Authentication.ino b/lib/DuoAuthLibrary/examples/Passcode-Authentication/Passcode-Authentication.ino new file mode 100644 index 0000000..d9ac933 --- /dev/null +++ b/lib/DuoAuthLibrary/examples/Passcode-Authentication/Passcode-Authentication.ino @@ -0,0 +1,258 @@ +/** + *@license + *Copyright 2020 Cisco Systems, Inc. or its affiliates + * + *Licensed under the Apache License, Version 2.0 (the "License"); + *you may not use this file except in compliance with the License. + *You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + *Unless required by applicable law or agreed to in writing, software + *distributed under the License is distributed on an "AS IS" BASIS, + *WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + *See the License for the specific language governing permissions and + *limitations under the License. + */ + +//------------------------------------------------------------------------------------------- +//Duo Authentication Library (Passcode Authentication Example) +//GitHub: https://github.com/CiscoDevNet/Arduino-DuoAuthLibrary-ESP32 +//------------------------------------------------------------------------------------------- + +//Include WiFi Header File to enable Network Connectivity +#include + +//Include DuoAuthLibrary Header File enabling the functions for Duo Authentication Requests +#include + +//UPDATE: Update the below values with your Wireless SSID and Pre-Shared Key settings +const char* ssid = "MyWirelessAP"; +const char* wirelessPsk = "MySecretWiFiPassword"; + +//Global variables used for example +char duoUsername[25]; +char duoPasscode[7]; +bool duoUser; +const byte numChars = 25; +char userInputChars[numChars]; +bool newUserInput = false; +bool readyToAuth = false; + +//------------------------------------------------------------------------------------------- +//START: Duo Authentication Library Required Variables + +//Initialize the Time Variable Globally since it is needed for Duo Auth and potentially the +//primary Authentication Provider +struct tm timeinfo; + +//UPDATE: Provide an accurate Local or Internet Based Time-source (NTP) (IP or FQDN) +//If using a FQDN, please ensure that DNS Servers are configured or provided through DHCP +const char* ntpServer = "pool.ntp.org"; + +//Duo Auth API uses UTC time, which is queried against the above NTP Server. +//Adjusting these values from '0' are not necessary +const long gmtOffset_sec = 0; +const int daylightOffset_sec = 0; + +//UPDATE: Update these variables with the appropriate Duo Application API values +const char* duo_host = ""; +const char* duo_akey = ""; +const char* duo_skey = ""; + +//END: Duo Authentication Library Required Variables +//------------------------------------------------------------------------------------------- + +void setup(){ +//Start Serial Connection at 115200 Baud + Serial.begin(115200); + + delay(1000); + + //Start WiFi with the provided SSID and PSK + WiFi.begin(ssid, wirelessPsk); + + //Wait for a valid WiFi Connection + while (WiFi.status() != WL_CONNECTED){ + delay(1000); + Serial.println("Connecting to WiFi.."); + } + + Serial.println("Connected to the WiFi network"); + + Serial.println("Configuring NTP Client"); + //Configure SNTP Settings for an Accurate Time-source + configTime(gmtOffset_sec, daylightOffset_sec, ntpServer); + + Serial.println("Duo Authentication Library (Passcode Example)"); + Serial.print("Please enter your Username :"); +} + +void loop(){ + //Check if Wifi is connected before proceeding + if ((WiFi.status() == WL_CONNECTED)){ + + //Declare Duo Authentication Instance + DuoAuthLib duoAuth; + + //Check for New user input from Serial Interface + //NOTE: See checkSerialInput(...) function below for more details + checkSerialInput(); + + //Check if new data is available to be processed by the application + if (newUserInput == true){ + newUserInput = false; + + Serial.println(userInputChars); + + if(!duoUser){ + //New Username being entered, empty the existing contents of both variables + duoUsername[0] = '\0'; + duoPasscode[0] = '\0'; + + //Copy the user input into the duoUsername Variable + strcat(duoUsername, userInputChars); + userInputChars[0] = '\0'; + + Serial.print("Please enter your Duo Passcode :"); + + duoUser = true; + }else{ + //Copy the user input into the duoUsername Variable + strcat(duoPasscode, userInputChars); + userInputChars[0] = '\0'; + + duoUser = false; + readyToAuth = true; + } + } + + //------------------------------------------------------------------------------------------- + //Primary Identity Authentication will need to be inserted where appropriate + //If we have received both a Username and Passcode, we can proceed to requesting + //Duo Passcode Authentication + //------------------------------------------------------------------------------------------- + if(readyToAuth){ + readyToAuth = false; + + //------------------------------------------------------------------------------------------- + //BEGIN : Duo Authentication + //------------------------------------------------------------------------------------------- + //Declare Variable to hold our Duo Push Request Status + bool duoRequestResult; + + //Reset the new data flag as its being processed + newUserInput = false; + + //Call the begin(...) function to initialize the Duo Auth Library + duoAuth.begin(duo_host, duo_akey, duo_skey, &timeinfo); + + //------------------------------------------------------------------------------------------- + //Optional configuration functions available to control some intermediate features + // + //-------- + //Set HTTP Timeout for the Duo Auth Library HTTP Request. Adjust to your requirements + // Default Setting - 30000ms (30 Seconds) + // + //duoAuth.setHttpTimeout(10000); + //-------- + // + //-------- + //Sets the IP Address of the device for Duo API Auth Requests + // Default: 0.0.0.0 + // + //duoAuth.setIPAddress("255.255.255.255"); + //-------- + // + //------------------------------------------------------------------------------------------- + + //------------------------------------------------------------------------------------------- + //Call passcodeAuth(...) function for user entered + //This is a stopping function and will wait until a response is received, an error occurs, + //or the session times out. NOTE: The default HTTP Timeout for the Duo Library is 30 Seconds + //See 'Asynchronous Push Authentication' example for an alternative Push Method + //------------------------------------------------------------------------------------------- + duoRequestResult = duoAuth.passcodeAuth(duoUsername, duoPasscode); + + //------------------------------------------------------------------------------------------- + //Check if Duo Auth Request was Successful + //This returns the True/False if the Duo Auth Library API + //Request was successful and received the appropriate "OK" response + //If the result returned is 'true' + //------------------------------------------------------------------------------------------- + //https://duo.com/docs/authapi#/auth + //------------------------------------------------------------------------------------------- + if(duoRequestResult == true){ + //Check if Duo Authentication for the user was Allowed + if(duoAuth.authSuccessful()){ + //Duo Authentication was Successful as the "allow" response was received from the API + Serial.println("Successful Auth!"); + + //------------------------------------------------------------------------------------------- + //INSERT Your PROTECTED Code HERE + //------------------------------------------------------------------------------------------- + + }else{ + Serial.println("Failed Auth!"); + //Duo Authentication Failed as the "allow" response was NOT received from the API + + //------------------------------------------------------------------------------------------- + //INSERT Your Authentication FAILURE Code HERE + //------------------------------------------------------------------------------------------- + } + }else{ + Serial.println("Failed Auth!"); + //Duo Authentication Failed as the "allow" response was NOT received from the API + + //------------------------------------------------------------------------------------------- + //INSERT Your Duo API Request FAILURE Code HERE + //------------------------------------------------------------------------------------------- + } + //------------------------------------------------------------------------------------------- + //END : Duo Authentication + //------------------------------------------------------------------------------------------- + + //------------------------------------------------------------------------------------------- + //Reset our Variables for the next User Input/Authentication Request + //------------------------------------------------------------------------------------------- + userInputChars[0] = '\0'; + Serial.println("Duo Authentication Library (Passcode Example)"); + Serial.print("Please enter your Username :"); + } + } +} + +//------------------------------------------------------------------------------------------- +//Check Serial for Input and wait for the "Enter" key to be pressed +//------------------------------------------------------------------------------------------- +void checkSerialInput(){ + static byte index = 0; + //Define Terminating Character + char endingCharacter = '\n'; + char receivedChar; + + //------------------------------------------------------------------------------------------- + //Only check for new Serial Data when new data is available from the Serial Interface and we + //have not seen the "Enter" key press yet. + //------------------------------------------------------------------------------------------- + while (Serial.available() > 0 && newUserInput == false){ + //We have new input + receivedChar = Serial.read(); + + if(receivedChar != endingCharacter){ + //Detected that other characters were entered + userInputChars[index] = receivedChar; + index++; + if (index >= numChars) { + index = numChars - 1; + } + }else{ + //Detected that the 'Enter' button was pressed + userInputChars[index] = '\0'; + index = 0; + + //Update the flag telling the main loop we now have User Input for processing + newUserInput = true; + } + } +} diff --git a/lib/DuoAuthLibrary/examples/Push-ASync-Authentication/Push-ASync-Authentication.ino b/lib/DuoAuthLibrary/examples/Push-ASync-Authentication/Push-ASync-Authentication.ino new file mode 100644 index 0000000..d8d0f2c --- /dev/null +++ b/lib/DuoAuthLibrary/examples/Push-ASync-Authentication/Push-ASync-Authentication.ino @@ -0,0 +1,296 @@ +/** + *@license + *Copyright 2020 Cisco Systems, Inc. or its affiliates + * + *Licensed under the Apache License, Version 2.0 (the "License"); + *you may not use this file except in compliance with the License. + *You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + *Unless required by applicable law or agreed to in writing, software + *distributed under the License is distributed on an "AS IS" BASIS, + *WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + *See the License for the specific language governing permissions and + *limitations under the License. + */ + +//------------------------------------------------------------------------------------------- +//Duo Authentication Library (Asynchronous Push Authentication Example) +//GitHub: https://github.com/CiscoDevNet/Arduino-DuoAuthLibrary-ESP32 +//------------------------------------------------------------------------------------------- + +//Include WiFi Header File to enable Network Connectivity +#include + +//Include DuoAuthLibrary Header File enabling the functions for Duo Authentication Requests +#include + +//UPDATE: Update the below values with your Wireless SSID and Pre-Shared Key settings +const char* ssid = "MyWirelessAP"; +const char* wirelessPsk = "MySecretWiFiPassword"; + +//Global variables used for example +const byte numChars = 25; +char userInputChars[numChars]; +boolean newUserInput = false; + +//------------------------------------------------------------------------------------------- +//START: Duo Authentication Library Example Dependant Variables +String transactionId; +bool activeRequest; +int asyncPollTimeout = 10000; +unsigned long asyncBeginMarker; +//END: Duo Authentication Library Example Dependant Variables +//------------------------------------------------------------------------------------------- + +//------------------------------------------------------------------------------------------- +//START: Duo Authentication Library Required Variables + +//Initialize the Time Variable Globally since it is needed for Duo Auth and potentially the +//primary Authentication Provider +struct tm timeinfo; + +//UPDATE: Provide an accurate Local or Internet Based Time-source (NTP) (IP or FQDN) +//If using a FQDN, please ensure that DNS Servers are configured or provided through DHCP +const char* ntpServer = "pool.ntp.org"; + +//Duo Auth API uses UTC time, which is queried against the above NTP Server. +//Adjusting these values from '0' are not necessary +const long gmtOffset_sec = 0; +const int daylightOffset_sec = 0; + +//UPDATE: Update these variables with the appropriate Duo Application API values +const char* duo_host = ""; +const char* duo_akey = ""; +const char* duo_skey = ""; + +//END: Duo Authentication Library Required Variables +//------------------------------------------------------------------------------------------- + +void setup(){ + //Start Serial Connection at 115200 Baud + Serial.begin(115200); + + delay(1000); + + //Start WiFi with the provided SSID and PSK + WiFi.begin(ssid, wirelessPsk); + + //Wait for a valid WiFi Connection + while (WiFi.status() != WL_CONNECTED){ + delay(1000); + Serial.println("Connecting to WiFi.."); + } + + Serial.println("Connected to the WiFi network"); + + Serial.println("Configuring NTP Client"); + //Configure SNTP Settings for an Accurate Time-source + configTime(gmtOffset_sec, daylightOffset_sec, ntpServer); + + Serial.println("Duo Authentication Library (Asynchronous Push Example)"); + Serial.print("Please enter your Username :"); +} + +void loop(){ + //Check if Wifi is connected before proceeding + if ((WiFi.status() == WL_CONNECTED)){ + + //Declare Duo Authentication Instance + DuoAuthLib duoAuth; + + //Check for New user input from Serial Interface + //NOTE: See checkSerialInput(...) function below for more details + checkSerialInput(); + + //Check if new data is available to be processed by the application + if (newUserInput == true){ + Serial.println(userInputChars); + //------------------------------------------------------------------------------------------- + //PERFORM Primary Identity Authentication Here before proceeding to Duo Authentication + //------------------------------------------------------------------------------------------- + + //------------------------------------------------------------------------------------------- + //Begin Duo Authentication + //Declare Variable to hold our Duo Push Request Status + bool duoRequestResult; + + //Reset the new data flag as its being processed + newUserInput = false; + + //Call the 'begin(...)' function to initialize the Duo Auth Library + duoAuth.begin(duo_host, duo_akey, duo_skey, &timeinfo); + + //------------------------------------------------------------------------------------------- + //Optional configuration functions available to control some intermediate features + // + //-------- + //Set HTTP Timeout for the Duo Auth Library HTTP Request. Adjust to your requirements + // Default Setting - 30000ms (30 Seconds) + // + //duoAuth.setHttpTimeout(10000); + //-------- + // + //-------- + //Sets the IP Address of the device for Duo API Auth Requests + // Default: 0.0.0.0 + // + //duoAuth.setIPAddress("255.255.255.255"); + //-------- + // + //-------- + //Sets the Push Type Notification Text that is displayed to the Enduser's Mobile Device. + // Note: Only supported with Duo Push functionality + // + //duoAuth.setPushType(10000); + //-------- + // + //------------------------------------------------------------------------------------------- + + //------------------------------------------------------------------------------------------- + //Call 'pushAuth(...)' function for user defined in 'userInputChars' + //This is a stopping function and will wait until a response is received, an error occurs, + //or the session times out. NOTE: The default HTTP Timeout for the Duo Library is 30 Seconds + //See 'Asynchronous Push Authentication' example for an alternative Push Method + //------------------------------------------------------------------------------------------- + duoRequestResult = duoAuth.pushAuth(userInputChars, true); + + //------------------------------------------------------------------------------------------- + //Check if Duo Auth Request was Successful + //This returns the True/False if the Duo Auth Library API + //Request was successful and received the approriate "OK" response + //If the result returned is 'true' + //------------------------------------------------------------------------------------------- + //https://duo.com/docs/authapi#/auth + //------------------------------------------------------------------------------------------- + if(duoRequestResult == true){ + //------------------------------------------------------------------------------------------- + //We have a successful Asynchronous Request, Let's Grab the Transaction ID and save it so we + //can continue processing code within our main loop() function. We can check the status of + //Duo Push Authentication Request with the 'authStatus(...)' function + //------------------------------------------------------------------------------------------- + + transactionId = duoAuth.getAuthTxId(); + + activeRequest = true; + + asyncBeginMarker = millis(); + Serial.println(String("Processing other tasks for ") + String(asyncPollTimeout/1000) + String(" seconds")); + }else{ + Serial.println("Failed Auth!"); + //Duo Authentication Failed as the "allow" response was NOT received from the API + + //------------------------------------------------------------------------------------------- + //INSERT Your Duo API Request FAILURE Code HERE + //------------------------------------------------------------------------------------------- + + //Run the Duo Prompt Loop Again + Serial.println("Duo Authentication Library (Asynchronous Push Example)"); + Serial.print("Please enter your Username :"); + } + //Reset Variables + userInputChars[0] = '\0'; + } + + //Note: According to the Duo API, the 'auth_status' endpoint will perform a long Poll + if(activeRequest && (millis() > (asyncBeginMarker + asyncPollTimeout))){ + //Call the 'begin(...)' function to initialize the Duo Auth Library + duoAuth.begin(duo_host, duo_akey, duo_skey, &timeinfo); + + Serial.println("Checking Duo Push Status..."); + + //------------------------------------------------------------------------------------------- + //Call 'authStatus(...)' function to check on the status of our Asynchronous Push Request + //------------------------------------------------------------------------------------------- + duoAuth.authStatus(transactionId); + + //------------------------------------------------------------------------------------------- + //Call 'authStatus(...)' function to check on the status of our Asynchronous Push Request + //------------------------------------------------------------------------------------------- + if(duoAuth.pushWaiting()){ + //------------------------------------------------------------------------------------------- + //Duo Authentication was sucessfully pushed to the user, we are still waiting for user response + //------------------------------------------------------------------------------------------- + Serial.println("Duo Push Waiting..."); + + //Reset the asyncBeginMarker to check for auth again + asyncBeginMarker = millis(); + Serial.println(String("Processing other tasks for ") + String(asyncPollTimeout/1000) + String(" seconds")); + }else{ + if(duoAuth.authSuccessful()){ + //Duo Authentication was Successful as the "allow" response was received from the API + Serial.println("Successful Auth!"); + + //------------------------------------------------------------------------------------------- + //INSERT Your PROTECTED Code HERE + //------------------------------------------------------------------------------------------- + + activeRequest = false; + transactionId = ""; + + //Run the Duo Prompt Loop Again + Serial.println("Duo Authentication Library (Asynchronous Push Example)"); + Serial.print("Please enter your Username :"); + }else{ + //Duo Authentication Failed as the "allow" response was NOT received from the API + Serial.println("Failed Auth!"); + + activeRequest = false; + transactionId = ""; + + //------------------------------------------------------------------------------------------- + //INSERT Your Authentication FAILURE Code HERE + //------------------------------------------------------------------------------------------- + + //Run the Duo Prompt Loop Again + Serial.println("Duo Authentication Library (Asynchronous Push Example)"); + Serial.print("Please enter your Username :"); + } + } + } + + //------------------------------------------------------------------------------------------- + //Insert your normal process code here to process while we wait to check on the Auth Status + //------------------------------------------------------------------------------------------- + } + + //------------------------------------------------------------------------------------------- + //Insert your normal process code here to process while we wait to check on the Auth Status + //------------------------------------------------------------------------------------------- +} + +//------------------------------------------------------------------------------------------- +//Check Serial for Input and wait for the "Enter" key to be pressed +//------------------------------------------------------------------------------------------- +void checkSerialInput(){ + static byte index = 0; + //Define Terminating Character + char endingCharacter = '\n'; + char receivedChar; + + //------------------------------------------------------------------------------------------- + //Only check for new Serial Data when new data is available from the Serial Interface and we + //have not seen the "Enter" key press yet. + //------------------------------------------------------------------------------------------- + while (Serial.available() > 0 && newUserInput == false){ + //We have new input + receivedChar = Serial.read(); + + if(receivedChar != endingCharacter){ + //Detected that other characters were entered + userInputChars[index] = receivedChar; + index++; + if (index >= numChars) { + index = numChars - 1; + } + }else{ + //Detected that the 'Enter' button was pressed + userInputChars[index] = '\0'; + index = 0; + + //Update the flag telling the main loop we now have User Input for processing + newUserInput = true; + } + } +} diff --git a/lib/DuoAuthLibrary/examples/Push-Authentication/Push-Authentication.ino b/lib/DuoAuthLibrary/examples/Push-Authentication/Push-Authentication.ino new file mode 100644 index 0000000..8f9820d --- /dev/null +++ b/lib/DuoAuthLibrary/examples/Push-Authentication/Push-Authentication.ino @@ -0,0 +1,234 @@ +/** + *@license + *Copyright 2020 Cisco Systems, Inc. or its affiliates + * + *Licensed under the Apache License, Version 2.0 (the "License"); + *you may not use this file except in compliance with the License. + *You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + *Unless required by applicable law or agreed to in writing, software + *distributed under the License is distributed on an "AS IS" BASIS, + *WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + *See the License for the specific language governing permissions and + *limitations under the License. + */ + +//------------------------------------------------------------------------------------------- +//Duo Authentication Library (Push Authentication Example) +//GitHub: https://github.com/CiscoDevNet/Arduino-DuoAuthLibrary-ESP32 +//------------------------------------------------------------------------------------------- + +//Include WiFi Header File to enable Network Connectivity +#include + +//Include DuoAuthLibrary Header File enabling the functions for Duo Authentication Requests +#include + +//UPDATE: Update the below values with your Wireless SSID and Pre-Shared Key settings +const char* ssid = "MyWirelessAP"; +const char* wirelessPsk = "MySecretWiFiPassword"; + +//Global variables used for example +const byte numChars = 25; +char userInputChars[numChars]; +bool newUserInput = false; + +//------------------------------------------------------------------------------------------- +//START: Duo Authentication Library Required Variables + +//Initialize the Time Variable Globally since it is needed for Duo Auth and potentially the +//primary Authentication Provider +struct tm timeinfo; + +//UPDATE: Provide an accurate Local or Internet Based Time-source (NTP) (IP or FQDN) +//If using a FQDN, please ensure that DNS Servers are configured or provided through DHCP +const char* ntpServer = "pool.ntp.org"; + +//Duo Auth API uses UTC time, which is queried against the above NTP Server. +//Adjusting these values from '0' are not necessary +const long gmtOffset_sec = 0; +const int daylightOffset_sec = 0; + +//UPDATE: Update these variables with the appropriate Duo Application API values +const char* duo_host = ""; +const char* duo_akey = ""; +const char* duo_skey = ""; + +//END: Duo Authentication Library Required Variables +//------------------------------------------------------------------------------------------- + +void setup(){ + //Start Serial Connection at 115200 Baud + Serial.begin(115200); + + delay(1000); + + //Start WiFi with the provided SSID and PSK + WiFi.begin(ssid, wirelessPsk); + + //Wait for a valid WiFi Connection + while (WiFi.status() != WL_CONNECTED){ + delay(1000); + Serial.println("Connecting to WiFi.."); + } + + Serial.println("Connected to the WiFi network"); + + Serial.println("Configuring NTP Client"); + //Configure SNTP Settings for an Accurate Time-source + configTime(gmtOffset_sec, daylightOffset_sec, ntpServer); + + Serial.println("Duo Authentication Library (Push Example)"); + Serial.print("Please enter your Username :"); +} + +void loop(){ + //Check if Wifi is connected before proceeding + if ((WiFi.status() == WL_CONNECTED)){ + + //Declare Duo Authentication Instance + DuoAuthLib duoAuth; + + //Check for New user input from Serial Interface + //NOTE: See checkSerialInput(...) function below for more details + checkSerialInput(); + + //Check if new data is available to be processed by the application + if (newUserInput == true){ + Serial.println(userInputChars); + //------------------------------------------------------------------------------------------- + //PERFORM Primary Identity Authentication Here before proceeding to Duo Authentication + //------------------------------------------------------------------------------------------- + + + //------------------------------------------------------------------------------------------- + //BEGIN : Duo Authentication + //------------------------------------------------------------------------------------------- + //Declare Variable to hold our Duo Push Request Status + bool duoRequestResult; + + //Reset the new data flag as its being processed + newUserInput = false; + + //Call the begin(...) function to initialize the Duo Auth Library + duoAuth.begin(duo_host, duo_akey, duo_skey, &timeinfo); + + //------------------------------------------------------------------------------------------- + //Optional configuration functions available to control some intermediate features + // + //-------- + //Set HTTP Timeout for the Duo Auth Library HTTP Request. Adjust to your requirements + // Default Setting - 30000ms (30 Seconds) + // + //duoAuth.setHttpTimeout(10000); + //-------- + // + //-------- + //Sets the IP Address of the device for Duo API Auth Requests + // Default: 0.0.0.0 + // + //duoAuth.setIPAddress("255.255.255.255"); + //-------- + // + //-------- + //Sets the Push Type Notification Text that is displayed to the Enduser's Mobile Device. + // Note: Only supported with Duo Push functionality + // + //duoAuth.setPushType(10000); + //-------- + // + //------------------------------------------------------------------------------------------- + + + //------------------------------------------------------------------------------------------- + //Call pushAuth(...) function for user defined in 'userInputChars' + //This is a stopping function and will wait until a response is received, an error occurs, + //or the session times out. NOTE: The default HTTP Timeout for the Duo Library is 30 Seconds + //See 'Asynchronous Push Authentication' example for an alternative Push Method + //------------------------------------------------------------------------------------------- + duoRequestResult = duoAuth.pushAuth(userInputChars); + + //------------------------------------------------------------------------------------------- + //Check if Duo Auth Request was Successful + //This returns the True/False if the Duo Auth Library API + //Request was successful and received the approriate "OK" response + //If the result returned is 'true' + //------------------------------------------------------------------------------------------- + //https://duo.com/docs/authapi#/auth + //------------------------------------------------------------------------------------------- + if(duoRequestResult == true){ + //Check if Duo Authentication for the user was Allowed + if(duoAuth.authSuccessful()){ + //Duo Authentication was Successful as the "allow" response was received from the API + Serial.println("Successful Auth!"); + + //------------------------------------------------------------------------------------------- + //INSERT Your PROTECTED Code HERE + //------------------------------------------------------------------------------------------- + + }else{ + Serial.println("Failed Auth!"); + //Duo Authentication Failed as the "allow" response was NOT received from the API + + //------------------------------------------------------------------------------------------- + //INSERT Your Authentication FAILURE Code HERE + //------------------------------------------------------------------------------------------- + } + }else{ + Serial.println("Failed Auth!"); + //Duo Authentication Failed as the "allow" response was NOT received from the API + + //------------------------------------------------------------------------------------------- + //INSERT Your Duo API Request FAILURE Code HERE + //------------------------------------------------------------------------------------------- + } + //------------------------------------------------------------------------------------------- + //END : Duo Authentication + //------------------------------------------------------------------------------------------- + + //------------------------------------------------------------------------------------------- + //Reset our Variables for the next User Input/Authentication Request + //------------------------------------------------------------------------------------------- + userInputChars[0] = '\0'; + Serial.println("Duo Authentication Library (Push Example)"); + Serial.print("Please enter your [Username] :"); + } + } +} + +//------------------------------------------------------------------------------------------- +//Check Serial for Input and wait for the "Enter" key to be pressed +//------------------------------------------------------------------------------------------- +void checkSerialInput(){ + static byte index = 0; + //Define Terminating Character + char endingCharacter = '\n'; + char receivedChar; + + //------------------------------------------------------------------------------------------- + //Only check for new Serial Data when new data is available from the Serial Interface and we + //have not seen the "Enter" key press yet. + //------------------------------------------------------------------------------------------- + while (Serial.available() > 0 && newUserInput == false){ + //We have new input + receivedChar = Serial.read(); + + if(receivedChar != endingCharacter){ + //Detected that other characters were entered + userInputChars[index] = receivedChar; + index++; + if (index >= numChars) { + index = numChars - 1; + } + }else{ + //Detected that the 'Enter' button was pressed + userInputChars[index] = '\0'; + index = 0; + + //Update the flag telling the main loop we now have User Input for processing + newUserInput = true; + } + } +} diff --git a/lib/DuoAuthLibrary/keywords.txt b/lib/DuoAuthLibrary/keywords.txt new file mode 100644 index 0000000..23120ea --- /dev/null +++ b/lib/DuoAuthLibrary/keywords.txt @@ -0,0 +1,50 @@ +####################################### +# Syntax Coloring Map For Test +####################################### + +####################################### +# Datatypes (KEYWORD1) +####################################### + +DuoAuthLib KEYWORD1 + +####################################### +# Methods and Functions (KEYWORD2) +####################################### + +begin KEYWORD2 + +ping KEYWORD2 +checkApiKey KEYWORD2 + +authStatus KEYWORD2 +pushAuth KEYWORD2 +passcodeAuth KEYWORD2 + +authSuccessful KEYWORD2 +pushWaiting KEYWORD2 + +setHttpTimeout KEYWORD2 +setIPAddress KEYWORD2 +setPushType KEYWORD2 + +getHttpCode KEYWORD2 +getHttpResponse KEYWORD2 +getApiStat KEYWORD2 +getAuthResponseResult KEYWORD2 +getAuthResponseStatus KEYWORD2 +getAuthResponseStatusMessage KEYWORD2 + +getAuthTxId KEYWORD2 + +getApiFailureCode KEYWORD2 +getApiFailureMessage KEYWORD2 + +####################################### +# Instances (KEYWORD2) +####################################### + +####################################### +# Constants (LITERAL1) +####################################### + diff --git a/lib/DuoAuthLibrary/library.properties b/lib/DuoAuthLibrary/library.properties new file mode 100644 index 0000000..5ea5068 --- /dev/null +++ b/lib/DuoAuthLibrary/library.properties @@ -0,0 +1,9 @@ +name=Duo Auth Library +version=1.0.0 +author=Gary Oppel +maintainer=Gary Oppel +sentence=Enables Duo Authentication within your ESP32 Wi-Fi Projects +paragraph=Extends Duo Authentication API's for Push, Passcode, and Asynchronous Push Authentication requests. +category=Other +url=https://github.com/CiscoDevNet/Arduino-DuoAuthLibrary-ESP32 +architectures=esp32 diff --git a/lib/DuoAuthLibrary/src/DuoAuthLib.cpp b/lib/DuoAuthLibrary/src/DuoAuthLib.cpp new file mode 100644 index 0000000..4f3a342 --- /dev/null +++ b/lib/DuoAuthLibrary/src/DuoAuthLib.cpp @@ -0,0 +1,719 @@ +/** + *@license + * + *Copyright 2020 Cisco Systems, Inc. or its affiliates + * + *Licensed under the Apache License, Version 2.0 (the "License"); + *you may not use this file except in compliance with the License. + *You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + *Unless required by applicable law or agreed to in writing, software + *distributed under the License is distributed on an "AS IS" BASIS, + *WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + *See the License for the specific language governing permissions and + *limitations under the License. + */ + + +/** + * @file DuoAuthLib.cpp + * @brief An Arduino Library to simplify the operations of performing Duo Multi-Factor Authentication within your ESP32 Micro Controller project. + * + * @url https://github.com/CiscoDevNet/Arduino-DuoAuthLibrary-ESP32 + * @version 1.0.0 + * @author Gary Oppel + */ + +//Include DuoAuthLib Library Header +#include "DuoAuthLib.h" + +// Include ESP32 MDEDTLS Library +#include "mbedtls/md.h" + +// Load CA CRT BUNDLE +extern const uint8_t x509_crt_imported_bundle_bin_start[] asm("_binary_x509_crt_bundle_start"); +extern const uint8_t x509_crt_imported_bundle_bin_end[] asm("_binary_x509_crt_bundle_end"); + +// Include ESP NetworkClientSecure Library +#include + +// Include ESP HTTPClient Library +#include + +// Include ArduinoJSON Library +#include + +//---------------------------------------------------------------- +//DuoAuthLib Constructor +//---------------------------------------------------------------- + +//Function that handles the creation and setup of instance +DuoAuthLib::DuoAuthLib() +{ + //Initialize Return Variables + _duoApiStat = ""; + _duoAuthTxId = ""; + _duoApiAuthResponseResult = ""; + _duoApiAuthResponseStatus = ""; + + _duoApiAuthResponseStatusMessage = ""; + + _duoApiFailureCode = 0; + _duoApiFailureMessage = ""; + _duoPushType[0] = '\0'; + _init = false; + _async = false; +} + +//Function that handles the deletion/removals of instance +DuoAuthLib::~DuoAuthLib() +{ + +} + +//---------------------------------------------------------------- +//'begin(...)' - used to initialize and prepare for an Auth request. +void DuoAuthLib::begin(const char* duoApiHost, const char* duoApiIKey, const char* duoApiSKey, struct tm* timeInfo) +{ + _timeinfo = timeInfo; + + _duoHost = (char *)duoApiHost; + _duoIkey = (char *)duoApiIKey; + _duoSkey = (char *)duoApiSKey; + + //Set Default HTTP Timeout to 30 Seconds + _httpTimeout = _defaultTimeout; + + //Set Default IP Address to 0.0.0.0 + strcpy(_ipAddress, "0.0.0.0"); + + //Set the library initialized to True + _init = true; +} + +//---------------------------------------------------------------- +//DuoAuthLib Public Methods +//---------------------------------------------------------------- + +//---------------------------------------------------------------- +// Duo Ping API +// https://duo.com/docs/authapi#/ping +bool DuoAuthLib::ping() +{ + if(!_init){ + return false; + } + + bool pingSuccess = false; + + bool apiResponse = submitApiRequest(0, (char *)DUO_PING_API_PATH, "", (char *)"", (char *)""); + + if(apiResponse == true){ + if(_httpCode == 200){ + pingSuccess = true; + } + } + + return pingSuccess; +} + +//---------------------------------------------------------------- +// Duo Check API +// https://duo.com/docs/authapi#/check +bool DuoAuthLib::checkApiKey() +{ + if(!_init){ + return false; + } + + bool duoAuthRequestResult = false; + + if(getLocalTime(_timeinfo)){ + char hmac_password[41]; + char timeStringBuffer[TIME_BUF_STR_SIZE]; + + //Get Current time from timeinfo + strftime(timeStringBuffer, sizeof(timeStringBuffer), "%a, %d %b %Y %T %z", _timeinfo); + + // Create empty char array to hold our string + char hmacPayload[SIGNATURE_PAYLOAD_BUFFER_SIZE + CHECK_AUTH_BUFFER_SIZE]; + + // Generate the required URL Request Contents for the DUO API Call + generateHmacPayload(hmacPayload, timeStringBuffer, (char *)"GET", _duoHost, DUO_CHECK_API_PATH, (char *)""); + + // Generate the required URL Request Contents for the DUO API Call + calculateHmacSha1((char *)_duoSkey, hmacPayload, hmac_password); + + bool apiResponse = submitApiRequest(0, timeStringBuffer, DUO_CHECK_API_PATH, hmac_password, (char *)""); + + if(apiResponse == true){ + bool processResult = processResponse(&_lastHttpResponse); + + if(processResult == true){ + duoAuthRequestResult = true; + } + } + } + return duoAuthRequestResult; +} + +//---------------------------------------------------------------- +// Duo Auth Status API +// https://duo.com/docs/authapi#/auth_status +bool DuoAuthLib::authStatus(String transactionId) +{ + if(!_init){ + return false; + } + + bool duoAuthRequestResult = false; + + if(transactionId.length() == 36){ + char txId[37]; + + //Convert String to Character Array + transactionId.toCharArray(txId, 37); + + if(getLocalTime(_timeinfo)){ + char hmac_password[41]; + char timeStringBuffer[TIME_BUF_STR_SIZE]; + + char authRequestContents[CHECK_AUTH_BUFFER_SIZE]; + authRequestContents[0] = '\0'; + + //Get Current time from timeinfo + strftime(timeStringBuffer, sizeof(timeStringBuffer), "%a, %d %b %Y %T %z", _timeinfo); + + addRequestParameter(authRequestContents, (char *)TRANSACTION_PARAM, txId, true); + + // Create empty char array to hold our string + char hmacPayload[SIGNATURE_PAYLOAD_BUFFER_SIZE + CHECK_AUTH_BUFFER_SIZE]; + + // Generate the required URL Request Contents for the DUO API Call + generateHmacPayload(hmacPayload, timeStringBuffer, (char *)"GET", _duoHost, DUO_AUTHSTATUS_API_PATH, authRequestContents); + + // Generate the required URL Request Contents for the DUO API Call + calculateHmacSha1((char *)_duoSkey, hmacPayload, hmac_password); + + bool apiResponse = submitApiRequest(0, timeStringBuffer, DUO_AUTHSTATUS_API_PATH, hmac_password, authRequestContents); + + if(apiResponse == true){ + bool processResult = processResponse(&_lastHttpResponse); + + if(processResult == true){ + duoAuthRequestResult = true; + } + } + } + } + + return duoAuthRequestResult; +} + +//---------------------------------------------------------------- +// Duo Auth API +// https://duo.com/docs/authapi#/auth +// https://duo.com/docs/authapi#authentication +bool DuoAuthLib::pushAuth(char* userName, bool async) +{ + if(!_init){ + return false; + } + + bool authSuccess = false; + _async = async; + + //Create new Buffer using the method below + int userStrLen = encodeUrlBufferSize(userName); + + char encodedUsername[userStrLen]; + + encodeUrl(encodedUsername, userName); + + return performAuth(encodedUsername, (char*)"", PUSH); +} + +//---------------------------------------------------------------- +// Duo Auth API +// https://duo.com/docs/authapi#/auth +// https://duo.com/docs/authapi#authentication +bool DuoAuthLib::passcodeAuth(char* userName, char* userPasscode) +{ + if(!_init){ + return false; + } + + //Create new Buffer using the method below + int userStrLen = encodeUrlBufferSize(userName); + + char encodedUsername[userStrLen]; + + encodeUrl(encodedUsername, userName); + + return performAuth(encodedUsername, userPasscode, PASSCODE); +} + +//---------------------------------------------------------------- +//Duo - Set Public IP Address of Device for Auth API Request +void DuoAuthLib::setIPAddress(char* ipAddress) +{ + if(strlen(ipAddress) < MAX_IP_LENGTH){ + strcpy(_ipAddress, ipAddress); + } +} + +//---------------------------------------------------------------- +//Duo - Set the Push Type String that is displayed to the end user +//See the Parameter 'Type' within the 'Duo Push' Section of the +//Duo API Documentation: https://duo.com/docs/authapi#/auth +void DuoAuthLib::setPushType(char* pushType) +{ + int typeLength = strlen(pushType); + + if(typeLength > 0 && typeLength < MAX_TYPE_LENGTH){ + //Create new Buffer using the method below + int userStrLen = encodeUrlBufferSize(pushType); + + char encodedUsername[userStrLen]; + + encodeUrl(encodedUsername, pushType); + + strcpy(_duoPushType, encodedUsername); + } +} + +//---------------------------------------------------------------- +//Duo - Set the HTTP Timeout from the default of 30 Seconds +void DuoAuthLib::setHttpTimeout(int httpTimeout) +{ + _httpTimeout = httpTimeout; +} + +//---------------------------------------------------------------- +//Duo Authentication API Result +//https://duo.com/docs/authapi#/auth +//https://duo.com/docs/authapi#authentication +//Returns True if the Duo Authentication Result is 'allow' +bool DuoAuthLib::authSuccessful() +{ + if(_duoApiAuthResponseResult == "allow"){ + return true; + }else{ + return false; + } +} + +//---------------------------------------------------------------- +//Duo Authentication API Result +//https://duo.com/docs/authapi#/auth +//https://duo.com/docs/authapi#authentication +//Returns True if the Duo Authentication Result is 'waiting' +bool DuoAuthLib::pushWaiting() +{ + if(_duoApiAuthResponseResult == "waiting"){ + return true; + }else{ + return false; + } +} + +//---------------------------------------------------------------- +String DuoAuthLib::getHttpResponse() +{ + return _lastHttpResponse; +} + +String DuoAuthLib::getApiStat() +{ + return _duoApiStat; +} + +String DuoAuthLib::getAuthResponseResult() +{ + return _duoApiAuthResponseResult; +} + +String DuoAuthLib::getAuthResponseStatus() +{ + return _duoApiAuthResponseStatus; +} + +String DuoAuthLib::getAuthResponseStatusMessage() +{ + return _duoApiAuthResponseStatusMessage; +} + +String DuoAuthLib::getApiFailureCode() +{ + return String(_duoApiFailureCode); +} + +String DuoAuthLib::getApiFailureMessage() +{ + return _duoApiFailureMessage; +} + +String DuoAuthLib::getAuthTxId() +{ + return _duoAuthTxId; +} + +int DuoAuthLib::getHttpCode() { + return _httpCode; +} + +//---------------------------------------------------------------- + +//---------------------------------------------------------------- +//DuoAuthLib Private Methods +//---------------------------------------------------------------- + +//https://duo.com/docs/authapi#/auth +//https://duo.com/docs/authapi#authentication +bool DuoAuthLib::performAuth(char* userName, char* userPasscode, enum DUO_AUTH_METHOD authMethod) +{ + bool duoAuthRequestResult = false; + + if(getLocalTime(_timeinfo)){ + char hmac_password[41]; + char timeStringBuffer[TIME_BUF_STR_SIZE]; + + char authRequestContents[AUTH_REQUEST_BUFFER_SIZE]; + authRequestContents[0] = '\0'; + + //Get Current time from timeinfo + strftime(timeStringBuffer, sizeof(timeStringBuffer), "%a, %d %b %Y %T %z", _timeinfo); + + //Check the authentication method and build the request accordingly. + if(authMethod == PUSH){ + if(_async){ + addRequestParameter(authRequestContents, (char *)ASYNC_PARAM, (char *)"1"); + } + + addRequestParameter(authRequestContents, (char *)DEVICE_PARAM, (char *)AUTO_PARAM); + addRequestParameter(authRequestContents, (char *)FACTOR_PARAM, (char *)PUSH_PARAM); + addRequestParameter(authRequestContents, (char *)IPADDR_PARAM, _ipAddress); + if(strlen(_duoPushType) > 0){ + addRequestParameter(authRequestContents, (char *)TYPE_PARAM, _duoPushType); + } + addRequestParameter(authRequestContents, (char *)USERNAME_PARAM, userName, true); + }else if(authMethod == PASSCODE){ + addRequestParameter(authRequestContents, (char *)FACTOR_PARAM, (char *)PASSCODE_PARAM); + addRequestParameter(authRequestContents, (char *)IPADDR_PARAM, _ipAddress); + addRequestParameter(authRequestContents, (char *)PASSCODE_PARAM, userPasscode); + if(strlen(_duoPushType) > 0){ + addRequestParameter(authRequestContents, (char *)TYPE_PARAM, _duoPushType); + } + addRequestParameter(authRequestContents, (char *)USERNAME_PARAM, userName, true); + + }else{ + return duoAuthRequestResult; + } + + // Create empty char array to hold our string + char hmacPayload[SIGNATURE_PAYLOAD_BUFFER_SIZE + AUTH_REQUEST_BUFFER_SIZE]; + + // Generate the required URL Request Contents for the DUO API Call + generateHmacPayload(hmacPayload, timeStringBuffer, (char *)"POST", _duoHost, DUO_AUTH_API_PATH, authRequestContents); + + // Generate the required URL Request Contents for the DUO API Call + calculateHmacSha1((char *)_duoSkey, hmacPayload, hmac_password); + + bool apiResponse = submitApiRequest(1, timeStringBuffer, DUO_AUTH_API_PATH, hmac_password, authRequestContents); + + if(apiResponse == true){ + bool processResult = processResponse(&_lastHttpResponse); + + if(processResult == true){ + duoAuthRequestResult = true; + } + } + } + + return duoAuthRequestResult; +} + +//---------------------------------------------------------------- +//Create and Submit API Request to Duo API Server +bool DuoAuthLib::submitApiRequest(uint8_t apiMethod, char *timeString, const char* apiPath, char *hmacPassword, char* requestContents) +{ + NetworkClientSecure *clientDuoAuth = new NetworkClientSecure; + if (clientDuoAuth) + { + clientDuoAuth->setCACertBundle(x509_crt_imported_bundle_bin_start, x509_crt_imported_bundle_bin_end - x509_crt_imported_bundle_bin_start); + { + //Create our HTTPClient Instance + HTTPClient http; + + //Build the Request URL based on the Method. + //Append the requestContents to the end of + //the URL for an HTTP GET request + String requestUrl = "https://"; + requestUrl += _duoHost; + requestUrl += apiPath; + + if(apiMethod == 0 && strlen(requestContents) > 0){ + requestUrl += '?'; + requestUrl += requestContents; + } + + http.begin(requestUrl); //Specify the URL + + // HTTP Connection Timeout + http.setTimeout(_httpTimeout); + + //Set User Agent Header + http.setUserAgent(_duoUserAgent); + + //Set Host Header + http.addHeader("Host", _duoHost); + + //Add the required Date Header for DUO API Calls + if(timeString){ + http.addHeader(F("Date"), String(timeString)); + } + + //Add Content Type Header for POST requests + if(apiMethod == 1){ + http.addHeader(F("Content-Type"), F("application/x-www-form-urlencoded")); + } + + //Add the required HTTP Authorization Header for the DUO API Call + if(hmacPassword){ + http.setAuthorization(_duoIkey, hmacPassword); + } + + if(apiMethod == 1){ + _httpCode = http.POST(requestContents); + }else if(apiMethod == 0){ + _httpCode = http.GET(); + }else{ + http.end(); + return false; + } + + //---------------------------------------------------------------------------------------- + //Valid Duo API Endpoints HTTP(S) Response codes. Only respond with a valid request for + //these values: + // 200 - Success + // 400 - Invalid or missing parameters. + // 401 - The "Authorization" and/or "Date" headers were missing or invalid. + //NOTE: Other HTTP Codes exist; however, only those for the API endpoints are noted above, + // Please refer to the Duo Auth API Documentation @ https://duo.com/docs/authapi + //---------------------------------------------------------------------------------------- + if ((_httpCode == 200) || (_httpCode == 400) || (_httpCode == 401)) { //Check for the returning code + _lastHttpResponse = http.getString(); + http.end(); + return true; + }else{ + _lastHttpResponse = ""; + http.end(); + return false; + } + } + delete clientDuoAuth; + } + return false; +} + +bool DuoAuthLib::processResponse(String* serializedJsonData) +{ + JsonDocument doc; + + _duoApiStat = ""; + _duoAuthTxId = ""; + _duoApiAuthResponseResult = ""; + _duoApiAuthResponseStatus = ""; + + _duoApiAuthResponseStatusMessage = ""; + + _duoApiFailureCode = 0; + _duoApiFailureMessage = ""; + + //Deserialize the json response from the Duo API Endpoints + DeserializationError error = deserializeJson(doc, *serializedJsonData); + + //Check if have an error in our Deserialization before proceeding. + if(!error){ + const char* apiStat = doc["stat"]; + + if(apiStat){ + _duoApiStat = String(apiStat); + + if(strcmp(apiStat,"OK") == 0){ + JsonObject response = doc["response"]; + + if(_async){ + const char* duoTxId = response["txid"]; + if(duoTxId){ + _duoAuthTxId = String(duoTxId); + }else{ + _duoAuthTxId = ""; + return false; + } + }else{ + const char* duoResult = response["result"]; + const char* duoStatus = response["status"]; + const char* duoStatusMsg = response["status_msg"]; + + if(duoResult && duoStatus && duoStatusMsg){ + _duoApiAuthResponseResult = String(duoResult); + _duoApiAuthResponseStatus = String(duoStatus); + _duoApiAuthResponseStatusMessage = String(duoStatusMsg); + }else{ + _duoApiAuthResponseResult = ""; + _duoApiAuthResponseStatus = ""; + _duoApiAuthResponseStatusMessage = ""; + } + } + return true; + }else if(strcmp(apiStat,"FAIL") == 0){ + _duoApiFailureCode = doc["code"]; + const char* failureMessage = doc["message"]; + + if(failureMessage){ + _duoApiFailureMessage = String(failureMessage); + } + + return false; + }else{ + return false; + } + }else{ + return false; + } + }else{ + _duoApiFailureCode = -1; + _duoApiFailureMessage = "DuoAuthLib: Error processing received response"; + return false; + } +} + + +void DuoAuthLib::addRequestParameter(char *requestBuffer, char* field, char* value, bool lastEntry) +{ + if(lastEntry == false){ + strcat(requestBuffer, field); + strcat(requestBuffer, EQUALS_PAYLOAD_PARAM); + strcat(requestBuffer, value); + strcat(requestBuffer, AMPERSAND_PAYLOAD_PARAM); + }else{ + strcat(requestBuffer, field); + strcat(requestBuffer, EQUALS_PAYLOAD_PARAM); + strcat(requestBuffer, value); + } +} + +void DuoAuthLib::generateHmacPayload(char *hmacPayload, char* timeBuffer, char* httpMethod, char* duoHost, const char* duoApiPath, char* postContents) +{ + hmacPayload[0] = 0; + + strcat(hmacPayload, timeBuffer); + strcat(hmacPayload, NEWLINE_PAYLOAD_PARAM); + strcat(hmacPayload, httpMethod); + strcat(hmacPayload, NEWLINE_PAYLOAD_PARAM); + strcat(hmacPayload, duoHost); + strcat(hmacPayload, NEWLINE_PAYLOAD_PARAM); + strcat(hmacPayload, duoApiPath); + strcat(hmacPayload, NEWLINE_PAYLOAD_PARAM); + strcat(hmacPayload, postContents); +} + +void DuoAuthLib::calculateHmacSha1(char *signingKey, char *dataPayload, char *hmacSignatureChar) +{ + byte hmacSignature[20]; + hmacSignatureChar[0] = 0; + + mbedtls_md_context_t mbedTlsContext; + + //Select the SHA1 Hashtype + mbedtls_md_type_t mbedTlsHashType = MBEDTLS_MD_SHA1; + + const size_t payloadLength = strlen(dataPayload); + const size_t keyLength = strlen(signingKey); + + mbedtls_md_init(&mbedTlsContext); + + mbedtls_md_setup(&mbedTlsContext, mbedtls_md_info_from_type(mbedTlsHashType), 1); + + mbedtls_md_hmac_starts(&mbedTlsContext, (const unsigned char *) signingKey, keyLength); + mbedtls_md_hmac_update(&mbedTlsContext, (const unsigned char *) dataPayload, payloadLength); + mbedtls_md_hmac_finish(&mbedTlsContext, hmacSignature); + + mbedtls_md_free(&mbedTlsContext); + + for(int i= 0; i< sizeof(hmacSignature); i++){ + char str[3]; + + sprintf(str, "%02x", (int)hmacSignature[i]); + strcat(hmacSignatureChar, str); + } +} + +//---------------------------------------------------------------- +//Functions to read in a character array and output the calculated +//buffer size, and Encode the input excluding the below +//characters: +// 48-57 = Numbers ( 0123456789 ) +// 65-90 = UPPPERCASE LETTERS ( ABCDEF ) +// 97-122 = lowercase Letters ( abcdef ) +// 45 = Dash ( - ) +// 46 = Period ( . ) +// 95 = Underscore ( _ ) +// 126 = Tilde ( ~ ) +//---------------------------------------------------------------- + +//---------------------------------------------------------------- +//Calculate the length of the Character Array based on Input +//This function also takes into account Terminating Null +int DuoAuthLib::encodeUrlBufferSize(char *stringToEncode) +{ + //Start the count at 1 to account for the terminating null character + int newStrLen = 1; + + //Loop Through Char Array t + for(int i= 0; i< strlen(stringToEncode); i++){ + int charAscii = (int)stringToEncode[i]; + + if((charAscii > 47 && charAscii < 58) || (charAscii > 64 && charAscii < 91) || (charAscii > 96 && charAscii < 123) || (charAscii == 45) || (charAscii == 46) || (charAscii == 95) || (charAscii == 126)){ + //Found Regular Character + //Increment by 1 + newStrLen++; + }else{ + //Found Character that requires URL encoding + //Increment by 3 + newStrLen += 3; + } + } + return newStrLen; +} + +//---------------------------------------------------------------- +//Function to read in a character array and output a URL Encoded +//and write the new variable to the destination variable +void DuoAuthLib::encodeUrl(char *destination, char *stringToEncode) +{ + //Empty our Character Array before proceeding + destination[0] = '\0'; + + //Loop Through Char Array to perform urlEncode as required + for(int i= 0; i< strlen(stringToEncode); i++){ + int charAscii = (int)stringToEncode[i]; + + if((charAscii > 47 && charAscii < 58) || (charAscii > 64 && charAscii < 91) || (charAscii > 96 && charAscii < 123) || (charAscii == 45) || (charAscii == 95) || (charAscii == 126) || (charAscii == 46)){ + char str[2]; + + //Output only the Single Character as it does not need to be encoded + sprintf(str, "%c", (int)stringToEncode[i]); + strcat(destination, str); + }else{ + char str[4]; + + //Output the URL Encoded Format '%XX' + sprintf(str, "%%%02X", (int)stringToEncode[i]); + strcat(destination, str); + } + } +} diff --git a/lib/DuoAuthLibrary/src/DuoAuthLib.h b/lib/DuoAuthLibrary/src/DuoAuthLib.h new file mode 100644 index 0000000..636d630 --- /dev/null +++ b/lib/DuoAuthLibrary/src/DuoAuthLib.h @@ -0,0 +1,306 @@ +/** + *@license + * + *Copyright 2020 Cisco Systems, Inc. or its affiliates + * + *Licensed under the Apache License, Version 2.0 (the "License"); + *you may not use this file except in compliance with the License. + *You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + *Unless required by applicable law or agreed to in writing, software + *distributed under the License is distributed on an "AS IS" BASIS, + *WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + *See the License for the specific language governing permissions and + *limitations under the License. + */ + + +/** + * @file DuoAuthLib.h + * @brief An Arduino Library to simplify the operations of performing Duo Multi-Factor Authentication within your ESP32 Micro Controller project. + * + * @url https://github.com/CiscoDevNet/Arduino-DuoAuthLibrary-ESP32 + * @version 1.0.0 + * @author Gary Oppel + */ + +//Verify that the Duo Auth Library descriptor is only included once +#ifndef DuoAuthLib_H +#define DuoAuthLib_H + +#include +#include + +enum DUO_AUTH_METHOD +{ + PUSH, + PASSCODE +}; +/*! + * @brief Main Duo Authentication Library class + */ +class DuoAuthLib +{ +public: + //Public Class Functions + //------------------------- + //External Functions which abstract Duo API Authentication Requests + + DuoAuthLib(); + ~DuoAuthLib(); + + /** + * @brief Initializes the Duo Auth Library + * + * @param duoApiHost Contains the Duo API Hostname + * @param duoApiIKey Contains the Duo Integration Key (IKey) + * @param duoApiSKey Contains the Duo Secret Key (SKey) + * @param timeInfo Contains the Memory Pointer to the timeinfo Structure Declaration + */ + void begin(const char* duoApiHost, const char* duoApiIKey, const char* duoApiSKey, struct tm* timeInfo); + + /** + * @brief Performs a Duo 'ping' API Query to check if alive + * @return Returns `true` if Ping API Call is Successful + */ + bool ping(); + + /** + * @brief Performs a Duo 'check' API Query to check if provided API-Host, Integration Key (IKey), or Signing Key (SKey) are valid + * @return Returns `true` if provided details for the Duo API are correct + */ + bool checkApiKey(); + + /** + * @brief Performs a Duo 'auth_status' API query to check if alivethe status of provided transaction Id + * @param transactionId Asynchronous Duo Push Transaction Id to get the status + * @return Returns `true` API call was successful + */ + bool authStatus(String transactionId); + + /** + * @brief Performs a Duo Push Request + * @param userName Username of the user to send a Push Request + * @param async Set this to 'true' to enable Asynchronous mode. Duo will return a Transaction ID for checking status updates later. + * @return Returns `true` API call was successful + */ + bool pushAuth(char* userName, bool async = false); + + /** + * @brief Performs a Duo Passcode Authentication Request + * @param userName Username of the user who is verifying their Duo passcode + * @param userPasscode 6 Digit Duo Passcode of the user + * @return Returns `true` API call was successful + */ + bool passcodeAuth(char* userName, char* userPasscode); + + /** + * @brief Checks if the last Duo Push/Passcode Request's Authentication was Successful + * @return Returns `true` if Duo Authentication was successful (E.g. Duo Auth API Result = 'allow') + */ + bool authSuccessful(); + + /** + * @brief Checks if the status returned from the last Duo Request is in the Waiting State (Only Applies to Asynchronous Pushes) + * @return Returns `true` if Duo Push is in waiting state (E.g. Duo Auth API Result = 'waiting') + */ + bool pushWaiting(); + + /** + * @brief Sets the HTTP Timeout for the Duo API Request (Default: 30000ms [30 seconds]) + * @param httpTimeout Value in milliseconds for Duo's HTTP API Requests + */ + void setHttpTimeout(int httpTimeout); + + /** + * @brief Sets the IP Address of the device for Duo API Auth Requests (Default: 0.0.0.0) + * @param ipAddress Value contains the Public IP Address of the Device for additonal Duo Policy Controls + */ + void setIPAddress(char* ipAddress); + + /** + * @brief Sets the Duo Mobile Application's Push Value. This string is displayed in the Duo Mobile app before the word "request". + * @param pushType Value contains the text to be displayed on the Push Notification Screen + */ + void setPushType(char* pushType); + + /** + * @brief Sets the Push Type Notification Text that is displayed to the Enduser's Mobile Device. (Only supported with Duo Push functionality) + * @param Character Array of the Duo Push Type Text + */ + int getHttpCode(); + + /** + * @brief Gets the RAW HTTP Response from the last Duo Request + * @return Returns the RAW HTTP Response + */ + String getHttpResponse(); + + /** + * @brief Gets the API Stat Response from the last Duo Request + * @return Returns the API Stat Response ('OK', 'FAIL') + */ + String getApiStat(); + + /** + * @brief Gets the Auth Response Result from the last Duo Request + * @return Returns the Auth Response Result + */ + String getAuthResponseResult(); + + /** + * @brief Gets the Auth Response Status from the last Duo Request + * @return Returns the Auth Response Status + */ + String getAuthResponseStatus(); + + /** + * @brief Gets the Auth Response Status Message from the last Duo Request + * @return Returns the Auth Response Status Message + */ + String getAuthResponseStatusMessage(); + + /** + * @brief Sets the Duo Mobile Application's Push Value. This string is displayed in the Duo Mobile app before the word "request". + * @param pushType Value contains the text to be displayed on the Push Notification Screen + */ + String getAuthTxId(); + + //Duo API Error Code Reference Table + //https://help.duo.com/s/article/1338 + + /** + * @brief Gets the API Failure Code from the last Duo Request + * @return Returns the API Failure Code + */ + String getApiFailureCode(); + + /** + * @brief Gets the API Failure Message from the last Duo Request + * @return Returns the API Failure Message + */ + String getApiFailureMessage(); + +protected: + + //Protected Class Functions + //------------------------- + + //Internal Functions to handle abstracting core and common Library Functions + bool performAuth(char* userId, char* userPasscode, enum DUO_AUTH_METHOD authMethod); + bool submitApiRequest(uint8_t apiMethod, char *timeString, const char* apiPath, char *hmacPassword, char* requestContents); + bool processResponse(String* serializedJsonData); + + //Functions to generate the API Request to the required format + void generateHmacPayload(char *hmacPayload, char* timeBuffer, char* httpMethod, char* duoHost, const char* duoApiPath, char* postContents); + void addRequestParameter(char *requestBuffer, char* field, char* value, bool lastEntry = false); + + //Function that Calculates the HMAC-SHA1 Signature for the Duo API Call + void calculateHmacSha1(char *signingKey, char *dataPayload, char *hmacSignatureChar); + + //URL Encoding Functions + int encodeUrlBufferSize(char *stringToEncode); + void encodeUrl(char *destination, char *stringToEncode); + + //Duo Auth Library Initialized Flag + bool _init; + + //Buffer size for Date/Time Output Character Array + const int TIME_BUF_STR_SIZE = 36; + + //Maximum IPv4 Length is 16 including null termination + static const int MAX_IP_LENGTH = 16; + + //Maximum Length of the 'Push Type' Notification String + static const int MAX_TYPE_LENGTH = 21; + + //Maximum Length of various miscellaneous variables + static const int MAX_METHOD_LENGTH = 5; + static const int MAX_HOSTNAME_LENGTH = 64; + static const int MAX_API_ENDPOINT_LENGTH = 24; + + //Maximum Username Length + //NOTE: Usernames can contain e-mail addresses. + // Tested & validated with 44 character length Email Address (username). + // Maximum username length selected is 50, with 49 being the usable maximum. + static const int MAX_USER_LENGTH = 50; + + static const int MAX_PARAM_LENGTH = 10; + static const int MAX_PAYLOAD_LENGTH = 20; + + const int SIGNATURE_PAYLOAD_BUFFER_SIZE = TIME_BUF_STR_SIZE + MAX_METHOD_LENGTH + MAX_HOSTNAME_LENGTH + MAX_API_ENDPOINT_LENGTH; + + //Required Parameters for Duo API Auth Requests + const char* ASYNC_PARAM = "async"; + const char* AUTO_PARAM = "auto"; + const char* DEVICE_PARAM = "device"; + const char* FACTOR_PARAM = "factor"; + const char* IPADDR_PARAM = "ipaddr"; + const char* PASSCODE_PARAM = "passcode"; + const char* PUSH_PARAM = "push"; + const char* TRANSACTION_PARAM = "txid"; + const char* TYPE_PARAM = "type"; + const char* USERNAME_PARAM = "username"; + + //Common variables for Duo API Auth Requests + const char* NEWLINE_PAYLOAD_PARAM = "\n"; + const char* AMPERSAND_PAYLOAD_PARAM = "&"; + const char* EQUALS_PAYLOAD_PARAM = "="; + + //Duo Auth API URL Paths + const char* DUO_PING_API_PATH = "/auth/v2/ping"; + const char* DUO_CHECK_API_PATH = "/auth/v2/check"; + const char* DUO_AUTH_API_PATH = "/auth/v2/auth"; + const char* DUO_AUTHSTATUS_API_PATH = "/auth/v2/auth_status"; + + //Duo Auth Library HTTP User Agent + String _duoUserAgent = "DuoAuthLib/1.0 (ESP32HTTPClient)"; + + //Variable to hold IP Address for Duo Authentication Requests + char _ipAddress[MAX_IP_LENGTH]; + + //Variable to hold Push Type string, which is displayed on Push notifications + char _duoPushType[MAX_TYPE_LENGTH]; + + //Variable holds if the Push request is Asynchronous + bool _async; + + //Duo Auth Library Required Variables for API interface + char* _duoHost; + char* _duoIkey; + char* _duoSkey; + + //Asynchronous Request ID Variable + char* _asyncRequestId; + + //Duo Auth Library HTTP Timeout value (Default: 30000 [30 seconds]) + int _defaultTimeout = 30000; + int _httpTimeout; + + //HTTP code returned from the Duo API Request + int _httpCode; + + //Return Variables for Public Functions + String _duoApiStat; + String _duoAuthTxId; + String _duoApiAuthResponseResult; + String _duoApiAuthResponseStatus; + String _duoApiAuthResponseStatusMessage; + int _duoApiFailureCode; + String _duoApiFailureMessage; + String _lastHttpResponse; + + //Buffer sizes for Check Auth API User provided variables + const int CHECK_AUTH_BUFFER_SIZE = 42; + + //Buffer size for Authentication Request API. + //This buffer multiplies the max user length by 3 as the assumption would be all characters would require URL Encoding + const int AUTH_REQUEST_BUFFER_SIZE = 64 + (MAX_USER_LENGTH * 3); + + //Empty Pointer for the `timeinfo` Variable passed in by the end user from the 'begin(...)' function + struct tm* _timeinfo = nullptr; +}; + +#endif diff --git a/lib/MqttLogger/src/MqttLogger.cpp b/lib/MqttLogger/src/MqttLogger.cpp index 335168b..4290c12 100644 --- a/lib/MqttLogger/src/MqttLogger.cpp +++ b/lib/MqttLogger/src/MqttLogger.cpp @@ -83,7 +83,7 @@ void MqttLogger::sendBuffer() { doSerial = true; } - if (doSerial) + if (doSerial && coredumpPrinted) { Serial.write(this->buffer, this->bufferCnt); Serial.println(); diff --git a/lib/MqttLogger/src/MqttLogger.h b/lib/MqttLogger/src/MqttLogger.h index 4aa6920..fceff1c 100644 --- a/lib/MqttLogger/src/MqttLogger.h +++ b/lib/MqttLogger/src/MqttLogger.h @@ -16,6 +16,8 @@ #define MQTT_MAX_PACKET_SIZE 1024 +extern bool coredumpPrinted; + enum MqttLoggerMode { MqttAndSerialFallback = 0, SerialOnly = 1, diff --git a/pio_package_post.py b/pio_package_post.py index fdbfad1..1154d53 100644 --- a/pio_package_post.py +++ b/pio_package_post.py @@ -75,8 +75,6 @@ env.AddPostAction("$PROJECT_DIR/updater/release/" + get_board_name(env) + "/upda env.AddPostAction("$BUILD_DIR/firmware.bin", package_last_files) env.AddPostAction("$BUILD_DIR/partitions.bin", copy_files) env.AddPostAction("$BUILD_DIR/bootloader.bin", copy_files) - -if env.GetProjectOption("custom_build") == 'debug': - env.AddPostAction("$BUILD_DIR/firmware.elf", copy_files) +env.AddPostAction("$BUILD_DIR/firmware.elf", copy_files) env.AddPostAction("$BUILD_DIR/${PROGNAME}.bin", merge_bin) \ No newline at end of file diff --git a/resources/github_root_ca.pem b/resources/github_root_ca.pem index 50d97b5..95629e4 100644 --- a/resources/github_root_ca.pem +++ b/resources/github_root_ca.pem @@ -39,3 +39,25 @@ Fdtom/DzMNU+MeKNhJ7jitralj41E6Vf8PlwUHBHQRFXGU7Aj64GxJUTFy8bJZ91 pLiaWN0bfVKfjllDiIGknibVb63dDcY3fe0Dkhvld1927jyNxF1WW6LZZm6zNTfl MrY= -----END CERTIFICATE----- + +DigiCert High Assurance EV Root CA +================================== +-----BEGIN CERTIFICATE----- +MIIDxTCCAq2gAwIBAgIQAqxcJmoLQJuPC3nyrkYldzANBgkqhkiG9w0BAQUFADBsMQswCQYDVQQG +EwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQuY29tMSsw +KQYDVQQDEyJEaWdpQ2VydCBIaWdoIEFzc3VyYW5jZSBFViBSb290IENBMB4XDTA2MTExMDAwMDAw +MFoXDTMxMTExMDAwMDAwMFowbDELMAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZ +MBcGA1UECxMQd3d3LmRpZ2ljZXJ0LmNvbTErMCkGA1UEAxMiRGlnaUNlcnQgSGlnaCBBc3N1cmFu +Y2UgRVYgUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMbM5XPm+9S75S0t +Mqbf5YE/yc0lSbZxKsPVlDRnogocsF9ppkCxxLeyj9CYpKlBWTrT3JTWPNt0OKRKzE0lgvdKpVMS +OO7zSW1xkX5jtqumX8OkhPhPYlG++MXs2ziS4wblCJEMxChBVfvLWokVfnHoNb9Ncgk9vjo4UFt3 +MRuNs8ckRZqnrG0AFFoEt7oT61EKmEFBIk5lYYeBQVCmeVyJ3hlKV9Uu5l0cUyx+mM0aBhakaHPQ +NAQTXKFx01p8VdteZOE3hzBWBOURtCmAEvF5OYiiAhF8J2a3iLd48soKqDirCmTCv2ZdlYTBoSUe +h10aUAsgEsxBu24LUTi4S8sCAwEAAaNjMGEwDgYDVR0PAQH/BAQDAgGGMA8GA1UdEwEB/wQFMAMB +Af8wHQYDVR0OBBYEFLE+w2kD+L9HAdSYJhoIAu9jZCvDMB8GA1UdIwQYMBaAFLE+w2kD+L9HAdSY +JhoIAu9jZCvDMA0GCSqGSIb3DQEBBQUAA4IBAQAcGgaX3NecnzyIZgYIVyHbIUf4KmeqvxgydkAQ +V8GK83rZEWWONfqe/EW1ntlMMUu4kehDLI6zeM7b41N5cdblIZQB2lWHmiRk9opmzN6cN82oNLFp +myPInngiK3BD41VHMWEZ71jFhS9OMPagMRYjyOfiZRYzy78aG6A9+MpeizGLYAiJLQwGXFK3xPkK +mNEVX58Svnw2Yzi9RKR/5CYrCsSXaQ3pjOLAEFe4yHYSkVXySGnYvCoCWw9E1CAx2/S6cCZdkGCe +vEsXCS+0yx5DaMkHJ8HSXPfqIbloEpw8nL+e/IBcm2PN7EeqJSdnoDfzAIJ9VNep+OkuE6N36B9K +-----END CERTIFICATE----- \ No newline at end of file diff --git a/sdkconfig.defaults b/sdkconfig.defaults index 50c7787..e01a43e 100644 --- a/sdkconfig.defaults +++ b/sdkconfig.defaults @@ -121,4 +121,5 @@ CONFIG_ESP_WIFI_RX_IRAM_OPT=n CONFIG_MBEDTLS_DYNAMIC_BUFFER=y CONFIG_LWIP_DHCP_GET_NTP_SRV=y CONFIG_LWIP_SNTP_UPDATE_DELAY=43200000 -CONFIG_LWIP_SNTP_MAX_SERVERS=3 \ No newline at end of file +CONFIG_LWIP_SNTP_MAX_SERVERS=3 +CONFIG_ESP_COREDUMP_ENABLE_TO_FLASH=y \ No newline at end of file diff --git a/src/Config.h b/src/Config.h index de392ab..f9ebbbc 100644 --- a/src/Config.h +++ b/src/Config.h @@ -5,7 +5,7 @@ #define NUKI_HUB_VERSION "9.08" #define NUKI_HUB_VERSION_INT (uint32_t)908 #define NUKI_HUB_BUILD "unknownbuildnr" -#define NUKI_HUB_DATE "2025-01-17" +#define NUKI_HUB_DATE "2025-01-22" #define GITHUB_LATEST_RELEASE_URL (char*)"https://github.com/technyon/nuki_hub/releases/latest" #define GITHUB_OTA_MANIFEST_URL (char*)"https://raw.githubusercontent.com/technyon/nuki_hub/binary/ota/manifest.json" @@ -24,6 +24,7 @@ #define GITHUB_MASTER_RELEASE_BINARY_URL_DBG (char*)"https://raw.githubusercontent.com/technyon/nuki_hub/binary/ota/debug/master/nuki_hub_esp32c3.bin" #define GITHUB_MASTER_UPDATER_BINARY_URL_DBG (char*)"https://raw.githubusercontent.com/technyon/nuki_hub/binary/ota/debug/master/nuki_hub_updater_esp32c3.bin" #define NUKI_HUB_HW (char*)"ESP32-C3" +#define BOOT_BUTTON_GPIO (gpio_num_t)9 #elif defined(CONFIG_IDF_TARGET_ESP32S3) #if defined(CONFIG_SPIRAM_MODE_OCT) #define GITHUB_LATEST_RELEASE_BINARY_URL (char*)"https://raw.githubusercontent.com/technyon/nuki_hub/binary/ota/nuki_hub_esp32s3oct.bin" @@ -41,6 +42,7 @@ #define GITHUB_LATEST_RELEASE_BINARY_URL_OTHER (char*)"https://raw.githubusercontent.com/technyon/nuki_hub/binary/ota/nuki_hub_esp32s3.bin" #define GITHUB_LATEST_UPDATER_BINARY_URL_OTHER (char*)"https://raw.githubusercontent.com/technyon/nuki_hub/binary/ota/nuki_hub_updater_esp32s3.bin" #define NUKI_HUB_HW (char*)"ESP32-S3 (Octal PSRAM)" +#define BOOT_BUTTON_GPIO (gpio_num_t)0 #else #define GITHUB_LATEST_RELEASE_BINARY_URL (char*)"https://raw.githubusercontent.com/technyon/nuki_hub/binary/ota/nuki_hub_esp32s3.bin" #define GITHUB_LATEST_UPDATER_BINARY_URL (char*)"https://raw.githubusercontent.com/technyon/nuki_hub/binary/ota/nuki_hub_updater_esp32s3.bin" @@ -57,6 +59,7 @@ #define GITHUB_LATEST_RELEASE_BINARY_URL_OTHER (char*)"https://raw.githubusercontent.com/technyon/nuki_hub/binary/ota/nuki_hub_esp32s3oct.bin" #define GITHUB_LATEST_UPDATER_BINARY_URL_OTHER (char*)"https://raw.githubusercontent.com/technyon/nuki_hub/binary/ota/nuki_hub_updater_esp32s3oct.bin" #define NUKI_HUB_HW (char*)"ESP32-S3" +#define BOOT_BUTTON_GPIO (gpio_num_t)0 #endif #elif defined(CONFIG_IDF_TARGET_ESP32C6) #define GITHUB_LATEST_RELEASE_BINARY_URL (char*)"https://raw.githubusercontent.com/technyon/nuki_hub/binary/ota/nuki_hub_esp32c6.bin" @@ -72,6 +75,7 @@ #define GITHUB_MASTER_RELEASE_BINARY_URL_DBG (char*)"https://raw.githubusercontent.com/technyon/nuki_hub/binary/ota/debug/master/nuki_hub_esp32c6.bin" #define GITHUB_MASTER_UPDATER_BINARY_URL_DBG (char*)"https://raw.githubusercontent.com/technyon/nuki_hub/binary/ota/debug/master/nuki_hub_updater_esp32c6.bin" #define NUKI_HUB_HW (char*)"ESP32-C6" +#define BOOT_BUTTON_GPIO (gpio_num_t)9 #elif defined(CONFIG_IDF_TARGET_ESP32H2) #define GITHUB_LATEST_RELEASE_BINARY_URL (char*)"https://raw.githubusercontent.com/technyon/nuki_hub/binary/ota/nuki_hub_esp32h2.bin" #define GITHUB_LATEST_UPDATER_BINARY_URL (char*)"https://raw.githubusercontent.com/technyon/nuki_hub/binary/ota/nuki_hub_updater_esp32h2.bin" @@ -86,6 +90,7 @@ #define GITHUB_MASTER_RELEASE_BINARY_URL_DBG (char*)"https://raw.githubusercontent.com/technyon/nuki_hub/binary/ota/debug/master/nuki_hub_esp32h2.bin" #define GITHUB_MASTER_UPDATER_BINARY_URL_DBG (char*)"https://raw.githubusercontent.com/technyon/nuki_hub/binary/ota/debug/master/nuki_hub_updater_esp32h2.bin" #define NUKI_HUB_HW (char*)"ESP32-H2" +#define BOOT_BUTTON_GPIO (gpio_num_t)9 #else #if defined(CONFIG_FREERTOS_UNICORE) #define GITHUB_LATEST_RELEASE_BINARY_URL "https://raw.githubusercontent.com/technyon/nuki_hub/binary/ota/nuki_hub_esp32-solo1.bin" @@ -101,6 +106,7 @@ #define GITHUB_MASTER_RELEASE_BINARY_URL_DBG (char*)"https://raw.githubusercontent.com/technyon/nuki_hub/binary/ota/debug/master/nuki_hub_esp32-solo1.bin" #define GITHUB_MASTER_UPDATER_BINARY_URL_DBG (char*)"https://raw.githubusercontent.com/technyon/nuki_hub/binary/ota/debug/master/nuki_hub_updater_esp32-solo1.bin" #define NUKI_HUB_HW (char*)"ESP32-SOLO1" +#define BOOT_BUTTON_GPIO (gpio_num_t)0 #else #define GITHUB_LATEST_RELEASE_BINARY_URL "https://raw.githubusercontent.com/technyon/nuki_hub/binary/ota/nuki_hub_esp32.bin" #define GITHUB_LATEST_UPDATER_BINARY_URL (char*)"https://raw.githubusercontent.com/technyon/nuki_hub/binary/ota/nuki_hub_updater_esp32.bin" @@ -115,6 +121,7 @@ #define GITHUB_MASTER_RELEASE_BINARY_URL_DBG (char*)"https://raw.githubusercontent.com/technyon/nuki_hub/binary/ota/debug/master/nuki_hub_esp32.bin" #define GITHUB_MASTER_UPDATER_BINARY_URL_DBG (char*)"https://raw.githubusercontent.com/technyon/nuki_hub/binary/ota/debug/master/nuki_hub_updater_esp32.bin" #define NUKI_HUB_HW (char*)"ESP32" +#define BOOT_BUTTON_GPIO (gpio_num_t)0 #endif #endif diff --git a/src/Gpio.cpp b/src/Gpio.cpp index a8ae3a0..9490ca0 100644 --- a/src/Gpio.cpp +++ b/src/Gpio.cpp @@ -122,6 +122,19 @@ void Gpio::init() bool hasInputPin = false; + if (_inst->_preferences->getBool(preference_cred_bypass_boot_btn_enabled, false)) + { + pinMode(BOOT_BUTTON_GPIO, INPUT); + } + if (_inst->_preferences->getInt(preference_cred_bypass_gpio_high, -1) > -1) + { + pinMode(_inst->_preferences->getInt(preference_cred_bypass_gpio_high, -1), INPUT); + } + if (_inst->_preferences->getInt(preference_cred_bypass_gpio_low, -1) > -1) + { + pinMode(_inst->_preferences->getInt(preference_cred_bypass_gpio_low, -1), INPUT); + } + for(const auto& entry : _inst->_pinConfiguration) { const auto it = std::find(_inst->availablePins().begin(), _inst->availablePins().end(), entry.pin); @@ -238,10 +251,23 @@ void Gpio::loadPinConfiguration() } } -const std::vector Gpio::getDisabledPins() const +const std::vector Gpio::getDisabledPins() const { std::vector disabledPins; + if (_preferences->getBool(preference_cred_bypass_boot_btn_enabled, false)) + { + disabledPins.push_back(BOOT_BUTTON_GPIO); + } + if (_preferences->getInt(preference_cred_bypass_gpio_high, -1) > -1) + { + disabledPins.push_back(_preferences->getInt(preference_cred_bypass_gpio_high, -1)); + } + if (_preferences->getInt(preference_cred_bypass_gpio_low, -1) > -1) + { + disabledPins.push_back(_preferences->getInt(preference_cred_bypass_gpio_low, -1)); + } + switch(_preferences->getInt(preference_network_hardware, 0)) { case 2: @@ -333,7 +359,7 @@ const std::vector Gpio::getDisabledPins() const break; } - Log->print(("GPIO Ethernet disabled pins:")); + Log->print(("GPIO Boot button and Ethernet disabled pins:")); for_each_n(disabledPins.begin(), disabledPins.size(), [](int x) { diff --git a/src/HomeAssistantDiscovery.cpp b/src/HomeAssistantDiscovery.cpp index 84c246f..7b7473b 100644 --- a/src/HomeAssistantDiscovery.cpp +++ b/src/HomeAssistantDiscovery.cpp @@ -38,7 +38,7 @@ HomeAssistantDiscovery::HomeAssistantDiscovery(NetworkDevice* device, Preference Log->println(curDevId); Log->print("Saved ID: "); Log->println(savedDevId); - Log->println("Efuse ID and NukiHub device ID do not match, removing HASS setup for incorrect NukiHub device ID."); + Log->println("Efuse ID and Nuki Hub device ID do not match, removing HomeAssistant setup for incorrect Nuki Hub device ID."); char uidString[20]; itoa(_preferences->getUInt(preference_device_id_lock, 0), uidString, 10); removeHASSConfig(uidString); @@ -60,7 +60,7 @@ void HomeAssistantDiscovery::setupHASS(int type, uint32_t nukiId, char* nukiName if(type == 0) { publishHASSNukiHubConfig(); - Log->println("HASS setup for NukiHub completed."); + Log->println("HomeAssistant setup for Nuki Hub completed."); } else if(type == 1) { @@ -71,7 +71,7 @@ void HomeAssistantDiscovery::setupHASS(int type, uint32_t nukiId, char* nukiName String lockTopic = _baseTopic; lockTopic.concat("/lock"); publishHASSConfig((char*)"SmartLock", lockTopic.c_str(), nukiName, uidString, firmwareVersion, hardwareVersion, hasDoorSensor, hasKeypad, publishAuthData, (char*)"lock", (char*)"unlock", (char*)"unlatch"); - Log->println("HASS setup for lock completed."); + Log->println("HomeAssistant setup for lock completed."); } else if(type == 2) { @@ -90,7 +90,7 @@ void HomeAssistantDiscovery::setupHASS(int type, uint32_t nukiId, char* nukiName publishHASSConfig((char*)"Opener", openerTopic.c_str(), nukiName, uidString, firmwareVersion, hardwareVersion, hasDoorSensor, hasKeypad, publishAuthData, (char*)"deactivateRTO", (char*)"activateRTO", (char*)"electricStrikeActuation"); } - Log->println("HASS setup for opener completed."); + Log->println("HomeAssistant setup for opener completed."); } } @@ -123,7 +123,7 @@ void HomeAssistantDiscovery::publishHASSNukiHubConfig() JsonArray ids = dev["ids"].to(); ids.add(String("nuki_") + _nukiHubUidString); json["dev"]["mf"] = "Technyon"; - json["dev"]["mdl"] = "NukiHub"; + json["dev"]["mdl"] = "Nuki Hub"; json["dev"]["name"] = _hostname.c_str(); json["dev"]["sw"] = NUKI_HUB_VERSION; json["dev"]["hw"] = NUKI_HUB_HW; @@ -472,19 +472,19 @@ void HomeAssistantDiscovery::publishHASSConfig(char *deviceType, const char *bas if(publishAuthData) { publishHASSConfigAccessLog(deviceType, baseTopic, name, uidString); + removeHASSConfigTopic((char*)"sensor", (char*)"last_action_authorization", uidString); } else { - removeHASSConfigTopic((char*)"sensor", (char*)"last_action_authorization", uidString); removeHASSConfigTopic((char*)"sensor", (char*)"rolling_log", uidString); } if(hasKeypad) { publishHASSConfigKeypad(deviceType, baseTopic, name, uidString); + removeHASSConfigTopic((char*)"sensor", (char*)"keypad_status", uidString); } else { - removeHASSConfigTopic((char*)"sensor", (char*)"keypad_status", uidString); removeHASSConfigTopic((char*)"binary_sensor", (char*)"keypad_battery_low", uidString); } } @@ -519,6 +519,8 @@ void HomeAssistantDiscovery::publishHASSDeviceConfig(char* deviceType, const cha json["unique_id"] = String(uidString) + "_lock"; json["cmd_t"] = String("~") + String(mqtt_topic_lock_action); json["avty"][0]["t"] = availabilityTopic; + json["avty"][1]["t"] = String("~") + String(mqtt_topic_lock_availability); + json["avty_mode"] = "all"; json["pl_lock"] = lockAction; json["pl_unlk"] = unlockAction; @@ -1878,7 +1880,7 @@ void HomeAssistantDiscovery::publishHASSConfigAdditionalLockEntities(char *devic { removeHassTopic((char*)"switch", (char*)"auto_update_enabled", uidString); } - + // Motor speed if((int)advancedLockConfigAclPrefs[23] == 1) { @@ -1895,7 +1897,7 @@ void HomeAssistantDiscovery::publishHASSConfigAdditionalLockEntities(char *devic { removeHassTopic((char*)"select", (char*)"motor_speed", uidString); } - + if((int)advancedLockConfigAclPrefs[24] == 1) { // Slow speed during night mode enabled @@ -2903,24 +2905,6 @@ void HomeAssistantDiscovery::publishHASSConfigAdditionalOpenerEntities(char *dev void HomeAssistantDiscovery::publishHASSConfigAccessLog(char *deviceType, const char *baseTopic, char *name, char *uidString) { - publishHassTopic("sensor", - "last_action_authorization", - uidString, - "_last_action_authorization", - "Last action authorization", - name, - baseTopic, - String("~") + mqtt_topic_lock_log, - deviceType, - "", - "", - "diagnostic", - "", - { - { (char*)"ic", (char*)"mdi:format-list-bulleted" }, - { (char*)"val_tpl", (char*)"{{ (value_json|selectattr('type', 'eq', 'LockAction')|selectattr('action', 'in', ['Lock', 'Unlock', 'Unlatch'])|first|default).authorizationName|default }}" } - }); - String rollingSate = "~"; rollingSate.concat(mqtt_topic_lock_log_rolling); @@ -2984,24 +2968,6 @@ void HomeAssistantDiscovery::publishHASSConfigKeypad(char *deviceType, const cha { (char*)"en", (char*)"false" }, { (char*)"pl_prs", (char*)"1" } }); - - publishHassTopic("sensor", - "keypad_status", - uidString, - "_keypad_stats", - "Keypad status", - name, - baseTopic, - String("~") + mqtt_topic_lock_log, - deviceType, - "", - "", - "diagnostic", - "", - { - { (char*)"ic", (char*)"mdi:drag-vertical" }, - { (char*)"val_tpl", (char*)"{{ (value_json|selectattr('type', 'eq', 'KeypadAction')|first|default).completionStatus|default }}" } - }); } void HomeAssistantDiscovery::publishHassTopic(const String& mqttDeviceType, @@ -3208,7 +3174,13 @@ JsonDocument HomeAssistantDiscovery::createHassJson(const String& uidString, json["cmd_t"] = commandTopic; } - json["avty"]["t"] = _baseTopic + mqtt_topic_mqtt_connection_state; + json["avty"][0]["t"] = _baseTopic + mqtt_topic_mqtt_connection_state; + + if (uidString != "query_lockstate") + { + json["avty"][1]["t"] = String("~") + String(mqtt_topic_lock_availability); + json["avty_mode"] = "all"; + } for(const auto& entry : additionalEntries) { diff --git a/src/MqttTopics.h b/src/MqttTopics.h index ef8f5de..8b84d18 100644 --- a/src/MqttTopics.h +++ b/src/MqttTopics.h @@ -25,6 +25,7 @@ #define mqtt_topic_lock_rssi (char*)"/rssi" #define mqtt_topic_lock_address (char*)"/address" #define mqtt_topic_lock_retry (char*)"/retry" +#define mqtt_topic_lock_availability (char*)"/availability" #define mqtt_topic_official_lock_action (char*)"/lockAction" //#define mqtt_topic_official_mode (char*)"/mode" diff --git a/src/NukiNetwork.cpp b/src/NukiNetwork.cpp index 8cbc306..ec656a1 100644 --- a/src/NukiNetwork.cpp +++ b/src/NukiNetwork.cpp @@ -636,7 +636,7 @@ bool NukiNetwork::reconnect() { Log->println(("MQTT Broker not configured, aborting connection attempt.")); _nextReconnect = espMillis() + 5000; - + if(_device->isConnected()) { _lastConnectedTs = espMillis(); @@ -1036,7 +1036,7 @@ void NukiNetwork::onMqttDataReceived(const char* topic, byte* payload, const uns return; } Log->println(("Webserver enabled, restarting.")); - _preferences->putBool(preference_webserver_enabled, true); + _preferences->putBool(preference_webserver_enabled, true); } else if (strcmp(data, "0") == 0) { diff --git a/src/NukiNetworkLock.cpp b/src/NukiNetworkLock.cpp index 8ecd0b1..4a79b01 100644 --- a/src/NukiNetworkLock.cpp +++ b/src/NukiNetworkLock.cpp @@ -420,6 +420,15 @@ void NukiNetworkLock::publishKeyTurnerState(const NukiLock::KeyTurnerState& keyT lockstateToString((NukiLock::LockState)_nukiOfficial->getOffState(), str); json["lock_state"] = str; } + + if(strcmp(str, "undefined") == 0) + { + _nukiPublisher->publishString(mqtt_topic_lock_availability, "offline", true); + } + else + { + _nukiPublisher->publishString(mqtt_topic_lock_availability, "online", true); + } json["lockngo_state"] = keyTurnerState.lockNgoTimer != 255 ? keyTurnerState.lockNgoTimer : 0; diff --git a/src/NukiNetworkOpener.cpp b/src/NukiNetworkOpener.cpp index 160608a..7031720 100644 --- a/src/NukiNetworkOpener.cpp +++ b/src/NukiNetworkOpener.cpp @@ -347,6 +347,15 @@ void NukiNetworkOpener::publishKeyTurnerState(const NukiOpener::OpenerState& key publishState(keyTurnerState); } } + + if(strcmp(str, "undefined") == 0) + { + _nukiPublisher->publishString(mqtt_topic_lock_availability, "offline", true); + } + else + { + _nukiPublisher->publishString(mqtt_topic_lock_availability, "online", true); + } json["lock_state"] = str; diff --git a/src/PreferencesKeys.h b/src/PreferencesKeys.h index 1b0b60f..1aea27a 100644 --- a/src/PreferencesKeys.h +++ b/src/PreferencesKeys.h @@ -76,6 +76,21 @@ #define preference_mqtt_ssl_enabled (char*)"mqttSSLena" #define preference_lock_gemini_pin (char*)"geminiPin" #define preference_lock_gemini_enabled (char*)"geminiena" +#define preference_cred_duo_enabled (char*)"duoena" +#define preference_cred_duo_host (char*)"duoHost" +#define preference_cred_duo_ikey (char*)"duoIkey" +#define preference_cred_duo_skey (char*)"duoSkey" +#define preference_cred_duo_user (char*)"duoUser" +#define preference_https_fqdn (char*)"httpsFQDN" +#define preference_bypass_proxy (char*)"credBypass" +#define preference_cred_session_lifetime (char*)"credLf" +#define preference_cred_session_lifetime_remember (char*)"credLfRmbr" +#define preference_cred_session_lifetime_duo (char*)"credLfDuo" +#define preference_cred_session_lifetime_duo_remember (char*)"credLfDuoRmbr" +#define preference_cred_duo_approval (char*)"duoApprove" +#define preference_cred_bypass_boot_btn_enabled (char*)"bypassBtBtn" +#define preference_cred_bypass_gpio_high (char*)"bypassHigh" +#define preference_cred_bypass_gpio_low (char*)"bypassLow" // CHANGE DOES NOT REQUIRE REBOOT TO TAKE EFFECT #define preference_find_best_rssi (char*)"nwbestrssi" @@ -130,6 +145,7 @@ #define preference_hybrid_reboot_on_disconnect (char*)"hybridRbtLck" //NOT USER CHANGABLE +#define preference_mfa_reconfigure (char*)"mfaRECONF" #define preference_ntw_reconfigure (char*)"ntwRECONF" #define preference_updater_version (char*)"updVer" #define preference_updater_build (char*)"updBuild" @@ -179,8 +195,15 @@ inline void initPreferences(Preferences* preferences) preferences->putBytes(preference_conf_lock_advanced_acl, (byte*)(&advancedLockConfigAclPrefs), sizeof(advancedLockConfigAclPrefs)); uint32_t advancedOpenerConfigAclPrefs[21] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}; preferences->putBytes(preference_conf_opener_advanced_acl, (byte*)(&advancedOpenerConfigAclPrefs), sizeof(advancedOpenerConfigAclPrefs)); + preferences->putString(preference_mqtt_lock_path, "nukihub"); preferences->putString(preference_time_server, "pool.ntp.org"); + preferences->putString(preference_cred_duo_host, ""); + preferences->putString(preference_cred_duo_ikey, ""); + preferences->putString(preference_cred_duo_skey, ""); + preferences->putString(preference_cred_duo_user, ""); + preferences->putString(preference_https_fqdn, ""); + preferences->putString(preference_bypass_proxy, ""); preferences->putBool(preference_check_updates, true); preferences->putBool(preference_opener_continuous_mode, false); @@ -194,7 +217,6 @@ inline void initPreferences(Preferences* preferences) preferences->putBool(preference_enable_bootloop_reset, false); preferences->putBool(preference_show_secrets, false); preferences->putBool(preference_find_best_rssi, true); - preferences->putBool(preference_conf_info_enabled, true); preferences->putBool(preference_keypad_info_enabled, false); preferences->putBool(preference_keypad_topic_per_entry, false); @@ -208,6 +230,17 @@ inline void initPreferences(Preferences* preferences) preferences->putBool(preference_register_opener_as_app, false); preferences->putBool(preference_mqtt_ssl_enabled, false); preferences->putBool(preference_lock_gemini_enabled, false); + preferences->putBool(preference_debug_connect, false); + preferences->putBool(preference_debug_communication, false); + preferences->putBool(preference_debug_readable_data, false); + preferences->putBool(preference_debug_hex_data, false); + preferences->putBool(preference_debug_command, false); + preferences->putBool(preference_connect_mode, true); + preferences->putBool(preference_retain_gpio, false); + preferences->putBool(preference_enable_debug_mode, false); + preferences->putBool(preference_cred_duo_enabled, false); + preferences->putBool(preference_cred_duo_approval, false); + preferences->putBool(preference_cred_bypass_boot_btn_enabled, false); preferences->putInt(preference_mqtt_broker_port, 1883); preferences->putInt(preference_buffer_size, CHAR_BUFFER_SIZE); @@ -227,15 +260,12 @@ inline void initPreferences(Preferences* preferences) preferences->putInt(preference_query_interval_battery, 1800); preferences->putInt(preference_query_interval_keypad, 1800); preferences->putInt(preference_http_auth_type, 0); - - preferences->putBool(preference_debug_connect, false); - preferences->putBool(preference_debug_communication, false); - preferences->putBool(preference_debug_readable_data, false); - preferences->putBool(preference_debug_hex_data, false); - preferences->putBool(preference_debug_command, false); - preferences->putBool(preference_connect_mode, true); - preferences->putBool(preference_retain_gpio, false); - preferences->putBool(preference_enable_debug_mode, false); + preferences->putInt(preference_cred_session_lifetime, 3600); + preferences->putInt(preference_cred_session_lifetime_remember, 720); + preferences->putInt(preference_cred_session_lifetime_duo, 3600); + preferences->putInt(preference_cred_session_lifetime_duo_remember, 720); + preferences->putInt(preference_cred_bypass_gpio_high, -1); + preferences->putInt(preference_cred_bypass_gpio_low, -1); #ifndef CONFIG_IDF_TARGET_ESP32H2 WiFi.begin(); @@ -488,16 +518,19 @@ private: preference_update_from_mqtt, preference_show_secrets, preference_ble_tx_power, preference_webserial_enabled, preference_find_best_rssi, preference_lock_gemini_enabled, preference_network_custom_mdc, preference_network_custom_clk, preference_network_custom_phy, preference_network_custom_addr, preference_network_custom_irq, preference_network_custom_rst, preference_network_custom_cs, preference_network_custom_sck, preference_network_custom_miso, preference_network_custom_mosi, - preference_network_custom_pwr, preference_network_custom_mdio, preference_ntw_reconfigure, preference_lock_max_auth_entry_count, preference_opener_max_auth_entry_count, + preference_network_custom_pwr, preference_network_custom_mdio, preference_lock_max_auth_entry_count, preference_opener_max_auth_entry_count, preference_auth_control_enabled, preference_auth_topic_per_entry, preference_auth_info_enabled, preference_auth_max_entries, preference_wifi_ssid, preference_wifi_pass, preference_keypad_check_code_enabled, preference_disable_network_not_connected, preference_mqtt_hass_enabled, preference_hass_device_discovery, preference_retain_gpio, preference_debug_connect, preference_debug_communication, preference_debug_readable_data, preference_debug_hex_data, preference_debug_command, preference_connect_mode, - preference_lock_force_id, preference_lock_force_doorsensor, preference_lock_force_keypad, preference_opener_force_id, preference_opener_force_keypad, preference_nukihub_id + preference_lock_force_id, preference_lock_force_doorsensor, preference_lock_force_keypad, preference_opener_force_id, preference_opener_force_keypad, preference_nukihub_id, + preference_cred_duo_host, preference_cred_duo_ikey, preference_cred_duo_skey, preference_cred_duo_user, preference_cred_duo_enabled, preference_https_fqdn, preference_bypass_proxy, + preference_cred_session_lifetime, preference_cred_session_lifetime_remember, preference_cred_session_lifetime_duo, preference_cred_session_lifetime_duo_remember, + preference_cred_duo_approval, preference_cred_bypass_boot_btn_enabled, preference_cred_bypass_gpio_high, preference_cred_bypass_gpio_low }; std::vector _redact = { preference_mqtt_user, preference_mqtt_password, preference_cred_user, preference_cred_password, preference_nuki_id_lock, preference_nuki_id_opener, preference_wifi_pass, - preference_lock_gemini_pin + preference_lock_gemini_pin, preference_cred_duo_host, preference_cred_duo_ikey, preference_cred_duo_skey, preference_cred_duo_user, preference_https_fqdn, preference_bypass_proxy }; std::vector _boolPrefs = { @@ -508,10 +541,10 @@ private: preference_publish_authdata, preference_publish_debug_info, preference_official_hybrid_enabled, preference_mqtt_hass_enabled, preference_retain_gpio, preference_official_hybrid_actions, preference_official_hybrid_retry, preference_conf_info_enabled, preference_disable_non_json, preference_update_from_mqtt, preference_auth_control_enabled, preference_auth_topic_per_entry, preference_auth_info_enabled, preference_webserial_enabled, preference_hass_device_discovery, - preference_ntw_reconfigure, preference_keypad_check_code_enabled, preference_disable_network_not_connected, preference_find_best_rssi, + preference_keypad_check_code_enabled, preference_disable_network_not_connected, preference_find_best_rssi, preference_cred_bypass_boot_btn_enabled, preference_debug_connect, preference_debug_communication, preference_debug_readable_data, preference_debug_hex_data, preference_debug_command, preference_connect_mode, preference_lock_force_id, preference_lock_force_doorsensor, preference_lock_force_keypad, preference_opener_force_id, preference_opener_force_keypad, preference_mqtt_ssl_enabled, - preference_hybrid_reboot_on_disconnect, preference_lock_gemini_enabled, preference_enable_debug_mode + preference_hybrid_reboot_on_disconnect, preference_lock_gemini_enabled, preference_enable_debug_mode, preference_cred_duo_enabled, preference_cred_duo_approval }; std::vector _bytePrefs = { @@ -528,7 +561,9 @@ private: preference_task_size_network, preference_task_size_nuki, preference_authlog_max_entries, preference_keypad_max_entries, preference_timecontrol_max_entries, preference_ble_tx_power, preference_network_custom_mdc, preference_network_custom_clk, preference_network_custom_phy, preference_network_custom_addr, preference_network_custom_irq, preference_network_custom_rst, preference_network_custom_cs, preference_network_custom_sck, preference_network_custom_miso, - preference_network_custom_mosi, preference_network_custom_pwr, preference_network_custom_mdio, preference_http_auth_type + preference_network_custom_mosi, preference_network_custom_pwr, preference_network_custom_mdio, preference_http_auth_type, + preference_cred_session_lifetime, preference_cred_session_lifetime_remember, preference_cred_session_lifetime_duo, preference_cred_session_lifetime_duo_remember, + preference_cred_bypass_gpio_high, preference_cred_bypass_gpio_low }; std::vector _uintPrefs = { diff --git a/src/WebCfgServer.cpp b/src/WebCfgServer.cpp index 8f91996..b603468 100644 --- a/src/WebCfgServer.cpp +++ b/src/WebCfgServer.cpp @@ -15,9 +15,12 @@ #include #endif #include +#include +#include "driver/gpio.h" extern const uint8_t x509_crt_imported_bundle_bin_start[] asm("_binary_x509_crt_bundle_start"); extern const uint8_t x509_crt_imported_bundle_bin_end[] asm("_binary_x509_crt_bundle_end"); +extern bool timeSynced; #ifndef NUKI_HUB_UPDATER #include @@ -44,6 +47,31 @@ WebCfgServer::WebCfgServer(NukiNetwork* network, Preferences* preferences, bool { _hostname = _preferences->getString(preference_hostname, ""); String str = _preferences->getString(preference_cred_user, ""); + str = _preferences->getString(preference_cred_user, ""); + _isSSL = (psychicServer->getPort() == 443); + + if (_preferences->getBool(preference_cred_duo_enabled, false)) + { + _duoEnabled = true; + _duoHost = _preferences->getString(preference_cred_duo_host, ""); + _duoIkey = _preferences->getString(preference_cred_duo_ikey, ""); + _duoSkey = _preferences->getString(preference_cred_duo_skey, ""); + _duoUser = _preferences->getString(preference_cred_duo_user, ""); + + if (_duoHost == "" || _duoIkey == "" || _duoSkey == "" || _duoUser == "" || !_preferences->getBool(preference_update_time, false)) + { + _duoEnabled = false; + } + else if (_preferences->getBool(preference_cred_bypass_boot_btn_enabled, false) || _preferences->getInt(preference_cred_bypass_gpio_high, -1) > -1 || _preferences->getInt(preference_cred_bypass_gpio_low, -1) > -1) + { + if (_preferences->getBool(preference_cred_bypass_boot_btn_enabled, false)) + { + _bypassGPIO = true; + } + _bypassGPIOHigh = _preferences->getInt(preference_cred_bypass_gpio_high, -1); + _bypassGPIOLow = _preferences->getInt(preference_cred_bypass_gpio_low, -1); + } + } if(str.length() > 0) { @@ -61,6 +89,11 @@ WebCfgServer::WebCfgServer(NukiNetwork* network, Preferences* preferences, bool { loadSessions(); } + + if (_duoEnabled) + { + loadSessions(true); + } } _confirmCode = generateConfirmCode(); @@ -80,18 +113,26 @@ WebCfgServer::WebCfgServer(NukiNetwork* network, Preferences* preferences, bool #endif } -bool WebCfgServer::isAuthenticated(PsychicRequest *request) +bool WebCfgServer::isAuthenticated(PsychicRequest *request, bool duo) { - if (request->hasCookie("sessionId")) { - String cookie = request->getCookie("sessionId"); + String cookieKey = "sessionId"; - if (_httpSessions[cookie].is()) + if (duo) + { + cookieKey = "duoId"; + } + + if (request->hasCookie(cookieKey.c_str())) + { + String cookie = request->getCookie(cookieKey.c_str()); + + if ((!duo && _httpSessions[cookie].is()) || (duo && _duoSessions[cookie].is())) { struct timeval time; gettimeofday(&time, NULL); int64_t time_us = (int64_t)time.tv_sec * 1000000L + (int64_t)time.tv_usec; - if (_httpSessions[cookie].as() > time_us) + if ((!duo && _httpSessions[cookie].as() > time_us) || (duo && _duoSessions[cookie].as() > time_us)) { return true; } @@ -108,9 +149,18 @@ bool WebCfgServer::isAuthenticated(PsychicRequest *request) esp_err_t WebCfgServer::logoutSession(PsychicRequest *request, PsychicResponse* resp) { Log->print("Logging out"); - resp->setCookie("sessionId", "", 0, "HttpOnly"); - if (request->hasCookie("sessionId")) { + if (!_isSSL) + { + resp->setCookie("sessionId", "", 0, "HttpOnly"); + } + else + { + resp->setCookie("sessionId", "", 0, "Secure; HttpOnly"); + } + + if (request->hasCookie("sessionId")) + { String cookie = request->getCookie("sessionId"); _httpSessions.remove(cookie); saveSessions(); @@ -120,57 +170,161 @@ esp_err_t WebCfgServer::logoutSession(PsychicRequest *request, PsychicResponse* Log->print("No session cookie found"); } + if (_duoEnabled) + { + if (!_isSSL) + { + resp->setCookie("duoId", "", 0, "HttpOnly"); + } + else + { + resp->setCookie("duoId", "", 0, "Secure; HttpOnly"); + } + + if (request->hasCookie("duoId")) { + String cookie2 = request->getCookie("duoId"); + _duoSessions.remove(cookie2); + saveSessions(true); + } + else + { + Log->print("No session cookie found"); + } + } + return buildConfirmHtml(request, resp, "Logging out", 3, true); } -void WebCfgServer::saveSessions() +void WebCfgServer::saveSessions(bool duo) { if(_preferences->getBool(preference_update_time, false)) { - if (!SPIFFS.begin(true)) { - Log->println("SPIFFS Mount Failed"); - } - else - { - File file = SPIFFS.open("/sessions.json", "w"); - serializeJson(_httpSessions, file); - file.close(); - } - } -} -void WebCfgServer::loadSessions() -{ - if(_preferences->getBool(preference_update_time, false)) - { - if (!SPIFFS.begin(true)) { + if (!SPIFFS.begin(true)) + { Log->println("SPIFFS Mount Failed"); } else { - File file = SPIFFS.open("/sessions.json", "r"); + File file; - if (!file || file.isDirectory()) { - Log->println("sessions.json not found"); + if (!duo) + { + file = SPIFFS.open("/sessions.json", "w"); + serializeJson(_httpSessions, file); } else { - deserializeJson(_httpSessions, file); + file = SPIFFS.open("/duosessions.json", "w"); + serializeJson(_duoSessions, file); + } + file.close(); + } + } +} +void WebCfgServer::loadSessions(bool duo) +{ + if(_preferences->getBool(preference_update_time, false)) + { + if (!SPIFFS.begin(true)) + { + Log->println("SPIFFS Mount Failed"); + } + else + { + File file; + + if (!duo) + { + file = SPIFFS.open("/sessions.json", "r"); + + if (!file || file.isDirectory()) { + Log->println("sessions.json not found"); + } + else + { + deserializeJson(_httpSessions, file); + } + } + else + { + file = SPIFFS.open("/duosessions.json", "r"); + + if (!file || file.isDirectory()) { + Log->println("duosessions.json not found"); + } + else + { + deserializeJson(_duoSessions, file); + } } file.close(); } } } +void WebCfgServer::clearSessions() +{ + if (!SPIFFS.begin(true)) + { + Log->println("SPIFFS Mount Failed"); + } + else + { + _httpSessions.clear(); + _duoSessions.clear(); + File file; + file = SPIFFS.open("/sessions.json", "w"); + serializeJson(_httpSessions, file); + file.close(); + file = SPIFFS.open("/duosessions.json", "w"); + serializeJson(_duoSessions, file); + file.close(); + } +} + int WebCfgServer::doAuthentication(PsychicRequest *request) { - if(strlen(_credUser) > 0 && strlen(_credPassword) > 0) + if (!_network->isApOpen() && _preferences->getString(preference_bypass_proxy, "") != "" && request->client()->localIP().toString() == _preferences->getString(preference_bypass_proxy, "")) + { + return 4; + } + else if(strlen(_credUser) > 0 && strlen(_credPassword) > 0) { int savedAuthType = _preferences->getInt(preference_http_auth_type, 0); if (savedAuthType == 2) { - if (!isAuthenticated(request)) { + if (!isAuthenticated(request)) + { return savedAuthType; } + else if (_duoEnabled && !isAuthenticated(request, true)) + { + if (_bypassGPIO) + { + if (digitalRead(BOOT_BUTTON_GPIO) == LOW) + { + Log->print("Duo bypassed because boot button pressed"); + return 4; + } + } + if (_bypassGPIOHigh > -1) + { + if (digitalRead(_bypassGPIOHigh) == HIGH) + { + Log->print("Duo bypassed because bypass GPIO pin pulled high"); + return 4; + } + } + if (_bypassGPIOLow > -1) + { + if (digitalRead(_bypassGPIOLow) == LOW) + { + Log->print("Duo bypassed because bypass GPIO pin pulled low"); + return 4; + } + } + return 3; + } } else { @@ -178,12 +332,188 @@ int WebCfgServer::doAuthentication(PsychicRequest *request) { return savedAuthType; } + else if (_duoEnabled && !isAuthenticated(request, true)) + { + if (_bypassGPIO) + { + if (digitalRead(BOOT_BUTTON_GPIO) == LOW) + { + Log->print("Duo bypassed because boot button pressed"); + return 4; + } + } + if (_bypassGPIOHigh > -1) + { + if (digitalRead(_bypassGPIOHigh) == HIGH) + { + Log->print("Duo bypassed because bypass GPIO pin pulled high"); + return 4; + } + } + if (_bypassGPIOLow > -1) + { + if (digitalRead(_bypassGPIOLow) == LOW) + { + Log->print("Duo bypassed because bypass GPIO pin pulled low"); + return 4; + } + } + return 3; + } } } return 4; } +bool WebCfgServer::startDuoAuth(char* pushType) +{ + int64_t timeout = esp_timer_get_time() - (30 * 1000 * 1000L); + if(!_duoActiveRequest || timeout > _duoRequestTS) + { + const char* duo_host = _duoHost.c_str(); + const char* duo_ikey = _duoIkey.c_str(); + const char* duo_skey = _duoSkey.c_str(); + const char* duo_user = _duoUser.c_str(); + + DuoAuthLib duoAuth; + bool duoRequestResult; + duoAuth.begin(duo_host, duo_ikey, duo_skey, &timeinfo); + duoAuth.setPushType(pushType); + duoRequestResult = duoAuth.pushAuth((char*)duo_user, true); + + if(duoRequestResult == true) + { + _duoTransactionId = duoAuth.getAuthTxId(); + _duoActiveRequest = true; + _duoRequestTS = esp_timer_get_time(); + Log->println("Duo MFA Auth sent"); + return true; + } + else + { + Log->println("Failed Duo MFA Auth"); + return false; + } + } + return true; +} + +int WebCfgServer::checkDuoAuth(PsychicRequest *request) +{ + const char* duo_host = _duoHost.c_str(); + const char* duo_ikey = _duoIkey.c_str(); + const char* duo_skey = _duoSkey.c_str(); + const char* duo_user = _duoUser.c_str(); + + if (request->hasParam("id")) { + const PsychicWebParameter* p = request->getParam("id"); + String cookie2 = p->value(); + DuoAuthLib duoAuth; + if(_duoActiveRequest && _duoCheckIP == request->client()->localIP().toString() && cookie2 == _duoCheckId) + { + duoAuth.begin(duo_host, duo_ikey, duo_skey, &timeinfo); + + Log->println("Checking Duo Push Status..."); + duoAuth.authStatus(_duoTransactionId); + + if(duoAuth.pushWaiting()) + { + Log->println("Duo Push Waiting..."); + return 2; + } + else + { + if (duoAuth.authSuccessful()) + { + Log->println("Successful Duo MFA Auth"); + _duoActiveRequest = false; + _duoTransactionId = ""; + _duoCheckIP = ""; + _duoCheckId = ""; + int64_t durationLength = 60*60*_preferences->getInt(preference_cred_session_lifetime_duo_remember, 720); + + if (!_sessionsOpts[request->client()->localIP().toString()]) + { + durationLength = _preferences->getInt(preference_cred_session_lifetime_duo, 3600); + } + struct timeval time; + gettimeofday(&time, NULL); + int64_t time_us = (int64_t)time.tv_sec * 1000000L + (int64_t)time.tv_usec; + _duoSessions[cookie2] = time_us + (durationLength*1000000L); + saveSessions(true); + if (_preferences->getBool(preference_mfa_reconfigure, false)) + { + _preferences->putBool(preference_mfa_reconfigure, false); + } + return 1; + } + else + { + Log->println("Failed Duo MFA Auth"); + _duoActiveRequest = false; + _duoTransactionId = ""; + _duoCheckIP = ""; + _duoCheckId = ""; + if (_preferences->getBool(preference_mfa_reconfigure, false)) + { + _preferences->putBool(preference_cred_duo_enabled, false); + _duoEnabled = false; + _preferences->putBool(preference_mfa_reconfigure, false); + } + return 0; + } + } + } + } + return 0; +} + +int WebCfgServer::checkDuoApprove() +{ + const char* duo_host = _duoHost.c_str(); + const char* duo_ikey = _duoIkey.c_str(); + const char* duo_skey = _duoSkey.c_str(); + const char* duo_user = _duoUser.c_str(); + + DuoAuthLib duoAuth; + if(_duoActiveRequest) + { + duoAuth.begin(duo_host, duo_ikey, duo_skey, &timeinfo); + + Log->println("Checking Duo Push Status..."); + duoAuth.authStatus(_duoTransactionId); + + if(duoAuth.pushWaiting()) + { + Log->println("Duo Push Waiting..."); + return 2; + } + else + { + if (duoAuth.authSuccessful()) + { + Log->println("Successful Duo MFA Auth"); + _duoActiveRequest = false; + _duoTransactionId = ""; + _duoCheckIP = ""; + _duoCheckId = ""; + return 1; + } + else + { + Log->println("Failed Duo MFA Auth"); + _duoActiveRequest = false; + _duoTransactionId = ""; + _duoCheckIP = ""; + _duoCheckId = ""; + return 0; + } + } + } + return 0; +} + void WebCfgServer::initialize() { //_psychicServer->onOpen([&](PsychicClient* client) { Log->printf("[http] connection #%u connected from %s\n", client->socket(), client->localIP().toString().c_str()); }); @@ -221,6 +551,8 @@ void WebCfgServer::initialize() resp->setCode(302); resp->addHeader("Cache-Control", "no-cache"); return resp->redirect("/get?page=login"); + break; + case 3: case 4: default: break; @@ -254,6 +586,8 @@ void WebCfgServer::initialize() resp->setCode(302); resp->addHeader("Cache-Control", "no-cache"); return resp->redirect("/get?page=login"); + break; + case 3: case 4: default: break; @@ -301,7 +635,7 @@ void WebCfgServer::initialize() } int authReq = doAuthentication(request); - if (value != "status" && value != "login" && value != "logout") + if (value != "status" && value != "login" && value != "duocheck") { switch (authReq) { @@ -315,6 +649,15 @@ void WebCfgServer::initialize() resp->setCode(302); resp->addHeader("Cache-Control", "no-cache"); return resp->redirect("/get?page=login"); + break; + case 3: + if (value != "duoauth") + { + resp->setCode(302); + resp->addHeader("Cache-Control", "no-cache"); + return resp->redirect("/get?page=duoauth"); + } + break; case 4: default: break; @@ -336,6 +679,18 @@ void WebCfgServer::initialize() { return logoutSession(request, resp); } + else if (value == "duoauth") + { + return buildDuoHtml(request, resp); + } + else if (value == "duocheck") + { + return buildDuoCheckHtml(request, resp); + } + else if (value == "coredump") + { + return buildCoredumpHtml(request, resp); + } else if (value == "reboot") { String value = ""; @@ -380,6 +735,30 @@ void WebCfgServer::initialize() } else if (value == "export") { + if(_preferences->getBool(preference_cred_duo_approval, false)) + { + if (!timeSynced) + { + return buildConfirmHtml(request, resp, "NTP time not synced yet, Duo not available, please wait for NTP to sync", 3, true); + } + else if (startDuoAuth((char*)"Approve Nuki Hub export")) + { + int duoResult = 2; + + while (duoResult == 2) + { + duoResult = checkDuoApprove(); + delay(2000); + esp_task_wdt_reset(); + } + + if (duoResult != 1) + { + return buildConfirmHtml(request, resp, "Duo approval failed, redirecting to main menu", 3, true); + } + } + } + return sendSettings(request, resp); } else if (value == "impexpcfg") @@ -562,10 +941,40 @@ void WebCfgServer::initialize() resp->setCode(302); resp->addHeader("Cache-Control", "no-cache"); return resp->redirect("/get?page=login"); + break; + case 3: + resp->setCode(302); + resp->addHeader("Cache-Control", "no-cache"); + return resp->redirect("/get?page=duoauth"); + break; case 4: default: break; } + + if(_preferences->getBool(preference_cred_duo_approval, false)) + { + if (!timeSynced) + { + return buildConfirmHtml(request, resp, "NTP time not synced yet, Duo not available, please wait for NTP to sync", 3, true); + } + else if (startDuoAuth((char*)"Approve Nuki Hub setting change")) + { + int duoResult = 2; + + while (duoResult == 2) + { + duoResult = checkDuoApprove(); + delay(2000); + esp_task_wdt_reset(); + } + + if (duoResult != 1) + { + return buildConfirmHtml(request, resp, "Duo approval failed, redirecting to main menu", 3, true); + } + } + } } if (value == "login") @@ -666,6 +1075,8 @@ void WebCfgServer::initialize() break; case 2: return ESP_FAIL; + case 3: + return ESP_FAIL; case 4: default: break; @@ -689,6 +1100,12 @@ void WebCfgServer::initialize() resp->setCode(302); resp->addHeader("Cache-Control", "no-cache"); return resp->redirect("/get?page=login"); + break; + case 3: + resp->setCode(302); + resp->addHeader("Cache-Control", "no-cache"); + return resp->redirect("/get?page=duoauth"); + break; case 4: default: break; @@ -742,6 +1159,11 @@ void WebCfgServer::initialize() resp->addHeader("Cache-Control", "no-cache"); return resp->redirect("/get?page=login"); break; + case 3: + resp->setCode(302); + resp->addHeader("Cache-Control", "no-cache"); + return resp->redirect("/get?page=duoauth"); + break; case 4: default: break; @@ -1491,15 +1913,108 @@ esp_err_t WebCfgServer::buildLoginHtml(PsychicRequest *request, PsychicResponse* response.beginSend(); response.print(""); response.print(""); - response.print(""); - response.print("

NukiHub login

"); + response.print("

Nuki Hub login

"); response.print("
"); response.print(""); - response.print("
"); + response.print(""); response.print("
"); return response.endSend(); } +esp_err_t WebCfgServer::buildDuoCheckHtml(PsychicRequest *request, PsychicResponse* resp) +{ + char valueStr[2]; + itoa(checkDuoAuth(request), valueStr, 10); + resp->setCode(200); + resp->setContentType("text/plain"); + resp->setContent(valueStr); + return resp->send(); +} + +esp_err_t WebCfgServer::buildCoredumpHtml(PsychicRequest *request, PsychicResponse* resp) +{ + if (!SPIFFS.begin(true)) + { + Log->println("SPIFFS Mount Failed"); + } + else + { + File file = SPIFFS.open("/coredump.hex", "r"); + + if (!file || file.isDirectory()) { + Log->println("coredump.hex not found"); + } + else + { + PsychicFileResponse response(resp, file, "coredump.hex"); + String name = "coredump.txt"; + char buf[26 + name.length()]; + snprintf(buf, sizeof(buf), "attachment; filename=\"%s\"", name.c_str()); + response.addHeader("Content-Disposition", buf); + return response.send(); + } + } + + resp->setCode(302); + resp->addHeader("Cache-Control", "no-cache"); + return resp->redirect("/"); +} + +esp_err_t WebCfgServer::buildDuoHtml(PsychicRequest *request, PsychicResponse* resp) +{ + if (!timeSynced) + { + return buildConfirmHtml(request, resp, "NTP time not synced yet, Duo not available, please wait for NTP to sync", 3, true); + } + + bool duo = startDuoAuth((char*)"Approve Nuki Hub login"); + + if (!duo) + { + return buildConfirmHtml(request, resp, "Duo check failed", 3, true); + } + else + { + PsychicStreamResponse response(resp, "text/html"); + char buffer[33]; + int i; + for (i = 0; i < 4; i++) { + sprintf(buffer + (i * 8), "%08lx", (unsigned long int)esp_random()); + } + + int64_t durationLength = 60*60*_preferences->getInt(preference_cred_session_lifetime_duo_remember, 720); + + if (!_sessionsOpts[request->client()->localIP().toString()]) + { + durationLength = _preferences->getInt(preference_cred_session_lifetime_duo, 3600); + } + + if (!_isSSL) + { + response.setCookie("duoId", buffer, durationLength, "HttpOnly"); + } + else + { + response.setCookie("duoId", buffer, durationLength, "Secure; HttpOnly"); + } + + _duoCheckIP = request->client()->localIP().toString(); + _duoCheckId = buffer; + + response.beginSend(); + response.print(""); + response.print(""); + response.print((String)""); + response.print("

Nuki Hub login

"); + response.print("
Duo Push sent

"); + response.print("Please confirm login in the Duo app

"); + response.print(""); + response.print("
"); + + return response.endSend(); + } +} + bool WebCfgServer::processLogin(PsychicRequest *request, PsychicResponse* resp) { if(request->hasParam("username") && request->hasParam("password")) @@ -1512,14 +2027,24 @@ bool WebCfgServer::processLogin(PsychicRequest *request, PsychicResponse* resp) { char buffer[33]; int i; - int64_t durationLength = 60*60*24*30; + int64_t durationLength = 60*60*_preferences->getInt(preference_cred_session_lifetime_remember, 720); for (i = 0; i < 4; i++) { sprintf(buffer + (i * 8), "%08lx", (unsigned long int)esp_random()); } if(!request->hasParam("remember")) { - durationLength = 60*60; + durationLength = _preferences->getInt(preference_cred_session_lifetime, 3600); + } + + _sessionsOpts[request->client()->localIP().toString()] = request->hasParam("remember"); + + if (!_isSSL) + { + resp->setCookie("sessionId", buffer, durationLength, "HttpOnly"); + } + else + { + resp->setCookie("sessionId", buffer, durationLength, "Secure; HttpOnly"); } - resp->setCookie("sessionId", buffer, durationLength, "HttpOnly"); struct timeval time; gettimeofday(&time, NULL); @@ -1886,6 +2411,8 @@ bool WebCfgServer::processArgs(PsychicRequest *request, PsychicResponse* resp, S bool manPairLck = false; bool manPairOpn = false; bool networkReconfigure = false; + bool clearSession = false; + bool newMFA = false; unsigned char currentBleAddress[6]; unsigned char authorizationId[4] = {0x00}; unsigned char secretKeyK[32] = {0x00}; @@ -1989,30 +2516,33 @@ bool WebCfgServer::processArgs(PsychicRequest *request, PsychicResponse* resp, S } else { - if(value != "") + if(value != "*") { - File file = SPIFFS.open("/mqtt_ssl.ca", FILE_WRITE); - if (!file) { - Log->println("Failed to open /mqtt_ssl.ca for writing"); + if(value != "") + { + File file = SPIFFS.open("/mqtt_ssl.ca", FILE_WRITE); + if (!file) { + Log->println("Failed to open /mqtt_ssl.ca for writing"); + } + else + { + if (!file.print(value)) + { + Log->println("Failed to write /mqtt_ssl.ca"); + } + file.close(); + } } else { - if (!file.print(value)) - { - Log->println("Failed to write /mqtt_ssl.ca"); + if (!SPIFFS.remove("/mqtt_ssl.ca")) { + Serial.println("Failed to delete /mqtt_ssl.ca"); } - file.close(); } + Log->print(("Setting changed: ")); + Log->println(key); + configChanged = true; } - else - { - if (!SPIFFS.remove("/mqtt_ssl.ca")) { - Serial.println("Failed to delete /mqtt_ssl.ca"); - } - } - Log->print(("Setting changed: ")); - Log->println(key); - configChanged = true; } } else if(key == "MQTTCRT") @@ -2022,30 +2552,33 @@ bool WebCfgServer::processArgs(PsychicRequest *request, PsychicResponse* resp, S } else { - if(value != "") + if(value != "*") { - File file = SPIFFS.open("/mqtt_ssl.crt", FILE_WRITE); - if (!file) { - Log->println("Failed to open /mqtt_ssl.crt for writing"); + if(value != "") + { + File file = SPIFFS.open("/mqtt_ssl.crt", FILE_WRITE); + if (!file) { + Log->println("Failed to open /mqtt_ssl.crt for writing"); + } + else + { + if (!file.print(value)) + { + Log->println("Failed to write /mqtt_ssl.crt"); + } + file.close(); + } } else { - if (!file.print(value)) - { - Log->println("Failed to write /mqtt_ssl.crt"); + if (!SPIFFS.remove("/mqtt_ssl.crt")) { + Serial.println("Failed to delete /mqtt_ssl.crt"); } - file.close(); } + Log->print(("Setting changed: ")); + Log->println(key); + configChanged = true; } - else - { - if (!SPIFFS.remove("/mqtt_ssl.crt")) { - Serial.println("Failed to delete /mqtt_ssl.crt"); - } - } - Log->print(("Setting changed: ")); - Log->println(key); - configChanged = true; } } else if(key == "MQTTKEY") @@ -2055,30 +2588,33 @@ bool WebCfgServer::processArgs(PsychicRequest *request, PsychicResponse* resp, S } else { - if(value != "") + if(value != "*") { - File file = SPIFFS.open("/mqtt_ssl.key", FILE_WRITE); - if (!file) { - Log->println("Failed to open /mqtt_ssl.key for writing"); + if(value != "") + { + File file = SPIFFS.open("/mqtt_ssl.key", FILE_WRITE); + if (!file) { + Log->println("Failed to open /mqtt_ssl.key for writing"); + } + else + { + if (!file.print(value)) + { + Log->println("Failed to write /mqtt_ssl.key"); + } + file.close(); + } } else { - if (!file.print(value)) - { - Log->println("Failed to write /mqtt_ssl.key"); + if (!SPIFFS.remove("/mqtt_ssl.key")) { + Serial.println("Failed to delete /mqtt_ssl.key"); } - file.close(); } + Log->print(("Setting changed: ")); + Log->println(key); + configChanged = true; } - else - { - if (!SPIFFS.remove("/mqtt_ssl.key")) { - Serial.println("Failed to delete /mqtt_ssl.key"); - } - } - Log->print(("Setting changed: ")); - Log->println(key); - configChanged = true; } } #ifdef CONFIG_SOC_SPIRAM_SUPPORTED @@ -2089,30 +2625,33 @@ bool WebCfgServer::processArgs(PsychicRequest *request, PsychicResponse* resp, S } else { - if(value != "") + if(value != "*") { - File file = SPIFFS.open("/http_ssl.crt", FILE_WRITE); - if (!file) { - Log->println("Failed to open /http_ssl.crt for writing"); + if(value != "") + { + File file = SPIFFS.open("/http_ssl.crt", FILE_WRITE); + if (!file) { + Log->println("Failed to open /http_ssl.crt for writing"); + } + else + { + if (!file.print(value)) + { + Log->println("Failed to write /http_ssl.crt"); + } + file.close(); + } } else { - if (!file.print(value)) - { - Log->println("Failed to write /http_ssl.crt"); + if (!SPIFFS.remove("/http_ssl.crt")) { + Serial.println("Failed to delete /http_ssl.crt"); } - file.close(); } + Log->print(("Setting changed: ")); + Log->println(key); + configChanged = true; } - else - { - if (!SPIFFS.remove("/http_ssl.crt")) { - Serial.println("Failed to delete /http_ssl.crt"); - } - } - Log->print(("Setting changed: ")); - Log->println(key); - configChanged = true; } } else if(key == "HTTPKEY") @@ -2122,30 +2661,33 @@ bool WebCfgServer::processArgs(PsychicRequest *request, PsychicResponse* resp, S } else { - if(value != "") + if(value != "*") { - File file = SPIFFS.open("/http_ssl.key", FILE_WRITE); - if (!file) { - Log->println("Failed to open /http_ssl.key for writing"); + if(value != "") + { + File file = SPIFFS.open("/http_ssl.key", FILE_WRITE); + if (!file) { + Log->println("Failed to open /http_ssl.key for writing"); + } + else + { + if (!file.print(value)) + { + Log->println("Failed to write /http_ssl.key"); + } + file.close(); + } } else { - if (!file.print(value)) - { - Log->println("Failed to write /http_ssl.key"); + if (!SPIFFS.remove("/http_ssl.key")) { + Serial.println("Failed to delete /http_ssl.key"); } - file.close(); } + Log->print(("Setting changed: ")); + Log->println(key); + configChanged = true; } - else - { - if (!SPIFFS.remove("/http_ssl.key")) { - Serial.println("Failed to delete /http_ssl.key"); - } - } - Log->print(("Setting changed: ")); - Log->println(key); - configChanged = true; } } #endif @@ -2329,6 +2871,175 @@ bool WebCfgServer::processArgs(PsychicRequest *request, PsychicResponse* resp, S //configChanged = true; } } + else if(key == "HTTPSFQDN") + { + if(_preferences->getString(preference_https_fqdn, "") != value) + { + _preferences->putString(preference_https_fqdn, value); + Log->print(("Setting changed: ")); + Log->println(key); + configChanged = true; + } + } + else if(key == "DUOHOST") + { + if(value != "*") + { + if(_preferences->getString(preference_cred_duo_host, "") != value) + { + _preferences->putString(preference_cred_duo_host, value); + Log->print(("Setting changed: ")); + Log->println(key); + configChanged = true; + clearSession = true; + newMFA = true; + } + } + } + else if(key == "DUOIKEY") + { + if(value != "*") + { + if(_preferences->getString(preference_cred_duo_ikey, "") != value) + { + _preferences->putString(preference_cred_duo_ikey, value); + Log->print(("Setting changed: ")); + Log->println(key); + configChanged = true; + clearSession = true; + newMFA = true; + } + } + } + else if(key == "DUOSKEY") + { + if(value != "*") + { + if(_preferences->getString(preference_cred_duo_skey, "") != value) + { + _preferences->putString(preference_cred_duo_skey, value); + Log->print(("Setting changed: ")); + Log->println(key); + configChanged = true; + clearSession = true; + newMFA = true; + } + } + } + else if(key == "DUOUSER") + { + if(value != "*") + { + if(_preferences->getString(preference_cred_duo_user, "") != value) + { + _preferences->putString(preference_cred_duo_user, value); + Log->print(("Setting changed: ")); + Log->println(key); + configChanged = true; + clearSession = true; + newMFA = true; + } + } + } + else if(key == "DUOENA") + { + if(_preferences->getBool(preference_cred_duo_enabled, false) != (value == "1")) + { + _preferences->putBool(preference_cred_duo_enabled, (value == "1")); + if (value == "1") { + _preferences->putBool(preference_update_time, true); + } + Log->print(("Setting changed: ")); + Log->println(key); + configChanged = true; + clearSession = true; + newMFA = true; + } + } + else if(key == "DUOBYPASS") + { + if(_preferences->getBool(preference_cred_bypass_boot_btn_enabled, false) != (value == "1")) + { + _preferences->putBool(preference_cred_bypass_boot_btn_enabled, (value == "1")); + Log->print(("Setting changed: ")); + Log->println(key); + configChanged = true; + } + } + else if(key == "DUOBYPASSHIGH") + { + if(_preferences->getInt(preference_cred_bypass_gpio_high, -1) != value.toInt()) + { + _preferences->putInt(preference_cred_bypass_gpio_high, value.toInt()); + Log->print(("Setting changed: ")); + Log->println(key); + configChanged = true; + } + } + else if(key == "DUOBYPASSLOW") + { + if(_preferences->getInt(preference_cred_bypass_gpio_low, -1) != value.toInt()) + { + _preferences->putInt(preference_cred_bypass_gpio_low, value.toInt()); + Log->print(("Setting changed: ")); + Log->println(key); + configChanged = true; + } + } + else if(key == "DUOAPPROVAL") + { + if(_preferences->getBool(preference_cred_duo_approval, false) != (value == "1")) + { + _preferences->putBool(preference_cred_duo_approval, (value == "1")); + Log->print(("Setting changed: ")); + Log->println(key); + configChanged = true; + } + } + else if(key == "CREDLFTM") + { + if(_preferences->getInt(preference_cred_session_lifetime, 3600) != value.toInt()) + { + _preferences->putInt(preference_cred_session_lifetime, value.toInt()); + Log->print(("Setting changed: ")); + Log->println(key); + configChanged = true; + clearSession = true; + } + } + else if(key == "CREDLFTMRMBR") + { + if(_preferences->getInt(preference_cred_session_lifetime_remember, 720) != value.toInt()) + { + _preferences->putInt(preference_cred_session_lifetime_remember, value.toInt()); + Log->print(("Setting changed: ")); + Log->println(key); + configChanged = true; + clearSession = true; + } + } + else if(key == "CREDDUOLFTM") + { + if(_preferences->getInt(preference_cred_session_lifetime_duo, 3600) != value.toInt()) + { + _preferences->putInt(preference_cred_session_lifetime_duo, value.toInt()); + Log->print(("Setting changed: ")); + Log->println(key); + configChanged = true; + clearSession = true; + } + } + else if(key == "CREDDUOLFTMRMBR") + { + if(_preferences->getInt(preference_cred_session_lifetime_duo_remember, 720) != value.toInt()) + { + _preferences->putInt(preference_cred_session_lifetime_duo_remember, value.toInt()); + Log->print(("Setting changed: ")); + Log->println(key); + configChanged = true; + clearSession = true; + } + } else if(key == "HADEVDISC") { if(_preferences->getBool(preference_hass_device_discovery, false) != (value == "1")) @@ -3061,6 +3772,21 @@ bool WebCfgServer::processArgs(PsychicRequest *request, PsychicResponse* resp, S Log->print(("Setting changed: ")); Log->println(key); configChanged = true; + clearSession = true; + } + } + else if(key == "CREDTRUSTPROXY") + { + if(value != "*") + { + if(_preferences->getString(preference_bypass_proxy, "") != value) + { + _preferences->putString(preference_bypass_proxy, value); + Log->print(("Setting changed: ")); + Log->println(key); + configChanged = true; + clearSession = true; + } } } else if(key == "ACLLCKLCK") @@ -3516,6 +4242,7 @@ bool WebCfgServer::processArgs(PsychicRequest *request, PsychicResponse* resp, S Log->print(("Setting changed: ")); Log->println(key); configChanged = true; + clearSession = true; } } } @@ -3697,6 +4424,7 @@ bool WebCfgServer::processArgs(PsychicRequest *request, PsychicResponse* resp, S Log->print(("Setting changed: ")); Log->println("CREDPASS"); configChanged = true; + clearSession = true; } } @@ -3726,6 +4454,7 @@ bool WebCfgServer::processArgs(PsychicRequest *request, PsychicResponse* resp, S Log->print(("Setting changed: ")); Log->println("CREDUSER"); configChanged = true; + clearSession = true; } if(_preferences->getString(preference_cred_password, "") != "") { @@ -3733,6 +4462,7 @@ bool WebCfgServer::processArgs(PsychicRequest *request, PsychicResponse* resp, S Log->print(("Setting changed: ")); Log->println("CREDPASS"); configChanged = true; + clearSession = true; } } @@ -3807,6 +4537,32 @@ bool WebCfgServer::processArgs(PsychicRequest *request, PsychicResponse* resp, S } } + if(clearSession) + { + clearSessions(); + } + if(newMFA) + { + _preferences->putBool(preference_mfa_reconfigure, true); + + if (_preferences->getBool(preference_cred_duo_enabled, false)) + { + _duoEnabled = true; + _duoHost = _preferences->getString(preference_cred_duo_host, ""); + _duoIkey = _preferences->getString(preference_cred_duo_ikey, ""); + _duoSkey = _preferences->getString(preference_cred_duo_skey, ""); + _duoUser = _preferences->getString(preference_cred_duo_user, ""); + + if (_duoHost == "" || _duoIkey == "" || _duoSkey == "" || _duoUser == "" || !_preferences->getBool(preference_update_time, false)) + { + _duoEnabled = false; + } + } + else + { + _duoEnabled = false; + } + } if(configChanged) { message = "Configuration saved, reboot required to apply"; @@ -4144,6 +4900,7 @@ esp_err_t WebCfgServer::buildImportExportHtml(PsychicRequest *request, PsychicRe } #endif response.print("

"); + response.print("

"); response.print(""); return response.endSend(); } @@ -4294,13 +5051,25 @@ esp_err_t WebCfgServer::buildCredHtml(PsychicRequest *request, PsychicResponse* printInputField(&response, "CREDUSER", "User (# to clear)", _preferences->getString(preference_cred_user).c_str(), 30, "id=\"inputuser\"", false, true); printInputField(&response, "CREDPASS", "Password", "*", 30, "id=\"inputpass\"", true, true); printInputField(&response, "CREDPASSRE", "Retype password", "*", 30, "id=\"inputpass2\"", true); - std::vector> httpAuthOptions; httpAuthOptions.push_back(std::make_pair("0", "Basic")); httpAuthOptions.push_back(std::make_pair("1", "Digest")); httpAuthOptions.push_back(std::make_pair("2", "Form")); - printDropDown(&response, "CREDDIGEST", "HTTP Authentication type", String(_preferences->getInt(preference_http_auth_type, 0)), httpAuthOptions, ""); + printInputField(&response, "CREDTRUSTPROXY", "Bypass authentication for reverse proxy with IP", _preferences->getString(preference_bypass_proxy, "").c_str(), 255, ""); + printCheckBox(&response, "DUOENA", "Duo Push authentication enabled", _preferences->getBool(preference_cred_duo_enabled, false), ""); + printCheckBox(&response, "DUOAPPROVAL", "Require Duo Push authentication for all sensitive Nuki Hub operations (changing/exporting settings)", _preferences->getBool(preference_cred_duo_approval, false), ""); + printCheckBox(&response, "DUOBYPASS", "Bypass Duo Push authentication by pressing the BOOT button while logging in", _preferences->getBool(preference_cred_bypass_boot_btn_enabled, false), ""); + printInputField(&response, "DUOBYPASSHIGH", "Bypass Duo Push authentication by pulling GPIO High", _preferences->getInt(preference_cred_bypass_gpio_high, -1), 2, ""); + printInputField(&response, "DUOBYPASSLOW", "Bypass Duo Push authentication by pulling GPIO Low", _preferences->getInt(preference_cred_bypass_gpio_low, -1), 2, ""); + printInputField(&response, "DUOHOST", "Duo API hostname", "*", 255, "", true, false); + printInputField(&response, "DUOIKEY", "Duo integration key", "*", 255, "", true, false); + printInputField(&response, "DUOSKEY", "Duo secret key", "*", 255, "", true, false); + printInputField(&response, "DUOUSER", "Duo user", "*", 255, "", true, false); + printInputField(&response, "CREDLFTM", "Session validity (in seconds)", _preferences->getInt(preference_cred_session_lifetime, 3600), 12, ""); + printInputField(&response, "CREDLFTMRMBR", "Session validity remember (in hours)", _preferences->getInt(preference_cred_session_lifetime_remember, 720), 12, ""); + printInputField(&response, "CREDDUOLFTM", "Duo Session validity (in seconds)", _preferences->getInt(preference_cred_session_lifetime_duo, 3600), 12, ""); + printInputField(&response, "CREDDUOLFTMRMBR", "Duo Session validity remember (in hours)", _preferences->getInt(preference_cred_session_lifetime_duo_remember, 720), 12, ""); response.print(""); response.print("
"); response.print(""); @@ -4397,6 +5166,7 @@ esp_err_t WebCfgServer::buildNetworkConfigHtml(PsychicRequest *request, PsychicR { response.print("Set HTTP SSL Certificate"); response.print("Set HTTP SSL Key"); + printInputField(&response, "HTTPSFQDN", "Nuki Hub FQDN for HTTP redirect", _preferences->getString(preference_https_fqdn, "").c_str(), 255, ""); } #endif response.print(""); @@ -4427,7 +5197,7 @@ esp_err_t WebCfgServer::buildMqttConfigHtml(PsychicRequest *request, PsychicResp printInputField(&response, "MQTTPORT", "MQTT Broker port", _preferences->getInt(preference_mqtt_broker_port), 5, ""); printInputField(&response, "MQTTUSER", "MQTT User (# to clear)", _preferences->getString(preference_mqtt_user).c_str(), 30, "", false, true); printInputField(&response, "MQTTPASS", "MQTT Password", "*", 30, "", true, true); - printInputField(&response, "MQTTPATH", "MQTT NukiHub Path", _preferences->getString(preference_mqtt_lock_path).c_str(), 180, ""); + printInputField(&response, "MQTTPATH", "MQTT Nuki Hub Path", _preferences->getString(preference_mqtt_lock_path).c_str(), 180, ""); printCheckBox(&response, "ENHADISC", "Enable Home Assistant auto discovery", _preferences->getBool(preference_mqtt_hass_enabled), "chkHass"); response.print("
"); @@ -4496,7 +5266,7 @@ esp_err_t WebCfgServer::buildMqttSSLConfigHtml(PsychicRequest *request, PsychicR file.close(); ca[filesize] = '\0'; - printTextarea(&response, "MQTTCA", "MQTT SSL CA Certificate (*, optional)", ca, 2200, true, true); + printTextarea(&response, "MQTTCA", "MQTT SSL CA Certificate (*, optional)", "*", 2200, true, true); found = true; } } @@ -4529,7 +5299,7 @@ esp_err_t WebCfgServer::buildMqttSSLConfigHtml(PsychicRequest *request, PsychicR file.close(); cert[filesize] = '\0'; - printTextarea(&response, "MQTTCRT", "MQTT SSL Client Certificate (*, optional)", cert, 2200, true, true); + printTextarea(&response, "MQTTCRT", "MQTT SSL Client Certificate (*, optional)", "*", 2200, true, true); found = true; } } @@ -4562,7 +5332,7 @@ esp_err_t WebCfgServer::buildMqttSSLConfigHtml(PsychicRequest *request, PsychicR file.close(); key[filesize] = '\0'; - printTextarea(&response, "MQTTKEY", "MQTT SSL Client Key (*, optional)", key, 2200, true, true); + printTextarea(&response, "MQTTKEY", "MQTT SSL Client Key (*, optional)", "*", 2200, true, true); found = true; } } @@ -4615,7 +5385,7 @@ esp_err_t WebCfgServer::buildHttpSSLConfigHtml(PsychicRequest *request, PsychicR file.close(); cert[filesize] = '\0'; - printTextarea(&response, "HTTPCRT", "HTTP SSL Certificate (*, optional)", cert, 4400, true, true); + printTextarea(&response, "HTTPCRT", "HTTP SSL Certificate (*, optional)", "*", 4400, true, true); found = true; } } @@ -4649,7 +5419,7 @@ esp_err_t WebCfgServer::buildHttpSSLConfigHtml(PsychicRequest *request, PsychicR file.close(); key[filesize] = '\0'; - printTextarea(&response, "HTTPKEY", "HTTP SSL Key (*, optional)", key, 2200, true, true); + printTextarea(&response, "HTTPKEY", "HTTP SSL Key (*, optional)", "*", 2200, true, true); found = true; } } @@ -4675,7 +5445,7 @@ esp_err_t WebCfgServer::buildAdvancedConfigHtml(PsychicRequest *request, Psychic response.print("
"); response.print(""); response.print("

Advanced Configuration

"); - response.print("

Warning: Changing these settings can lead to bootloops that might require you to erase the ESP32 and reflash nukihub using USB/serial

"); + response.print("

Warning: Changing these settings can lead to bootloops that might require you to erase the ESP32 and reflash Nuki Hub using USB/serial

"); response.print(""); response.print("
Current bootloop prevention state"); response.print(_preferences->getBool(preference_enable_bootloop_reset, false) ? "Enabled" : "Disabled"); @@ -5233,14 +6003,39 @@ esp_err_t WebCfgServer::buildInfoHtml(PsychicRequest *request, PsychicResponse* response.print(_preferences->getString(preference_latest_version, "")); response.print("\nAllow update from MQTT: "); response.print(_preferences->getBool(preference_update_from_mqtt, false) ? "Yes" : "No"); - response.print("\nUpdate NukiHub and Nuki devices time using NTP: "); + response.print("\nUpdate Nuki Hub and Nuki devices time using NTP: "); response.print(_preferences->getBool(preference_update_time, false) ? "Yes" : "No"); response.print("\nWeb configurator username: "); response.print(_preferences->getString(preference_cred_user, "").length() > 0 ? "***" : "Not set"); response.print("\nWeb configurator password: "); response.print(_preferences->getString(preference_cred_password, "").length() > 0 ? "***" : "Not set"); + response.print("\nWeb configurator bypass for proxy IP: "); + response.print(_preferences->getString(preference_bypass_proxy, "").length() > 0 ? "***" : "Not set"); response.print("\nWeb configurator authentication: "); response.print(_preferences->getInt(preference_http_auth_type, 0) == 0 ? "Basic" : _preferences->getInt(preference_http_auth_type, 0) == 1 ? "Digest" : "Form"); + response.print("\nSession validity (in seconds): "); + response.print(_preferences->getInt(preference_cred_session_lifetime, 3600)); + response.print("\nSession validity remember (in hours): "); + response.print(_preferences->getInt(preference_cred_session_lifetime_remember, 720)); + response.print("\nDuo Push MFA enabled: "); + response.print(_preferences->getBool(preference_cred_duo_enabled, false) ? "Yes" : "No"); + + if (_preferences->getBool(preference_cred_duo_enabled, false)) + { + response.print("\nDuo Host: "); + response.print(_preferences->getString(preference_cred_duo_host, "").length() > 0 ? "***" : "Not set"); + response.print("\nDuo IKey: "); + response.print(_preferences->getString(preference_cred_duo_ikey, "").length() > 0 ? "***" : "Not set"); + response.print("\nDuo SKey: "); + response.print(_preferences->getString(preference_cred_duo_skey, "").length() > 0 ? "***" : "Not set"); + response.print("\nDuo User: "); + response.print(_preferences->getString(preference_cred_duo_user, "").length() > 0 ? "***" : "Not set"); + response.print("\nDuo Session validity (in seconds): "); + response.print(_preferences->getInt(preference_cred_session_lifetime_duo, 3600)); + response.print("\nDuo Session validity remember (in hours): "); + response.print(_preferences->getInt(preference_cred_session_lifetime_duo_remember, 720)); + } + response.print("\nWeb configurator enabled: "); response.print(_preferences->getBool(preference_webserver_enabled, true) ? "Yes" : "No"); response.print("\nHTTP SSL: "); @@ -5257,6 +6052,8 @@ esp_err_t WebCfgServer::buildInfoHtml(PsychicRequest *request, PsychicResponse* response.print((!file || file.isDirectory() || !file2 || file2.isDirectory()) ? "Disabled" : "Enabled"); file.close(); file2.close(); + response.print("\nNuki Hub FQDN for HTTP redirect: "); + response.print(_preferences->getString(preference_https_fqdn, "").length() > 0 ? "***" : "Not set"); } } else diff --git a/src/WebCfgServer.h b/src/WebCfgServer.h index a5c6a1d..d93ce78 100644 --- a/src/WebCfgServer.h +++ b/src/WebCfgServer.h @@ -100,14 +100,21 @@ private: std::vector _rssiList; String generateConfirmCode(); String _confirmCode = "----"; - - void saveSessions(); - void loadSessions(); + + int checkDuoAuth(PsychicRequest *request); + int checkDuoApprove(); + bool startDuoAuth(char* pushType = (char*)""); + void saveSessions(bool duo = false); + void loadSessions(bool duo = false); + void clearSessions(); esp_err_t logoutSession(PsychicRequest *request, PsychicResponse* resp); - bool isAuthenticated(PsychicRequest *request); + bool isAuthenticated(PsychicRequest *request, bool duo = false); bool processLogin(PsychicRequest *request, PsychicResponse* resp); int doAuthentication(PsychicRequest *request); - esp_err_t buildLoginHtml(PsychicRequest *request, PsychicResponse* resp); + esp_err_t buildCoredumpHtml(PsychicRequest *request, PsychicResponse* resp); + esp_err_t buildLoginHtml(PsychicRequest *request, PsychicResponse* resp); + esp_err_t buildDuoHtml(PsychicRequest *request, PsychicResponse* resp); + esp_err_t buildDuoCheckHtml(PsychicRequest *request, PsychicResponse* resp); esp_err_t buildSSIDListHtml(PsychicRequest *request, PsychicResponse* resp); esp_err_t buildConfirmHtml(PsychicRequest *request, PsychicResponse* resp, const String &message, uint32_t redirectDelay = 5, bool redirect = false, String redirectTo = "/"); esp_err_t buildOtaHtml(PsychicRequest *request, PsychicResponse* resp, bool debug = false); @@ -133,8 +140,25 @@ private: char _credUser[31] = {0}; char _credPassword[31] = {0}; bool _allowRestartToPortal = false; + bool _isSSL = false; uint8_t _partitionType = 0; size_t _otaContentLen = 0; String _hostname; JsonDocument _httpSessions; + JsonDocument _duoSessions; + JsonDocument _sessionsOpts; + struct tm timeinfo; + bool _duoActiveRequest; + bool _duoEnabled = false; + bool _bypassGPIO = false; + int _bypassGPIOHigh = -1; + int _bypassGPIOLow = -1; + int64_t _duoRequestTS = 0; + String _duoTransactionId; + String _duoHost; + String _duoSkey; + String _duoIkey; + String _duoUser; + String _duoCheckId; + String _duoCheckIP; }; diff --git a/src/main.cpp b/src/main.cpp index dde42f7..9da9be3 100644 --- a/src/main.cpp +++ b/src/main.cpp @@ -11,10 +11,11 @@ #include "hal/wdt_hal.h" #include "esp_chip_info.h" #include "esp_netif_sntp.h" -#ifdef CONFIG_SOC_SPIRAM_SUPPORTED -#include "esp_psram.h" +#include "esp_core_dump.h" #include "FS.h" #include "SPIFFS.h" +#ifdef CONFIG_SOC_SPIRAM_SUPPORTED +#include "esp_psram.h" #endif #ifndef NUKI_HUB_UPDATER @@ -88,6 +89,8 @@ RTC_NOINIT_ATTR bool forceEnableWebServer; RTC_NOINIT_ATTR bool disableNetwork; RTC_NOINIT_ATTR bool wifiFallback; RTC_NOINIT_ATTR bool ethCriticalFailure; +bool coredumpPrinted = true; +bool timeSynced = false; int lastHTTPeventId = -1; bool doOta = false; @@ -180,7 +183,8 @@ uint8_t checkPartition() } void cbSyncTime(struct timeval *tv) { - Log->println("NTP time synched"); + Log->println("NTP time synced"); + timeSynced = true; } void networkTask(void *pvParameters) @@ -507,6 +511,93 @@ void setupTasks(bool ota) } } +void logCoreDump() +{ + coredumpPrinted = false; + delay(500); + Serial.println("Printing coredump and saving to coredump.hex on SPIFFS"); + size_t size = 0; + size_t address = 0; + if (esp_core_dump_image_get(&address, &size) == ESP_OK) + { + const esp_partition_t *pt = NULL; + pt = esp_partition_find_first(ESP_PARTITION_TYPE_DATA, ESP_PARTITION_SUBTYPE_DATA_COREDUMP, "coredump"); + + if (pt != NULL) + { + uint8_t bf[256]; + char str_dst[640]; + int16_t toRead; + + if (!SPIFFS.begin(true)) + { + Log->println("SPIFFS Mount Failed"); + } + + File file = SPIFFS.open("/coredump.hex", FILE_WRITE); + if (!file) { + Log->println("Failed to open /coredump.hex for writing"); + } + else + { + file.printf("%s\r\n", NUKI_HUB_HW); + file.printf("%s\r\n", NUKI_HUB_BUILD); + } + + Serial.printf("%s\r\n", NUKI_HUB_HW); + Serial.printf("%s\r\n", NUKI_HUB_BUILD); + + for (int16_t i = 0; i < (size/256)+1; i++) + { + strcpy(str_dst, ""); + toRead = (size - i*256) > 256 ? 256 : (size - i*256); + + esp_err_t er = esp_partition_read(pt, i*256, bf, toRead); + if (er != ESP_OK) + { + Serial.printf("FAIL [%x]", er); + break; + } + + for (int16_t j = 0; j < 256; j++) + { + char str_tmp[2]; + if (bf[j] <= 0x0F) + { + sprintf(str_tmp, "0%x", bf[j]); + } + else + { + sprintf(str_tmp, "%x", bf[j]); + } + strcat(str_dst, str_tmp); + } + Serial.printf("%s", str_dst); + + if (file) { + file.printf("%s", str_dst); + } + } + + Serial.println(""); + + if (file) { + file.println(""); + file.close(); + } + } + else + { + Serial.println("Partition NULL"); + } + } + else + { + Serial.println("esp_core_dump_image_get() FAIL"); + } + coredumpPrinted = true; +} + void setup() { //Set Log level to error for all TAGS @@ -529,10 +620,18 @@ void setup() preferences = new Preferences(); preferences->begin("nukihub", false); initPreferences(preferences); - uint8_t partitionType = checkPartition(); - initializeRestartReason(); + if(esp_reset_reason() == esp_reset_reason_t::ESP_RST_PANIC || + esp_reset_reason() == esp_reset_reason_t::ESP_RST_INT_WDT || + esp_reset_reason() == esp_reset_reason_t::ESP_RST_TASK_WDT || + esp_reset_reason() == esp_reset_reason_t::ESP_RST_WDT) + { + logCoreDump(); + } + + uint8_t partitionType = checkPartition(); + //default disableNetwork RTC_ATTR to false on power-on if(espRunning != 1) { @@ -618,6 +717,20 @@ void setup() file2.close(); key[filesize2] = '\0'; + psychicServer = new PsychicHttpServer(); + psychicServer->config.ctrl_port = 20424; + psychicServer->onNotFound([](PsychicRequest* request, PsychicResponse* response) { + String url = "https://" + request->host() + request->url(); + if (preferences->getString(preference_https_fqdn, "") != "") + { + url = "https://" + preferences->getString(preference_https_fqdn) + request->url(); + } + + response->setCode(301); + response->addHeader("Cache-Control", "no-cache"); + return response->redirect(url.c_str()); + }); + psychicServer->begin(); psychicSSLServer = new PsychicHttpsServer; psychicSSLServer->ssl_config.httpd.max_open_sockets = 8; psychicSSLServer->setCertificate(cert, key); @@ -780,6 +893,20 @@ void setup() file2.close(); key[filesize2] = '\0'; + psychicServer = new PsychicHttpServer(); + psychicServer->config.ctrl_port = 20424; + psychicServer->onNotFound([](PsychicRequest* request, PsychicResponse* response) { + String url = "https://" + request->host() + request->url(); + if (preferences->getString(preference_https_fqdn, "") != "") + { + url = "https://" + preferences->getString(preference_https_fqdn) + request->url(); + } + + response->setCode(301); + response->addHeader("Cache-Control", "no-cache"); + return response->redirect(url.c_str()); + }); + psychicServer->begin(); psychicSSLServer = new PsychicHttpsServer; psychicSSLServer->ssl_config.httpd.max_open_sockets = 8; psychicSSLServer->setCertificate(cert, key); diff --git a/updater/platformio.ini b/updater/platformio.ini index 1ceacf0..6ceb202 100644 --- a/updater/platformio.ini +++ b/updater/platformio.ini @@ -51,6 +51,7 @@ lib_ignore = lib_deps = PsychicHttp=symlink://../lib/PsychicHttp ArduinoJson=symlink://../lib/ArduinoJson + DuoAuthLibrary=symlink://../lib/DuoAuthLibrary monitor_speed = 115200 monitor_filters =